Corona Virus Will Reveal Something Unexpected

As the Corona Virus Covid-19 continues to do it’s thing, it  has already revealed a lot of uncomfortable truths – no doubt part of the reason the market has reacted the way it has.

So what are some of the things are we are seeing:

  • Large entertainment events such as SXSW and Cochella are being cancelled.
  • There is talk about sporting events being turned into online-only events
  • The next Democratic Party debate will be done without an audience
  • Schools are closing their classrooms and turning to online only
  • Entire countries are being quarantined
  • US mayors and governors are declaring states of emergency
  • Companies such as Google are telling workers to work from home
  • and many more

What is the impact of this?

Lets ignore the impact of a lot more cyber breaches because no one is prepared for dealing with all of this teleworking and people using the Internet from home — doing so in a way that is not even remotely secure.

No, what I am pointing to is the really, really sad state of the Internet in the United States.

Several FCC Commissioners testified to this fact before the Senate today.

WAIT!  Aren’t they the folks that are supposed to make the Internet Great Again?

[FCC Commissioner] Starks recommended that the FCC expedite approval of experimental licenses to expand existing wireless networks, pressure carriers to deliver cell towers on wheels (cows) to the hardest hit US communities, and launch a “connectivity and economic stimulus” plan to help speed up broadband deployment to the hardest hit US communities.

What is the problem?

In Congressional testimony earlier this year, former FCC lawyer Gigi Sohn estimated that some 141 million people in the US lack access to fixed broadband at speeds of 25 Mbps, the FCC’s base definition of broadband. A recent study indicated that roughly 42 million Americans have no access to either fixed or wireless broadband whatsoever, nearly double FCC estimates.

A lack of competition means US consumers pay some of the highest rates for broadband in the developed world. It also means that US internet service providers (ISPs) have very little incentive to shore up terrible customer service, expand broadband into rural markets, or avoid bad behavior like spurious surcharges or arbitrary broadband usage caps.

I live 30 minutes from downtown Denver.  Not exactly the middle of nowhere.





The only available Internet is less than broadband speed.  And it is expensive.

In case you think I am alone, read the green paragraph above.

141 million people in the U.S. lack fixed broadband Internet.  That is close to half the population.  42 million have no access to Internet at all.

So what do all of those quarantined people do?

Globally 300 million kids are out of school.

What does someone do when their school goes to Internet only and all they have is crappy or no Internet.

MAYBE THEY BECOME CRIMINALS.  Not an excuse, but a reasonable explanation.  Can’t work – no Internet.  Can’t go to school.  Can’t feed their family.  They will do what they need to do to survive.

Maybe you are thinking this is only a problem in rural Idaho.  Nope.

29% of the households in New York City don’t have broadband Internet.  46% of the families in New York City below the poverty don’t have Internet at all – feed your family or give them Internet.  The choice is obvious.

As US cities begin to follow suit [closing schools] over the next few weeks, American students are going to get a crash course in the availability and affordability problems that have long plagued US broadband, FCC Commissioner Jessica Rosenworcel told hearing attendees.

Likely the only other refuge of those kids that don’t have Internet at home is the library and some of those are closing due to Covid-19 too.

I have about zero confidence the government will do anything, but you can always hope.

The FCC released a report last fall that said that everyone has broadband Internet.  The have-nots are down from 26% to 21%.

How do you reconcile these numbers?

It’s easy.

The current FCC commissioner used to be a lawyer for Verizon.  Need I say more?  Of course, he is not alone.

The FCC has an interesting definition of broadband access.  First, they allow the carriers to self-report.  What could possibly go wrong.  Maybe we should let Congresspeople and Senators “report” the census in their districts.  I am sure it would be accurate and we would save a lot of money.

Second, If ONE PERSON in a zip code has broadband Internet, the report that the FCC puts out says that everyone in that zip code has it.  That is a bit of a mind blower.

There are many people in my zip code that covers many square miles that have broadband, therefore, in FCC speak, they allow the Internet providers to claim that everyone has it.

