Phishing? Pharming? Don’t these guys know how to spell?

Network World wrote about an interesting attack that is – at least in this case – very simple to fix.

First, what is pharming?  When you type a web address into your browser, you are trusting the browser to actually take you to that site.  What if it really sent you to a page designed to look very much like the real one, except that it loads malware on your computer, or captures the userid and password for your banking site?

In this particular attack, the attacker sent out a batch of phishing emails.  If the user clicked on the link, it took them to a site that attacked their home Internet router.  From there, the malware tries the router's default userid and password, and if the user has not changed the password, the malware is able to change the router's configuration.  Specifically, it changes the setting for what is called the DNS server.  DNS is the part of the Internet that converts the web site name you type into your browser into the numeric addresses that the Internet actually uses.

For example, if I type in WWW.WELLSFARGO.COM, what my browser actually needs is the numeric IP address behind that name.  The DNS server does this translation.

What the malware does, in this case, is change the DNS server from your Internet provider's server to one controlled by the hacker.  Now, if the hacker wants to stand up his own look-alike Wells Fargo web site, he can, and your browser will happily send you there.  This address translation is used by your email and almost every other form of Internet traffic, not just web browsing.
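To make the DNS part concrete, here is an added example (mine, not code from the Network World article or from the original post) that builds a raw DNS query, parses the A records out of the reply, and flags a resolver whose answer has nothing in common with an independent reference resolver.  The `query` function sends the question over UDP to whatever server you name, so you can ask your router's address and a public resolver the same question and compare.  The reply bytes in `SAMPLE_RESPONSE` are constructed here so the parser can be exercised offline; the addresses in them are documentation ranges, not real answers, and the router and resolver addresses in the usage comment are assumptions.

```python
"""Added example: raw DNS A-record lookups, used to compare what your router's
resolver says against an independent resolver. Not code from the original post."""
import secrets
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a one-question DNS query (random transaction id, RD=1)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2  # the name field in the record ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(resp: bytes) -> set[str]:
    """Return the set of IPv4 addresses in the answer section of a DNS reply."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):            # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4                         # QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        _, off = _read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen                     # CNAME and other types are skipped
    return addrs


def query(server: str, name: str, timeout: float = 2.0) -> set[str]:
    """Ask `server` (UDP/53) for the A records of `name`. Needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return parse_a_records(resp)


def suspicious_servers(reference: set[str], answers: dict[str, set[str]]) -> list[str]:
    """Servers whose answers share no address with the reference resolver.

    Caveat: CDN-fronted sites legitimately hand different addresses to
    different resolvers, so a hit is a prompt to check the router's DNS
    setting and the site's TLS certificate, not proof of pharming.
    """
    return sorted(s for s, ips in answers.items() if not ips & reference)


# Constructed reply for www.example.com with two A records (documentation
# addresses from 203.0.113.0/24), so the parser can be exercised offline.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
_QUESTION = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _rr(ip: str) -> bytes:
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(ip)


SAMPLE_RESPONSE = _HEADER + _QUESTION + _rr("203.0.113.10") + _rr("203.0.113.11")


if __name__ == "__main__":
    # Offline: parse the constructed reply.
    print("sample answer:", parse_a_records(SAMPLE_RESPONSE))
    # Online (assumed addresses): compare the router against a public resolver.
    # ref = query("8.8.8.8", "www.wellsfargo.com")
    # print(suspicious_servers(ref, {"192.168.1.1": query("192.168.1.1", "www.wellsfargo.com")}))
```

If the router's answer for your bank is disjoint from the public resolver's, the next things to look at are the DNS server field in the router's admin page and the certificate the bank's site presents; a pharming site cannot present a certificate chaining to a trusted root for the real bank's name unless your trust store has also been tampered with.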

The hacker could achieve the same result by hacking your Internet provider's DNS servers, but those are likely well protected, while your home router is not.  In addition, your Internet provider will eventually detect that its DNS server has been hacked, while you will likely never notice that your home router's settings have been changed.

Being able to change your DNS server address is joyful for the hacker and really sad for you.

This particular attack depends on two things.  First, a bug in your home Internet router that has not been patched, and second, the fact that the vast majority of people never change the default password that came with the router.

All you need to do to thwart this – and a whole bunch of other – attacks is change the router's default password (and, while you are in the admin page, install the router's firmware update, since the attack also relies on an unpatched bug).  While this won't make you younger, better looking or richer, this simple change will help keep the bad guys out.

Changing the password also applies to any other Internet connected device that you have in your home – TV, refrigerator, washer.  It is amazing what is connected to the Internet these days.  All of those smart devices sit on the same network as your laptop or the nanny cam that is watching your baby.  Hack your refrigerator and they have a toehold on the rest of your network.  That is essentially how the Target and Home Depot attacks started: in both cases the attackers got in with a third-party vendor's credentials and then moved from that foothold into the payment systems.  Seriously.  So, if you have not changed the password of every Internet connected device since it came out of the box, I recommend you do so now.



China Stops Buying Western Brands

Reuters is reporting that the Chinese government has removed a number of Western technology vendors products from the approved list.

Whether this is due to Western surveillance or just due to their desire to support local companies is not clear – they are not saying.

What they are saying is that Chinese companies “offer more product guarantees than overseas rivals”.  Translating that: we can look at their code and hardware to see if we like it.

Cisco used to have 42 products on the approved list.  Now they have none.  Bloomberg reports that Cisco did about $2 Billion in sales in China out of about $48 billion worldwide.

Apple and Intel have also been dropped off the approved list.  In fact, the number of Western companies has fallen by one third and the number of Western companies selling security products has fallen by half.

There are many very smart Chinese engineers.  For the government to use their smarts with the government’s money to control the software and hardware that secures their infrastructure makes perfect sense.

Microsoft is off the list as well, but since most Microsoft software used in China is pirated, that probably won’t impact usage of Microsoft products.

This is a bit of a double whammy.  Obviously it impacts sales for companies like Cisco.  Cisco has announced it will lay off around 6,000 employees, or 8 percent of its workforce, this year.  That will have a ripple effect on the economy.

The other part is that the NSA has already figured out how to hack Cisco products, so now they have to go back to work to figure out how to hack the Chinese products.  The good news is that this is likely not hard since many Chinese network products look like a clone of Cisco gear.  If you put a network engineer in front of some Chinese network equipment, they would not know that they are not working on a piece of Cisco gear. 🙂



Gemalto Attack – We Don’t Really Know

I wrote a couple of days ago that The Intercept reported that the SIM and banking card maker Gemalto was hacked by GCHQ and NSA.

Well, now, after just a couple of days, Gemalto says not to worry, everything is cool.  Paraphrasing their statement: we looked at our logs, and while GCHQ might have gotten into our corporate network, we don't see anything in the logs showing they got into the part of the network where SIM cards are stored, and anyway that would not affect 3G and 4G networks.  Note that they did not say that GCHQ did not get in – just that they don't see anything in the logs to that effect.

In addition, they said their security is so good that even GCHQ with NSA's help could not get in.  Really?  The only network for which that is true is one that is not connected to anything.  Ever.  And I am not sure about that.  Think about the Stuxnet attack on Iran.  That network was not connected to the outside world, and it was still reached with a couple of thumb drives.

As the cryptographer and privacy advocate Bruce Schneier said (see article):

“It makes no sense that in a couple of days they are anything resembling confident that the NSA didn’t break their security. An NSA attack would be undetectable,” Schneier says. Plus, it takes weeks to fully investigate attacks, not days, says Schneier, who is CTO of Co3 Systems.

After all, if you take a group of master hackers like those in NSA’s TAO (tailored access operations) group, surely, you could just look at the logs and see “Kilroy was here”. NOT!

I appreciate that they need to do damage control to salvage the mess that they were placed in by the NSA and maybe what they are saying they actually believe, but to think that in a few days they can definitively say that GCHQ or the NSA was not in here is pure bull.

I suspect we will see more.


Florida Law Enforcement Makes Significant Use Of Stingray Cell Phone Interceptors

As I have reported before, more law enforcement agencies are using cell phone interceptors to obtain evidence of crimes.  This is not particularly surprising given how important cell phones are in our lives – they are likely just as important in the lives of bad guys.

What is interesting is the secrecy surrounding them.

In a recent Florida case, reported here, prosecutors agreed to 6 months of probation instead of 4 years in jail for a defendant accused of the armed robbery of a drug dealer, rather than reveal the Stingray to the judge and defense attorney.

The Florida Department Of Law Enforcement has spent $3 million buying Stingrays from Harris Corporation and has agreements with 11 police departments to loan the devices out to them.

According to a Freedom of Information Act (FOIA) request, Florida cops used Stingrays 1800+ times between 2007 and 2014.  To me, that is not a huge number of uses.  Miami said they used the Stingray in 59 closed cases;  Tallahassee said they used it 250 times.

Here is the bigger deal —

In many cases, the police either did not seek a court order to use the devices at all, or asked the court only for permission to use unspecified electronic surveillance.  Of the sample requests reviewed in the FOIA response, not one mentioned the use of a Stingray.

How could a judge make an informed decision about approving the use of a Stingray if (a) they are not even told that one is going to be used and (b) they have no idea how it works?  (See this Washington Post article for an explanation of how they work.)

Many of the FOIA requests went unanswered, so we really don’t know how widespread the use really is.

Not a single department produced a policy on how the Stingrays could be used or not used.

Given that the use of Stingrays is being actively hidden from judges – to the extent of letting criminals walk rather than tell judges about the Stingrays – and given that no Florida law enforcement department produced a policy on their use, this looks like a problem in the making.

If you are not familiar with a Stingray, they are not precision devices (think of a bomb rather than a handgun).  They impersonate a cell tower, so every phone in range – good guy or bad guy – attaches to them, and they snarf up whatever passes through: phone calls, text messages, numbers called, etc.

In the absence of any rules, how is that data managed?  Do they delete data not related to the search warrant?  How long do they keep it?  Who do they share it with?  Under what rules?

This is a bit of a stretch, but could a cop who is in an unhappy relationship, use a Stingray to track his spouse or significant other?  In the absence of rules, it certainly would be possible.

And, since you or I would have no idea that it was being used, we would never know.

The good news is that more information is coming out about Stingray use (the Stingray is just one model in a category of devices; Stingrays are made by Harris Corporation, and other companies make them too), so I suspect this is a problem that will be resolved, hopefully, in the next, say, 3-5 years, but only if we keep the pressure on.

This tech comes out of the creation of what is commonly called a “cell site in a box” for the military so that they can create a cell coverage bubble for troops out in the field.  This way they can talk directly to each other without needing to have expensive military radios in a place where no communications exist.  These things fit in a small suitcase and can easily be carried by one person.

With the police hiding the use of Stingrays from both judges and the public, the only assumption we can make is that the devices are being misused.

Law enforcement says that they don’t want the crooks to know that they are using the devices.  Sorry, except maybe for the corner drug dealer selling dime bags, every crook knows about Stingrays.  I even see some for sale online.  I would be extremely surprised if organized crime doesn’t own some of them for their own purposes.  The cat is out of the bag;  give it up.

It is time for the cops to come out of the closet regarding the use of cell site simulators.

Some information for this post came from this article.


Microsoft 1, Lenovo 0 (or minus 1?)

Lenovo is getting more than its share of attention these days.

Microsoft has released an update to its free Windows Defender anti-malware software that classifies the Superfish adware preinstalled on Lenovo laptops as the malicious software that it is, removes the Superfish root certificate from the Windows certificate store (which is the hard part, so yay, Microsoft – and I don't say that very often) and gives you instructions for removing the Superfish software.

Lenovo is now in hyper damage control mode and likely will be for a while.

There are plenty of other brands out there – perhaps choosing a brand that is not controlled by the Chinese government/military might be a wise move anyway.  I know that Lenovo claims that it is not controlled by the government, but what would you expect them to say?


2014 Breach Report – Over A Billion Records Exposed

Risk Based Security released their 2014 data breach report (available here) with some impressive numbers.  I am just going to highlight a few;  read the report if you would like more details.

  • 3,014 data breach incidents (up 28.5%)
  • 1.1 Billion records breached (up 22.3%)
  • 72.5% of the incidents released less than 10,000 records
  • 55.3% of the incidents released less than 1,000 records
  • 83.3% were lost due to traditional hacking, with fraud and social engineering making up another 14.3%, so the breaches are overwhelmingly malicious (out for the money).
  • There were 5 incidents in the all time 10 worst list

To have breaches go up by around 25% year over year is not a good sign.  That 55% of the breaches released less than a thousand records and 72% released less than 10,000 records supports other statistics showing that small and medium businesses are the targets of hackers.  It is consistent with First Data's figure that 70% of breaches are against small and medium businesses.

That there were 5 breaches that made the all time top 10 list is unfortunate, and they include several you probably have never heard about (the NYC taxi commission released 173 million taxi trip records).

The message is that just because you are not Home Depot or Sony, it doesn’t mean the hackers are not coming after you.