iOS 11 Cop Button Won’t Make Friends With Any Cops

Courts have been pretty divided as to whether people can be forced to unlock their phones or computers and whether compelling you to unlock your phone amounts to forcing you to incriminate yourself in violation of the Fifth Amendment to the U.S. Constitution.

At this point, the general theory is that if your device is locked with a password, forcing you to reveal something you know is like testimony and violates the Fifth Amendment.

On the other side, if you lock your phone with a fingerprint or now a faceprint, you can be compelled to provide your finger or face to unlock the phone, because that is like being forced to submit a DNA or blood sample, and in the courts’ view that does not conflict with the Fifth Amendment.

That being said, there is at least one person who has been in jail for two years for contempt of court for failing to unlock an encrypted hard drive in a child porn case.

So what if you want convenience but also don’t want the cops to be able to unlock your phone by solely pointing it at your face?

Enter the “cop button” in iOS 11.

There is a not-well-documented but now well-known feature that allows you to quickly disable biometric authentication and, optionally, dial 911.  I am sure that Apple will play up the quick way to dial 911 and play down the disabling of biometric login, but the cat is out of the bag.

So, how do you do it?  Press the power button FIVE times quickly and it will disable biometric unlock and OPTIONALLY, if you choose to configure it that way, call 911.

So when you see the lights and siren of the cop in your rear view mirror, you press the power button five times, toss the phone on the passenger seat and the phone now requires a password.

Compare this to the pre-iOS 11 options: reboot the phone, use the wrong finger enough times for it to lock you out, or disable Touch ID in Settings.  The five-press method is far quicker and more discreet.

Even though many law enforcement members use Apple phones, this new feature is not likely to make Apple a lot of new friends in the law enforcement community.

Information for this post came from The Verge.

Montgomery County Hit With Ransomware – Pays $40-$50,000 To Get Files Back

Montgomery County, Alabama joined the ranks of probably millions of others and paid a ransom to get their data back after hackers threatened to erase their data if the ransom was not paid within 7 days.

While details are sketchy, reports are that the attack began Monday around 5 PM (at the end of the day) and probably spent all night encrypting data.  By Tuesday morning systems such as vehicle tags, car registrations and marriage and business licenses were down.  Reports said that 70 terabytes of data were encrypted without anyone noticing.

The Chairman of the County Commissioners, interviewed by the Montgomery Advertiser (linked below), said it was an “unfortunate situation” and “you don’t think about these situations until they happen”, but now he says it is “kind of an emergency situation”.

While we can laugh at his response because it wasn’t our systems that are down, the reality is that all of his comments are pretty accurate.  Most businesses don’t have a disaster recovery program, an incident response program, tested backups or trained emergency resources already identified and contracted for.  In fairness, some businesses are prepared, but they are the minority.

The County CIO, Lou Ialacci said that they tried to restore from backups but were unable to for some reason not related to the attack.  Perhaps, the backups weren’t working or didn’t exist.

The Chairman of the County Commissioners NOW says that they are going to do whatever it takes to prevent this from recurring.

That comment is also not unusual – after the horse is out of the barn, down the road and the barn is on fire, it gets pretty real for people.

The county also said not to worry – no data has been compromised.  Are they sure?  It wouldn’t be very hard for an attacker who already has write access to every file to also copy that data out to the cloud somewhere before encrypting it.  Since the hacker has the key, he or she can then read it at their leisure.  I don’t know whether that happened in this case, but it definitely happens sometimes, and “nothing was stolen” is not something you can assert without logs that show what left the network.

In Montgomery County’s case, they had to pay the hackers 9 Bitcoin or about $40,000 to $50,000 in taxpayer dollars based on the then current Bitcoin price.

My guess is that Montgomery County was not specifically targeted by Vladimir Putin, so I think we can safely say this was an attack of opportunity.

The county is being pretty quiet as to what happened, but likely someone clicked on a link or opened an attachment and it was all over at that point.

The message here is that businesses especially, and individuals too, need to be prepared.  Anyone can get targeted.  The bad guys might send out 10 million emails and hope a few people click on them.  At $40-$50 thousand a pop, you don’t need very many people clicking to earn a very nice living.  Ten people click on it and you might make a cool half mil – tax free, I might add.

Are you prepared?

Are you sure?

Have you tested it?

You don’t want to be the next Montgomery County.

Information for this post came from the Montgomery Advertiser and TechTalk.

Why Using SMS Text Messages For Two Factor Authentication Is A Bad Idea

Signalling System 7 or SS7 is the communication system that telephone carriers, both cellular and land line, use behind the scenes to route calls.

Originally developed in 1975 – way before the Internet was popular – SS7 has virtually no security built in.  It relies on the assumption that only trusted telephone companies can reach the signalling network between switches, which, in this day of hundreds of carriers and resellers with SS7 access, is a really bad concept.

Hackers have demonstrated before that they could hijack text messages by exploiting SS7, but the white hat hacking group Positive Technologies wanted to see if they could empty a customer’s Bitcoin wallet starting only with the person’s name and phone number – not exactly secret pieces of information.

Their objective was to break into someone’s Bitcoin wallet and steal their money.  Spoiler:  they succeeded.

