Wikileaks Publishes CIA Hacking Tools – Round One

It seems the spy-guys (or is it spy-people?) can’t catch a break.  First it was Snowden; more recently it was Martin – both Booz Allen contractors at the NSA.  Now it is the CIA.  Wikileaks has published thousands of documents, which appear to be real, describing CIA hacking tools.  This supposedly includes at least a dozen ‘zero-day’ attacks for a variety of platforms including iPhone, Android and Windows.

Assuming this is all real, it will definitely make the CIA’s job harder as vendors patch holes that the CIA has known about for an unknown amount of time – maybe years – and chose to exploit rather than report to the vendors so the bugs could be fixed.  This is the same tension behind the argument over having U.S. Cyber Command responsible for both hacking and defending us.  Under President Obama there was a protocol (the Vulnerabilities Equities Process) that formalized the decision of whether to reveal a bug or keep it secret.  As today’s leaks prove, that protocol did not stop them from keeping secrets.  That is part of what Wikileaks wants to reveal.  Some people will consider that good; others will consider it bad.

The first set of documents, which Wikileaks calls Vault 7, contains about 8,700 documents of what they call Year Zero.  The documents are purported to come from inside CIA Langley.

This series of documents follows a preview disclosure last month describing the CIA’s efforts to target French political parties and candidates during the 2012 elections – which sounds very similar to what we are accusing Russia of doing here, last year.  What the CIA wanted to do with the information was not disclosed.

Apparently, the CIA’s hacker division called the Center for Cyber Intelligence (CCI), had over 5,000 users and had developed over a thousand hacking tools.

For what it is worth, Wikileaks says that their source wants to start a debate about whether the CIA has exceeded its authority and whether there is sufficient oversight. Clearly if the CIA develops a tool and the bad guys figure it out, that tool is out of control and there may not be a way to get the genie back in the bottle.

Wikileaks says that it has redacted some information and decided not to release the actual tools because of the risk that represents.

The CIA’s Engineering Development Group (EDG), which is part of CCI, is part of the Directorate for Digital Innovation, one of five directorates inside the CIA.

One of the tools disclosed infects Samsung smart TVs (Wikileaks calls the project Weeping Angel) so that they become covert listening devices, even when they appear to be powered off.

Another project was to take control of cars in order to perform covert and likely undetectable assassinations.  There have been rumors about this in the past when unexplained car crashes killed high-profile individuals.

While the iPhone represents only about 15% of the global smartphone market, the CIA apparently has a whole branch dedicated to hacking it.  This is likely due to the status symbol that the iPhone represents in government circles.

The CIA also has techniques to bypass the encryption of apps like Signal, WhatsApp, Weibo, Confide and others.  They do this not by cracking the encryption but, most likely, by covertly installing software on the phone that captures the data before it is encrypted or after it is decrypted: once the endpoint is compromised, the strength of the encryption no longer matters.

After Snowden revealed that the intelligence community was hoarding zero day vulnerabilities, the Obama administration agreed to a process to decide which vulnerabilities to disclose, but, according to Wikileaks, the CIA did not follow those protocols and continued to hoard zero day vulnerabilities.

There is a huge amount of information released and reporters will likely be reviewing it for weeks, but Wikileaks says that there is much more to come.  How much and when is not clear.

To me, what is most interesting is not that the CIA is doing this – everyone is doing this – but rather, even after Manning, after Snowden, and after Martin, just to name a few massive leaks, the intelligence community doesn’t seem to be able to stop the leaks.

What President Trump will do is not clear.

What Snowden said he did, and I assume what Wikileaks is doing also, is to distribute encrypted copies of unredacted documents to hundreds of media sources, with the system set up to automatically release the keys if something bad happens to Wikileaks or its embattled founder, Julian Assange.  I don’t know if this is true, but it is the only thing that makes sense to explain why Assange is still alive and Wikileaks is still online.  *IF* the intelligence community knows that Wikileaks is in possession of some sort of nuclear option, they are likely to tread much more lightly around Wikileaks.  Given what they have already published, this is certainly not out of the question.

Information for this post came from a Wikileaks Press Release.


Zombie Smartphones Take Out Entire 911 Call Centers

We tend to think of 911 as ubiquitous across the United States.  In reality, the thousands of PSAPs, as 911 contact centers are formally known, are a patchwork of aged technology that makes many of us cringe.

A Public Safety Answering Point is run locally by a city or county and dispatches fire, police, ambulance and other emergency services for a local jurisdiction.

One overnight last October saw the biggest attack on PSAPs nationwide that we have ever seen.  Unfortunately, it was trivial to launch and very difficult to defend against.

In Olympia, Washington that night, dispatcher Jennifer Rodgers watched the calls stack up by the dozens on her dispatch screen, instead of the 1 or 2 she would normally see.

As calls went unanswered, alarms went off alerting dispatchers of the problem, but there was nothing that they could do about it.

People were calling 911, then hanging up, then calling again.  Dispatchers had no way to know what was happening and no way to do anything about it.

Finally, after 15 minutes, a dispatcher got a caller to stay on the phone long enough to begin to understand what was going on.  She told the teenager to have her dad call from a landline, where the dispatcher would instantly get a name, number and address.  The caller said she had not meant to call 911 and wasn’t even touching the phone.

For at least 12 hours overnight on October 25-26, contact centers in a dozen states from California to Texas to Florida were hammered.

In Surprise, Arizona, near Phoenix, the call center received 174 calls in the hour between 10 PM and 11 PM, instead of the normal 24 calls.
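The pattern the dispatchers describe above (call volume several times the normal rate, and the same phones dialing, hanging up within seconds, and dialing again) is detectable from the call records a PSAP already keeps.  The following is an added example, not code from the original post or from any PSAP vendor: it runs two simple detectors over a constructed call-detail sample.  The record format, the assumed baseline of 24 calls per hour and the thresholds are illustrative assumptions; a real deployment would read the CAD or telephony export instead.

```python
"""Call-flood and auto-redial detection over PSAP call records.

Added example; it is not from the original post and not a PSAP product. The
record format, the baseline of 24 calls per hour and the thresholds are
assumptions chosen for illustration. A real deployment would read the CAD or
telephony call-detail export instead of the constructed sample below.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "timestamp,caller,duration_seconds", one call per line.
# 55501xx numbers are ordinary callers; 55590xx numbers simulate phones that
# dial 911, hang up within seconds, and dial again (the pattern dispatchers saw).
SAMPLE_CDR = """\
2016-10-25T22:00:05,5550101,212
2016-10-25T22:01:10,5559001,3
2016-10-25T22:01:22,5559001,2
2016-10-25T22:01:35,5559001,4
2016-10-25T22:01:41,5559002,2
2016-10-25T22:01:50,5559002,3
2016-10-25T22:02:03,5559002,2
2016-10-25T22:02:11,5559003,1
2016-10-25T22:02:20,5559003,2
2016-10-25T22:02:31,5559001,3
2016-10-25T22:02:44,5559002,2
2016-10-25T22:03:02,5550102,180
2016-10-25T22:03:15,5559003,2
2016-10-25T22:03:30,5559001,2
2016-10-25T23:10:00,5550103,95
"""


def parse_cdr(text):
    """Parse CSV call records into (timestamp, caller, duration_seconds) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, caller, duration = line.split(",")
        records.append((datetime.fromisoformat(ts), caller, int(duration)))
    return records


def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window (minutes must divide 60)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def calls_per_window(records, minutes=5):
    """Count calls per window; a flood shows up as a count far above baseline."""
    return dict(Counter(window_start(ts, minutes) for ts, _, _ in records))


def flag_spike_windows(records, baseline_per_hour=24, minutes=5, factor=3):
    """Windows whose call count exceeds `factor` times the expected baseline.

    With the assumed 24 calls/hour baseline a 5-minute window normally holds
    2 calls, so anything above 6 is flagged.
    """
    threshold = baseline_per_hour * minutes / 60 * factor
    return sorted((w, n) for w, n in calls_per_window(records, minutes).items() if n > threshold)


def flag_auto_redialers(records, minutes=5, min_calls=3, max_duration=10):
    """Callers that place >= min_calls very short calls inside a single window.

    Returns {caller: peak calls in one window}. Repeated short calls from one
    number is the signature of a phone dialing on its own rather than a person.
    """
    per_caller = defaultdict(Counter)
    for ts, caller, duration in records:
        if duration <= max_duration:
            per_caller[caller][window_start(ts, minutes)] += 1
    return {caller: max(wins.values()) for caller, wins in per_caller.items()
            if max(wins.values()) >= min_calls}


def share_of_calls_from_redialers(records, **kwargs):
    """Fraction of all calls that came from flagged numbers: how much capacity the flood ate."""
    flagged = flag_auto_redialers(records, **kwargs)
    return sum(1 for _, caller, _ in records if caller in flagged) / len(records)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for window, count in flag_spike_windows(recs):
        print(f"spike: {window:%Y-%m-%d %H:%M} had {count} calls")
    for caller, peak in flag_auto_redialers(recs).items():
        print(f"auto-redialer: {caller} placed {peak} short calls in one window")
    print(f"{share_of_calls_from_redialers(recs):.0%} of calls came from flagged numbers")
```

Knowing which numbers are flooding does not by itself stop the flood, but it lets a PSAP or its carrier prioritise or deprioritise repeat short-duration callers and gives them hard numbers to hand to the carrier, which is where the blocking has to happen.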

Due to the limitations of cellular location technology, 911 dispatchers often cannot pinpoint the location of wireless callers, but even if they could, if they are getting thousands of calls across dozens of states there is no way they could dispatch police to find the phones in question.  And then what would they do?  For SOME Android phones you could pull the battery to stop the phone from dialing, but for the rest of the phones it isn’t so easy.  I suppose we could equip first responders with RF-shielding (Faraday) bags to put these phones in.  Sure.  Right!

As of 2015, only around 400 of the more than 6,000 PSAPs had a cybersecurity plan.  In 38 states, according to the FCC, no money was spent on cybersecurity for 911 call centers.

According to Rear Admiral David Simpson, who oversaw emergency management and cybersecurity at the FCC during the Obama administration, this is an emerging crisis.

As I reported months ago, last year researchers at Israel’s Ben-Gurion University of the Negev concluded that as few as 6,000 malware-infected smartphones could take down the 911 PSAPs of an entire state for days.

If Russia wanted to cause some real panic in the United States, all it would take would be to infect, say, a quarter of one percent of the smartphones in the U.S. with malware that continuously called 911 call centers and hung up.  While it might not directly kill anyone, it would certainly make the lives of first responders very difficult.

It turns out that this “attack” was started by a guy who tweeted what he thought was a prank link to a couple thousand of his Twitter followers; anyone who opened the link had their phone dial 911 over and over.

What if the link were more subtle?  What if it masqueraded as a call to action and was forwarded and re-forwarded to an audience of millions?

Many 911 PSAPs are still using old copper wire based “POTS” phones with no budget to upgrade.

Let’s hope the bad guys choose not to launch an attack because I am pretty convinced that if they attacked, they would succeed.

Information for this post came from TodayEVERY.


What Does Mike Pence’s Use of A Personal Email Account Teach Us?

The Washington Post is reporting that Vice President Mike Pence used a personal email account to conduct government business when he was Governor of Indiana.

The Veep says that his use of a personal email account is different than Clinton’s use of a personal email account and I do not want to turn this into a political blog.  Pence said he didn’t break the law and I believe him.  That doesn’t mean that doing what he did wasn’t extremely reckless.  There were emails between him and Homeland Security regarding very sensitive terrorism matters that have no place being discussed on AOL.

There are some similarities that can’t be ignored:

  • Both used personal email accounts for government business
  • It appears that neither one violated the law at the time by using personal email accounts.
  • Emails from both accounts were publicly disclosed – one by a hacker and one after the fact by the government.
  • Emails in both accounts contained sensitive information; in addition, some of Clinton’s emails may have contained classified information even though none carried classification markings (either of which is a problem!)
  • Both email accounts contained emails, the content of which, according to each owner, was too sensitive to release publicly.

One thing that is different is that Pence’s email was known to be hacked while Clinton’s email is only speculated to possibly have been hacked.

So what can you or I learn from this situation and what might we do differently?

The first thing is to understand that normal email – in VP Pence’s case, it was an AOL account and in Clinton’s case it was a personally managed email server – is likely not very secure. Period.

Second is that if you plan to use email for sensitive information – which apparently both people did – you need to take extreme measures to protect it – which apparently neither person did.

Third, when it comes to the intersection of security and convenience, if you are going to use email for sensitive communications, security needs to win.  In neither case did that happen.

In THEORY (but only in theory), Hillary Clinton’s privately run email server COULD HAVE BEEN more secure than a public email service run by AOL, because AOL designed its service for grandma to get pictures of her grandkids, while a private server can be built to whatever standard its owner decides matters.

If you are an executive of a company, of a state or of a country, you need to either understand enough about cybersecurity to make critical decisions (which is unlikely to be the case) or consider security important enough that you have people on your team who you can trust and count on to do that for you.

Public email servers like Google, Microsoft and AOL will NEVER be able to do that – it isn’t what you are paying for (which is pretty much zero).   You do, in fact, get what you pay for in this case.

While the Veep likely broke no laws by using a personal email account, if those emails were too sensitive to publicly release,  then the use of a public, consumer grade email solution shows, at a minimum, extremely poor judgement.

Executives need to become modestly technically adept and surround themselves with people who have the appropriate technical skills.  Then they need to do what those people tell them to do.

It seems like neither Pence nor Clinton did that.

For executives in private industry, it is unlikely that they will have classified emails in their inbox, but it is highly likely that they will have emails that are too sensitive for public release.

So why the <bleep> are they sending that kind of stuff over public email?  Regardless of what Google or any other general purpose public email provider might say, in reality, with the exception of a handful (literally) of security oriented email providers – all very small – no commercial email is encrypted in a way that you should consider safe from compromise and disclosure.
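Part of the confusion is that providers say their email is “encrypted” when they mean the hop between two mail servers used TLS.  That protects the message from a wiretap on that one link; it does nothing to keep the provider itself, or anyone who gets into the mailbox, from reading the body.  The following is an added example, not code from the original post, the Washington Post story, or any provider: it reads a message’s own Received headers to see which hops were TLS-protected, and checks whether the body itself is end-to-end encrypted (PGP/MIME or S/MIME).  Both messages are constructed and every host name is made up.

```python
"""What an email's own headers tell you about encryption, hop by hop.

Added example; it is not from the original post, the Washington Post story, or
any provider's code. The messages are constructed and every host name is made
up. It separates two things the word "encrypted" gets used for: TLS between
mail servers (which hides the message from a wiretap on that link only) and
end-to-end encryption of the body (which hides it from the provider itself).
"""
import email
import re

# Constructed message: three hops, the middle one plain SMTP, body in the clear.
CONSTRUCTED_MESSAGE = """\
Received: from mx.example-provider.test (mx.example-provider.test [192.0.2.10])
\tby inbound.example-provider.test with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128);
\tThu, 02 Mar 2017 10:00:02 -0500
Received: from relay.agency.test (relay.agency.test [198.51.100.7])
\tby mx.example-provider.test with SMTP id def456;
\tThu, 02 Mar 2017 10:00:01 -0500
Received: from workstation.agency.test (workstation.agency.test [203.0.113.5])
\tby relay.agency.test with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tThu, 02 Mar 2017 10:00:00 -0500
From: sender@agency.test
To: recipient@example-provider.test
Subject: Briefing follow-up
Content-Type: text/plain; charset=us-ascii

Summary of yesterday's briefing follows, in the clear.
"""

# Constructed PGP/MIME message (RFC 3156): the provider stores only ciphertext.
CONSTRUCTED_PGP_HEADERS = """\
From: sender@agency.test
To: recipient@example-provider.test
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)"
)


def transit_hops(raw_message):
    """One (from_host, by_host, tls_used) tuple per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)      # unfold the header before matching
        match = RECEIVED_RE.search(flat)
        if not match:
            continue
        proto = match.group("proto").upper()
        # RFC 3848: ESMTPS / ESMTPSA mean the session used STARTTLS; SMTP / ESMTP did not.
        # Some MTAs also annotate the TLS version, which we accept as corroboration.
        tls = proto in ("ESMTPS", "ESMTPSA") or "version=TLS" in flat
        hops.append((match.group("src"), match.group("dst"), tls))
    # Each MTA prepends its own Received header, so the on-the-wire order is newest first.
    return list(reversed(hops))


def is_end_to_end_encrypted(raw_message):
    """True only if the body itself is wrapped for the recipient (PGP/MIME or S/MIME)."""
    msg = email.message_from_string(raw_message)
    return msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime")


def assessment(raw_message):
    """Summarise: were all hops TLS-protected, and can the provider read the body?"""
    hops = transit_hops(raw_message)
    return {
        "hops": len(hops),
        "every_hop_tls": bool(hops) and all(tls for _, _, tls in hops),
        "plaintext_hops": [(src, dst) for src, dst, tls in hops if not tls],
        "provider_can_read_body": not is_end_to_end_encrypted(raw_message),
    }


if __name__ == "__main__":
    for src, dst, tls in transit_hops(CONSTRUCTED_MESSAGE):
        print(f"{src:28} -> {dst:32} {'TLS' if tls else 'PLAINTEXT'}")
    print(assessment(CONSTRUCTED_MESSAGE))
```

Run against a message pulled from your own mailbox (most clients have a “show original” or “view source” option), the plaintext_hops list tells you where the message crossed the Internet unprotected, and provider_can_read_body is True for essentially every message on a consumer account, even when every hop used TLS.  That second answer is the one that matters for the point above.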

THAT is the message I want to deliver today.  It has nothing to do with either Pence or Clinton.  They are just the opportunity to discuss the issue.

So, executives —

SECURITY or CONVENIENCE – pick one.  And if you pick convenience and your emails show up in Wikileaks or the New York Times, don’t say you were not warned.

Consider yourself warned.

Information for this post came from the Washington Post.


Stewart International Airport Data Breach Self Inflicted

Stewart International Airport has a long history.  In 1930 Thomas Stewart convinced his uncle to donate land for an airport to the city.  In 1939 the U.S. Military Academy at West Point built the first airfield at Stewart and in 1948 it became Stewart Air Force Base.  In 1970 the State of New York bought it and in 1989 American Airlines became the first commercial airline to offer service.  It is now a cargo facility, U.S. mail hub and overflow New York City regional airport run by the Port Authority of New York and New Jersey.




Enough of the history lesson.

The airport, which is about an hour or two drive north of Manhattan near Newburgh, NY, is in the news for a different and much less positive reason.

The airport was using a Buffalo network attached storage (NAS) device to back up its servers.  Somehow that device was made reachable from the Internet – apparently, I assume, without the knowledge of the airport’s IT department, which according to the researcher who found the drive consists of one person.

On the drive were unprotected, unencrypted backups of the airport’s servers.

This includes hundreds of gigabytes of data like email, HR files, payroll, security documents, screening protocols – all the stuff that you would expect to find on a backup, but you would not expect to be connected to the Internet.

The data was exposed for a year, so who knows who has that data now.  Maybe there are firewall logs, but likely not, and even if there are, they likely were not kept long enough.  That is why the new New York financial services cybersecurity regulation requires covered institutions to retain audit-trail records for years (three to five, depending on the type of record).

Stewart has more than its share of high-profile arrivals.  After all, it is highly unlikely you could shut down all traffic in and out of John F. Kennedy International for a VIP, but you could likely shut down Stewart for 30-60 minutes to build a secure corridor.  Of course, the VIP plans were also in the backups.

Also in the backup was a file with a list of network passwords.  The file was not encrypted.

In these days of saving money, the Port Authority has outsourced the operation of Stewart to a private company, AVPorts.

The less money AVPorts spends on overhead like security, the more profit for the company.  AVPorts is privately owned, so we don’t know much about them, but they have operations all across the country from Newark Liberty, Teterboro, Westchester County and New Haven on the east coast to Moffett Field in California.  As such, they ought to know better.  However, these are all second or third tier properties and, I suspect, to make money they watch their nickels and dimes carefully.  If their customer (in this case, the Port Authority) doesn’t say in the contract that they have to do something, and their interpretation of the law says it is not legally required, they might save the money.  Hence, it appears, a one person IT operation.  I don’t care how good one person is, they are not going to have the bandwidth or expertise to deal with a complicated network.

For example, as a piece of critical infrastructure, they ought to be conducting third party, independent, penetration tests several times a year.  Maybe they do and the testers, somehow, missed this.  My guess is that there was neither a contractual nor a legal requirement to do one.  A decent but not great one might cost $25k every time they did one and if it was not mandated, they might save a hundred thousand bucks a year.

Many of our clients are required to conduct penetration tests at least annually for a variety of contractual and legal reasons and my guess is, depending on what was on that network, they actually may be legally required to do so as well.

It is possible that they hired a totally incompetent penetration tester who completely missed a publicly accessible network attached storage array, but if so, that company needs to get out of the penetration testing business.  Much more likely is that they did not hire anyone to do that.
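A publicly reachable NAS is exactly the kind of thing the first hour of an external penetration test finds, and it is also something you can check for yourself between tests.  The following is an added example, not code from the airport, AVPorts, the researcher or ZDNet: an outside-in TCP connect scan of the ports a backup NAS typically exposes (file sharing, rsync, NFS and the web admin interface).  The port-to-service map is an assumption; run it only from a host outside your network and only against address ranges you own or are authorised to test.  The demo() self-test stands up a local listener in place of the NAS so the example runs offline.

```python
"""Outside-in check for a backup NAS (or anything else) listening on the Internet.

Added example; it is not code from the airport, AVPorts, the researcher, or
ZDNet. Run it from a host outside your network against address ranges you own
or are authorised to test. The port-to-service map is an assumption listing
what NAS appliances commonly expose; the self-test in demo() uses a local
listener standing in for the NAS so the example runs offline.
"""
import ipaddress
import socket

# Assumed list of services a backup NAS tends to expose; extend it for your gear.
NAS_SERVICE_PORTS = {
    21: "ftp", 22: "ssh", 80: "http", 139: "netbios-ssn", 445: "smb",
    548: "afp", 873: "rsync", 2049: "nfs", 5000: "nas-web", 8080: "http-alt",
}


def port_open(host, port, timeout=1.0):
    """TCP connect scan of one port; any completed handshake counts as exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout), or unreachable
        return False


def find_exposed_services(host, ports=None, timeout=1.0, names=NAS_SERVICE_PORTS):
    """Return {port: service_name} for every listening port on `host`."""
    ports = list(names) if ports is None else ports
    return {p: names.get(p, "unknown") for p in ports if port_open(host, p, timeout)}


def scan_range(cidr, ports=None, timeout=1.0):
    """Scan every address in a CIDR block; returns {ip: {port: name}} for hosts with findings."""
    findings = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        found = find_exposed_services(str(ip), ports, timeout)
        if found:
            findings[str(ip)] = found
    return findings


def demo():
    """Self-test: one local listener (the 'NAS') and one closed port; returns what the scan saw."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()               # grab and release a second port so it is closed
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        found = find_exposed_services("127.0.0.1", [open_port, closed_port], timeout=0.5,
                                      names={open_port: "nas-web (simulated)"})
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g. python3 exposure_check.py 203.0.113.0/28
        for ip, services in scan_range(sys.argv[1]).items():
            print(ip, services)
    else:
        print(demo())
```

A connect scan like this is deliberately noisy and slow compared with a real scanner, but it needs no privileges and no third-party tools, and it answers the only question that mattered here: is anything on my public range answering on a port that a backup device should never expose?  Anything it finds should be confirmed from a second vantage point before you assume the firewall is at fault.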

Hackers do not play favorites.  If you are vulnerable, you are fair game.  These guys just happened to be unlucky.

It is not clear what the consequences of this breach will be.  I suspect that it is unlikely that the Port Authority will cancel their contract.  It is equally unlikely that there are even terms in the contract which would allow them to do that.

A couple of lessons here.

  1. Manage your third party vendors.
  2. Make sure you define the security requirements in your contracts.
  3. Trust.  But verify that your vendors are doing what they say they are doing.
  4. For your own company, if you are not hiring outside, independent, third party penetration testers to try and hack into your network, you should consider doing so.

I suspect that all of the airport owners that have contracts with AVPorts are now considering their options.

And, even if you are not an AVPorts client, how sure are you that you don’t have a similar problem?

While spending money every year on third party penetration tests is expensive, the reputational damage alone to a company like AVPorts, never mind the hard costs, dwarfs the costs of a pen test by probably two-three ORDERS OF MAGNITUDE.

Just food for thought.


Information for this post came from the Port Authority of New York and New Jersey web site and ZDNet.


The Cost of Cyber Breaches

In case you were one of those who thought there was no real cost to cyber breaches, you might want to ask Yahoo CEO Marissa Mayer and General Counsel Ron Bell about that.

The Yahoo Board has decided not to award Mayer, CEO of Yahoo throughout the recent breaches and the renegotiated Verizon deal, any cash bonus at all.  Exactly how much that is was not disclosed, but surely it was in the millions.

In addition to that, the Board voted not to give her an equity bonus (AKA stock or options).  The minimum value of that, according to CNN, was $12 million.

Granted Mayer’s net worth is estimated to around $300 million according to Google, but no one wants to walk away from $10-$20 million.

In addition, Yahoo General Counsel Ron Bell has “resigned”.   According to the company, Yahoo did not make any “payments” to him in exchange for his leaving.

Yahoo’s Board said that the GC had sufficient information to warrant substantial further inquiry in 2014 – two years before the breaches were publicly announced.

In other Yahoo news, Yahoo released its 10-K and said that it recorded a charge of $16 million in 2016 related to the breach.  Given that the announcement of the breaches came late in the year (mid December for the big breach), maybe a number that small makes sense.  It will be much more interesting to hear how much they spend in 2017, 2018 and 2019.

In addition, in that same 10-K, Yahoo said that it did not have any cyber breach insurance.  Seriously?  You’ve GOT to be kidding.

In many cases of a breach, the stock price dives and then rebounds for the most part so investors are not hurt, but in this case, the investors, too, were hurt.

First, the sale price was reduced by $350 million and the sale has been delayed for a year.  Second, Yahoo gets to pay 50% of most of the breach costs and lastly, Yahoo gets to foot the entire bill for the SEC investigation and fines and any shareholder suits.

How many other people at Yahoo were also sacrificial lambs will likely never be known.

Information for this post came from Venture Beat and  Variety.
