Protecting Classified Information

While we focused during the election on possibly classified emails on Hillary Clinton’s mail server, in Europe they have their own version.

Shodan, the IoT search engine, turned up an Internet-connected disk drive that was not password protected.  While Trump says that Clinton should be thrown in jail, in Europe they said it was the result of an “absent minded European Union police officer”.

In this case, Mr. Absent Minded took 700 pages of documents on Europol investigations without permission and stored them on an unprotected Internet connected disk drive.

While the information was old, it was “packed” with personally identifiable information on terrorism suspects and also details on a number of Europol investigations on terror attacks such as the 2004 Madrid train bombing and other terrorism incidents.

The disk drive is a Lenovo Iomega drive.

As is common in the computer hardware and software industry, Lenovo says that security is the responsibility of the owner.  Said differently: don’t sue us, read the license agreement, we are not responsible.

What this seems to indicate is that until computer vendors have at least some skin in the game, they are going to ignore security and vulnerabilities, since, after all, protecting your information is not their problem.  What this does mean is that you have to be responsible for both the vendor and yourself.

Getting back to the Europol police officer, the data taken was for personal use and in violation of policy, but as we all know, easy to do.  99% of the time, we don’t hear about these incidents as they are swept under the rug – or not even detected.

For all organizations, you can replace classified with proprietary with the same results.  Employees often take data and rarely do organizations find out about it.  If they do find out about it, they often don’t prosecute because they want to avoid the bad PR.

This is not a case of someone making a mistake or of security which is too hard to follow.  Instead, this is a case of someone intentionally taking information which they did not have authority to take.  Unfortunately, this happens all too often and often times is not even detected.

Information for this post came from SC Magazine.



The (Not So) High Price of Crime

Ever wonder how much a hacker charges to hack someone’s email for you?  Wonder no more.

Dell Secureworks, now a separate publicly traded company, publishes an annual report on the cost of crime.  They look at both Russian speaking and English speaking underground markets.

So here it is.  Place your orders soon 🙂

  • $129 – cost to hack your GMail or similar account
  • $500 – to hack your corporate email
  • $65 to $103 – to hack popular Russian email accounts
  • $129 – to hack into Ukrainian email accounts
  • $90 – to hack the IP address of your computer
  • $129 – to hack your Facebook or other social media account
  • $194 – to hack into a Russian social media account
  • $173 – fake U.S., U.K., German or Israeli driver’s license
  • $140 to $250 – fake physical social security card
  • $3,000 to $10,000 – fake physical U.S. passport
  • $7 to $15 – fake Visa card
  • $30 – Premium Visa, Amex or Discover card
  • $5 to $10 – remote access trojan software
  • $80 to $440 – encryption malware
  • $20 to $40 – hacking tutorials
  • $350 – instructions on how to hack a website
  • $40 to $80 – a U.S. bank account with $1,000 to $2,000 in it

The report goes on, but you get the idea.

What surprises me is how cheap this seems to be.  Either they think it is pretty easy or they don’t value their labor very much.  My guess is that it is pretty easy.

The only number that does not surprise me is the cost of a fake U.S. passport.  With the chips and encryption in them now, that is probably hard.

The hackers have definitely turned this into a volume industry and I suspect that they make a lot of money.

Just food for thought.

Information for this post came from Digital Trends.


IRS Going After Bitcoin Users

It is common mythology that Bitcoin users are thieves, hackers and tax cheats.  The IRS doesn’t like tax cheats.

The IRS is asking a court for a “John Doe” summons asking Coinbase, a Bitcoin exchange, to turn over information on any customers that match a certain criteria.

The summons applies as long as the government can’t get the information elsewhere and has “a reasonable basis for believing that such person or group or class of persons may fail or may have failed to comply with any provision of the tax laws.”

The group that the IRS is asking for information on is every customer of Coinbase between 2013 and 2015 in the U.S.  Suffice it to say that this is not a small list.

The reasonable basis?  “a public perception that tax evasion is possible with virtual currency.”  The IRS’s proof for this is limited to a Huffington Post article.

Where did this article appear?  A pretty staid publication called American Banker.  Granted, the banking community has a dog in this fight.  The IRS could ask banks for a list of all of their customers between, say, 2013 and 2015 who deposited or withdrew cash, since cash is used to pay for drugs.  That might upset some customers.

American Banker says that this is a fishing expedition and Coinbase complies with regulations and cooperates with law enforcement on a regular basis, so why attack them.

I think, although my evidence is about as strong as that HuffPo article, that there could be a different reason.

It is likely that smart crooks are not going to use a U.S. bitcoin exchange.  After all, it seems likely that some government agency might ask questions.  That means that, at best, the IRS will only catch dumb crooks.

Since there are plenty of offshore exchanges in places like Switzerland, Malta, The Netherlands, China, India, Bulgaria, Belize and other places, why not use an offshore exchange?

Of course, you don’t need to use a Bitcoin exchange at all.  In fact, the smart crooks will do transfers that are less demanding of ID such as LocalBitcoins or Bitcoin ATMs.  These methods allow you to use cash and many do not require IDs, since cash, as long as it is not counterfeit, is a pretty safe trade.

The downside of some of these methods is that the buyer and seller have to meet or, in the case of ATMs, you have to visit the ATM.  For many people, one of these methods is perfectly satisfactory.  After all, we visit ATMs to get cash all the time, so why not get Bitcoin instead.

Given that the feds don’t like cash transactions, I can only imagine how they feel about Bitcoin transactions.  Conspiracy theorists might say that the IRS is trying to spook people who are using Bitcoin.  I don’t know, but I certainly would not rule that out.  However, since Bitcoin is basically fancy arithmetic stored in a (digital) ledger, it will be hard to outlaw.  That doesn’t mean that people won’t try.

As of a few hours ago, the court granted the summons.  This is only the first step in a potentially long battle.  Coinbase said they expected this and will begin fighting it when they are served with the order.

The order is asking:

For any customer between 12/31/13 and 12/31/15 with a U.S. address, phone number, email domain or bank account, the following information:

User profiles, preferences, security settings, history, payment methods and funding sources.

Also, all records of activity including date, amount, type of transaction, name, transfer instructions and correspondence.

Given that Bitcoin seems to maintain a lot of documentation, I would think that only stupid people would use it for tax evasion given there are many other much more secretive ways to deal with this, but who knows.

Stay tuned for the cat and dog fight.

Information for this post came from Forbes.


The Safety Of Using Your Facebook ID To Sign On To Other Websites

UPDATE: Apparently Paypal was one of the companies affected by some of these OAuth security holes and they just released a fix (Dec 1, 2016) for a bug that would allow hackers to steal OAuth tokens from payment apps of third party developers.

Many web sites encourage you to sign on with your social media userid and password.  Different sites allow you to use different social media accounts such as Facebook or LinkedIn.

But no matter which social media account you use, the technology behind it is called OAuth 2.0, and that is what the sites use to make this happen.

I have never been a fan of doing that, but not for the reason I am about to talk about.

For me, the issue is that, by definition, when you share your credentials with another site, they connect your visits and, of course, sell your data.  As an example, if you sign on to sites A, B and C using your Facebook userid and password, then Facebook knows that you are visiting sites A, B and C and it may get other information from those sites as well.

In addition, if you use your Facebook credentials at those sites and any one of the sites where you are using that userid and password has a breach, then all of those sites are compromised.  So even if you think that Facebook has good security (and it likely does have better than average security), the weakest link in that chain will compromise ALL of those sites.

Now we have another reason not to “share” userids.

Back in January, researchers at the University of Trier found two security glitches in the OAuth protocol and made recommendations on how to fix the bugs.  Whether any given site has, in fact, fixed those bugs is unknown and impossible for you as a user to tell.

Now researchers have identified 4 bugs in OAuth that compromise the security in the system and, of course, since that paper is available in the SANS library, hackers know about it also.

OAuth was designed to allow users to log in to web sites, but now it is being used for mobile apps.  In addition, it turns out that the OAuth specification is complex and convoluted, so, apparently, many developers have not implemented it correctly in the mobile space.

Researchers looked at 600 Android apps.  They used Android apps not because they are more or less secure, but rather it was easier to look at the code because of the Android architecture.

Of those 600 mobile apps, 182 allowed the user to log on using their social media accounts.  Of the apps that allowed the user to log on using their social media userids and passwords, 41% had security issues with their implementation of OAuth.  For example, some developers did not check the validity of the information sent from the ID provider.  Other developers only looked at the returned ID and didn’t bother to see if the provider said that the credentials were valid.  There were a number of different security issues.
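To make the two failure modes above concrete, here is an added example in Python; it is not code from the study or from any of the apps it examined. It contrasts a backend that logs in whichever user id the client forwards with one that checks the token’s signature, issuer, audience and expiry before trusting anything in it. The issuer, audience, signing key and user names are constructed; a real provider signs with RS256 and publishes its keys, so HMAC-SHA256 stands in here only so the example runs offline.

```python
"""Sign-in with a social/identity provider: the 'just trust the returned ID'
mistake beside a backend that validates the identity token before using it.

Constructed example (not from the study or any real app). Real providers sign
ID tokens with RS256 and publish verification keys; an HMAC-SHA256 key stands
in here so the example runs offline. ISSUER, AUDIENCE and the user names are
made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"          # hypothetical identity provider
AUDIENCE = "com.example.mobileapp"      # hypothetical client id of this app
SIGNING_KEY = b"constructed-demo-key"   # stand-in for the provider's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, aud: str = AUDIENCE, lifetime: int = 3600,
                now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Mint a signed token the way the provider would (constructed)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud,
                                  "iat": now, "exp": now + lifetime}).encode())
    signed = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(key, signed, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def login_trusting_client(token: str) -> str:
    """The flaw the study describes: read the user id out of whatever the
    client forwarded and log that user in. Nothing checks that the provider
    signed it, that it was issued to this app, or that it is still valid."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


class TokenRejected(Exception):
    pass


def login_validating_token(token: str, now: Optional[int] = None,
                           key: bytes = SIGNING_KEY) -> str:
    """Hardened version: signature, issuer, audience and expiry are all
    checked before 'sub' is trusted."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # Constant-time compare so the signature check does not leak timing.
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenRejected("token was issued to a different app")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    return claims["sub"]


def validation_result(token: str, now: Optional[int] = None) -> str:
    """Summarise the hardened check as a string instead of raising."""
    try:
        return "accepted " + login_validating_token(token, now=now)
    except TokenRejected as err:
        return f"rejected ({err})"


if __name__ == "__main__":
    now = 1700000000
    cases = [("good", issue_token("alice", now=now)),
             ("other app", issue_token("alice", aud="com.other.app", now=now)),
             ("wrong key", issue_token("admin", now=now, key=b"not-the-provider-key"))]
    for name, tok in cases:
        print(f"{name:10} naive={login_trusting_client(tok):6} "
              f"hardened={validation_result(tok, now=now + 60)}")
```

The “other app” case is the one the researchers describe: the token is genuine, so a check that only reads the returned ID accepts it, but it was issued to a different client and so proves nothing about this app’s user. The audience check is what closes that gap; the signature check closes the cruder case of a client sending whatever it likes.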

While that 41% amounted to only 75 apps, scale that up to the millions of apps out there and you can see that this could be a big problem.

Unlike SSL, where sites like SSL Labs let you test any web site’s implementation of SSL – at least to a degree – there is no equivalent way to test any particular web site’s OR MOBILE APP’s implementation of OAuth.

As we said, while these tests were done with Android apps, there is no reason to believe that developers coded their OAuth implementations any better on Apple devices than on Google devices.

So if you weren’t squeamish about logging on to some random website using your social media userid and password before, you may be now.  Of course, if you follow best practice and do not share passwords across web sites, then using social media IDs and passwords at different sites violates that rule.

Just food for thought.

Information for this post came from SC Magazine, the SANS reading room and Forbes.


SF Muni Hit By Ransomware

UPDATE:  While the ticket kiosks are back online, the hacker is saying that if the Muni doesn’t fix security problems and pay the ransom by Friday that they are going to release the data that they have taken.

Passengers entering the San Francisco Muni rail system were greeted by the message “You Hacked” on Friday when they attempted to purchase a ticket.

Later, handwritten signs on the ticket machines said FREE MUNI.

While the rail operator has been very quiet on what is going on, the hacker is not.  Some of the messages from the hacker include:

“You Hacked, ALL Data Encrypted.”  The bad English could easily be an attempt to disguise where the attackers came from.

The attackers are supposedly asking for 100 Bitcoin or roughly $75,000.

The agency is “using very old system’s !” the person behind the email address said. “We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …!”

“We Gain Access Completely Random and Our Virus Working Automatically !” he continued. “We Don’t Have Targeted Attack to them ! It’s wonderful !”

“We Don’t live in USA,” he said. “Sorry For My English anyway ;)”

The attackers claim to have taken 30 gigabytes of data, which may seem like a lot, but in today’s world, it is pretty small.

While shoppers on Black Friday had a free ride, by Cyber Monday, the ticket machines, at least, were working again.

While Muni officials are saying that they were investigating and it would be inappropriate (or embarrassing) to comment, others are talking.  Hoodline, a Bay Area news blog, said that other data including payroll, email, Quickbooks, Nextbus operations, MySQL databases and other data had been taken.

If that is true, this could be a big deal.  While people like some federal agencies (HHS) and me have said that you need to ASSUME that if hackers encrypt your data, they could easily have a copy of the data, we now have more evidence of this actually happening.
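One way to stop assuming and start measuring is to compare each host’s outbound volume against its own recent history, which is what an incident responder asks for first when “did they also take a copy?” comes up. The Python below is an added example, not SFMTA’s logs or tooling; the firewall-style records in SAMPLE_LOG are constructed, and the 1 GiB floor and 10x multiplier are assumptions to tune for a real network.

```python
"""Flag hosts whose outbound volume jumps far above their own recent baseline.
Added example: the log format and every record in SAMPLE_LOG are constructed
(they are not SFMTA data); the thresholds are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed firewall-style records: timestamp, source host, destination, bytes sent.
# Host 10.1.4.22 sends ~50 MB a night for three nights, then 30 GiB to a new
# destination; host 10.1.4.23 is steady at ~10 MB a day.
SAMPLE_LOG = """
2016-11-22T01:05:10 src=10.1.4.22 dst=198.51.100.7 bytes_out=52428800
2016-11-23T01:07:41 src=10.1.4.22 dst=198.51.100.7 bytes_out=49283072
2016-11-24T01:02:03 src=10.1.4.22 dst=198.51.100.7 bytes_out=55574528
2016-11-25T02:13:44 src=10.1.4.22 dst=203.0.113.9 bytes_out=32212254720
2016-11-22T09:00:00 src=10.1.4.23 dst=198.51.100.7 bytes_out=10485760
2016-11-23T09:00:00 src=10.1.4.23 dst=198.51.100.7 bytes_out=11534336
2016-11-24T09:00:00 src=10.1.4.23 dst=198.51.100.7 bytes_out=9437184
2016-11-25T09:00:00 src=10.1.4.23 dst=198.51.100.7 bytes_out=12582912
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value ...' record into day, src, dst and bytes_out."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"day": datetime.fromisoformat(ts).date().isoformat(),
            "src": rec["src"], "dst": rec["dst"], "bytes_out": int(rec["bytes_out"])}


def daily_totals(lines):
    """Sum bytes per (src, day) and per (src, day, dst)."""
    per_src_day = defaultdict(lambda: defaultdict(int))
    per_src_day_dst = defaultdict(int)
    for line in lines:
        r = parse_line(line)
        per_src_day[r["src"]][r["day"]] += r["bytes_out"]
        per_src_day_dst[(r["src"], r["day"], r["dst"])] += r["bytes_out"]
    return per_src_day, per_src_day_dst


def flag_bulk_egress(lines, factor: int = 10, floor_bytes: int = 1 << 30) -> list:
    """Return one hit per (src, day) whose outbound total exceeds both an
    absolute floor and `factor` times the median of that host's *other* days.
    Using the other days as the baseline means one huge day cannot hide
    itself by inflating its own average."""
    totals, by_dst = daily_totals(lines)
    hits = []
    for src, days in totals.items():
        for day, sent in sorted(days.items()):
            others = [b for d, b in days.items() if d != day]
            baseline = median(others) if others else 0
            if sent > max(floor_bytes, factor * baseline):
                that_day = {k: v for k, v in by_dst.items() if k[0] == src and k[1] == day}
                top_dst = max(that_day, key=that_day.get)[2]
                hits.append({"src": src, "day": day, "bytes_out": sent,
                             "baseline": baseline, "top_dst": top_dst})
    return hits


if __name__ == "__main__":
    for hit in flag_bulk_egress(SAMPLE_LOG):
        print(f"{hit['src']} on {hit['day']}: {hit['bytes_out'] / 2**30:.1f} GiB out "
              f"(baseline {hit['baseline'] / 2**20:.0f} MiB/day), mostly to {hit['top_dst']}")
```

On the constructed data only 10.1.4.22 on 2016-11-25 is reported, together with the destination that received most of it; that is the record that turns “assume they have a copy” into a concrete line of investigation.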

If the comments from the hackers are true, they have control of over 2,000 computers at the agency, roughly a quarter of all of the agency’s computers.  They will need to assume that the other three quarters of their computers may be infected even though they are not showing symptoms.  YET!

Assuming that they even have backups for 2,000+ computers, which is HIGHLY unlikely, rebuilding and restoring 2,000 computers could take weeks – or more – depending on the resources available.

Apparently, the attack is a “Spray and Pray” style attack, meaning the SFMTA was not targeted.  Typically these attacks work by sending out millions of emails and whoever opens them or clicks on a link in the infected emails becomes the next victim.

If the hackers do have the data, then the SFMTA has a significant breach to deal with.

For businesses and now government agencies, this is something I have been saying would happen for months – not only do they have to worry about rebuilding their machines, potentially losing data if they don’t have backups and maybe paying a ransom, but now they have to add to that list, having their data compromised and possibly being publicly released.

In this case, the hackers merely encrypted the computers that run the ticketing and other business systems.  What if they compromised the systems that actually run the trains – similar to the attack in Ukraine last year that blacked out the country for 24 hours?  Depending on what they did, the Muni could be down for weeks.  Or more.  In the case of the Ukraine attack, the hackers DAMAGED the automation equipment, making it difficult or even impossible to repair, making replacing a lot of very expensive hardware the only option.  That equipment is not the kind of stuff that you can buy at Home Depot or Best Buy.

Being prepared for these types of attacks takes time and money and requires people to stop doing risky things.  For many businesses, dealing with this is just not a priority.  I predict it is now a priority for the SFMTA.  This will likely cost them 10 to 100 times what it would have cost them to be prepared.  The good news is that if they fall under the umbrella of governmental immunity, it will be very hard to sue them and there is not an alternative railroad for customers to use instead.

Information for this post came from the San Francisco Examiner and Fortune.



Free is Not Always Free

We don’t seem to remember history very well, so, I guess, we are doomed to repeat it.

Trojan Horse from Flickr under Creative Commons License by Playinto

A Chinese company, ADUPS, makes a technology that a number of phone manufacturers buy and use.  It allows the manufacturer to update the firmware in a phone or IoT device over the air (meaning, I assume, over the cellular, WiFi or Bluetooth network, not literally over the air).  This gives the manufacturer a lot of control over the device.  This is really not different from what Sprint, AT&T and Verizon do, but HOPEFULLY, they have more self control.

In ADUPS’ case, their technology was integrated into inexpensive phones made by, at least, ZTE, Blu and Huawei and sold by Amazon and Best Buy, among others.

The phones sell for between $50 and $100 and, apparently, are quite nice.  The stated reason that they sell for so little money is that the user agrees to accept onscreen advertising.  But how, exactly, do they target that advertising?

Kryptowire bought and tore apart a Blu phone from Amazon and guess what they found?

The phone transmits the full text messages, contact lists, call history with phone numbers and phone ID (IMSI and IMEI depending).  It can target specific users using remotely defined keywords. It also collected information on the applications installed and bypassed the Android permissions model and executed remote commands with system privileges.  Finally, it had the ability to reprogram the devices.

Being security conscious, ADUPS encrypted the data – wait – before it transmitted it to several servers in Shanghai, China every 72 hours.
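A 72-hour upload cycle is exactly the kind of regularity a defender can look for in connection logs: a device that contacts the same server at a nearly constant interval, whatever the payload looks like. The Python below is an added example, not Kryptowire’s analysis or ADUPS code; the device name, hostnames and timestamps in SAMPLE_CONNECTIONS are constructed, and the jitter threshold is an assumption.

```python
"""Spot periodic 'phone home' connections: a device that contacts the same
server at a nearly constant interval, like the 72-hour uploads described
above. Added example; SAMPLE_CONNECTIONS and the hostnames are constructed,
not traffic captured from an ADUPS device."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed (timestamp, device, destination, bytes) records. The device
# contacts collector.example every 72 h give or take a minute or two, and a
# CDN at irregular times as ordinary browsing would.
SAMPLE_CONNECTIONS = [
    ("2016-11-01T03:00:05", "phone-1", "collector.example", 48213),
    ("2016-11-04T03:01:12", "phone-1", "collector.example", 51007),
    ("2016-11-07T02:59:40", "phone-1", "collector.example", 47390),
    ("2016-11-10T03:00:33", "phone-1", "collector.example", 52118),
    ("2016-11-13T03:02:01", "phone-1", "collector.example", 49876),
    ("2016-11-01T08:12:00", "phone-1", "cdn.example", 1200),
    ("2016-11-01T19:45:10", "phone-1", "cdn.example", 3400),
    ("2016-11-03T12:02:44", "phone-1", "cdn.example", 980),
    ("2016-11-06T22:30:00", "phone-1", "cdn.example", 2210),
    ("2016-11-07T09:10:10", "phone-1", "cdn.example", 1750),
]


def find_beacons(records, min_hits: int = 4, max_jitter: float = 0.05) -> list:
    """Group connections by (device, destination), measure the gaps between
    successive contacts, and report pairs whose gaps are regular: at least
    `min_hits` contacts and a relative spread (stdev/mean) under `max_jitter`.
    Ordinary browsing has wildly varying gaps and drops out; a scheduled
    upload has almost identical gaps and stands out."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), nbytes))
    beacons = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"src": src, "dst": dst, "hits": len(events),
                            "period_hours": round(avg / 3600),
                            "bytes_total": sum(n for _, n in events)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{b['src']} -> {b['dst']}: {b['hits']} contacts, "
              f"every ~{b['period_hours']} h, {b['bytes_total']} bytes total")
```

On the constructed data the collector shows up as a 72-hour beacon while the CDN traffic does not. On a real network the thresholds need tuning, and legitimate schedulers (update checks, backups) will also match, so the output is a list to triage rather than a verdict.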

Kind of sounds like a Trojan horse, doesn’t it?

ADUPS claims to have over 700 million active users; they have offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi and Miami.

Kryptowire has a graphic in their article, captured below, that compares this to CarrierIQ – the spying software that US Carriers used a couple of years ago that raised such an uproar.  While neither one was cheered by privacy advocates, this new one seems to be worse.


As you can see, there are a lot of similarities but a few “improvements” such as remote firmware update.

ADUPS, on their web site, said they do this to screen out junk calls and texts.  First, at least for me, those don’t seem to be a huge problem and second, if they were honestly doing this, wouldn’t they tell the owner of the device and give them a way to see what they are doing?  That excuse doesn’t hold much water.

ADUPS claims that after they were outed for doing what they were doing, they disabled (but not removed) the feature.

They also say that they take privacy seriously and didn’t disclose the text messages, contacts and phone logs to anyone before they were caught.  That doesn’t mean that they aren’t and didn’t disclose other information, they just (maybe) didn’t have time to disclose this information before they were caught.

This is why security researchers are so critical.  You or I don’t have the time or skill to tear apart a phone and figure out what people are doing.  If some folks in Congress have their way, this type of research will be completely illegal.

So just remember, if someone offers you a free (or nearly free) Trojan horse OR phone, you do get what you pay for.  And likely, something extra – also for free.

It will be interesting to see if this software shows up elsewhere in the U.S.  Based on where their offices are located, their target market seems to be China, Japan, India and Latin America, where the loss of privacy is outweighed by the benefit of getting a high end phone.

Information for this post came from Brian Krebs, Kryptowire and from a statement by ADUPS.
