The Wild Neutrons Are Coming

Following on from yesterday’s United Airlines post, both Kaspersky and Symantec are reporting about a hacking group that is not interested in stealing credit cards.  Instead, they are stealing corporate secrets for financial gain.  Whether they are using them for insider trading or selling them to the highest bidder, the group, whom Kaspersky calls Wild Neutron, is very good at what they do.

The group has been around since at least 2011, but came into the spotlight in 2013 with attacks against Microsoft, Apple, Facebook and Twitter, using a watering hole attack.  A watering hole attack does not go after the target directly; it compromises a site that the intended victims already visit (in the 2013 case, a forum for iPhone developers) and plants malware there.  When the water buffalo (employees) come to the watering hole (infected site), their computers are infected (animals die).  This particular attack used a zero day Java vulnerability, so a fully patched browser would not have saved the visitors.

The group went dark for a little while after this attack was disclosed, but came back into the spotlight in 2014 with attacks on a wide range of industries: healthcare, legal, real estate, technology, investment firms and firms involved in mergers and acquisitions.

Symantec says that their investigation uncovered attacks on 49 companies in 20 countries.  Kaspersky also tied this group to a stolen Acer code signing certificate, which was used to sign the group’s malware so that it looks like legitimate software.

The group has been able to keep their shields up, so neither research group has a lot of information about them.  They do say that they do not think they are state sponsored.

From the hacker’s viewpoint, this methodology can be very successful for a number of reasons.

Unlike credit cards, where the very first fraudulent use is likely to raise alarm bells at the card issuer, stolen corporate trade secrets produce no such signal, so likely no one will know.  In addition, breach notification laws cover personal information, not trade secrets, so companies are not required by law to disclose this type of theft, and the victim companies are likely to stay silent to avoid being embarrassed.

If the victim companies do not disclose that valuable process, engineering, manufacturing or financial data has been compromised, they will also avoid shareholder and class action lawsuits – another reason these attacks stay in the shadows.

That is, of course, if the victim is even aware that they have been hacked.  Many companies discover their credit card system has been hacked only when they receive a call from Visa or a visit from the FBI; there is no equivalent outside party watching for stolen engineering documents.  It is highly likely that this group is outside the U.S. and in a country unfriendly to us.  If they were, for example, in Russia, and were somehow discovered by the authorities, it is more likely that the authorities would ask for a cut than shut the group down.  After all, what’s in it for them to shut down a group that is hacking U.S. companies?

For businesses, this is a much harder class of attack to detect, because there are no external tell tale warning signs: no card brand sees the fraud and no bank calls.  Looking at the attack itself, the techniques, and therefore the defenses, are no different from those used in credit card attacks; what is missing is the outside alarm.

For a business, this means that they are much less likely to know that they have been had.


Undisclosed United Airlines Attack Revealed

We are so used to breaches in the news that we are blind to the likely far larger number of breaches that never make the news.  In this case, United Airlines was hacked, likely by the same Chinese group that hacked OPM and Anthem.  Bloomberg is reporting that the attackers stole passenger manifests, among other data, and that they may have been inside United’s network for months or longer.  A “look alike” domain of the kind often used for spear phishing was registered in April of last year.

Since a passenger manifest would not fall in the category of data that a company is required to disclose if breached, United likely would try to keep things quiet.  Unfortunately for United, there likely are employees who don’t think keeping that kind of thing quiet is the right thing to do.

United is a large vendor to the government and certainly being able to figure out who from the government was in some given place at the same time as other people might allow foreign spies to figure out who is working with whom.  For groups like the NSA and CIA, they would prefer that kind of information not fall into unfriendly hands.

If you assume that the purpose of this incursion is a test run to see if they can get in and stay in undetected – so that they can come back later and do something more sinister – that is still not good.   True, United will likely try to tighten things up, but commercial companies are usually not willing to deal with the heat from employees over the tightening.

I was in a meeting today and spoke to a participant who worked for a large defense contractor.  I was highly impressed with how seriously they took security.  As an example, if you had a laptop and you had access to certain classes of sensitive information, you cannot take that laptop and use it anywhere except at a company facility.  If you wanted to work at home or travel, they provide you with another clean laptop that has none of your data on it.  If you need to travel with a subset of your data on that laptop, you have to fill out paperwork explaining why and get approval to do that.  Do you think that most companies have the guts to do that?  I don’t think so.  And that is just one example of what they do.

Unless the laws change – and I don’t anticipate that happening any time soon – these types of breaches will typically remain undisclosed and we will likely have a very incomplete view of how bad things really are.

As another example, if your law firm is hacked and all of your company’s confidential communications are stolen, there is no LAW requiring the law firm to tell you.  Since they are likely to get fired if you find out, they might not tell you.  Assuming they even know that they were hacked.  IF there is language in your contract with the law firm that requires them to disclose it AND if there are significant penalties associated with not telling you if they are caught failing to disclose, then they likely will disclose it.  Again, assuming they even know.  I am picking on law firms only because they are a hot target right now and often do not have very strong defenses, but this would equally apply to any firm that has copies of your sensitive data.

What does appear to be clear is that some hackers, likely affiliated with the Chinese, are hell bent on collecting LARGE quantities of data (think Anthem, OPM and now United) for the purpose of building profiles on people of interest and cross correlating that data.  What is less clear is what they plan to do with that data.  Likely, it is not to send out birthday cards.

Information for this post came from SC Magazine and Bloomberg.

Microsoft’s Newest Security Nightmare – WiFi Sense

With Windows 10 (and previously, Windows Phone 8.1), Microsoft has created a way for you to share WiFi passwords without revealing them – sort of.  In my opinion, and in the opinion of a lot of other security professionals, this is a complete security disaster.    There are some things that you can do to mitigate the security disaster, but you should not have to.


First, what did they do?  With WiFi Sense turned on, you have the ability to share the password of WiFi networks that you connect to with your Facebook friends, Skype buddies and Outlook.com contacts.  Microsoft does it behind the scenes: the password is uploaded to Microsoft’s servers, stored there in encrypted form, and pushed down to your contacts’ Windows 10 devices when they are in range of the network, which then join it without the password ever being displayed to them.

You can control whether you share it with your Facebook, Skype, Outlook.Com and Hotmail contacts but ONLY at the SERVICE level.  If you say yes to Facebook, then you are agreeing to share it with all 7,429 of your Facebook friends.

I have seen reports that it is enabled by default and other reports that it is disabled by default and still other reports that it is enabled if you specify express setup.

It is also unclear what happens if you disable WiFi Sense but someone that you gave your WiFi password to has it turned on: does YOUR WiFi password get shared?  They don’t answer that question.  I suspect the answer is yes.

You can opt your network out of this, but in order to do that, you have to rename the network.  Microsoft’s rule is that the network name (SSID) must contain _optout; if your WiFi name is MitchsWifi, you have to rename it to MitchsWifi_optout.

Microsoft CLAIMS that people who receive your WiFi password won’t be able get to your internal computers, only the Internet.  I believe that about as much as I believe the federal budget will be balanced next year.

If you also don’t want Google to map your WiFi (Google collects access point names and locations to improve its geolocation service), you have to add _nomap, which Google requires at the very end of the name.  If you don’t, your access point’s location ends up in Google’s location database.  Putting the two together, if you don’t want either Google or Microsoft to “help you out”, you would have to name your WiFi MitchsWifi_optout_nomap, with Microsoft’s tag in the middle because Google’s has to be last.  That sure is friendly.

One other thing.  If the hotspot has a captive portal, Microsoft will also fill in the standard questions it asks, like your name and email, and accept the terms of service for you.

The last one is really cool.  What happens if Microsoft does accept the terms of service for you and you do something really evil?  The owner finds out and says that you violated the agreement and does whatever they can do, like take your first born child.  You say that not only did I not agree to those terms of service, I never even saw them.  I believe (and believing anything when it comes to the law is always dicey) that the court would say that there was no way for someone to be bound to the terms of an agreement that they never saw or even had reason to know existed, since many WiFi hotspots do not present a terms of service agreement.  I hope, maybe, that it just fills in the blanks but doesn’t click enter.

Finally, if you have it enabled, you could be connected to any number of seamy WiFi access points without being aware of it, since WiFi Sense also connects automatically to “suggested” open hotspots from a crowd-sourced list.  If one of those access points infects your computer, is Microsoft liable?  Interesting question.  After all, you did not actively do anything to connect to that access point; Microsoft did it, kind of, without your knowledge or approval.  Microsoft, I am sure, would say that you turned on WiFi Sense, so you are responsible.  But, if WiFi Sense is turned on by default in any of the cases above, then that logic doesn’t hold.  Think of this as more work for lawyers!

So what can you do?  Unfortunately, nothing easy for the owner of the network, because the sharing happens on somebody else’s Windows 10 machine.  On machines you do control, the feature can be turned off under Settings, Network & Internet, Wi-Fi, Manage Wi-Fi settings (the two “Connect to…” switches); for a fleet, Microsoft exposes the same switch as a registry value intended for OEMs (AutoConnectAllowedOEM = 0 under HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config) and as a WLAN Service group policy setting, so it can be pushed rather than asked of each user.

If you are a business and your WiFi reaches your internal network on a shared password, that is probably the most serious situation: one employee ticking the share box hands the office network to every one of their contacts.

Some tips:

1. Rename your WiFi network (SSID) to include _optout.  Not my first option, since it puts the burden on every network owner in the world, but it is what Microsoft offers and it is supposed to work.

2. Restrict access to your WiFi by MAC address.  This is a SERIOUS pain in the tush, and it only stops the accidental case: MAC addresses are transmitted in the clear, and anyone who wants in can set their adapter to an allowed address in seconds.  This falls into the “don’t try this at home” category – unless you are a geek.

3. Put a second factor in front of network access.  WPA2 with a shared password has no notion of a second factor, so in practice this means a captive portal or a VPN that demands a one-time code before anything on the internal network is reachable.  Certainly for businesses, this is a good idea anyway.

4. For businesses, enable 802.1X authentication (often called RADIUS, after the server that does the checking), otherwise known as WPA2-Enterprise.  Each user or device authenticates with its own credentials or certificate, so there is no single password to leak, and Microsoft’s FAQ says WiFi Sense does not share 802.1X networks at all.  Way more secure than a shared password.

5. Put WiFi on its own network segment (a guest VLAN) with no path to your internal network (where your PCs, laptops and servers live).  This is easier for businesses, but with all the Internet of Things non-security, home users are going to need to start doing this also.  This does not handle the case where you need WiFi on your internal network for other reasons.  Then you have to resort to one of the other options.

Microsoft has an FAQ page here.  It isn’t great, but it does answer some questions.

Information for this post came from Krebs, among other sources.

Why NOT Reading Those License Agreements Can Be Hazardous

After the Ashley Madison breach, CNN read through the Ashley Madison license agreement.  Here are a few tidbits from their reading of the agreement.

1.  They can sell your personally identifiable information in connection with the sale of the business or sale of the assets.  If this was Facebook, we might not care.  If we are cheating on our spouse, we might.

2. You have to provide accurate information like name, age and financial information.  Of course, I am not sure that they have any way to know unless you mess up.

3. They cannot ensure the security or privacy of your information.  Nice.  How’s that for an out?  You have to give them all this truthful information but they don’t guarantee that they will protect it.

4. While they repeatedly say they won’t share your data with marketers, they don’t guarantee that they won’t disclose the information they collect “to third parties”.

5.  They say that they will not be liable to you for any damages – even if they disclose your private data.

You may have noticed that there have not been any lawsuits filed.   For one thing, they are not a U.S. company.  For another, given this agreement that their customers willingly accepted, they did not break any promises or tell any lies.

The Federal Trade Commission likely does not have jurisdiction.  Unless they can be shown to have broken any U.S. or Canadian laws, they will likely get off scot-free.

Which is why reading those crappy license agreements might be more important than you think.

Information for this post came from CNN.

Smartwatches Fail Security Test

HP’s security folks (HP Fortify) tested the security features of 10 smartwatches along with their cloud and management infrastructure, and the results, while not surprising to me, are disappointing.

Smart watches are in their infancy; the compute power is relatively limited and, as is usually the case, features win out over security.  The question to ask is whether the security will mature before the devices go mainstream.  The watches tested include both Apple iOS and Google Android based devices.  Here are some of the findings:

  • None of the devices supported two factor authentication, which is quickly becoming the standard for protecting sensitive information.
  • None of the interfaces locked out an intruder after multiple failed logins, meaning an attacker can brute force the password.
  • 40 percent of the connections to the cloud accepted weak ciphers or outdated SSL versions.  I would guess this is to reduce the amount of computing power required.
  • 70 percent had security related firmware vulnerabilities.
  • In 90 percent of the cases, communications were easily intercepted.
  • In 70 percent of the cases, watch firmware was transmitted without encryption.

While none of this is surprising, as I said above, it does mean that people should consider how they use and how they physically protect their smart watches.  It also means that users should be more

Since watches don’t have big hard disks (yet), they are dependent on the cloud as a source of storage.  That means that, if the watch is compromised, your cloud account, and whatever the watch’s credentials can reach in it, could be compromised as well.

Information for this post came from Dark Reading.

Stagefright – The Heartbleed For Android


Stagefright (libstagefright) is the Android media engine that parses and plays audio and video files, including the attachments in multimedia messages.  It has been part of Android since version 2.2 (Froyo).  That means the potential exists to affect around 950 million Android phones.

The bugs (there are several of them, in the code that parses media files such as MP4) that researchers have discovered are really nasty because at least one of them does not require the user to do anything to infect the phone, and all the attacker needs to know is your phone number.  Most messaging apps retrieve MMS attachments automatically, so an attack could be constructed where the attacker sends you a multimedia message, the phone’s media engine parses the attachment and is taken over, and the malware deletes the message before you even see it.

The researcher will be presenting his findings next week at Black Hat.  Even if he does not lay out a “connect the dots” level of instructions, it won’t take more than a few days for the hackers to figure things out.  Remember, the code is open source.  That is good news/bad news.  Other hackers can look at the code too, and the fixes that land in the open source tree point straight at the vulnerable lines, so they can try to figure out the same thing that this researcher did.  Someone will be successful and publish it underground.

Before everyone gasps, newer phones (Jelly Bean, 4.1 and later) are LESS susceptible to Stagefright because Google added address space layout randomization (ASLR) in 4.1, which makes turning a memory corruption bug into reliable code execution harder, but that still leaves several hundred million phones that are completely vulnerable and many will never be patched.  And that does not mean that newer phones are completely off the hook – it is just harder.

And, it depends on the particular apps on the phone.  On one version of Messenger, on a Galaxy Nexus, you had to open the message for the exploit to trigger.

So far, Google has released patches to SEVEN vulnerabilities reported to them and they did that in a couple of days.

For all phones, if the exploit is triggered, the attacker runs inside the media server process, which has permission to read your pictures and videos and to use the phone’s microphone and camera.

Worse yet, some phones such as the Samsung S4 and LG Optimus Elite, run the exploitable process with system level privileges, meaning that if one of those phones is attacked, the hacker has full run of the phone.  You don’t want to hear my thoughts on that decision.
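To make the bugs above concrete, here is an added example, written for this post and not taken from libstagefright: the unchecked size arithmetic pattern that several of the Stagefright bugs share, next to the checked form.  An MP4 file is a sequence of “atoms”, each starting with a 4-byte big-endian size (which counts the header itself) and a 4-byte type, followed by the payload.  A parser that keeps the data it has already collected for a track and allocates have + chunk_size for the next atom will, on the 32-bit phones of the day, compute that sum in a 32-bit size_t; a size field chosen by the attacker makes the sum wrap, the allocation comes out tiny, and the copy of the old data into it runs off the end of the heap.  The atom type “exmp” and both sample buffers are constructed for the demonstration, and uint32_t stands in for the phone’s 32-bit size_t so the wrap reproduces on a 64-bit host.  Nothing is actually overwritten; the code only computes what the vulnerable parser would have done.

```c
/* Added example, not libstagefright's code: the unchecked size arithmetic
 * behind several Stagefright bugs, beside the checked form.  Atom layout:
 * 4-byte big-endian size (covering the header), 4-byte type, payload.
 * The "exmp" type and the sample buffers are made up for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ATOM_HEADER 8u

/* Phones of the day had a 32-bit size_t; uint32_t reproduces that wrap
 * on a 64-bit host so the example behaves the same everywhere. */
typedef uint32_t phone_size_t;

typedef struct {
    phone_size_t alloc;    /* bytes the parser would allocate */
    phone_size_t overrun;  /* bytes its memcpy of old data would write past that; 0 if none */
} chunk_plan;

/* Vulnerable pattern: allocate have + chunk_size, then copy the `have` bytes
 * already collected into the new buffer.  If the sum wraps, the buffer is
 * tiny and the copy of old data runs off the end of the heap allocation. */
chunk_plan plan_unchecked(phone_size_t have, phone_size_t chunk_size) {
    chunk_plan p;
    p.alloc = have + chunk_size;                          /* wraps modulo 2^32 */
    p.overrun = (p.alloc < have) ? (have - p.alloc) : 0;  /* what the memcpy would smash */
    return p;
}

/* Checked form: refuse before allocating when the sum cannot be represented.
 * Returns the allocation size, or -1 for a malformed chunk. */
int64_t checked_alloc(phone_size_t have, phone_size_t chunk_size) {
    if (chunk_size > UINT32_MAX - have)
        return -1;
    return (int64_t)have + chunk_size;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the atoms the hardened way, accumulating how much data the parser
 * would be holding.  Returns that total, or -1 on the first malformed atom:
 * a size that would wrap the allocation, a size smaller than its own header
 * (real MP4 gives sizes 0 and 1 special meanings; treated as malformed here),
 * or an atom that claims more bytes than the buffer has. */
int64_t walk_atoms_checked(const uint8_t *buf, size_t len) {
    phone_size_t have = 0;
    size_t off = 0;
    while (off + ATOM_HEADER <= len) {
        uint32_t chunk_size = be32(buf + off);           /* attacker-controlled */
        if (chunk_size < ATOM_HEADER) return -1;
        int64_t next = checked_alloc(have, chunk_size);  /* the check the fix adds */
        if (next < 0) return -1;
        if (chunk_size > len - off) return -1;
        have = (phone_size_t)next;
        off += chunk_size;
    }
    return have;
}

/* The same walk as the vulnerable parser would do it: returns how many bytes
 * the first wrapping atom would overrun, or 0 if the file is harmless. */
phone_size_t first_overrun_unchecked(const uint8_t *buf, size_t len) {
    phone_size_t have = 0;
    size_t off = 0;
    while (off + ATOM_HEADER <= len) {
        uint32_t chunk_size = be32(buf + off);
        if (chunk_size < ATOM_HEADER) return 0;
        chunk_plan p = plan_unchecked(have, chunk_size);
        if (p.overrun) return p.overrun;
        if (chunk_size > len - off) return 0;
        have = p.alloc;
        off += chunk_size;
    }
    return 0;
}

/* Constructed inputs, not real media files. */
static const uint8_t benign_atoms[] = {
    0x00,0x00,0x00,0x10, 'e','x','m','p', 1,2,3,4,5,6,7,8,   /* 16-byte atom */
    0x00,0x00,0x00,0x0c, 'e','x','m','p', 9,10,11,12,         /* 12-byte atom */
};
static const uint8_t hostile_atoms[] = {
    0x00,0x00,0x00,0x20, 'e','x','m','p',                     /* 32-byte atom: have becomes 0x20 */
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,
    0xff,0xff,0xff,0xf0, 'e','x','m','p', 0,0,0,0,0,0,0,0,   /* 0x20 + 0xfffffff0 wraps to 0x10 */
};

int main(void) {
    printf("benign:  checked=%lld overrun=%u\n",
           (long long)walk_atoms_checked(benign_atoms, sizeof benign_atoms),
           first_overrun_unchecked(benign_atoms, sizeof benign_atoms));
    printf("hostile: checked=%lld overrun=%u\n",
           (long long)walk_atoms_checked(hostile_atoms, sizeof hostile_atoms),
           first_overrun_unchecked(hostile_atoms, sizeof hostile_atoms));
    return 0;
}
```

The point of the checked version is where the test sits: before the allocation, on the raw size field, with the comparison written as chunk_size > UINT32_MAX - have so that the check itself cannot overflow.  Checking after the addition (“if the sum is smaller than have”) also works for this one case but is easy to get wrong once the parser promotes one operand to 64 bits and not the other, which is exactly the mixed-width arithmetic these media parsers are full of.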

Now on to an old rant.  Even though Google has released the patch, they release it to the phone manufacturers.  The phone manufacturers need to test it to make sure that the patches don’t break any of their valuable bloatware (as one article put it somewhat inelegantly).  Depending on the manufacturer, that could take days or weeks.

Next the phone manufacturer needs to release it to the carrier.  The carrier needs to test it with their bloatware. That usually takes months.

Assuming the phone is still supported at all.


Google really needs to put its foot down here and force everyone to deal with this reality going forward.  I am not counting on that, however.

Hopefully, with all of the press this is receiving, the carriers will be worried about getting sued for not timely closing vulnerabilities that were well known and for which there were patches readily available.  We will see.


Information for this post came from Dark Reading and Forbes.