How did they do it?

Using Google’s find-your-account service, the researchers were able to find the user’s Gmail email address from the name and phone number.

Then, using hacks that they had created earlier, they were able to get into a carrier’s network in Europe.  Once inside the carrier’s network, they could tell the network that the victim’s phone was roaming on their switch, so text messages destined for the victim in America were routed to the researchers instead.

That done, they requested a password reset for the user’s Gmail account and received the SMS reset code themselves.  Now that they “owned” the user’s Gmail account, they could do password resets on other accounts such as Bitcoin wallets and bank accounts.

Both of these hacks were possible because the second factor being used was an SMS text message.  Since the hackers were inside the carrier’s network, they could read text messages at will.

Once they had reset the user’s password and were intercepting text messages destined for the user’s phone, they could log on to the user’s bank accounts or Bitcoin wallet and empty them out.

Let’s say that you are security conscious and you choose another option for your second factor – say a voice call to your land line.  Ignoring for a moment that the same SS7 hack will allow the bad guys to call-forward your land line and obtain the verification code, there is yet another security problem.

The carriers or web site operators want to be customer friendly.  Friendly and secure are usually at odds with one another.  This is one such case.

Have you ever seen a web site that says “we offer an online password reset feature that will allow you to reset your password from (say) your phone, but since you are a security conscious user and understand that this feature is a security nightmare, we will give you the option to permanently disable this feature”?   I didn’t think so.    Therefore, even though YOU choose not to use SMS messages as a second factor, it doesn’t mean that the web site won’t let a hacker use that option as a recovery path.

These tests were done with demo accounts and no money was harmed in the creation of this hack – but that’s because these guys were the good guys.  There are a lot of variables to consider, but the purpose of the test was to demonstrate what is possible.

In fact, using SMS text messages as a second factor is considered so weak that the National Institute of Standards and Technology (NIST) has said that no new government systems are allowed to use SMS text messages as the second factor to authenticate a user.

It will take a while to get web site operators to get the message, but the more pressure we apply to those web site providers, the quicker this problem will be fixed.

All that being said, even a text message based two factor authentication is way better than using just a password.

Information for this post came from The Register.


CCleaner Malware Adds New Risk For Users

CCleaner is a very popular disk utility that lets a user clean up and securely erase certain content from their hard drives – deleted files, cookies, temporary files and browser history, among many other things.

Coming in both a free and paid version, CCleaner has been used safely by users for years.

Last month, however, hackers managed to inject malware into the CCleaner download.  This malware was not just any garden variety malware, but rather highly targeted to very select tech and telecom companies.

To improve security, CCleaner digitally signs all downloads, and this infected one is no exception: it carried a valid Piriform signature.  That means the bad guys managed to insert the malware into the build process prior to the code being signed, and in a way that was not detected during testing.  It also means a valid signature only proves a binary came out of the vendor’s pipeline, not that the pipeline itself was clean.

The infected code was downloaded over two million times!

Without going into the gory details (you can read the Ars Technica article linked below if you want that information), the malware inside the official release of CCleaner, once installed, downloaded a second stage malware but only to a very select, few individuals.

The software included a list of companies to doubly infect, including Intel, Sony, Samsung and a handful of others.  The folks that own CCleaner have detected 40 of these doubly infected PCs, but, of course, there might be others.

It is likely that an attack as sophisticated and targeted as this one is state sponsored.  Current guess is China.

It SEEMS like this attack has been contained, but what if the attackers had not been focused on stealing intellectual property from specific tech firms?  What if the hackers had been bent on doing damage?  Let’s say the software had erased or encrypted the data on those two million computers, rather than delivering a second stage to only 40 of them, and what if it had provided no way to get the data back.  Likely that would have had cost, compliance and brand damage implications, and maybe even health and life safety implications.

If YOU develop software, you could be the next CCleaner.  You could be distributing very nasty malware.

What if it happened to your PC?  Or the software that you distribute?  Are you ready to deal with it?

Information for this post came from Ars Technica.

Deloitte Touche Hacked, Customer Data Exposed

Update to who may be affected.  On October 10th, 2017, the Guardian reported that while Deloitte has only admitted that it has notified six clients, sources are saying that the server that was compromised contained emails for 350 clients, including the US Departments of State, Energy, Homeland Security and Defense, the US Postal Service, the National Institutes of Health, Fannie Mae and Freddie Mac, among many others.  Deloitte did not deny that any of these clients had information in the system that was hacked, but it says that none of these organizations was “impacted”, whatever that means.  They said that the attackers only targeted a small fraction of the emails stored on the platform.  The sources who spoke with the Guardian contested these claims.  No doubt, to be continued.

Timeline update:  Deloitte discovered the breach in March of 2017, but it is believed that hackers had been inside the cybersecurity consulting firm’s systems since the prior October or November, so it took Deloitte about 6 months to discover the breach.  They hired the law firm of Hogan Lovells in April to help them investigate and manage the spin, and it took another 5 months for the secret to leak out.  One assumes that they notified affected customers more quickly than we found out about it.