I am not counting on it getting better, but this may force the issue.

Always optimistic. 🙂

Source: Motherboard Vice

Facebooktwitterredditlinkedinmailby feather

Crypto Backdoors are Good – Except When The Other Side Has Them

Attorney General Barr and FBI Director Wray have been lobbying strongly for companies such as Facebook and Google to add backdoors to their cryptography so that they can eavesdrop on conversations when they need to.

But there are problems with backdoors to encryption.

Mostly, you cannot control who uses them.

Case in point Huawei.  The U.S. says that Huawei has a backdoor into their telephone gear.  One which, I might add, the U.S. requires them, by law, to put there – so this is not the first crypto backdoor rodeo.

But now the U.S. says that Huawei is using that backdoor that we made them install.  Probably on behalf of the Chinese government.

It is not clear to me why the U.S. thinks that if we make Google or Facebook or some other company install a crypto backdoor that we will be the only ones that use it.  That puts companies in a bind when some non-friendly government makes them decrypt conversations that might get people killed.

All this is just a lead in to today’s post.

There is a Swiss company, Crypto AG, that built encryption hardware for governments.  Apparently the crypto was pretty strong. And the company, being neutral, sold it to countries that the U.S. was friendly to.  And not friendly to.

So how could we break the crypto?

Secretly, the CIA, in partnership with West German Intelligence, bought the company.  This enabled them to do, well, whatever they might want to do.  Such as sabotaging the software so that Germany and the U.S., as well as some other governments could read other governments supposedly secure communications.  Ones that were protected by systems that they paid Crypto AG a lot of money to secure.

Talk about supply chain risk.  Holy cow.

Crypto AG sold their systems to as many as 120 countries, so, for the CIA, it was a target rich environment.  They knew what agencies in which governments were using their systems and had installed backdoors to allow them to decrypt those supposedly secure messages.

In this case, it was the good guys who had the master key, but they were read the messages of our allies in addition to our adversaries.

If they didn’t sell their systems to the good guys, the bad guys would get suspicious.

But this is kind of how the spy business works.  Sometimes collateral damage is OK.

But this is also the problem with crypto backdoors.  Once you have them, it is hard to control how they are  used.  Source: Washington Post

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending March 6, 2020

Let’s Encrypt Became Let’s Revoke and Then Let’s Confuse

Let’s encrypt sent out an alert early this week that they were going to revoke 3 million HTTPS certificates on March 4th.  That was going to happen because of a software bug on their part which meant that they possibly issued certificates when they should not have.  They executed a very aggressive notification process to web site owners and just before the deadline, 1.7 million of those certificates were updated.  Another million of these certificates were “duplicates” which they did not explain, but which I think means that they issued two certificates to the same site in the error window, which is likely because their certificates only last 90 days.  That only leaves a few hundred thousand potentially bad certificates and worst case, those will only be valid for another 90 days and most likely much less.  As a result Let’s Revoke became Let’s Change Our Minds and they decided not to revoke those remaining certificates.  Confused?  Me too.  By threatening to revoke certificates they got web site owners to update their certificates without having to actually revoke them.

The root issue was that in some cases web site owners had created a DNS CAA record which specifies WHO is allowed to issue certificates for that web site (EVERYONE SHOULD DO THIS) and Let’s Encrypt was not authorized to issue certificates for those sites.  There was no issue with the security of the certificates issued.  Source: Ars Technica

Feds Warn Foreign Actors With “Sharp Consequences” if They Interfere With 2020 Elections

The heads of the State Department, Justice Department, DoD, Office of the Director of National Intelligence, Homeland Security, FBI, NSA and CISA issued a joint statement this week threatening sharp consequences if foreign actors attempt to influence public sentiment or shape voter perceptions ahead of Super Tuesday.

First of all, that is an empty threat, since they issued it one day before Super Tuesday.

Second, these same people came before Congress last week and said that foreign actors were already doing it, so bring on the sharp consequences already – they are doing exactly that.

