The Problem With Buying Chinese Electronics

Electronics made in China are often less expensive than products sold by western companies such as Cisco and Juniper.  But there may be a cost associated with that price.

The Chinese security firm Boyusec is working with the Chinese Ministry of State Security intelligence service in conducting cyber espionage, according to the Pentagon.  This would not be a surprise except that they are also working with the Chinese network equipment manufacturer Huawei that the Pentagon banned from DoD purchasing a few years ago.

While Huawei denies this, the Pentagon says that Huawei/Boyusec is putting back doors in Huawei networking gear so that the Chinese can spy on purchasers of Huawei equipment.  In addition to spying on customers’ phone and network traffic, these backdoors also allow the Chinese to take control of the devices – likely to subtly reprogram them for even more effective spying.

This follows a report earlier this month that software was found on more than 700 million phones, cars and other smart devices that was manufactured by Shanghai Adups and used by Huawei, among others.  The software phoned home every three days and reported on the users’ calls, texts and other data.  Another Chinese technology manufacturer, ZTE, also uses the software.

The moral of the story is that you should consider the reputation of the vendor that you are considering prior to making your purchase decision.

Sometimes that vendor is hard to detect.  Take those security web cams that took out Amazon and hundreds of other companies last month: their software and internal parts were made by a vendor that didn’t care about security, but that vendor’s name was not on the outside of the cameras, which were sold under many different brand names.

Unfortunately, those vendors are price sensitive, so if they can find software for a few cents per device sold, they may decide to use it and not ask any questions about security.  After all, there is no liability in the United States if a company sells a product with poor or even no security.  That is up to the customer to figure out. 99% of the customers have no idea how to figure out whether a web cam or baby monitor is secure.  Unfortunately, what is needed is for companies to be held accountable for the security of these products.  This doesn’t mean that they should be clobbered for every bug found, but if they are ignoring reasonable commercial security practices, well, then, that might be a different story.  My two cents, for what it is worth.

Information for this post came from the FreeBeacon.

US Cyber Command Spends 90% on Offensive Cyber

Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.

Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how.  Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.

Given the resources at John Chambers’ disposal, Cisco reassigned teams of engineers, working around the clock for days, first trying to figure out how the CIA did it – without any help from Wikileaks.  Then they had to craft a warning to customers regarding the 300 products affected.  Finally, they had to come up with fixes, test them and get them into the distribution channel.

Due to the way the government (in the form of the NSA and CIA particularly) prioritizes cyber risk, offensive cyber is much more important than defensive cyber (more about this later).

So even though the CIA had known about these bugs for at least a year, they prioritized using the bug against their surveillance targets over protecting U.S. citizens.

This has been the argument since the creation of USCYBERCOM.  USCYBERCOM is headed by the same person as the NSA –  Admiral Mike Rogers.

The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S.  In case of a ‘conflict of interest’, who wins?

The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two, there have been calls to split the two (see Washington Post article here.)  In fact, there were conversations about President Obama separating the two toward the end of his term.  This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper.  President Obama signed a bill that bars the split until the Joint Chiefs of Staff certify that splitting the two would not be harmful.  We have no idea what President Trump thinks about the subject.

Laura Pfeiffer, a former senior director of the White House situation room, suggested that now that our adversaries’ cyber capabilities are catching up to ours, we ought to reconsider our strategy.

According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.

President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS.  Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.

Departing NSA Deputy Director Rick Ledgett confirmed that 90% number and said that it needed to be adjusted.

In a recent NSA reorg, IAD (the Information Assurance Directorate, the part of the NSA responsible for defensive cyber) was buried inside a new operations division, meaning even less attention may be given to defense.

In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret.  Almost any serious cyber bug could be said to have clear national security or law enforcement value.

In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies.  Such is the conflict USCYBERCOM faces every day – use the bug or disclose it?  Are we (USCYBERCOM) the only ones who know about the bug, or do our adversaries know also?

Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.

From the CIA’s standpoint, even if our adversaries knew about some of the same bugs, the value of continuing to exploit them and collect data for as long as possible might outweigh the disadvantage that our enemies were using the same bugs against us.

This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.

Information for this post came from Reuters.

Senate Reverses FCC Rule on ISP Privacy Requirements

Last year the FCC proposed a rule requiring Internet Providers to get your permission before selling your data.  The rule was set to go into effect in April.  The large ISPs – AT&T, Verizon, Comcast and others – didn’t like this rule since it affected their revenue.  They said that Facebook and Google didn’t need to get your permission, so why did they need to?

After President Trump’s inauguration, the control of the FCC changed and the new chairman, Ajit Pai, suspended the effective date of the rule and this week the Republican controlled Senate and House voted to permanently stop the FCC from implementing this rule or anything like it, now or in the future.

So what is the impact to you?

Consider this: Facebook or Google only has access to your data when you visit one of their websites or their partner websites.

On the other hand, your Internet provider has more information about you, such as:

  • Who you call, when you call, how long you talk, etc.
  • Who you text, when and potentially the content
  • For encrypted messaging like Whatsapp, who you are exchanging messages with and when
  • What web sites you visit, how often and when – even if the data itself is encrypted
  • Your location data – where you go and when and how long you stay there.
  • In fact, they can likely track anything you do online

With no rules, you cannot opt out of this data collection.

A couple of years ago Verizon and AT&T tracked your traffic by pre-installing hidden monitoring software on your phone (Carrier IQ, for example) and by inserting ‘super cookies’ – universal identifiers, or UIDs – into your web requests.  They stopped some of that when it became public and the bad press outweighed the revenue.

Again, with no rules, ISPs can keep this data for as long as they want to keep it.  In addition, they can sell it to whoever they want to.  Or give it away.

Obviously, this does not overturn any other laws, but in general, there are very few rules in this arena.  This is especially true when it comes to metadata.  There is a difference between selling your emails and selling the fact that you sent an email at this time to this person.

There are also no rules regarding who they can sell (or give) this data to.  Could be your employer or your insurance company or even law enforcement.

Recently we saw that Scotland Yard hired hackers in India via the Indian police to hack journalists they were interested in eavesdropping on.

Assuming your ISP decides to collect and keep this data, there is no reason why the police couldn’t either ask them nicely for it or subpoena it.  We have already seen cases where the police want the data in your Amazon Echo and even the data in your smart water heater, so why not this data?

Could your insurance company or employer ‘acquire’ this data, directly or indirectly?  I don’t see why not.

And, you apparently have no way to opt out –  unless the ISP voluntarily decides to give you that option and I would not count on that.  I do not expect this to change during the current administration, but it could if enough people complain.

We live in an interesting world.

Information for this post came from PC Magazine.

Nest Security Cameras Can Be Easily Blacked Out

Security researchers have figured out three different ways to disable Nest Security Cameras (Nest is part of Google).  As of a few days ago, Google said they were working on patches and would push them out shortly.  But it speaks to the more general problem of wireless security.

In the Nest situation, there are three vulnerabilities.  The researcher, Jason Doyle, notified Google in October but there are still no fixes – 5 months later.  If the bug had been found by Google’s own bug hunters in Project Zero, they would have started having a wall-eyed cat fit in January.

But it points to the lack of security in IoT in general, the challenge of getting companies to patch IoT bugs (there is no revenue after the initial sale) and later getting users to actually install the patches (I hope Nest automatically looks for and installs patches with no user involvement,  but I don’t know).

The first bug is pretty simple. Get into Bluetooth range and ping the camera with an overly long Wi-Fi SSID parameter.  This causes the camera to crash and reboot.  While it is rebooting, you are clear to break in.  Keep doing it and you could be clear for days.

The second bug is related.  Send a long Wi-Fi password and the camera crashes and reboots also – same deal as above.
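To make the first two bugs concrete, here is an added example of the pattern behind them and the check that prevents it.  This is not Nest’s code and nothing in it comes from the researcher’s write-up: the provisioning message layout (simple type/length/value fields received over Bluetooth), the field codes and the function names are all my assumptions for illustration.  The limits are not assumptions – Wi-Fi itself caps an SSID at 32 bytes and a WPA2 passphrase at 8 to 63 characters – so anything longer can be rejected before a single byte is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field limits from the standards: IEEE 802.11 caps an SSID at 32 octets;
 * a WPA2-PSK passphrase is 8 to 63 printable ASCII characters. */
#define SSID_MAX_LEN 32
#define PSK_MIN_LEN   8
#define PSK_MAX_LEN  63

/* Hypothetical TLV layout for a provisioning message received over BLE:
 * [type:1][len:1][value:len], repeated.  Invented for this example. */
enum { TLV_SSID = 0x01, TLV_PSK = 0x02 };

typedef struct {
    char ssid[SSID_MAX_LEN + 1];
    char psk[PSK_MAX_LEN + 1];
} wifi_config_t;

/* Vulnerable pattern: the attacker-supplied length is trusted and copied
 * straight into a fixed-size buffer.  Called with len == 40 this runs off
 * the end of cfg->ssid into cfg->psk and whatever follows it; on a small
 * device that is typically a crash and reboot.  Only ever call it with a
 * length you have already checked (main() below does). */
void ssid_copy_unchecked(wifi_config_t *cfg, const uint8_t *val, size_t len)
{
    memcpy(cfg->ssid, val, len);
    cfg->ssid[len] = '\0';
}

/* Hardened parser.  Returns 0 and fills *cfg on success, or a negative code
 * and leaves *cfg untouched on malformed or oversized input. */
int wifi_apply_provisioning(wifi_config_t *cfg, const uint8_t *msg, size_t msg_len)
{
    wifi_config_t tmp;
    size_t off = 0;
    int have_ssid = 0;

    memset(&tmp, 0, sizeof tmp);

    while (off + 2 <= msg_len) {
        uint8_t type = msg[off];
        size_t  len  = msg[off + 1];
        off += 2;

        /* The length byte claims more payload than the message carries. */
        if (len > msg_len - off)
            return -1;

        const uint8_t *val = msg + off;
        switch (type) {
        case TLV_SSID:
            /* The "overly long SSID" case: refuse it before any copy. */
            if (len == 0 || len > SSID_MAX_LEN)
                return -2;
            memcpy(tmp.ssid, val, len);
            tmp.ssid[len] = '\0';
            have_ssid = 1;
            break;
        case TLV_PSK:
            /* The "long Wi-Fi password" case gets the same treatment. */
            if (len < PSK_MIN_LEN || len > PSK_MAX_LEN)
                return -3;
            memcpy(tmp.psk, val, len);
            tmp.psk[len] = '\0';
            break;
        default:
            return -4;      /* unknown field: reject rather than guess */
        }
        off += len;
    }

    /* Trailing garbage or a missing SSID is also a reject. */
    if (off != msg_len || !have_ssid)
        return -5;

    *cfg = tmp;             /* commit only after every field validated */
    return 0;
}

int main(void)
{
    /* Constructed sample messages: one legitimate, one with a 40-byte SSID. */
    const uint8_t good[] = { TLV_SSID, 4, 'h','o','m','e',
                             TLV_PSK, 8, 'p','a','s','s','w','o','r','d' };
    uint8_t bad[2 + 40];
    wifi_config_t cfg;
    int rc;

    bad[0] = TLV_SSID;
    bad[1] = 40;
    memset(bad + 2, 'A', 40);

    rc = wifi_apply_provisioning(&cfg, good, sizeof good);
    printf("good message  -> %d (ssid=%s)\n", rc, cfg.ssid);
    rc = wifi_apply_provisioning(&cfg, bad, sizeof bad);
    printf("40-byte SSID  -> %d (rejected, cfg still %s)\n", rc, cfg.ssid);

    /* The unchecked copy is only safe because the 4 here was never attacker-controlled. */
    ssid_copy_unchecked(&cfg, good + 2, 4);
    return 0;
}
```

Two points worth copying even if your parser looks nothing like this: every length is checked against both the bytes actually received and the field’s own maximum before any copy happens, and the new configuration is built in a scratch copy and committed only after the whole message checks out, so a rejected message cannot leave the device half-configured and off the network.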

The third bug can be exploited by telling the camera to connect to a new network.  This causes it to disconnect from the current network (and stop recording).  Since the new network is bogus, it will eventually reconnect to the old network, but in the meantime, it won’t record.

I have a variant to the last one.  If the burglar brings a local Wi-Fi hotspot with him or her, the Nest, I would guess, would connect to it, but since that hotspot doesn’t have an Internet connection, it can’t transmit.  In that case, it might not reconnect to the old network – I don’t know.

Since these cameras ASSUME that they always have an Internet connection, they don’t deal well with not having one.

While these attacks require the hacker to be in Bluetooth range, since they are trying to break into the house, that is likely not a problem.

Why Google doesn’t turn off Bluetooth after the camera is initially configured is not clear either.

This is just an example of the challenges of wireless camera systems.  Another example would be to overpower the Wi-Fi signal to force the camera onto a rogue hotspot or off the network altogether.  There are lots of other attacks.  Hard wired cameras are better – if the burglars can’t easily get to the wires to cut them.

Many alarm and camera systems use cellular connections to transmit alarms.  While cellular is good, it is not foolproof.  Bring a cellular jammer with you (yes, they are illegal, but so is breaking into someone’s house or office) and the alarm won’t be able to transmit images or alarms.

On the other hand, wireless is much easier to install (you don’t have to run wires), so less expensive.  This goes for cameras and alarm systems also.

But the vendors don’t talk about the fact that they are also less reliable.

In part, it depends on your level of paranoia, and also on the quality of the manufacturer – and there are likely several manufacturers involved in any one system.  If you are expecting junkies to break into your house or office, they probably won’t worry about disabling cameras or alarms.  Pros, on the other hand – they might worry and likely have the smarts to disable your entire system.

For many systems, there can be multiple manufacturers.  One camera might come from vendor ‘A’, but a different camera might come from vendor ‘B’.  Same thing with alarms.  A door sensor could come from one vendor while a motion sensor might come from another.  It used to be that these sensors were dumb – you make or break the connection and the panel generates an alarm.  Now, at a minimum, a sensor needs enough software to connect to the right network and then transmit the alarm.  Many cameras and sensors are much smarter than that.  Smarter also means buggier.

While Google will, eventually, issue a patch, what about the hundreds of other wireless camera vendors and thousands of other alarm piece-part vendors who aren’t quite so reputable?

In addition, if the burglars can kill your Internet connection (like cutting your cable or phone line), since these cameras have no local storage, you have no pictures of the bad guys.  If a camera somehow uses wireless Internet (like cellular), then the bad guys would have to disable both, but I am not aware of any consumer grade cameras that work that way.

It is important to understand the risks you have.  In this case, the Nest was supposed to protect you, but maybe didn’t.  For other wireless camera systems – well, who knows.

Information for this post came from The Register.

Can Border Agents Search Your Phone?

Bloomberg published a brief on border searches that was written for them by the international law firm Morrison Foerster.

Given that lawyers wrote the piece, their concern is about protecting attorney-client confidential information at the border, but the subject applies to everyone.

According to Customs and Border Protection (CBP), they searched 4,444 cell phones in 2015 and 23,877 phones in 2016.  We don’t know if the shape of that curve will continue, but if it does, that would forecast over 100,000 phone searches in 2017.

Even if that curve is correct, that still is a tiny percentage of all of the people (and phones) that enter the U.S. in any given year, so the odds of you being chosen would seem to be very low.

Border agents searching phones is certainly not limited to the U.S. but statistics for other countries are not available.

According to Morrison Foerster, courts have held that, under U.S. law, CBP and Immigration and Customs Enforcement (ICE) agents may ask to search electronic devices at the border and may request individuals to disclose their password so they can conduct the search.  My definition of request includes the ability to decline.  I do not think their definition of request includes that option.

The courts have further said that they can conduct a manual search of any electronic device without a warrant and without reasonable suspicion.

If they want to conduct a forensic investigation (meaning using specialized software to look in the nooks and crannies of that electronic device), they must have “reasonable suspicion”.  That is defined to mean “a particularized and objective basis for suspecting the particular person stopped of criminal activity”.  This definition is not exactly crystal clear and the Supremes have not yet had the opportunity to rule on this subject.

Homeland Security, the department of which CBP and ICE are a part, did a privacy impact assessment for border searches of electronic devices in 2009 – a long time ago in tech years.

If the traveler claims that a device contains privileged material, either attorney-client or otherwise, the CBP agent must consult with either the Associate/Assistant Chief Counsel or the U.S. Attorney’s Office before doing the search.  How that helps is not really clear to me, but I would guess that it is a check and balance to make sure that they follow the rules.

ICE says that a claim of privilege doesn’t preclude a search, but that for some types of information including attorney-client privileged, proprietary business and medical information they have to use special handling – an undefined term.  Under certain limited situations, ICE policy requires the agent to contact the local ICE Chief Counsel’s office or local U.S. attorney before continuing the search.

Whether that will change anything or not is unclear and you will likely be detained until they get an answer back, which could be hours.  It is not likely to be days.

People have said that they have been detained for hours and not allowed to use their phone (which of course, if ICE or CBP took the phone would be hard anyway).

If you are one of those select few people that are asked to hand over your phone, know what your plan is.  You can decline to turn over the password knowing that you will likely be detained and eventually likely brought before a judge where you will have a chance to make your case, but understand that it is unlikely to go in your favor.

Here is what the law firm of Morrison Foerster suggests – which is not a whole lot different than what I would suggest.

  1. If you are travelling internationally, consider taking a clean smartphone and/or laptop with no sensitive data on it.  That way they can look to their hearts content and you don’t care.
  2. If all sensitive data cannot be removed, remove as much sensitive data as possible from your phone or laptop and then overwrite the deleted files.  There is lots of software to do that.
  3. Inventory all sensitive data contained on any electronic devices that will be taken across a border.  This is a recommendation that I hadn’t thought about.  That way, if the device is searched or taken and copied, at least you know what has been compromised.
  4. Fully power down all electronic devices before passing through customs (U.S. or any other country).  This makes it much less likely that technical software will be able to snoop on the device once they power it back up.
  5. If CBP or ICE requests to search your devices, let them know if there is privileged or business sensitive information on the devices.

I might suggest a few more ideas.

A.  For extremely sensitive information consider encryption, and I don’t mean transparent encryption like Microsoft BitLocker.  Transparent encryption will hand over the data with no other restriction once they log onto the device.  There are many forms of non-transparent encryption which will not reveal data to casual observers without additional effort.  The trade-off is that non-transparent encryption means more work for you.

B. Store data in the cloud and don’t store it locally.  If you use this, make sure that you understand the security (and insecurity) features of the software and enable features that may not be enabled by default.  Understand what controls the cloud service provider may have.  An example of how NOT to do that is to use Dropbox since Dropbox, by default, caches names and in many cases the actual files, on the computer, defeating the whole objective.

C. Talk to a computer security expert [like me 🙂 ] before you go to understand your options and the implications.  The general trade off will be security or convenience, pick one.

D. If the agent takes your computer or phone away – out of your sight – you can assume the device is now compromised.  Big companies understand this and employees are instructed to contact the security office.  Power down the device when you get it back and do not turn it back on. Hand it to corporate security as soon as possible.  Most large companies already have a plan to deal with this and will issue you new devices.  Just because you don’t see any changes does not mean there are no changes.

All of this, of course, depends on your level of paranoia.  If there is protected information on the device, you now need to decide if you have a security breach and if that breach is reportable under state laws.  Talk about a catch-22.  Contact legal counsel to help you make this decision.  I suspect that if you talk to two lawyers about this subject, you will get three opinions – at least.

Clearly, the easiest answer is to minimize the amount of data and devices that you take across the border.

If you are worried about data being DELETED in this process, then definitely securely upload the data in real time (as close to the point of creation as possible).  For example, if you are an investigative journalist and are worried about your data and sources, this would be my recommendation no matter what.  If the data is encrypted prior to upload, you control the encryption key and that key is not stored on the device, then this will provide the maximum protection.

Welcome to today’s world – not always simple.

Still, the odds of you having to fork over your device are low.  Unless you are that person who gets picked.

Information for this post came from MoFo’s web site.

Popcorn – A Different Kind of Ransomware

Ransomware, as I have said in past talks and blog posts, is really nasty stuff.  And it keeps morphing.

First came vanilla ransomware.  We encrypt your files, you pay the ransom, we give you the key to decrypt it (usually) and most of the time (but not always) the decryption process works as described.  There is no guarantee that you won’t get reinfected or that the bad guys didn’t send a copy of your files to Outer Slovokia before encrypting them but most of the time, it works.

Now the variants – not in any particular order:

Nukeware – with nukeware you get a similar screen to ransomware saying that your files are encrypted and if you pay the ransom you will get them back, but, in reality, they have wiped your hard disk and no matter what, you are not getting your files back – at least not from the hackers.

Next comes Extortionware – with extortionware the bad guys understand that you might have a backup copy of your data and might tend to thumb your nose at them and not pay, but they have a great solution to that.  In this case they DO make a copy of your files and send them to Outer Slovokia.  The sting goes like this.  You have xx hours to pay the ransom (typically 48-96 hours).  If you don’t (because you have good backups), we will start leaking your private data on the web.  Whether these are pictures of you and your friends in their birthday suits or financial records or your email or confidential client files, you likely have stuff that you don’t want to show up on the web.  Even if you can get the stuff taken down, it likely will be seen and saved and reposted.  Imagine what would happen if someone posted Trump’s tax returns.  Sure Trump would get it taken down, but on how many other sites would it reappear – some likely out of reach of U.S. law.

This is a good time to point out that not all ransomware is fatal – although you rarely know if all of the hooks the bad guys attached are really gone.  There is a web site that can help tell you whether all is lost if you don’t have good backups.  At this site you can upload some information and they will try to tell you what the ransomware is and if it is reversible.  The site is sponsored by Europol (the EU police) and some of the big security software companies.  Still, most ransomware is not easily reversible and you either have good backups, pay up or lose your data.

Now the new variant.

Popcorn encrypts your files like other ransomware.  They, at the moment, want one Bitcoin to free your data (about $950).

However, they offer you an option to get your files back for free. Seems nice.

Only it is not so nice.

They give you a unique link to send to your friends. If your friends click on it, their computers will be infected by the Popcorn ransomware.

If AT LEAST TWO of your friends pay the ransom, the hackers will unlock your files for free.  Sort of a get-out-of-jail-free card for you.

Lets assume you have a bit of evil in you and you send it to people who are, let’s say, not exactly your friends. Well maybe you won’t be sad if they get infected.

Of course, if you do it in a way that is traceable to you, you might get a visit from the local constabulary.  If you do it in a way that is not traceable to you, your friends are less likely to click on the link.  Of course, if you send this to your enemies, they probably won’t click on it anyway.

Still, it shows that the ransomware purveyors are certainly entrepreneurial.

Here is a screenshot of what one version of Popcorn shows after your computer is infected:

Their alternative to paying is creative.  Still backups and keeping them out in the first place are much better options.

Information for this post came from Wired.