In what has to be a very embarrassing situation, Deloitte was forced to admit that its corporate email was hacked because an administrator account was not protected by multi-factor authentication and corporate policy, apparently, did not require it.

Now Deloitte is paying Hogan Lovells who knows how much money to figure out what data was stolen so that they can notify the appropriate clients.

In addition to emails, the Guardian says that hackers had access to userids and passwords, IP addresses, architectural diagrams for businesses and health information. Some of the emails had attachments with sensitive security and design information.

Apparently Deloitte only told a handful of partners and lawyers about the breach.  One can only assume that was to contain the damage.  Unfortunately for Deloitte, you cannot keep information like this secret for long.

Deloitte hired Hogan Lovells in April to provide them with advice on a possible cybersecurity incident and the fallout from that. Apparently, you can keep something like this secret for about four or five months.

Deloitte told the Guardian that only a handful of customers were affected;  so far, they claim, they have notified 6 customers.

Deloitte’s CyberIntelligence Center provides clients with 24×7 business focused operational security.  I wonder if they are their own customer.

In 2012 Deloitte was ranked the number one cyber security consultant in the world (the article says they were ranked the best;  that is not correct.  They were ranked number one by sales volume).

For them to have to admit that hackers stole confidential client data from their email system because they were not following what is considered industry standard practices….

While they are not saying very much about what happened, apparently an administrator’s password was compromised, and because that account was not using two factor authentication, a single password was all that was required for 5 million emails belonging to 240,000 employees to be potentially exposed.

Deloitte says that the number of emails compromised was a small fraction of the 5 million number.  Is 2 million a small fraction?  They are not saying.  One has to presume that because they are being very coy with the numbers, the answer must look pretty bad for Deloitte.

Deloitte has the resources to recover from this, even if they lose clients and it costs them a couple hundred million dollars.

For most companies, a breach like this could represent a fatal event.

What would this do to your company?

Are you even prepared to respond to an event like this?  Deloitte can afford Hogan Lovells’ billable rates (likely in the $500 an hour range), but can you?

Have you implemented “best commercial cyber security practices”?  Requiring two factor authentication for email administrators is probably not “best” commercial cyber security practice; it is likely considered “average” cyber security practice.

Deloitte wasn’t even doing that well.

How about you?

Information for this post came from the Guardian.


Hackers Shut Down Entire School District For Days

All schools in Flathead County, Montana were closed on September 14 and 15 and all extracurricular activities and athletic events cancelled as a result of a ransom threat from the well known hacker(s) called The Dark Overlord.

This was not a ransomware attack where the district’s data would have been encrypted, demanding a ransom to decrypt it.

Instead, the hackers broke into the district’s server (the district has 15,000 students; I suppose it is possible that it only has one server, or at least that the server they hacked had all of those records in it) and stole addresses, medical records, behavioral records, and other data from past and present students, staff and parents.

They sent threatening messages to parents saying that the hackers would kill as many people as possible if the ransom was not paid.

The hackers demanded $75,000 in Bitcoin if paid quickly, $100,000 in Bitcoin if someone wrote an embarrassing letter and $150,000 in Bitcoin if paid out over a year.

Given that the ransom notes were sent to parents, the cat was out of the bag.  The Sheriff decided, as a result, to release the ransom note sent to the District Board.

Historically, The Dark Overlord – if that is who is really doing this – has not resorted to threatening to kill people.  This would be a new low.

After several days, the police, working with other law enforcement agencies, concluded that the hacker(s) were not local to northern Montana and therefore would not realistically be able to carry out the threat to kill children.  Schools resumed after being closed Thursday and Friday, with sports and extracurricular events having been cancelled on Saturday and Sunday as well.

The hacker(s) contacted the Flathead Beacon, the local newspaper and in a conversation, the hacker(s) said the goal was to kill as many people as possible in a place where no one would expect.

The hacker said that he wanted people to live in a state of fear before he makes his move.

When asked if this was politically motivated, the hacker claimed that the goal was to exterminate human life and smear the government.

Law enforcement said that all district schools were taking necessary precautions to ensure that no data breach occurs.  I am somewhat skeptical of this claim, since the district was already breached; unless they turned off and unplugged all the other computers, the best they can promise is that no further data leaves.

Law enforcement said that they feel that there is no threat to the physical safety of our children.

This is totally a crap shoot on their part.  The odds are in their favor, which is a good thing, but there are no guarantees.

That fact is a problem.  I am going to side with them and hope this is an empty threat.  At least this time.

As long as organizations make it as easy as taking candy from a baby to break into their computer networks, they are making it easy for the hackers.  Once hackers control an organization’s data, whether by encrypting it in place or by actually stealing a copy, they have many more options than before.

Hopefully, this is a one-off and not a trend and hopefully this is one mentally deranged individual, but whether that is true is unknown.

Whatever this is, it is certainly an escalation of hostilities.  *IF* this is an indication of what hackers might do in the future, that represents a scary future.

Assuming this was a target of opportunity, and it likely was – a small school district in rural Montana is unlikely to be a strategic target – then our objective has to be to make it difficult for that random cyber attack to succeed.

Information for this post came from the Flathead Beacon and Naked Security.