Does Quantum Computing Mean the End of Encryption

If you believe all of the news reports, quantum computers are here and can break all of the encryption that we have ever used.

A bit hyperbolic.

Dorothy Denning, a very well known security researcher who has written 4 books and over 200 articles while teaching at Purdue, Georgetown and the Naval Postgraduate School, wrote a very readable article on the subject.

She explains what is and what is not real and why.  In English.

She makes a distinction between symmetric key encryption like AES and public key encryption.  For AES, there are reasonable solutions to the problem.

For public key encryption, one algorithm is based on the supposedly hard problem of factoring numbers.  So far the largest number that quantum computers have factored is 15 (4 bits).  Given that most public key encryption is 1,024 or 2,048 bits, they are not quite there yet.

One study said that quantum computers would need to be 100,000 times faster and 100 times less error prone.

But they will get there.

However, the National Institute of Standards and Technology (NIST) is evaluating 69 new potential post quantum encryption algorithms.  They plan a draft standard by 2024 if not sooner.

So as long as quantum computers don’t get 100,000 times faster and 100 times more reliable in the next 5 years or so, we are probably OK.

Read Dr. Denning’s article here.  Put your mind at ease.


Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, who told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe they are being optimistic), has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place since he, earlier this year, said the FCC can’t regulate the Internet and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC).

Yet Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending messages to wallets in rich text.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution, so Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers posted the cables online and, when they were found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data that it is storing about them.

Amazon complied with such a request recently.  The only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (which could be both intimate and embarrassing), were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Echo Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers had been in the system since January; the district discovered it in October and told people about it last week.  Source: Newsweek.


U.S. Considering Nationwide Ban on Chinese Telecom Gear

As the trade war between the U.S. and China heats up, President Trump is considering issuing an executive order banning all U.S. companies from buying telecommunications gear from companies deemed to be a national security threat.

Right now this is seen as a targeted action against two Chinese vendors – ZTE and Huawei.

The executive order would invoke the International Emergency Economic Powers Act and I would expect that if the order is issued, lawsuits will ensue.

I assume that China would reciprocate and ban, say, Cisco, which would not make John Chambers happy.

But that’s not the big issue.

It is also possible that the executive order could require telecommunications providers to remove existing banned gear at their own cost.  It is not clear if that is legal.

While big telecom carriers have, for the most part, stopped buying ZTE and Huawei gear, it is the little carriers that will be hurt the most.

The little carriers have used the Chinese gear because U.S. equipment sometimes costs them 400% of the cost of the Chinese gear.

That likely will translate to price increases for the customers of those carriers.  In many cases, like with me, those carriers are the only choice that is available so switching to a different, less expensive carrier is not an option.

Part of the executive order under consideration is a requirement to replace existing Chinese telecom gear.  The Rural Wireless Association, a trade group for these carriers estimated that it would cost those carriers up to $1 billion to replace the banned equipment, if that is required and would take several years.  Two ways that cost could be paid are price increases or delays in rolling out new higher speed networks.

Currently, the fastest Internet connection I can get is 20 megabits per second, which is not even classified as broadband by the FCC (broadband is defined as 25 megabits or higher), so I am not really worried about the gigabit gear that this ban is targeting.

I am not a big fan of Chinese networking gear so I can’t really argue with the idea of a ban.  I am not in favor of forcing private U.S. companies to replace existing equipment at their cost and I am sure that, if that happens, those companies will sue the government, which will be messy.

One thing that will likely happen out of this ban (if it happens) is a slower rollout of faster 5G networks – possibly years or decades longer.

The U.S. currently ranks 44th in mobile download speed (see here), which is not very impressive.

This would continue the U.S.’s not very exciting role as a third world country when it comes to Internet access.  Due to higher costs, only some people in very high density areas will get newer, faster service and the rest of us will get Internet service comparable to, say, Syria.  That is not a very exciting prospect.

Information for this post came from Reuters.


Malware Disguises Itself as Amazon Order Confirmation Email

Merry Christmas!

The hackers, of course, do not take Christmas off and are working hard to ruin yours.

Today’s story is about a very active spam campaign that is disguised as Amazon order confirmations.  The first stage of the campaign looks something like this with different subject lines:

Notice that you have to click on ORDER DETAILS to see what the order is.  Many people, knowing they didn’t order anything, get concerned that their account has been hacked and will click on it.  From Amazon’s side, they are always changing things, so people might think “there the fools in Seattle go changing things again” and not give it much more thought.

If you hover over almost all of the links, it will show the legit Amazon links.  Except for the order details link.

It downloads a Microsoft Office Word document.

Think about that for a minute.   Time’s up!  Does that reasonably seem like something Amazon has ever done in their entire existence?  NO!  That is the first clue.

Then it tells the reader to enable macros (what Microsoft now calls “enable content”).  That should be a really big red flag.  But not to some.  They don’t read the software license agreements and other legal documents that they are bound by, so why read this?

That fires off stage three.  A PowerShell script downloads the Emotet malware.  The hackers give it different names, but so far it is always Emotet.

Emotet grew to fame as a banking trojan – stealing passwords to empty your bank account out.

Now it is logging all of your keystrokes, silently sending your userids, passwords, contacts, emails, texts, etc. to previously compromised servers in Indonesia and the U.S.

So what are my tips regarding this?

Hover over the link to validate what site it is going to.

Better still, open a new browser window and go to HTTPS://www.amazon.com yourself.  If you don’t see the order, it isn’t Amazon.

If someone asks you to enable macros, just don’t do it.  There are rare occasions, possibly at work, but make sure to validate it independently – like call the help desk.
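The hover-over-the-link check above can be automated for a mail gateway or a mailbox rule.  The script below is an added example written for this post, not code from the article or from Bleeping Computer.  It parses a constructed order-confirmation body (the hostname in the ORDER DETAILS link is a placeholder, not an indicator from the campaign), extracts every anchor, and flags any link whose host is not amazon.com or a subdomain of it, any link that fetches an Office document or executable, and any link whose visible text names a different host than the one it actually points to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body modelled on the campaign described above:
# every link points at amazon.com except the ORDER DETAILS button, which
# fetches a Word document from an unrelated host. The ".invalid" hostname is
# a placeholder for this example, not a real indicator from the article.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your order has shipped.</p>
<a href="https://www.amazon.com/gp/css/order-history">Your Orders</a>
<a href="https://www.amazon.com/gp/help/customer">Help</a>
<a href="http://example-invoice-host.invalid/order/Order_Details.doc">ORDER DETAILS</a>
<a href="https://www.amazon.com/">www.amazon.com</a>
</body></html>
"""

# Hosts the claimed sender legitimately uses; anything else is suspicious.
TRUSTED_HOSTS = ("amazon.com",)
# File types a retailer would never hand out from a receipt link.
RISKY_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".zip", ".js", ".exe")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def analyze_links(html, trusted=TRUSTED_HOSTS):
    """Return a list of suspicious links, each with the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if not host_is_trusted(host, trusted):
            reasons.append("host not trusted")
        if url.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("links to document/executable")
        # Visible text that looks like a hostname but differs from the real target.
        m = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and m.group(1) != host.lower():
            reasons.append("link text names a different host")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print(f"{f['text']!r} -> {f['href']}: {', '.join(f['reasons'])}")
```

Only the ORDER DETAILS link is reported, for both an untrusted host and a document download; the three genuine Amazon links pass, which is exactly the mixed picture the article says a hover check reveals.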

This virus is particularly nasty and you really want to avoid it if you can.

Now that this has been exposed, look for variations on this theme – like a Netflix email instead of an Amazon email.

Information for this post came from Bleeping Computer.


When Employees Leave

Here is a scary thought:

According to research, 59% of employees who leave will steal proprietary data, 20% will sell passwords to an outsider and 44% will do so for $1,000.

If you don’t already have an employee termination checklist, consider this the perfect start for that list:

  1. Cancel the employee’s accounts.  Now that companies are using a lot of cloud services, it is no longer sufficient to just cancel their Windows domain account or Google account.  Think Dropbox and Slack and a hundred other services.
  2. Disable the employee’s access badge.  This seems like a duh, but people sometimes forget.
  3. Remove people from any lists that a third party has.  If the person was authorized to call a vendor and make something happen, make sure that they are removed from ALL of those lists.
  4. Check system and building logs for the three months prior to the employee leaving for unusual activity.  That includes the logs for cloud services.
  5. Conduct an exit interview.  While you can’t force someone to do that, most people will and you might get some useful information.
  6. If the person is being terminated, document this contemporaneously in the employee’s personnel file.  These people are the most likely to sue and the most likely to steal data.  If the person had an idea that this was coming, see #4 above.
  7. If the person is being laid off, they are less likely to sue than if they are being fired, but equally likely to steal data.  See number 6 above, then number 4.
  8. Remind people that they still have to comply with any confidentiality agreements that they signed (they did sign one, right?).  Just because they are leaving for any reason does not remove the responsibility to keep confidential stuff confidential.
  9. Make sure that you pay the person what they are owed.  Every state has different rules, but sometimes if you fire someone you have to get them their check at that moment.  Not the next day or the next pay period.  That alone can give someone the right to sue you.   Make sure you give people back their possessions and collect all company property.   Even if you don’t get company property back, in most states you cannot withhold their paycheck.
  10. Make sure that the company and all employees don’t disclose confidential information about the departing employee.  Doing so can leave the company open to lawsuits.
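Item 4 (review the three months of system and cloud logs before the departure) is the one step on this list that can be scripted.  The following is an added example for this post, not code from the article or from the New Orleans City Business blog.  It runs over a constructed, whitespace-separated audit log (timestamp, user, service, action, object, bytes; the layout is an assumption, since each cloud service exports its own format) and, for one departing user within a 90-day lookback, flags after-hours activity, days with bulk downloads, and share events that could be moving data outside the company.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Field layout (ts user service action object bytes)
# is an assumption for this example; real exports from Dropbox, Slack, Google
# Workspace etc. differ and would need their own parser.
SAMPLE_LOG = """\
2018-10-02T09:14:00 joe dropbox download report-q3.xlsx 204800
2018-10-02T09:20:00 joe slack login - 0
2018-11-18T23:41:00 joe dropbox download customers.csv 52428800
2018-11-18T23:43:00 joe dropbox download pricing.xlsx 1048576
2018-11-18T23:44:00 joe dropbox download contracts.zip 83886080
2018-11-19T00:05:00 joe dropbox download pipeline.pptx 2097152
2018-12-03T10:00:00 ann dropbox download report-q3.xlsx 204800
2018-12-10T08:30:00 joe gdrive share customers.csv 0
2018-06-01T10:00:00 joe dropbox download old.txt 1024
"""

BUSINESS_HOURS = (7, 19)          # 07:00 to 19:00 local time counts as normal
BULK_FILES_PER_DAY = 3            # more downloads than this in one day is flagged
BULK_BYTES_PER_DAY = 50 * 2**20   # or at least 50 MiB downloaded in one day
LOOKBACK = timedelta(days=90)     # the "three months prior" from the checklist


def parse_log(text):
    """Parse the sample log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, service, action, obj, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "service": service, "action": action,
                       "object": obj, "bytes": int(nbytes)})
    return events


def review_departing_user(events, user, termination_date, lookback=LOOKBACK):
    """Return findings for `user` in the lookback window before `termination_date`.

    Each finding is a tuple whose first element is the finding kind:
    ("after_hours", ts, service, action, object)
    ("share", ts, service, object)
    ("bulk_download", day, file_count, total_bytes)
    """
    start = termination_date - lookback
    window = [e for e in events
              if e["user"] == user and start <= e["ts"] <= termination_date]
    findings = []
    per_day_files = defaultdict(int)
    per_day_bytes = defaultdict(int)
    for e in window:
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["ts"].isoformat(),
                             e["service"], e["action"], e["object"]))
        if e["action"] == "download":
            day = e["ts"].date()
            per_day_files[day] += 1
            per_day_bytes[day] += e["bytes"]
        elif e["action"] == "share":
            # Sharing a file right before leaving is worth a human look.
            findings.append(("share", e["ts"].isoformat(), e["service"], e["object"]))
    for day in sorted(per_day_files):
        if (per_day_files[day] > BULK_FILES_PER_DAY
                or per_day_bytes[day] >= BULK_BYTES_PER_DAY):
            findings.append(("bulk_download", day.isoformat(),
                             per_day_files[day], per_day_bytes[day]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in review_departing_user(evs, "joe", datetime(2018, 12, 14)):
        print(f)
```

For the constructed log and a termination date of 2018-12-14, "joe" produces four after-hours entries (the late-night Dropbox downloads), one bulk-download day (2018-11-18, where the byte threshold trips even though the file count does not), and one share event; the June download falls outside the 90-day window and "ann" produces nothing.  Thresholds are the place to tune this against what is normal for your own organization.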

Finally, if you have any questions, consult a knowledgeable attorney.

As you read this list, think about what you can and can’t do today and then fix it.  For example if you fired Joe tomorrow, do you know ALL (yes, ALL) of the accounts that he has access to.  That is just an example.

While this list is not complete, it is a good start.  Create your list now if you don’t have one or update your list if you do.  Then see if it needs to be updated periodically.

Information for this post came from the New Orleans City Business blog.


Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out of band patch for an Internet Explorer zero day bug that affects IE 9, 10 and 11 on Windows 7, 8 and 10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.


Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared it to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.


Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise) – all ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).


Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer, he was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained.

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.


Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users’ permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.
