Kansas Man Killed by Police in Swatting Prank

UPDATE: A 25-year-old Los Angeles resident, Tyler Barriss, has been arrested by police.  Barriss has served time in California for making threats.  As a repeat offender, possibly facing charges from both state and federal authorities, this idiot’s game is likely “game over” for the rest of his life.

Swatting, the practice of placing a fake 911 call telling police that there is a kidnapping in progress or a man with a gun, has become all too common over the last few years.

This week an unarmed man was shot by police who had been told by the prankster that the man had shot his father and was holding his mother and brother hostage.

The man later died at a local hospital.

The practice of swatting has become too popular – hundreds of cases a year.  My guess is that Wichita, being a relatively small city (under 400,000), probably has not had to deal with this issue.  SWAT in all but the very largest cities is under-trained and, unfortunately, can wind up in situations like this.  While the officer has been suspended, it is very unlikely that he will face any disciplinary action.  In the meantime, the family is left to deal with this crisis.

In this case the gamer who initiated the prank basically admitted it on Twitter just before he changed his Twitter handle.  I assume the police have his identity and IP addresses or will very soon (I assume Twitter will cooperate fully – having customers die because of something that happened on their platform is very bad for business).

The prankster admitted to the prank but disavowed responsibility in a tweet after the man was shot – see below.

Krebs on Security was able to capture several weeks’ worth of tweets, and in a direct message conversation the man admitted to making money doing this and also making fake bomb threats.  I am sure that Brian will be turning over those messages, along with the DM conversation that he had with the prankster, to investigators.

This is one of those situations where the police have a wealth of information regarding the person who committed this crime.  In another case of swatting, a man in Maryland is facing 20 years in prison.

The issue here, besides the fact that someone died needlessly, is that there is no security in the 911 system or in Caller ID.  Both were designed decades ago with zero thought to security.  The odds of this problem being fixed any time soon (it would cost billions to fix) are about zero.

The best we can hope to do is educate the police.  And train them.  I hate to say this, but it appears that the officer who shot the man panicked.  The man never produced a gun and never pointed anything, apparently, at the police.  He was unarmed according to the Wichita Police Chief.

With regard to the guy who phoned in the false report – I hope he rots in jail for a very long time.  I have zero sympathy for him.

Whether the family of the dead man sues the police department is unknown, but if I were taking bets, I predict the City of Wichita will be writing a settlement check with a lot of zeros to make this go away.  Taxpayer dollars at work, as most cities are self-insured.  As an example, Denver, Colorado has written checks to the tune of tens of millions of dollars over the wrongful actions of police over the last few years.

Information for this post came from Krebs on Security.

Researchers Guess PINs With 99.5% Accuracy

To be fair, this test was based on choosing PINs from among a list of 50 random PINs.  The researchers collected a pool of data for 500 test PINs and used that along with the data collected from the test cases to guess the PIN used almost 100% of the time, on the first guess.

Still, this is certainly concerning.  *IF* you EVER give EITHER an Android or an iPhone app permission to access sensors, then it can access those sensors for as long as the app is installed.  If the app is malicious, it could use that sensor data to capture your PIN.

These researchers used data from the phone’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor to figure out the PIN.  This test was a proof of concept, so even though the test had limits, if a hacker wanted to spend some effort on it, he or she could likely improve the effectiveness over what the researchers achieved.

The problem is that once you grant an app permission, it can access these sensors without any indication that it is doing so.

Longer PINs are not a cure either, according to the researchers.  All it takes is some work to build the table of data of sensor information for different possible PINs.  Longer PINs mean bigger tables, but unless the PIN is insanely long, the problem is manageable.

If the researchers tried to guess all 10,000 possible 4-digit PINs, their success rate went down to 83% within 20 tries.  This of course is nowhere near as good as 99.5%, but 83% is still pretty good.

Likely as researchers continue to test the limits of this capability it will force Google and Apple to make some changes.

So what can you do?

Obviously, longer passwords and PINs make things more difficult, but sometimes you don’t have a choice about that.

Two factor authentication has a HUGE positive effect on this because even if they can guess the PIN, that value won’t work the next time around.

Finally, set your device down on a hard surface and do not move it while you are entering that PIN.  That way the various sensors have much less data to work with.
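The second-factor advice above works because a one-time code is only good for one short window and one use. The following is an added example, not code from the original post or from the researchers: it implements RFC 6238 TOTP (the usual form of the second factor) plus a server-side verifier that rejects a code once it has been accepted, so a code captured while the user typed it cannot be replayed. Assumptions: the shared secret is handed over as raw bytes (authenticator apps normally Base32-encode it), and the secret used in the demo is the RFC 6238 Appendix B test key, not a real credential.

```powershell
# Added example (not from the original post): RFC 6238 TOTP generation and a
# replay-resistant check. The key below is the RFC 6238 Appendix B test key.

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Digits = 6,
        [int]$Period = 30
    )
    # Time-step counter as an 8-byte big-endian value (the HOTP counter of RFC 4226)
    $counter = [long][math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window
    $offset = [int]$hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

# Server-side check: accept the current step or one step either side to
# absorb clock drift, but never accept a time step at or before the last
# accepted one, so a code seen once is dead even inside its 30-second window.
function Test-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [Parameter(Mandatory)][long]$NowUnixTime,
        [Parameter(Mandatory)][hashtable]$State,   # per-user record of the last accepted step
        [int]$Digits = 6,
        [int]$Period = 30
    )
    $currentStep = [long][math]::Floor($NowUnixTime / $Period)
    foreach ($delta in -1, 0, 1) {
        $step = $currentStep + $delta
        if ($State.ContainsKey('LastStep') -and $step -le $State['LastStep']) { continue }
        $expected = Get-TotpCode -Secret $Secret -UnixTime ($step * $Period) -Digits $Digits -Period $Period
        # Production code should use a fixed-time string comparison here
        if ($expected -eq $Submitted) {
            $State['LastStep'] = $step
            return $true
        }
    }
    return $false
}

# Demo with the RFC 6238 Appendix B SHA-1 test key (ASCII "12345678901234567890");
# a real deployment would take the time from [DateTimeOffset]::UtcNow.ToUnixTimeSeconds().
$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$state  = @{}
$t      = 1111111109
$code   = Get-TotpCode -Secret $secret -UnixTime $t
Test-TotpCode -Secret $secret -Submitted $code -NowUnixTime $t         -State $state   # fresh code, accepted
Test-TotpCode -Secret $secret -Submitted $code -NowUnixTime ($t + 5)   -State $state   # same code again: replay, refused
Test-TotpCode -Secret $secret -Submitted $code -NowUnixTime ($t + 120) -State $state   # four steps later: expired, refused
```

Running `Get-TotpCode` with `-Digits 8` and the timestamps from RFC 6238 Appendix B lets you check the implementation against the SHA-1 column of that table. The point for the PIN attack is the state record: a spied code is worthless after the first use regardless of how many sensors the spying app had.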

Information for this post came from Bleeping Computer.


Russian AV Software Banned While FBI Uses Russian Fingerprint Software

Gene Kaspersky’s anti-virus software has been banned from being used by the Federal government mostly because an NSA software developer went “off the reservation”, took some classified software home and loaded it on a personally owned PC running Kaspersky’s AV software configured by the developer to share potentially malicious software with Kaspersky, thereby compromising an entire development project (see article here).

That was enough to get Kaspersky’s software banned from the government.

In the meantime, it appears, the FBI and 18,000 other law enforcement agencies are running fingerprint software developed by a French company who partnered, secretly, with a Russian company.

The Russian company has close ties to Putin, the Kremlin and the FSB.

The FBI opted to buy the fingerprint software from Paris-based Safran rather than from a U.S.-based company.

The Paris company partnered with Russian company Papillion to improve its software capabilities but decided to keep that fact completely secret.  Papillion boasts on its web site about working with the FSB, the successor to the KGB.  In the agreement between the two companies, it says that they need to keep the agreement secret because if it came out that the Russian software was in use it might doom the French company’s bid.

Apparently, according to documents which are part of a whistleblower lawsuit, the Russian company signed a document that there were no backdoors in their code.  That, I am sure, will handle all issues.

At risk here is the fingerprint and related data of tens of millions of Americans and others whose fingerprints are stored by those 18,000 law enforcement agencies.

After all, if the FSB front company signed a piece of paper that their software had no backdoors in it, surely they would not lie about something like that, would they?

As the whistleblower suit proceeds we will know more.

I also assume that FBI, NSA and contractor software and security experts are poring over that software with a high-powered microscope.

However, one more time, it points out the critical nature of understanding the software supply chain.  Every piece of software developed has a software supply chain and we can certainly cover our eyes and pretend it is not a problem.  I don’t think that is working out so well for the FBI right now.

Information for this post came from Buzzfeed.

Enterprises Using AD Connect at Risk of Stealthy Admins

Researchers have discovered a problem with AD Connect in an Office 365 hybrid AD environment.  In this situation, hybrid means both onsite Active Directory and cloud Active Directory.  This is the environment that most Office 365 users who federate accounts use.

The bug was discovered earlier this month by Preempt, a vendor of cyber security tools.

The result is users with unexpected and undesired elevated privileges.  While many tools will detect normal AD administrators, this particular flaw creates admins that are not obvious.

In this case, the flaw grants users elevated privileges through the domain Discretionary Access Control List (DACL) configuration.  Preempt calls them stealthy administrators.

Curiously, this bug is only present if users installed AD Connect in EXPRESS MODE.

This is in addition to the problems related to AD Writeback (Microsoft KB 4033453), which grants Azure admins complete control over on-premises AD.

As people rush to the cloud it is not surprising that there are unintended consequences.  The cloud is still very new.  The Internet is very new.  In the grand scheme of things, computers are relatively new. And, cloud computing itself is moving at an incredible velocity.

What there is to do is stay on top of these issues and apply the appropriate fixes as they are released.  And not panic.  It does not appear that this is the kind of flaw that is easy for hackers to exploit.

In the meantime, Preempt has created a free tool that allows admins to detect any accidentally created stealthy admins;  the link to the tool can be found in the article below.
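Since the stealthy admins come from the domain DACL, the audit an admin can run independently of any vendor tool is to read that DACL and list every principal holding rights that amount to domain-admin control. The following PowerShell is an added example, not Preempt's tool and not code from the original post: it reports holders of the directory-replication extended rights, or of GenericAll, WriteDacl or WriteOwner on the domain root, that are not on an expected list. Assumptions: it runs on a domain-joined Windows host with the RSAT ActiveDirectory module, and the expected-holder list is an assumption for a default domain that must be tuned to the environment.

```powershell
# Added example; not Preempt's tool and not code from the original post.
# Lists principals with domain-admin-equivalent rights on the domain object
# that are not on the expected list, as candidates for review.

Import-Module ActiveDirectory

# Extended-right GUIDs for directory replication (rights that let an account
# pull account secrets from a domain controller)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-StealthyDomainAdmin {
    param(
        [string]$DomainDN    = (Get-ADDomain).DistinguishedName,
        [string]$NetBIOSName = (Get-ADDomain).NetBIOSName
    )
    # Principals that hold these rights in a default domain (assumption; tune per environment)
    $expected = @(
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators',
        "$NetBIOSName\Domain Admins",
        "$NetBIOSName\Enterprise Admins",
        "$NetBIOSName\Domain Controllers",
        "$NetBIOSName\Read-only Domain Controllers"
    )
    # Rights on the domain root that let a holder grant themselves anything else
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        $why  = $null
        if ($ReplicationRights.ContainsKey($guid)) {
            $why = $ReplicationRights[$guid]
        } else {
            foreach ($r in $dangerous) {
                if ($ace.ActiveDirectoryRights.HasFlag($r)) { $why = "$r on domain root"; break }
            }
        }
        if (-not $why) { continue }
        $principal = $ace.IdentityReference.Value
        if ($expected -contains $principal) { continue }
        [pscustomobject]@{
            Principal = $principal
            Right     = $why
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: every row is an account or group to justify or remove. A directory
# sync service account the deployment is known to need is one thing; an
# ordinary user or a helpdesk group holding replication rights is another.
Get-StealthyDomainAdmin | Format-Table -AutoSize
```

Run it once before and once after applying Microsoft's fix, and keep the output with the change record; the rights it flags are exactly the ones that ordinary "who is in Domain Admins" tooling never looks at.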

Information for this post came from Preempt.

Congress Votes to Kick The Can Down The Road on Spying

Section 702 of the Foreign Intelligence Surveillance Act allows the intelligence community to collect intelligence on non-Americans outside the United States without a warrant.  As the intelligence community hoovers up huge quantities of data (they just built a new facility in Utah so that they could bring enough storage online to hold all the data), it is inevitable that they will collect information on Americans, absent a warrant, absent probable cause.  They say there are controls in place to protect Americans, but those controls do not, some say, match the requirements of the Fourth Amendment to the U.S. Constitution.

The Congress, in 2008, had the wisdom to require that Section 702 be renewed every few years.  The result of that is to force a debate and make Congress-critters go on record voting for or against whatever the revised 702 requires.  The last vote to renew Section 702 was in 2012 and it is set to expire on December 31, 2017, about 7 days from now.

In Congress there are several different factions right now:

  • One group wants to renew Section 702 as is and make it permanent.
  • Another group wants to require the FBI to get a court order before viewing information on Americans – information that they hope to use in criminal cases.
  • Others want the FBI to go to the Foreign Intelligence Surveillance Court to weigh in on the legality of a query on Americans, pretty much a rubber-stamp approval.
  • Finally others want to scrap it entirely.

So Congress does what it does best and renewed Section 702 for another 28 days and went on vacation.

Congress is on vacation until January 8th, and with absolutely no agreement on what to do and only 10 days between when Congress returns and the expiration, do not be surprised if Congress kicks the can down the road again and extends it another 30 days.

Unlike some bills in Congress, this is not an Elephants vs. Donkeys issue;  this is a privacy rights vs. national security issue.

The House Freedom Caucus Chairman told the media that no long term extension would get through Congress at this time.

Republican Sen. Rand Paul and Democratic Sen. Ron Wyden want to bring the fight to the floor.

My personal opinion is that Congress is unlikely to let Section 702 expire.  I just don’t think that is going to happen.  But what form of restrictions are going to be put in place – that is a much harder question to answer.


Information for this post came from the Washington Post.



Mirai Botnet Creators Plead Guilty

The creators of the Mirai botnet pleaded guilty earlier this month in an Anchorage courtroom.

The Mirai botnet unleashed a distributed denial of service attack on the French cellular carrier OVH and another DDoS attack against DYN, the DNS provider for Amazon, Netflix and many other heavy duty web sites.

The DDoS attacks took those and other sites down, confusing and inconveniencing users.  For a while, the feds thought this was going to turn into an attack on critical infrastructure.

But the interesting part is what Paul Harvey used to call “the rest of the story”.

Mirai was created by a Princeton University student and two others.  But the why is the interesting part.  They were running a Minecraft server and, in order to make more money, they had to get more kids to sign up for their server rather than their competitors’.  The easy way to do this – take out their competitors’ Minecraft servers.  And take them out, they did.  Along with a LOT more.

In the first 20 hours, Mirai took over 65,000 Internet of Things devices.  It then DOUBLED in size every 76 minutes, eventually stabilizing at around 200,000 to 300,000 devices.  At its highest level, it was controlling 600,000 devices.

The scary thing is that the attack was not very sophisticated.  The Reaper attack that I wrote about the other day is way more sophisticated and way more dangerous if it is weaponized.

When Mirai went after OVH, the attack peaked at 1.1 terabits per second of garbage traffic.  Before then, a large DDoS attack was in the 10 to 50 gigabits per second range, so this attack was probably 20 to 100 times the size of what was considered a large attack.

For some sites like Brian Krebs, who was also attacked, the attack was so large that their DDoS prevention services – in Brian’s case, Akamai – shut down his web site.  Brian was off the air until Google stepped in to host him.  For Google’s engineers, this was likely considered a challenge.  After all, I am sure that Google faces lots of attacks themselves and if they could stop this attack (almost 700 gigabits per second), then they would be able to stop a similar attack against them.

We do not know what kind of sentences these three will face, but I am completely OK if it is a very long one.  They did some serious damage.

Information for this post came from Wired.