Partial Ban on Airline Carry-On Electronics – What is the Impact?

The U.S. and Britain announced new restrictions on carry-on electronics this week.  While this has been considered many times before, it is now being implemented, but only from a limited number of airports and a limited number of airlines.  The U.S. and British lists are different – of course.  I will only talk about what the U.S. is doing.

The ban covers laptops, tablets, game consoles and anything bigger than a phone.  Even portable disk drives.  Other electronics, such as very expensive photographic equipment, are banned as well.

First the ONLY airports affected are the following.  For now.

  • Cairo, Egypt
  • Dubai, UAE
  • Abu Dhabi, UAE
  • Istanbul, Turkey
  • Doha, Qatar
  • Amman, Jordan
  • Kuwait
  • Casablanca, Morocco
  • Jeddah, Saudi Arabia
  • Riyadh, Saudi Arabia

And only on flights to the U.S.  Since no U.S. flagged airlines currently fly from those airports to the U.S., no U.S. airlines are affected.  The airlines included are:

  • Egyptair
  • Emirates Airline
  • Etihad Airways
  • Kuwait Airways
  • Qatar Airways
  • Royal Air Maroc
  • Royal Jordanian Airlines
  • Saudi Arabian Airlines and
  • Turkish Airlines

The airlines have 96 hours to implement the ban or they risk losing their landing rights in the U.S., so all will comply.

So what is the impact to travelers?

First, the current ban is for a REALLY small group of flights – maybe 50 a day.  For now, assuming the U.S. doesn’t expand the ban to other airports and airlines.

Some companies will choose not to travel to those countries at all and will lose business opportunities, because the collateral risk is too high.

Next, you will be able to take your electronics onboard going TO those airports, just not coming home.

Coming home, you can check the laptop or tablet in your luggage, so it will still be on the plane with you.  If it is a bomb, it could still blow up, but it would require a more sophisticated detonator, such as what may have blown up Pan Am Flight 103 over Lockerbie, Scotland.

Regarding getting the computer stolen, there are tens of thousands of reports a year of stuff getting stolen from luggage and likely many more that are not reported, but that is a very small percentage of all of the luggage checked during a year.

Some airlines may pay, but many will not.  There are exclusions in some airlines' terms of carriage for paying for valuable items.  Even if they do pay, the limit of liability is less than $2,000, so if the laptop is a business laptop, the value may exceed the available coverage.

Even if the laptop isn’t stolen, the bag may get dropped and the laptop or tablet could get broken.  Proving damage is likely hard.

Even if the airline does eventually pay, it may be months before you see any money.

For many airlines, there are rules about when you must file a claim – like 48 hours or 7 days.  Outside that window, the odds of you getting paid go down dramatically.

Most airlines will require a police report.  Skeptics might say that they want to make you jump through enough hoops that you eat the loss yourself.

So what can you do?  Here are a few suggestions.

  • The best choice is to avoid travelling with electronics if your travel includes their airports.
  • Consider taking an indirect return flight. While adding an extra stopover will increase your travel time, it MAY allow you to carry on your stuff.  Instead of a direct flight from Cairo to New York, maybe go from Cairo to Paris and Paris to New York.  Done right you are likely to avoid the ban at the cost of extra time.
  • The next best choice is to buy burner electronics – ones that are inexpensive AND DO NOT HAVE ANY DATA ON THEM.  Ones that you don’t care about if they are broken or stolen. Many companies do this as a matter of practice.
  • Assume that a laptop out of your sight can be cloned in a matter of a few minutes with all the data on it compromised.  This is not NSA level stuff, many high school kids can do it.
  • Only take data that you need and make sure the data is fully encrypted using robust encryption.
  • If possible, store the data securely in the cloud, download it when you get to your destination, upload it before you return and wipe the disk before you pack it for the return flight.
  • Pad the laptop or other electronics in the suitcase as best you can.
  • Write down serial numbers on anything that you put in a suitcase.  Do not put the serial numbers in the checked luggage.
  • Take pictures of the electronics if possible.

When you arrive, check everything immediately and if there is an issue, if possible, file a claim before you leave the airport.  Getting the airlines on the phone is, to be polite, a bit difficult.

Unfortunately, these suggestions don’t help business travelers that have to take other, non-computer electronics with them.  For them, shipping via FedEx or similar carriers may be an alternative, albeit expensive, option.

The good news is that it won’t affect a huge number of travelers.  For now.  Needless to say, the countries and airlines involved are worried that they are going to lose business.  The U.S. has decided against the ban in the past because it would affect business travelers – which is the most profitable segment of the travelling public.  Hopefully that issue will stop them from expanding the ban, but stay tuned.

Information for this post came from CNN and CNN.


VMware Escape Nets Researcher $105,000

We think of a virtual machine as a way to isolate one system from another and, in general, it works well.  But not always.

Pwn2Own is a hacking contest that is part of the CanSecWest security conference in Vancouver, BC, Canada.

This year researchers who were members of Qihoo 360’s security team figured out a way to exploit a heap overflow bug in the Microsoft Edge browser.  Using that, they were able to execute code in the browser that allowed them to exploit a Windows 10 bug to escape the Edge sandbox.

But they weren’t done yet.

Finally, they exploited a hardware simulation bug in VMware to escape from the virtual machine completely and get down to the host hypervisor.

All of this started with visiting a website.

Obviously, the affected vendors will be issuing patches for all these bugs, but it points to the fact – and it is a fact – that nothing is bulletproof, only bullet resistant.

That means that you need to be smart in segmenting workloads on VM hosts (that means any VM hypervisor – VMWare, HyperV, Openbox, etc.).

To the degree that you can implement micro segmentation, that should be your goal.  Micro segmentation allows you to create many network segments, not just a couple, or one.

Then you need to make sure that you only place compatible workloads on the same host.  If you combine micro segmentation with smart virtual load management, you make your environment as secure as you can in the case of a virtual machine escape.
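As an added example (not from the original post or any hypervisor vendor), here is a small placement check that encodes the two rules above: guests on one host must share a tenant and a trust tier, and each guest may only attach to the network segments its tier permits. The hosts, guests, tiers and segments are constructed sample data.

```python
"""Added example (not from the original post): a co-residency check for a
virtualised estate.  A VM escape hands an attacker the host, so every other
guest on that host is exposed.  Rules: guests on one host share one tenant and
one trust tier, and a guest only sits in segments its tier allows.
Hosts, guests, tiers and rules below are constructed sample data."""
from collections import defaultdict

# Constructed policy: network segments each trust tier may attach to.
ALLOWED_SEGMENTS = {
    "internet-facing": {"dmz"},
    "internal": {"app", "db"},
    "restricted": {"db-restricted"},
}

# Constructed inventory: guest -> (host, tenant, tier, network segments)
INVENTORY = {
    "web-01": ("host-a", "shop", "internet-facing", {"dmz"}),
    "web-02": ("host-a", "shop", "internet-facing", {"dmz"}),
    "db-01": ("host-a", "shop", "restricted", {"db-restricted"}),  # tier mix
    "hr-app": ("host-b", "hr", "internal", {"app"}),
    "shop-api": ("host-b", "shop", "internal", {"app", "dmz"}),  # tenant mix, bad segment
    "hr-db": ("host-c", "hr", "restricted", {"db-restricted"}),
}

def coresidency_violations(inventory):
    """Hosts that mix tenants or trust tiers, as (host, reason, values)."""
    tenants, tiers = defaultdict(set), defaultdict(set)
    for host, tenant, tier, _segments in inventory.values():
        tenants[host].add(tenant)
        tiers[host].add(tier)
    bad = []
    for host in tenants:
        if len(tenants[host]) > 1:
            bad.append((host, "mixed tenants", sorted(tenants[host])))
        if len(tiers[host]) > 1:
            bad.append((host, "mixed tiers", sorted(tiers[host])))
    return sorted(bad)

def segment_violations(inventory, allowed=ALLOWED_SEGMENTS):
    """Guests attached to a segment their tier does not permit."""
    bad = []
    for name, (_host, _tenant, tier, segments) in inventory.items():
        extra = segments - allowed.get(tier, set())
        if extra:
            bad.append((name, sorted(extra)))
    return sorted(bad)

def escape_blast_radius(inventory, escaped_guest):
    """Other guests reachable if `escaped_guest` breaks out to its host."""
    host = inventory[escaped_guest][0]
    return sorted(g for g, meta in inventory.items()
                  if meta[0] == host and g != escaped_guest)

if __name__ == "__main__":
    for v in coresidency_violations(INVENTORY):
        print("co-residency:", v)
    for v in segment_violations(INVENTORY):
        print("segment:", v)
    print("escape from web-01 exposes:", escape_blast_radius(INVENTORY, "web-01"))
```

Run against the sample inventory it reports host-a mixing tiers, host-b mixing tenants, and shop-api sitting in a segment its tier does not allow.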

The folks that engineered this attack won a prize of $105,000.  Before you think that they got all that money for a few hours of work, many times the researchers work on these attacks for a year (starting right after the last Pwn2Own) and then release them at the next hack-fest.

This year Pwn2Own distributed more than a half million dollars of prize money.  That is a lot of motivation for researchers.

The only question is whether I.T. security engineers are smart enough to use the results of Pwn2Own to reconsider how they are engineering their workloads.  Doing that reengineering is a lot of work, but modern day hypervisors allow companies to easily move loads, sometimes with no downtime at all.

Information for this post came from Ars Technica.


DC Appeals Court Says You Have No Recourse If Hacked By A Foreign Government

A U.S. citizen of Ethiopian heritage was hacked a few years ago by the Ethiopian government here in the U.S.  The victim, who goes by the pseudonym of Mr. Kidane to protect his family here and in Ethiopia, is being represented by the EFF, the Jones Day law firm and the law firm Robins Kaplan.

Mr. Kidane lives in Maryland and came to the U.S. 20 years ago, first getting asylum and then citizenship.  He is a critic of the Ethiopian government and, as a result, according to court documents, the Ethiopian government hacked his computer and monitored his communications.

He filed suit against the Ethiopian government in 2014 and the case was dismissed.

This month, the DC Circuit Court of Appeals upheld the lower court’s dismissal.  The logic is interesting and affects anyone that a foreign government is interested in.

In 1976 Congress passed and President Ford signed a bill called the Foreign Sovereigns Immunities Act.  The idea was to stop people from suing foreign governments in U.S. courts for things those governments did to U.S. citizens with certain exceptions.

Without going into a lot of detail, the act defines the situations when a foreign country is immune and those exceptions when it is not immune.  Sovereign immunity is not new;  in fact, the origins of it go back to the 1800s.

Recent laws such as the Defense Appropriations Act of 2014 add a couple of more exceptions such as terrorism committed in the U.S., torture and extrajudicial killings, but, for the most part, governments are immune.

In this particular case, the appeals court reasoned that since this plot to hack Mr. Kidane was plotted in Ethiopia and also carried out from Ethiopia, and it doesn’t fall into one of the exceptions, sovereign immunity applies.

How far this extends is not completely clear to me, but it would seem that if, for example, the Chinese hacked your computer, broke into your brokerage account and stole all your money, you have no right to go after them if they hacked you from China.

The EFF suggested that if the Russians wanted to do you in and hacked your car and drove it off the road (although this might fit into the exception of extrajudicial killings if you wind up dead – but not if you were only injured), targeted you for a drone strike or sent a virus to your pacemaker, you couldn’t go after them unless you were dead and even then, only if the killing was deemed extrajudicial.

Another scenario is that if a foreign government hacks into your computer from overseas and steals your money or your intellectual property, you might not have any recourse against them.  In the case of bank accounts for INDIVIDUALS but not for BUSINESSES, there are certain laws (such as Check 21) that protect you if your money is stolen, but that just makes the bank eat the loss and not the person who committed the crime.  There are no laws that I am aware of that make you whole if someone steals your information.  Normally, your recourse is to sue them.  If you win and are entitled to collect damages, you can TRY to collect those damages.  This process could go on for years and maybe even decades and the odds of you seeing any money may be very low.

I speculate that this law – the FSIA – is quid pro quo because our government does not want to be sued in some court in an unfriendly foreign country and wind up having our assets frozen and/or seized.  While the FSIA does not provide legal cover for our government, it certainly provides a basis for us to request similar protections from other governments.

In 1976 when this bill was signed, the concept of hacking me and stealing my money, information or just eavesdropping on my mail and phone conversations from the other side of the globe was the stuff of science fiction, but a lot has changed in 40 years.  Now, the ability for a foreign government to hack you from halfway around the globe and never set foot in the U.S. is pretty easy.

In some cases (like your personal bank account), you may be able to get recourse from a third party who is also a victim (like your bank), but in many other cases, you may have no recourse at all.  Typically, insurance policies do not consider sovereign immunity as an exclusion, so IF you have an insurance policy that covers the particular situation, your insurance company may have to pay.

On the other hand, insurance policies have exclusions such as acts of terrorism, so that might not provide you any coverage either.

It sounds like the best bet is to work hard to keep the bad guys out and failing that, to detect it quickly if they do get in.  Not a great situation.

Information for this post came from Network World and Wikipedia.


Yet Another Backup Drive Exposed To The Internet

Earlier this month I wrote about Stewart International Airport in New York leaving a backup drive exposed to the Internet without a password or encryption, exposing extremely sensitive information (see post here).

Now it has been revealed that an unnamed DoD officer, possibly a Lt. Colonel, had a backup drive with thousands of sensitive documents exposed to the Internet and unprotected.

The source article says that this would have been solved if the backup drive was protected by a password.  THIS IS NOT CORRECT.  I seem to recall that the DNC emails were protected by passwords.  That didn’t seem to help them.

In reality, that drive should not be accessible to the Internet, password or not. That is just too big a risk.  Maybe, if the backups were encrypted prior to being placed on the drive and the encryption key is both strong and stored offline, you would probably be OK, but why risk it?  In this case, none of that is true.

So what was on the disk drive?

  • Personal information of over 4,000 officers including names, addresses, Social Security numbers and rank.
  • A list of hundreds of officers who had top secret, SCI and Codeword clearances.
  • Contact information for staff and spouses.
  • Completed SF86 security questionnaires for two four-star generals.  This is the same type of information stolen from the Office of Management and Budget a few years ago.
  • A list of officers under investigation by the military.
  • Financial information including banking information.
  • A spreadsheet containing passport and contact information for high profile celebrities.
  • Gigabytes of email.
  • And other sensitive files.

This is the second time in recent months that the Defense Department has suffered a large data breach and the second time in recent weeks that a backup drive was known to be exposed.

How long this drive was exposed is unknown.  Since this was a personal backup drive, it is unlikely that there are any log files at all.

Consider this – how confident are you that the information that you are entrusted with is really being protected?  Trust – but verify.

My two cents.

Information for this post came from ZDNet.


DoJ Indicts 4 In Old Yahoo Breach

Today the Department of Justice announced the indictment of 4 in the 2013 Yahoo breach – three years after it happened.

Two of the people indicted are members of the Russian FSB.  Under Russian law, the FSB is part of the Russian military and responsible for, among other things, counterespionage.

The other two indicted are Russian hackers, hired, the DoJ says, by the FSB to do some of the dirty work.

As has already been reported, once a hacker has access to a user’s Yahoo mail credentials, that also gives them, similar to GMail, access to all of the other Yahoo services such as Flickr, Tumblr and others.

The FSB, the successor to the KGB, is responsible for counterespionage, among other responsibilities.

The DoJ says that the FSB wanted access to the Yahoo accounts of journalists, dissidents and U.S. government officials so that they could find out what they are up to and, alternatively, to blackmail them.

I wasn’t aware of this, but apparently the FSB has a bit of a capitalist leaning, even though they are Russian.  The FSB took what they wanted from the hack and allowed the hackers to use the rest of the data for their own thieving purposes.

One of the hackers was arrested in Moscow in December.  Needless to say, the Russians are not likely to turn him over to us.

One of the other people charged was in custody in Greece for some time but managed to make his way back to Russia.

The other hacker-mercenary was born in Kazakhstan but is a Canadian citizen.  He was arrested in Canada yesterday.  The Canadians will likely turn him over to the U.S. authorities.  He is likely the only one of the four that the U.S. will get their hands on.  UNLESS, one of them is stupid and decides to travel to a country more friendly to the U.S. than Russia.  Believe it or not, that has occurred on more than one occasion.

It is certainly possible that President Trump could add additional sanctions against Russia as President Obama did last year.  That is an option available to the U.S. if it chooses.

The indictments are also useful to let people know that even if the U.S. cannot capture the bad guys, they do have the ability, in a few very high profile cases, to spend the resources to identify the bad guys.  That might dissuade at least a few hackers who think that they might be caught.

In the grand scheme of things, most hackers understand that in 99.9% of the cases, unlike a case where 500 million accounts were hacked and another 1 billion accounts at the same company were later hacked, the FBI is HIGHLY unlikely to spend the resources to find the culprit, so they are reasonably safe.

As it is said, pigs get fat but hogs get slaughtered – in other words, keep your hack small enough to be below the interest level of the law enforcement establishment.

Since a large percentage of the bad guys hail from countries that are not terribly friendly with us – ones with which we do not have extradition treaties – the FBI likely calculates the odds of being able to actually lay their hands on the bad guys as part of the calculus of how much of their limited resources to expend tilting at windmills.  And the bad guys know this.  Of course, some of the hackers are in America and some of them do get caught.  However, as is the case with many other crimes, the crooks make a calculated assumption that THEY are not going to get caught, even if other crooks will get caught.

Unfortunately for us, in many cases the crooks are right and the odds are in the crook’s favor.  And definitely, the odds are, almost always, against the FBI.

Information for this post came from the Washington Post.


Hidden Backdoor Found In Another Chinese Network Gateway

The headline reads Hidden Backdoor Found in Chinese-Made Equipment.  Nothing New! Move Along!

That headline by itself should scare you.

Researchers found a hidden backdoor in a Double Technology GSM gateway used by telephone companies and VoIP providers.  DblTek is based in Hong Kong.

According to the security firm Trustwave, there is an account called Dbladm that is not listed in the documentation and that is allowed to telnet into the device with root (admin) access.

Unlike other manufacturer-supplied userids, which are listed in the documentation, this userid does not use a password which the user can change.  Instead, it uses a challenge phrase from which the user needs to calculate a response in order to log in.

So let’s see where we are right now.

#1 – Hidden userid, not in the documentation

#2 – User cannot change the password even if they found out the userid was there.

#3 – User cannot disable the account

#4 – the account uses a challenge rather than a password and the response to the challenge is pretty easy to figure out.

Once someone figures out the challenge response, they have full access to the device, can listen to traffic or use the device for other purposes such as launching a denial of service attack on other web sites.

In the “this would be funny if it wasn’t so scary” category, when the researchers told DblTek about the security hole, they didn’t remove it, they merely changed the algorithm to make the response a little harder to calculate.  Still easily hackable.
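Since the account cannot be disabled, the practical fallback is to watch for it. The check below is an added example, not part of the Trustwave report or the DblTek firmware: it scans telnet login log lines for any account that the vendor documentation does not list. The log format and the documented-account list are constructed assumptions; adapt the regular expression to whatever your gateway actually emits.

```python
"""Added example (not from the Trustwave write-up or the DblTek firmware):
flag telnet logins by accounts absent from the vendor documentation, the
pattern described above for the undocumented Dbladm account.  The log
format and the documented-account list are constructed assumptions."""
import re
from collections import Counter

# Constructed allowlist: accounts the vendor documentation actually lists.
DOCUMENTED_ACCOUNTS = {"admin", "operator"}

# Constructed syslog lines, in the shape a telnet daemon might emit.
SAMPLE_LOG = """\
Mar 20 01:02:03 gsm-gw-01 telnetd[412]: login user=admin from=10.0.5.10 result=ok
Mar 20 01:05:44 gsm-gw-01 telnetd[418]: login user=operator from=10.0.5.11 result=fail
Mar 20 02:17:09 gsm-gw-01 telnetd[431]: login user=dbladm from=203.0.113.7 result=ok
Mar 20 02:17:15 gsm-gw-01 telnetd[431]: shell uid=0 user=dbladm
Mar 20 03:40:00 gsm-gw-01 telnetd[455]: login user=DblAdm from=198.51.100.2 result=fail
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) telnetd\[\d+\]: "
    r"login user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>\w+)$"
)

def parse_logins(text):
    """Yield a dict per telnet login line; lines of other shapes are ignored."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()

def undocumented_logins(text, documented=DOCUMENTED_ACCOUNTS):
    """Login attempts (any result) by accounts not in the documented list.
    Names are compared case-insensitively so 'DblAdm' and 'dbladm' both match."""
    known = {d.lower() for d in documented}
    return [
        (e["ts"], e["user"], e["src"], e["result"])
        for e in parse_logins(text)
        if e["user"].lower() not in known
    ]

def successful_undocumented_sources(text, documented=DOCUMENTED_ACCOUNTS):
    """Source addresses that actually obtained a session on an undocumented account."""
    return Counter(src for _ts, _user, src, res in undocumented_logins(text, documented)
                   if res == "ok")

if __name__ == "__main__":
    for hit in undocumented_logins(SAMPLE_LOG):
        print("undocumented account login:", hit)
    print("sessions from:", dict(successful_undocumented_sources(SAMPLE_LOG)))
```

Feed it your own syslog export and anything not on the documented list, successful or not, comes back; a successful hit from an address outside your management network is the case worth paging on.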

So why does the headline say NOTHING NEW?

Researchers have already found similar back doors in MVPower DVRs, RaySharp DVRs, Dahua DVRs, AVer DVRs and Foxconn firmware used in some (cheap) Android phones.

And remember, just because the equipment has a name brand on the face plate does not mean that there isn’t some nosy Chinese software in it under the covers.

In 2012 a former Pentagon analyst told the media that China had backdoors in the equipment of 80% of the world’s telecoms.

Think about that for a minute.  The Pentagon says that the Chinese can listen to traffic from 80% of the world’s telecoms.

So why would you buy Chinese equipment for your network?

One word.  Price.

Just consider that you are getting a little extra value with your purchase.

A Free (no extra charge) backdoor.

So when you are considering buying network and computer equipment, dig a little deeper, ask more questions, do some research.  It might just help you keep the Chinese out of your stuff.

Information for this post came from Bleeping Computer.
