DNS Hijacking Malware targets iPhones, Android and Desktops

Most users have never heard of DNS, and of those who have, only a few understand how it works.  That has not stopped the hackers from abusing it very effectively against everyone.

Very simply, DNS maps names like www.xyz.com that people type into their browsers to the IP addresses that computers actually use.  If that mapping can be corrupted, whoever corrupts it decides which server your browser talks to, and, well, then, we have trouble in River City.

Well, it can be corrupted and it has been corrupted and we do have trouble.  In River City.  And elsewhere.

The malware campaign called Roaming Mantis now targets iPhones, Android phones and desktops, in addition to home Internet routers.

Because the attackers control the DNS answers, they can send users to look-alike pages that fool them into installing infected software, and from that point, they can pretty much do anything they want.

Information for this post came from Hacker News.

So what should you do to protect yourself?

First, protect your router:

Use a strong password and NOT the default one.

Turn off the feature that allows you to administer your router FROM THE INTERNET, usually called remote administration.

Even though it is super tempting sometimes, do not install apps on your phone or computer that do not come from known reputable sources.

When you go to a site that asks for your credentials, attempt to verify the site.  Look closely at the URL for typos, look for the secure indicator, and if your anti-virus software tests web sites, look at those results.  A certificate warning on a site you visit regularly is a strong sign that something between you and the site has been tampered with; do not click through it.  Mostly, just slow down a bit and see if what you are being asked to do seems logical.

Beyond that, you are likely going to need expert help.
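A check that belongs with the advice above, added here as an example and not part of the original post or of any vendor's tooling: ask a handful of well-known names through the resolver your machine was handed (normally the router's) and through a resolver you trust, then look for two things a hijacked router produces, answers that share nothing with the trusted answers, and many unrelated names collapsing onto one address. The canary names, the addresses and both answer tables are constructed sample data; the lookups are passed in as functions so the logic runs offline, and `system_resolver` is the only live piece.

```python
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # hostname -> set of IPv4 answers

# Canary names (constructed for this example): in practice pick domains the
# attacker is likely to redirect, e.g. your bank, webmail, an app store.
CANARIES = ["www.example.com", "www.example.net",
            "www.example.org", "login.example.com"]


def system_resolver(name: str) -> Set[str]:
    """Ask whatever resolver the OS was given, normally the router's."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()

# For the trusted side you must pick the server yourself; the stdlib cannot,
# so use dnspython: Resolver(configure=False) with nameservers=["1.1.1.1"].


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Offline stand-in for a resolver, backed by a fixed answer table."""
    return lambda name: set(table.get(name, set()))


def check_resolver(suspect: Resolver, trusted: Resolver,
                   domains: List[str] = CANARIES,
                   collapse_threshold: int = 3) -> Dict[str, object]:
    """Compare the suspect resolver against a trusted one over the canaries.

    Two signals: a name whose suspect answers share nothing with the trusted
    answers, and one address that several unrelated names collapse onto.
    """
    mismatches: Dict[str, Dict[str, List[str]]] = {}
    addr_to_names: Dict[str, Set[str]] = {}
    for name in domains:
        s, t = suspect(name), trusted(name)
        # CDN-fronted names return different IPs from different vantage
        # points, so partial overlap is fine; flag only disjoint answer sets.
        if s and t and s.isdisjoint(t):
            mismatches[name] = {"suspect": sorted(s), "trusted": sorted(t)}
        for addr in s:
            addr_to_names.setdefault(addr, set()).add(name)
    collapsed = {addr: sorted(names) for addr, names in addr_to_names.items()
                 if len(names) >= collapse_threshold}
    return {"mismatches": mismatches, "collapsed": collapsed,
            "hijack_suspected": bool(mismatches or collapsed)}


# Constructed sample tables: the trusted resolver returns a distinct address
# per name; the rogue one parks every canary on a single host.
TRUSTED_TABLE = {
    "www.example.com": {"192.0.2.10"},
    "www.example.net": {"192.0.2.20"},
    "www.example.org": {"192.0.2.30"},
    "login.example.com": {"192.0.2.40"},
}
ROGUE_TABLE = {name: {"203.0.113.10"} for name in TRUSTED_TABLE}

if __name__ == "__main__":
    verdict = check_resolver(table_resolver(ROGUE_TABLE), table_resolver(TRUSTED_TABLE))
    print(verdict["hijack_suspected"], verdict["collapsed"])
    # A live check is check_resolver(system_resolver, <trusted resolver>).
```

Run it as `check_resolver(system_resolver, trusted)` where `trusted` is pinned to a server you chose. A single disjoint answer for a CDN-fronted name is weak evidence on its own; several canaries landing on one address is the strong signal, because that is what a resolver that exists only to redirect you looks like.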

Friday News Bites for May 18, 2018

Signal Does it Right

Matthew Green, the well known cryptographer and professor at Johns Hopkins, said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face.  It’s really nice.”  But even nice code isn’t perfect.  Last Friday, researchers announced a very serious bug in Signal’s Windows and Linux implementation and within hours, Signal had it fixed and available for download.  I wish every vendor moved at this speed.  Signal may not auto update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).

Google Gets It Right – Probably.  Finally.

One of my big complaints about Android is the lack of consistent patching from vendor to vendor.  Some vendors were even caught claiming to have patched software that was not patched.  Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement.  Details are not out yet, so stay tuned, but this, if it happens, will close a major security difference between Android and iOS (Source: The Hacker News).

Facebook isn’t the Only One Selling Your Data

The big 4 cell carriers – AT&T, Verizon, T-Mobile and Sprint – and others are selling your location data to data aggregators such as LocationSmart, which in turn sell it to companies like Securus, sometimes through distributors.  Securus is the company that put its head in a noose by giving location data of judges and state police officers to a sheriff without a warrant and for reasons unknown.  While this data is likely only accurate to a few hundred yards because it uses cell tower data rather than GPS data, it works perfectly even if you have location tracking turned off on the phone, because the carrier, not your phone, is doing the locating.  And, of course, everyone makes money off the deal – the carriers, the aggregators and the distributors.  Sounds like a win for everyone but you and me.  They say that due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal.  While the Sheriff who used it should have had a warrant, private companies who buy the data just need to pay for it – no questions asked as to what or why (Source: ZDNET).

Securus Attacked By Hackers

Securus (as in Secure Us), the incredibly insecure company that gave a Missouri sheriff location information on state police and judges (that we can assume he did not like) with no judicial oversight, has been hacked.  We don’t know whether the attacker was somehow thinking that they deserved it.

One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers.  Assuming this data makes it to the black market, it could be used as a hit list for cops – who already are being attacked on a daily basis.

We also don’t know what else the attacker took or what he plans to do with it.

Securus, who has a track record of poor security, says they are “investigating it” (Source: Motherboard).

For the Second Time in a Week – Another Critical Signal Bug

Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it upgraded itself to 1.11.1.  Yup!  That means that they found another bug – a critical one – that could reveal data and even Windows passwords.

Does this mean that Signal is bad?  Actually not.  Think about the number of patches for Windows that Microsoft has released over the years.  The number is likely in the tens of thousands.  Signal has released 10.  BUT, no software is perfect.  Or invincible.  So upgrade your copy of Signal and don’t assume that Signal is invincible.  It is not.  It is good, but that is different (Source: The Hacker News).

Facebook is in More Hot Water

Glad I am not Mark Zuckerberg.

Well, maybe.  I think I would like to have his bank account 🙂

Facebook is making some efforts to rehabilitate its image within the fundamental constraint that it is selling your data for a living.  While pretending that it is all for your benefit.

As part of this rehab effort, Facebook is reviewing tens of thousands (or more) of apps to find ones that are misusing data.

So far, they have “suspended” about 200 apps.

One app, myPersonality, has likely misused large amounts of data on millions of users over the last 3-4 years.  It, too, is now suspended.

To quote someone (there is a debate as to who) :  With Great Power Comes Great Responsibility.

This may be a defining moment for Facebook.

So what should you do?

The greatest power is the power wielded by the Internet user.  Facebook can only collect information that you provide it. Same for Google.  Sometimes the information is provided willingly.  Other times it is much less obvious, like when Google collects information about what web pages you visit and for how long.

Hopefully, for most people, it is becoming painfully obvious that YOU are the product.

So be careful about what apps you install, what data you provide and to whom.  Or not.  But, if not, understand the implications.  

One thing you should assume.  If you provide information to an app or a public web site, it could become public.   If that is a problem, don’t provide the information.

Information for this post came from The Register.

Are YOU Acting as a Call Forwarding Agent for a Hacker?

If you watch those spy movies, they always seem to show the hackers routing their traffic from computer to computer, making it hard to impossible to find them.

While it is way harder than it seems in the movies, it is very doable.

But in a bone-headed move, many home router manufacturers have enabled a feature – and possibly gave you no way to turn it off – that helps the hackers do this.

Universal Plug and Play (UPnP) was pushed by Microsoft so that consumer devices, the Xbox among them, could open the inbound ports they need without their owners having to understand how home routers work.  Normally, a home router blocks anything on the Internet from connecting to computers inside your network, but that is exactly what a console hosting a game session needs, so Microsoft backed a standard that lets a device on the inside ask the router to open a port, and convinced router makers to implement it.

As bad a security decision as that is, what is worse is that some bone-headed router makers answer UPnP requests on the Internet-facing side, not just from the inside.  According to Akamai, they have already found over 50,000 such routers.

Worse yet, many implementations never check that a forwarding rule points at an address behind the router; they will happily forward to any address anywhere on the Internet.

What this enables is the ability to use your router, if this feature is exposed, as a “call forwarder”, so that the hacker’s traffic looks like it came from your network.

Of course, if this does happen and the hacker does something bad, since it looks like you were the one who attacked XYZ, the feds will come to your door with their assault rifles and bullet proof vests.  Just to ask you a couple of questions.

So, what should you do?

First, there is an easy and free test to see if your router is doing this.

Visit https://www.grc.com/shieldsup.  Shields Up is a great tool, but right now just click on PROCEED and then, when the next screen comes up, click on the big, gold “GRC’s Instant UPnP Exposure Test” button.  The test should take less than 30 seconds and if the box comes back GREEN, you are good.  Anything else, you have a problem.

If you do not understand how to configure network equipment, you are likely going to have to get a professional to help you, but *IF* UPnP can be turned off, the process should be pretty simple and quick.  If your router gives you no way to turn it off, or still fails the test after you do, replace the router.
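The GRC test tells you whether the router answers UPnP from the outside.  The companion check, added here as an example and not part of the original post or of GRC’s tool, is to ask the router what forwarding rules it is currently holding and flag any whose target is not a LAN address, which is exactly the “call forwarding” rule described above.  The SOAP action and field names are the real UPnP IGD ones (WANIPConnection, GetGenericPortMappingEntry); the control URL is an input you take from the router’s device description, and the three sample responses at the bottom are constructed to look like real answers.

```python
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Only these ranges belong behind a home router; a mapping whose target lies
# anywhere else is the "call forwarding" rule described above.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str


def build_request(index: int) -> bytes:
    """SOAP body asking the IGD for the mapping at table position `index`."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>').encode()


def parse_response(body: bytes) -> Optional[PortMapping]:
    """Return the mapping in a response, or None on a SOAP fault (UPnP error
    713 SpecifiedArrayIndexInvalid once the index runs off the end of the table)."""
    fields = {}
    for elem in ET.fromstring(body).iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag == "Fault":
            return None
        if tag.startswith("New"):
            fields[tag] = (elem.text or "").strip()
    if "NewInternalClient" not in fields:
        return None
    return PortMapping(int(fields["NewExternalPort"]), fields.get("NewProtocol", ""),
                       int(fields["NewInternalPort"]), fields["NewInternalClient"],
                       fields.get("NewPortMappingDescription", ""))


def is_suspicious(m: PortMapping) -> bool:
    """True unless the target is a plain RFC 1918 LAN address."""
    try:
        addr = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return True  # a hostname or junk in the client field: treat as hostile
    return not any(addr in net for net in LAN_NETS)


def audit(responses: List[bytes]) -> List[PortMapping]:
    """Parse a batch of responses and keep only the suspicious mappings."""
    parsed = (parse_response(r) for r in responses)
    return [m for m in parsed if m is not None and is_suspicious(m)]


def fetch_mappings(control_url: str, limit: int = 256) -> List[bytes]:
    """Walk the router's mapping table by index until it answers with a fault.
    control_url is the WANIPConnection control URL from the router's device
    description XML (located via SSDP); discovering it is out of scope here."""
    out = []
    for index in range(limit):
        req = urllib.request.Request(control_url, data=build_request(index), headers={
            "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:
            body = err.read()  # faults arrive as HTTP 500 with an XML body
        if parse_response(body) is None:
            break
        out.append(body)
    return out


def _sample(client, ext, internal, desc):
    """Constructed sample response, shaped like a real IGD answer."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>').encode()


SAMPLE_RELAY = _sample("203.0.113.50", 8080, 80, "relay")          # target is not on the LAN
SAMPLE_LAN = _sample("192.168.1.20", 25565, 25565, "game server")  # ordinary mapping
SAMPLE_FAULT = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
                b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
                b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
                b'</UPnPError></detail></s:Fault></s:Body></s:Envelope>')
```

Against a live router the call is `audit(fetch_mappings(control_url))`, run from inside the LAN; an empty list means no rule points off-network.  Loopback and link-local targets are deliberately treated as suspicious, since a forwarding rule that points back at the router itself is another way an outsider reaches an interface that was supposed to be LAN-only.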

Information for this post came from Bleeping Computer.

Washington Can’t Quite Figure Out Cybersecurity

In what is likely no surprise to anyone who watches Washington and especially this administration, there seems to be a bit of confusion regarding cyber security policy.  Is it any wonder, given that, that U.S. businesses are equally confused?

Case in point – ZTE.

ZTE is a Chinese electronics manufacturer with “close ties” to the communist Chinese government.  We should assume that is a covert way of saying that the government controls them.

The U.S. intelligence community, which this administration seems to ignore when convenient, has been saying that there is significant risk in using ZTE phones and electronics.  In fact, the head of the FBI told Americans when testifying before Congress earlier this year to steer clear of ZTE devices because of the risk.

Last month the DoD stopped selling ZTE phones at military base exchanges.

The FCC has taken steps to ban the use of federal funds to buy ZTE equipment.

And most recently, the Commerce Department banned U.S. companies from exporting chips to ZTE.

Not surprisingly, ZTE is, fundamentally, out of business.

In a slightly surprising move, especially in light of President Trump’s rhetoric about protecting American jobs and American technology, the President Tweeted on Sunday that he wants the Commerce Department to relax the ban on a company that steals U.S. technology, likely spies on Americans, kills U.S. jobs and violates the embargo on sales to North Korea.  Trump’s reasoning?

President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!

Other than that, Mrs. Lincoln, how was the play?

Republican Senator Rubio from Florida Tweeted:

Problem with ZTE isn’t jobs & trade, it’s national security & espionage. Any telecomm firm in can be forced to act as tool of Chinese espionage without any court order or any other review process. We are crazy to allow them to operate in U.S. without tighter restrictions 

He was far from alone.

What will ultimately happen is unknown, but it seems like it will be very favorable to the Chinese and a really bad deal for the U.S.  Similar to the President’s complaint about the Iran deal.  But, when it comes to politics, the rules are very strange.

The Washington swamp is at its normal configuration.

OK, given this, what should you do?

My recommendation is that even though ZTE devices are cheap (because the Communist Chinese government subsidizes them), stay away from them.  There are plenty of lower priced devices from other countries that function quite well.  Probably not as cheap as ZTE, but if you are concerned about American jobs, American technology and American information, don’t do it.  Do not reward the Communist Chinese government.

In fact, the smart money would say to avoid all Communist Chinese electronics – there is just no way of knowing if those devices are spying on you and the evidence is that they are.

But, you say, what do I have that they might want?  The answer to that is that, like the NSA, they never vacuumed up any data that they didn’t like.  Whether it is to look for patterns, to gain intelligence to use against you later or for other reasons unknown, they just do it.  The difference is that the NSA is most likely working for our side.

Information for this post came from The Washington Post.


Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its referral to the European Court of Justice.  The question referred is whether Standard Contractual Clauses and the U.S. Privacy Shield provide sufficient protection for EU residents’ private data.  Facebook wants to appeal the referral decision to the Irish Supreme Court because the last place it wants to be is before the ECJ, which ruled against it in the last privacy suit and struck down Privacy Shield’s predecessor, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would likely have criminalized cybersecurity research and allowed so-called hack back attacks, where victims hack the hackers (what could possibly go wrong when security novices go after professional hackers?).  The bill, written by lawyers, was so vague that it might have made reporting a vulnerability a crime.  Equally likely, the large cybersecurity firms with offices in Georgia would have left the state and security researchers at Georgia universities would have found more understanding states to do their research in.  Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before they write the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company.  IBM’s Global Chief Information Security Officer made the announcement saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”  IBM isn’t saying “Why now?”, but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban (device-control policies on the endpoints, which all the major operating systems support), and if done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others, it will likely reduce certain types of information leakage.  Block the USB path without addressing the cloud-sync path and the data simply takes the other exit.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware.  Researchers are warning people of a campaign, said to have already infected a hundred thousand users, where people are lured to click on a link on social media which redirects them to a page that tells them that they have to install a plugin or browser extension to continue reading the page.  DON’T!  Once the software is invited in by the user, it steals passwords for a variety of accounts.  Other variants of this type of attack could empty your bank account when you log in to your bank or forward all of your email to the hacker, to give two examples.

If you think you need a plugin or browser extension to view a page and it is not already installed, independently find that extension and install it from the vendor’s site.  Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (Source: The Hacker News).

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data that they have of ours.   Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is meant to record and track phone calls to and from prisoners.

Unfortunately, he used it to track calls of a Judge and members of the State Highway Patrol.  This would allow him to track the location and obtain call data of these people. And anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and certify that the activity was legal – basically, pinky swearing.

When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on – who knows (Source: NY Times)?