It is fair to say that the level of Federal effort to try and reduce foreign influence is significantly better than it was in 2016, but we also need to remember that the U.S. has been doing the exact same thing around the world for decades;  the tools are just better now. Source: DoD

Researchers Find 70 Chrome Browser Extensions Stealing Your Data – Google Says That is Not Right

Security researcher Jamila Kaya working with folks from Cisco’s Duo Security identified 71 Chrome browser extensions that were downloaded more than 1.7 million times. Those extensions uploaded user’s private data without permission.  This was used as part of a malvertising (malware laced advertising) campaign.  The extensions connected the user’s browsers to a command and control server to infect user’s computers.

The not quite right part is that Google, after being informed, found another 430 extensions doing the same thing.

The good news is that Google not only removed the extensions from the Chrome store but also, with the click of a few keys, deauthorized those extensions in all of the affected browsers, effectively instantly shutting down the data stream.  For now.


China Says U.S. Has Been Hacking Them Since 2008

Qihoo 360, a prominent cybersecurity firm says that the CIA has been hacking Chinese businesses and government agencies going back to 2008.  Targeted industries include aviation, research, petroleum and Internet companies.  They claim that the CIA is able to track real time global flight status, passenger information, trade freight and other related information.

They are basing this on behavioral fingerprints which match software from the Vault 7 leak that Joshua Schulte is on trial for right now and which the Intelligence Community says caused us a lot of damage because it exposed our tools, techniques and practices.

We should not forget that gathering intelligence is the CIA’s job, so this is not surprising, but the information comes at a time when the U.S. is pressing China not to hack us.  Source: The Hacker News

Have I Been Pwned is NO LONGER FOR SALE

Troy Hunt has been trying to sell his Have I Been Pwned web site for about a year now, but had some strong requirements for any buyers.  He thought he had a buyer lined up, but after 11 months, that deal fell through.  Rather than start over, Troy worked out a way that he could still operate the site but have it be less intrusive on his time.  In celebration, he added 1.7 billion records to the database (there are a LOT of breached records, folks).  Troy is a good guy, the site is a very useful tool and I am glad he figured out a way to keep the site alive.  Source: Threatpost

Facebooktwitterredditlinkedinmailby feather

The Law is Playing Catch Up When It Comes to Revenge Porn

In spring 2018 Chenoa Cooper started writing addresses down on slips of paper and her friends knew that if she was running late, she couldn’t warn them.

That is because she would leave her phone at home, it had become an abuse machine.

Graphic sexual photos and videos of her had been posted online.  Posted along with her name, email address and Facebook page.

Chenoa believes her ex-boyfriend was behind it.  She says he was furious that they had broken up and was the only other person who had the photos and videos that were posted.

It was the modern version writing a girl’s name and number on the bathroom stall wall, except that instead of just a few people seeing it, half the planet was able to see it.

Another problem is that once photos and videos like that are online, it is very difficult to remove them.

She said that she blocked so many things – hundreds or thousands of people – that she has lost track of it.

Whenever a new post went up, she relived the original virtual assault.

She would search for a computer to notify the hosting company of the image.

She would interact with strangers who sent her salacious emails to find out where they found her pictures and videos.

It was a never ending battle.

More importantly, the law was of very limited help.

The law doesn’t deal very well with new and the field of non-consensual porn or cyber-rape is VERY new.

She sued under a new New York City law that makes unlawful disclosure of an intimate image punishable by one year in jail and a $1,000 fine.  Of course, you have to be in NYC and you have to have a suspect.  And a willing DA.

Some states have no laws on the books and even in those states with strong laws, you have to be able to convince the DA that they are likely to win.  That might be harder to do than you think.

But it is even harder than that.

Every time a new image is posted, the victim has to start over.  Try to figure out who posted the revenge porn and again try to get law enforcement to prosecute.

The process to get the porn removed is hard and can take weeks.  The victim has to figure out each site’s process and convince the site that the posting is unauthorized.

