From Unsecure to Less Unsecure

Text messages, as many people know, are not very secure.  If you are asking where we are meeting for lunch, you probably don’t care.  But many banks use text messages (technically known as SMS or Short Message Service) as a second factor to enhance login security.  While it does help some, it would be a lot better if SMS messages were secure.

Add to that the limited character length allowed in SMS (only a bit longer than the original Twitter at 162 characters, though phone makers’ text messaging applications sometimes mask that), the fact that photos sent by SMS have to be compressed down until they are barely identifiable, and the fact that SMS can be hijacked, and it is clear that we have been needing a replacement.

Enter RCS or Rich Communications Services.  RCS eliminates a lot of these shortcomings.  Supposedly the big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for 10 years.

But the way the carriers are implementing it is not very secure as researchers are starting to point out.

While you can pick a different text messaging app like iMessage, Whatsapp or Signal, for example, for talking to your friends and have enhanced privacy with them, you don’t have any control over which text messaging service your bank uses, leaving you more vulnerable than alternative solutions such as Google Authenticator or Authy, generically known as Time based One Time Passwords or TOTP.

So what are the carriers doing wrong?

SRLabs researchers are going to talk about the holes that they have found at Black Hat Europe in December.  Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.

The problems SRLabs found are in the way the RCS standard is being implemented, rather than in the standard itself.  This is actually good news because it means that a software patch can improve security and it doesn’t require changes to the standard.  Even with these fixes, RCS is **NOT** encrypted end to end like iMessage or Whatsapp.

One issue is how RCS configuration files, which contain the userid and password for your text messages, are secured.  In this case, there is no security at all, meaning any app on the phone can request the configuration and gain access to your text messages.

Another issue: the carrier sends a six digit code to verify that you are who you say you are, but allows unlimited guesses.  Trying all the possible numbers takes about five minutes.
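As an added illustration (not code from the post, the carriers or SRLabs), here is a toy verification service in Python that contrasts the unlimited-guess pattern described above with one that bounds attempts, expires the code and consumes it on success; the 5-attempt limit and 5-minute lifetime are assumed policy values, not anything the RCS standard specifies.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5        # assumed policy: lock the code after 5 wrong guesses
CODE_TTL_SECONDS = 300  # assumed policy: a code is only valid for 5 minutes

def issue_code():
    """Return a fresh six-digit code drawn from a CSPRNG, zero-padded."""
    return f"{secrets.randbelow(1_000_000):06d}"

class UnlimitedVerifier:
    """The weak pattern described above: every guess is compared, no limit, no expiry."""
    def __init__(self, code):
        self.code = code
        self.locked = False  # never set; kept so both classes share an interface

    def verify(self, guess):
        # Constant-time compare, but nothing stops a caller from trying every value.
        return hmac.compare_digest(self.code, guess)

class LimitedVerifier:
    """Hardened pattern: bounded attempts, a lifetime, and single use."""
    def __init__(self, code, issued_at=0.0):
        self.code = code
        self.issued_at = issued_at  # caller-supplied clock, in seconds
        self.attempts = 0
        self.locked = False

    def verify(self, guess, now=0.0):
        # Refuse without even comparing once locked or expired.
        if self.locked or now - self.issued_at > CODE_TTL_SECONDS:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(self.code, guess)
        # A correct code is consumed; too many wrong ones lock the code out.
        if ok or self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return ok

def guesses_until_accepted(verifier, space=1_000_000):
    """Measure the guess budget a verifier hands out: walk the code space in order
    and return how many guesses it took to be accepted, or None if the verifier
    shut the door first.  Used here only to compare the two policies on a toy."""
    for n in range(space):
        if verifier.locked:
            return None
        if verifier.verify(f"{n:06d}"):
            return n + 1
    return None
```

With the unlimited verifier the walk always terminates on the real code; with the limited one it is cut off after MAX_ATTEMPTS wrong guesses, which is the property the carriers’ implementation lacks.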

The carriers, of course, are completely defensive, but I suspect after Black Hat makes their sloppiness public, many of the carriers will clean up their acts.

Which is good for users.

Bottom line though, if you want more private text messages, use something like iMessage or Signal – RCS is not going to solve that problem.  Even if the carriers fix their implementation bugs in RCS, it will just be less unsecure.  Source:  Vice





In Case You Thought Russia Was Done Meddling With Elections …

Politics is a pretty interesting game.

In the United States, almost everyone, except the President, thinks that Russia interfered with the 2016 US Presidential elections.

In the UK, there is a report – that the current Prime Minister Boris Johnson has refused to release – on Russian interference in British politics, with some accusing Johnson of a coverup.

Likely in both cases, there are additional agendas.

There is a British election this week after Johnson was unable to get Parliament to agree to his plan for leaving the EU (sound familiar?  The last British PM lost her job for the same reason).  And since politics is a full contact sport everywhere, Johnson’s competitor for the job, Jeremy Corbyn, released some documents that say that Johnson would offer to sell Britain’s National Health Service (NHS) to United States corporations in a trade deal with President Trump.  In Britain, the NHS is considered a national treasure and offering to privatize it to a foreign company is not considered a route to getting yourself elected.  Corbyn “declined” to say where he got the documents and the British government says that they think the documents are real.

One of the places these documents were posted was the social media site Reddit.

Reddit said this past week that the document leak was part of a Russian influence operation known as Secondary Infektion.  It is likely that Secondary Infektion is part of the Russian hacking group Sandworm (if you are interested in this kind of intrigue, I highly recommend the book Sandworm), which is part of Russia’s military Intelligence known as GRU.  As a result of their investigation, Reddit has banned 61 accounts.  Of course, there is nothing to stop the Russians from creating new accounts.

The combination of Johnson’s refusal to release the report on past Russian hacking of British elections and the posting of these new documents (and Corbyn’s use of them) indicates that Russian interference in worldwide politics has not stopped or slowed down.

It also means that, short of a miracle, Russia will likely interfere with the US elections next year.  Using cyber theft (DNC emails, Clinton Emails, Boris Johnson documents) is far easier than hacking into a whole bunch of election machines and changing votes, so that is likely the route the Russians will take next year.

Whether Russia’s release of the Boris Johnson documents will affect this week’s British election is unknown, and even if Johnson loses, he can blame many factors other than Russia for his loss.

Still, it shows that politics remains a full contact sport – a reality that is not likely to change anytime soon.

Information for this post came from the Guardian.


Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam: do not pay the extortion, and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea.  The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), that it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customers’ servers), and that they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it.  Source: Reuters

Feds Offer $5 Mil For Evil Corp. Leader

Not sure if this is inspired by the Mr. Robot series (Evil Corp) or not, but this guy is in big trouble now.

He is being charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud and intentional damage to a computer.

The feds say that he stole tens of millions using the banking trojans Dridex and Zeus.  He drives a custom Lamborghini, they say.

In addition to putting out the arrest warrant, Treasury is sanctioning his company.

While I don’t think that President Trump’s bestie, Vladimir Putin, is going to turn the guy over to us, as a high roller, the treasury sanctions mean that he cannot access the U.S. financial system – banks, credit cards, wire transfers, etc. will all be frozen if he tries.  He also cannot travel to all of those beautiful, warm, scenic vacation spots he is used to.  I hear Kiev is nice this time of year, however.  If he goes through customs in any country we have an extradition treaty with, he will be immediately arrested.  That recently happened when a Russian hacker visited Israel.  He is now in federal custody awaiting trial in the United States after spending 4 years in a nice Israeli prison.

$5 million is the largest reward the feds have ever offered for something like this.

Of course, in the decade that he has been active, he stole tens of millions of dollars from his victims by using those trojans to empty their bank accounts.  By 2015 Dridex was among the active banking trojans in the wild.

The trojan would transfer money to the account of a “money mule” and the mules would then forward the money on to the bad guys, keeping a slice for themselves.

The trojan targeted banks, companies, cities; even non-profits, as well as individuals.

Separately, the FBI issued an alert about this trojan.  It is pretty active, stealing people’s money.  Still.  It can interfere with your web browsing (redirecting you to attacker controlled web sites), among other nasty actions.  This version can even lead to a ransomware attack, encrypting files on your computer.  Sometimes the attack is combined with PowerShell Empire, which allows it to do reconnaissance and move laterally to other machines on your network.  This combination would allow it to encrypt all computers on your network.

If you do not have access to the FBI alert, contact me;  I cannot post it publicly but I can provide a copy to appropriate people.

While the FBI is not saying, given the size of the reward offered and also the alert, there must be a lot of (stolen) money involved.

Information for this post came from Threat Post and the FBI.

Senate Republican Proposes Federal Privacy Bill

In an interesting turn of events, Republican US Senator Roger Wicker’s staff has written a draft federal privacy bill.  Its main goal is to overturn California’s privacy law that goes into effect in January.

Of course, there are only 28 days between now and January 1, so I would be really surprised if the bill made it through the House and Senate and gets signed by the President.  Still it is interesting.

Wicker, who heads the Senate Commerce Committee, says it offers more detailed consumer protections, covers more companies, and has more explicit requirements that companies collect the minimum amount of personal data needed for their purpose.

*IF* that is true, I can’t imagine that Facebook, Google and the like will sign on to support it, but who knows.

I have not seen a copy of the draft, although the Senator has given Reuters a copy.

One challenge is this: The Democrats won’t support a bill that preempts state law and the Republicans won’t support one that doesn’t preempt state law.  I am not sure how you resolve that.

Reuters says the draft covers any company doing business across state lines (a one person company?  Non-profits?), expands the definition of sensitive information to include biometrics, requires companies to have clear and conspicuous privacy policies (that no one reads) and would allow consumers to request to have inaccurate information corrected.

What I don’t see, from the Reuters article, is that consumers have any rights in their data.  No right to get a copy of their data, no right to stop companies from selling their data, no right to have their data deleted, etc.  BUT, I have not seen the actual draft bill.

If those rights are not there, I can’t see how Wicker can say with a straight face that the bill is better than California’s current law, unless he means better for Google, Facebook and others.

There also does not appear to be any right for consumers to sue.

If consumers don’t have any rights under this law and if it preempts state law, then I think that the Facebooks and Googles of the world will support it, even if it isn’t perfect.

Wicker’s committee is holding a hearing Wednesday which will include lawyers from Microsoft and Walmart.

Wicker said “If there is something weak here, if there are other protections that need to be added, let’s add them, but let’s make it a nationwide standard.”

If he is serious, that is great, but I think that companies that earn all of their money by selling your data are not very interested in giving consumers rights to their data or the right to sue.

I said months ago that I doubted that a federal law would be passed and signed anytime soon.  The two sides are still far apart.  However, I could be wrong.

Stay tuned!  Source: Reuters



British Nuke Plant Attack Kept Quiet

The nuclear power industry has always been nervous about people’s fear of some form of nuclear meltdown.  Whether it was Three Mile Island or Chernobyl, the spectre of something bad happening at a nuclear plant has been the story of made-for-TV movies.

The UK Telegraph newspaper has obtained information, using a freedom of information request, that indicates that the UK National Cyber Security Centre, part of GCHQ (sort of equivalent to the US NSA), has been helping a British nuclear plant recover from a cyber attack.

This news comes after reports last year from the FBI and DHS that the Russians (and not the Chinese) have been attacking our critical infrastructure, at least since 2016.

Because they are worried that people will freak out, they are keeping the details of who was hacked and what was hacked secret.  I am sure that will make people feel better.  Unless the attack was really bad.  In which case not knowing and speculating might be better than knowing.

The document, from a Nuclear Decommissioning Agency Board Meeting was dated March 13, 2019.  The Telegraph says that it is likely the first KNOWN successful cyber attack on a British nuclear plant.  I am not sure how comforting that is.  They are not suggesting that it is the first successful attack but rather the first successful attack that we have heard about.

Since no one is providing details, we don’t know whether this is a Chernobyl-style issue or a random computer virus on an office computer.  On the other hand, if they had to ask GCHQ for help, I am guessing that it is not an office virus.

One security expert pointed out that if you assume whichever nuke plant or plants were hacked are no less secure than the ones that haven’t been hacked YET, it isn’t smart to tell other hackers how this plant (or these plants) was hacked.

This follows on to the revelation in October that an Indian nuclear plant was hacked – after they first said that reports of a hack were a lie.  I guess the lie was by the Indian government.

This also follows the WSJ article that said that more than a dozen US utilities were targeted (I assume successfully) by hackers recently.

In fairness we should not forget that the US hacked Iran’s nuclear program years ago.  We would say that we are the good guys, so that is okay.  Not everyone might agree with that interpretation, including Russia, so they might say that the US legitimized hacking the nuclear industry.  Source: The Telegraph.