Currently, there is no way to force a web site to take images or videos down, although many will – if you follow a complex process and are very persistent.

To give you an idea of how hard it is to get images or videos taken down, attorneys have resorted to copyright infringement.  *IF* the picture is a selfie then the victim can claim copyright infringement.  Using laws like the Digital Millennium Copyright Act and similar laws, lawyers can force sites to remove the images or videos. In that limited case, the takedown can happen very quickly – if the site is in the U.S.

If it is not a selfie, then the copyright belongs to the photographer.  For example, if in Chenoa’s case, if her ex-boyfriend took the picture, then she doesn’t own the copyright.

Also, the fact that the victim is demanding the takedown is likely a public record.  If the victim doesn’t want her (or his) name in the public record, then the copyright can be assigned to someone else, like a lawyer and then the lawyer can sue on his or her own behalf.

What counts as revenge porn varies from state to state.  In some states, you have to prove an intent to harm, for example.

Some say there are some first amendment free speech issues and even though I would argue that your rights end when you start harming me, the courts have been reluctant to mess with the first amendment.

Bills have been introduced at the federal level, but none have gone very far.

Unfortunately, I don’t think the law is going to help much anytime soon, which pretty much leaves the victims on their own to clean up the mess.  Which could go on for years.

One problem is identifying the poster.  Another is convincing the web site to take the content down – especially if the web site is not in the U.S.  A final problem is convincing overworked and understaffed prosecutors to take a case that they likely don’t understand, are unfamiliar with the law, may be hard to win and take a long time to prosecute.  Especially when they have murder cases to deal with.  Hopefully these problems get resolved and soon.  I hope.

For more information on this very important subject, read this article in Law360.  Normally articles on this site are behind a paywall, but in this case, it seems to be free.

Facebooktwitterredditlinkedinmailby feather

Hackers Breach Asus Routers and Include “Bonuses” When You Buy Access

The FBI has been tipped to a hack of around 130,000 Asus routers, details of which are available on the dark web – for sale.

To incentivize the sale, the crook has scored each router as to how useful it might be to launch attacks.

Access to these devices is being sold for as little as a few bucks per device, so that hackers illegal activities will trace back to your house and you get to explain to the FBI that it wasn’t you when they come visit.

But, as Ron Popeil used to say (if you are old enough to remember him – otherwise use Google), but wait, there’s more.

To incentivize crooks to buy his credentials, he is bundling the credentials with information on 500,000 Americans.

If that weren’t enough, he is also including a database full of credit card information.

This way the hacker can match YOUR router to YOUR credit card and YOUR personal information.  MUCH less likely to raise any red flags anywhere.

The data is available on a Russian web site, so there is zero chance that the feds can get the data taken down.  They could, of course, try to hack it, but that may or may not work.

The whole idea is to create a scenario that is low risk.  Routers that have not been used for much fraud, personal information and stolen credit cards.  A bit of a crook’s trifecta.

From a victim’s standpoint —

  1. If you have an Asus router, make sure the firmware is up to date
  2. Check your router to see if there are any user names added that are not supposed to be there
  3. Change the password on the router to something which is long and hard for a hacker to guess
  4. If you can, watch your router’s logs
  5. Finally, watch your credit cards for fraud
Facebooktwitterredditlinkedinmailby feather

As Another DoD Contractor is Breached; DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, is one of the Ransomware 2.0 variants that steal the data before they encrypt it.  Some of that data is available for download on the hacker’s website to prove that they stole the data.

One of the documents appears to be a partial schematic for a missile antenna.


While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases.  We assume Lockheed did that.   That requirement flows down to all subcontractors like Visser.  DoD can then decide what next steps are appropriate.  In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

As of about a month ago, DoD released version 1.0 of it’s Cybersecurity Capability Maturity Model (CMMC), a framework for improving the security of defense contractors.  DoD has not, however, started implementing it.  The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parent’s basement.  With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed and breaches like the one at Visser, whom Lockheed vetted and approved the security of, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.

Facebooktwitterredditlinkedinmailby feather