‘Proud Boys’ Threaten Florida Voters (Maybe)

Some Florida voters who are registered Democrats have received emails supposedly from the Proud Boys with a subject line that says “Vote for Trump or else!”.

As many people know, there is no security in regular email, so it could be them or it could be, to quote the President from a different attack, a 300-pound guy in his parents’ basement.

The email goes on to say:

“You are currently registered as a Democrat, and we know this because we have gained access into the entire voting infrastructure. You will vote for Trump on Election Day or we will come after you. Change your party affiliation to Republican to let us know you received our message and will comply. We will know which candidate you voted for. I would take this seriously if I were you. Good luck.”

The first problem here is that they know that these people are registered Democrats (if they are) because that information is publicly available. Your name, address and party affiliation are not protected information. This has nothing to do with any voting infrastructure being hacked.

They go on to say that you should change your party affiliation to let them know you will comply. Being a registered Republican has nothing to do with who you vote for, of course.

Finally, “we will know which candidate you voted for” is complete BS because not even the election officials know that information. Voting is anonymous, whether you vote by mail or in person, but especially if you vote in person because once you go into the voting booth, no one knows what you did.

While the email header said it came from info @ official proud boys . com, the IP address says it came from Estonia. None of this means anything since all of this can be forged.

The Proud Boys have said through some online channels that they are not responsible for this, but even if they were, would they admit it? After all, voter intimidation in a federal election is a federal crime and my guess is that an aggressive prosecutor might go for domestic terrorism style charges. Among the penalties under the Patriot Act for domestic terrorism is civil asset forfeiture, where the government can take your assets even if you are not charged with a crime. You then have to fight to get them back. It is, in my opinion, a nasty law, but it is the current law.

Some of the Proud Boys leaders claimed it is a leftist plot. That is certainly possible, but it is equally possible that it really came from them. The President, when recently asked to condemn the Proud Boys, instead said “Proud Boys, stand back and stand by”, which the group took to mean an endorsement by the President, whether that was actually what he meant or not.

Supposedly, the FBI is investigating. How “hard” is unknown and even if they are, unless the people who did this were careless, it will take time to identify the senders.

We don’t know how many people received these emails and whether they were scared enough to change their vote or not. It does appear that Google is NOW blocking this as spam. Credit: Vice

Forensics – Proving a Negative

Note: I am going to try and keep this as non-political as possible.

Just weeks before the presidential election a New York newspaper published documents that they claimed belonged to Hunter Biden and documented supposedly potentially illegal business dealings he had in China and Ukraine (article here).

I grew up in New York and even when I was a kid, the New York Post was not exactly considered a newspaper of record, if you get what I mean. That, by itself, raises alarm bells.

As the story goes, Hunter supposedly took some MacBooks, full of incriminating documents, to a Mac repair shop in Wilmington, DE, did not provide any identification and then abandoned them there. I have never claimed to be the brightest light bulb in the chandelier, but if I had a couple of computers full of sensitive stuff, would I just take them to the local computer store and say fix them? And then abandon them?

The New York Post claims that the repair shop gave them a copy of the hard drive that Hunter abandoned at the repair shop (why?) and they gave it to Rudy Giuliani who gave it to the feds. Credit: Slate

One possibility is that everything in these stories is 100% true. Another possibility is that the Post was set up by someone, say, maybe the Russian GRU spy agency.

In any case, as often happens after a breach or a leak, forensics experts are called in to try and validate what happened.

They have to figure out whether the documents are real or forged. With some of today’s technology, that can be hard to figure out.

For example, one of the most explosive emails released by the Post was curiously published in a way that hid one important verification tool, the DomainKeys Identified Mail (DKIM) signature. Also, the metadata that was displayed raises questions about whether the file was the original or a doctored copy. If it was doctored, who doctored it – the Russians? Some middleman? The Post? Unknown.

“You’re trying to prove a negative,” said Mike Weber, vice president of innovation at Coalfire. “It’s hard to prove data was never on your network.”

Is it possible to digitally sign documents? Sure, for example, many of us have used the company Docusign to digitally sign a document. However, out of the tens of thousands of documents (including emails, text messages and computer files) that you have touched, say in the last year, how many were digitally signed by Docusign or a competitor? I bet it is a tiny percentage – bordering on zero.

Even organizations like the Defense Department don’t sign everything.

The average person probably has no idea how any of that works and certainly isn’t going to spend a lot of money trying to use it. And if the documents were incriminating, might you encrypt them so that, say, a random computer repair person couldn’t read them?

It is true that companies like Best Buy work closely with the FBI, but they are looking for more obvious crimes like child porn, not memos that only make sense to someone with a lot of context.

Weber continues: Even in diligently designed systems, hackers could use access to a network to plant a document to meet the non-repudiation checks, cryptographic keys might fall out of a company’s control, and hackers could claim damaging leaked documents came from a vendor outside the encryption system.

And that, Weber says, assumes the most expensive, best implemented system of signatures and back-ups and evidence building is in place.

In this case, the Post did not make the DKIM signatures available. While they are not perfect and can be spoofed in a number of ways, especially by an organization like the GRU, they are a first line of confirmation.
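As an added illustration (not code from the original post), here is what a DKIM check can and cannot tell you. The body hash (bh=) in the DKIM-Signature header can be recomputed offline from the raw message; a copy whose body was edited after signing fails that check, and a screenshot or a forward that dropped the header leaves nothing to check at all, which is the same reason a From address or a Received IP on its own proves little. The message, the domain example.com, the selector sel2020 and the signature placeholder are constructed; the b= signature itself is not verified here, since that needs the signer’s public key from DNS.

```python
"""Offline DKIM bh= (body hash) check for a raw message; scope as in the lead-in."""
import base64
import hashlib


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalise line ends to CRLF,
    drop empty lines at the end, then terminate with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"          # an empty body canonicalizes to a single CRLF


def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with simple body canonicalization."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def get_header(head: bytes, name: str):
    """Unfold the header block and return the first value for `name`, or None."""
    unfolded = []
    for line in head.decode("ascii", "replace").split("\r\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()   # folded continuation line
        else:
            unfolded.append(line)
    for h in unfolded:
        if h.lower().startswith(name.lower() + ":"):
            return h.split(":", 1)[1].strip()
    return None


def parse_dkim_tags(value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; bh=...; b=...' into a tag dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # whitespace inside a value is ignored
    return tags


def check_body_hash(raw: bytes):
    """True/False for the bh= check; None when there is no DKIM-Signature to check
    (a screenshot, a copy-pasted body, or a forward that dropped the header)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    sig = get_header(head, "DKIM-Signature") if sep else None
    if sig is None:
        return None
    tags = parse_dkim_tags(sig)
    c = tags.get("c", "simple/simple")            # RFC 6376 default canonicalization
    body_canon = c.split("/")[1] if "/" in c else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "simple" or "l" in tags:
        raise ValueError("example handles only a=rsa-sha256, simple body canon, no l= tag")
    return tags.get("bh") == body_hash(body)


# Constructed sample message (example.com / example.net are reserved documentation domains).
BODY = b"Meeting moved to 3pm.\r\n"
HEADERS = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: Schedule\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    b"\ts=sel2020; h=from:to:subject; bh=" + body_hash(BODY).encode() + b";\r\n"
    b"\tb=PLACEHOLDER_SIGNATURE_NOT_CHECKED_HERE\r\n"    # b= needs the DNS public key
)
SIGNED = HEADERS + b"\r\n" + BODY
TAMPERED = HEADERS + b"\r\n" + BODY.replace(b"3pm", b"4pm")      # body edited after signing
SCREENSHOT = b"From: alice@example.com\r\nSubject: Schedule\r\n\r\n" + BODY   # DKIM header lost
```

check_body_hash(SIGNED) returns True, check_body_hash(TAMPERED) returns False and check_body_hash(SCREENSHOT) returns None; only the first outcome says anything about authenticity, and even then only once b= is verified against the published key.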

This is the process that forensics experts get to deal with every day, whether they are working for a company that got breached, as part of a lawsuit or, as in this case, as part of a political campaign.

I am not going to make an assessment about this other than my previous comment about the Post; that is not the point of this post. What I am trying to point out is that attribution and validation is hard under the best of conditions.

In this case, since Rudy gave the disk, supposedly, to the FBI, they have access to some of the best forensics resources in the world if they think that is appropriate. In the case of the FBI, they likely have access to the resources of the National Security Agency, probably some of the best security experts in the world.

But there is another problem. Anyone who has watched a cop show on TV knows that the defense attorney gets his client off by claiming that the chain of evidence was not maintained. Between some computer repair shop in Delaware to someone to the Post to Rudy to whoever – there is no valid chain of custody. That makes things very difficult to validate.

We also need to be careful not to take everything we read at face value. Maybe something is valid, and maybe it is not.

This does not mean that the Post is lying. I don’t know. It is certainly possible that they were set up. After all, the reporters at the Post are likely not security experts. If a reporter is presented with a potentially prize winning story or wanting to beat out the competition, he or she has to decide whether to run a story or not (along with his/her editor). Anyone remember the “Dewey Defeats Truman” newspaper headlines in 1948? Being first is not always best. But if you are first and right, that could be a career maker.

Forensics is part science and part art and it usually operates in less than optimal conditions. For more details see this article.

Security News for the Week Ending October 16, 2020

5 Eyes Ask For Crypto Backdoor – Again

Law enforcement does not like it if they cannot snoop whenever they want. It has been a problem since encryption started to be used by the masses. The CIA, for example, even went so far as to BUY the Swiss encryption company Crypto AG, insert backdoors into their hardware and sell it to both our allies and our adversaries for decades before circumstances changed and made that hardware less important. They didn’t tell our allies that we were snooping on them. Part of the game.

So it is no surprise that when consumer products contain decent crypto, these same folks are not happy and they have been fighting the battle ever since.

Now they are saying that having these companies allow them to snoop on everyone – which they will do responsibly, of course – is a matter of public safety and protecting children.

And, of course, unlike the TSA, NSA, CIA and others before them who lost control of those secrets, these secret backdoors that companies should provide will not get into the wild. Trust us! Credit: SCMagazine

Apple Releases New 5G Phones That Use Non-Existent 5G Service

Okay, this is not a cybersecurity issue, but it is a hot button for me. You can now buy an iPhone 12 Max with Apple care for $1700+ with 5G support.

I guess if you want to spend your money and help the economy, go for it, but if you think that you will be able to surf the web on your phone 10 times faster than today as they claim, you can. But you will have to wait around 10 years.

The problem is that none of the carriers have FAST 5G infrastructure. Verizon does have some fast 5G, but it covers about one percent of the US population. So, if you want to have a new iPhone and be one of the cool kids, go for it. Just don’t expect to surf the web any faster than you do today. Credit: Cybernews

Microsoft Takes Down TrickBot Network

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure. There is a concern that the bot network, which has connections to Russia and has compromised at least a million computers, may be used in an attempt by Russia to impact the U.S. Presidential elections.

That takedown lasted two days. The network is back operational again, causing mischief. This just points to the challenge of permanently stopping hackers who are living in unfriendly countries like Russia. Even with the best efforts of Microsoft and Cyber Command, it only stopped them for 2 days. Credit: ZDNet and Security Week.

And You Thought TSA was the Only Non-Secure Part of Flying? Wrong!

The aviation industry uses a system called ACAS internationally or TCAS in the U.S. It is a collision avoidance system which tells a pilot that there is another plane nearby and tells each pilot how to avoid a collision (up, down, left, right, fast, slow, etc.). Except that TCAS has no security in it and it can be spoofed by a bad guy to crash the plane. There is a new version coming out soon called ACAS X and it too can be fooled. So much for the basics of security. Credit: The Register

800,000 Sonicwall Appliances Can be Hacked by a Kid

The patch, which affects 800,000 Internet facing VPN servers, was released on Monday. The details were disclosed two days later, on Wednesday. In its simplest form, a kid can either crash the device or just make it not respond to commands. Worst case, a more skilled hacker may be able to execute arbitrary code, including bypassing login requirements. Sonicwall says that they are not AWARE OF any customers impacted YET. If I was running a Sonicwall appliance, I would treat this as an emergency and patch it as soon as possible. Credit: ZDNet

FCC Says Maybe We Should Regulate Social Media

The President signed an executive order a few months ago asking the FCC to look at whether social media companies like Twitter should lose their “section 230 immunity” if they are biased in their editing. It also asks the FCC to propose regulations regarding this. That was about six months ago.

I suspect that the FCC staff attorneys looked pretty hard to find anything in section 230 that gave them the authority to implement regulations like this. Note that the FCC does not regulate social media companies. There is nothing in the law that gives them that authority.

In fact, when Ajit Pai, the current chairman of the FCC came into office, he decided that the FCC didn’t even have authority to regulate Internet providers at all and so he decided to rescind the net neutrality regulations that were approved before he got there but had not yet gone into effect.

[Photo caption: Ajit Pai, Chairman of the FCC]

To me, it seems like a pretty big leap to go from saying that we don’t have the authority to regulate Internet providers at all to saying that, in spite of that, we need to regulate social media companies.

Not terribly surprisingly, this announcement comes one day before Twitter and Facebook are set to testify before a House committee.

Pai does say a lot of things that I think are completely valid.

He says that these companies make a whole bunch of “algorithmic decisions” that the public customers of those companies have almost no visibility into. I think that is correct.

He also says that consumers have no insight into privacy issues on how their data is used. Also true.

He says that the public deserves to know more and these companies need to provide more transparency. Hard to argue with.

On the other hand, Pai, with the stroke of a pen, removed these exact same controls that were set to go into effect on Internet providers. Can he have it both ways?

These social media companies are between a rock and a hard place. If they remove content they are said to be biased. If they leave content up, they are said to be pandering to extremists (and also to their advertising click counts).

All of this could be useful, however, if the House and Senate could, for once, do the job for which they are being paid, and pass legislation that addresses some of these issues. Removing section 230 immunity is one of those things that fall into the category of “be careful what you wish for”.

It certainly seems odd that Pai decided to make this announcement a couple of weeks before the election and on the eve of Twitter and Facebook testifying. It does not seem terribly “expeditious”, as the President asked Pai to be 5 months ago in his EO. Part of that is because an EO does not have the force of law. It is more like your boss sending you a memo to do something. Your boss might get mad or he might even fire you, but that is, for the most part, where it ends.

Also remember that Pai writing about the subject in his blog after 5 months is a whole lot different than him and the commission actually doing anything or even proposing anything or even saying they are going to start looking at anything. In fact, it is not clear what it means at all. Credit: The Verge

Guess What Vendors are NOT Doing – Leaving it to You

Orca Security scanned more than 2,200 virtual appliance images – the same ones that your company probably uses every day. The images represented over 500 vendors. They were found on the marketplaces at Amazon, Microsoft, Google and others. They included both open source and commercial (licensed) software.

Orca created a scoring system that ran from 0 to 100. Companies (or images, actually) lost points for:

* Unsupported or no longer supported operating systems

* Contained 1 or more high profile vulnerabilities (from a list of 17 that they created)

* Contained 1 or more vulnerabilities with a CVSS score of 9 or higher (critical)

* Contained 1 or more vulnerabilities with a CVSS score between 7 and 9

Grades ran from A+ (really cool) to F (not so cool). Just like school.

They got an instant F if they:

– Used an unsupported operating system

– Had 4 of the 16 high-profile vulnerabilities

– Had 20 or more flaws with a CVSS score of 9 or higher

– Had 100 or more flaws with a CVSS score between 7 and 9

– or had more than 400 unique vulnerabilities

That seems pretty freaking generous to me. I’d cut those thresholds way down. 19 flaws with a CVSS score of 9 or higher is okay? I don’t think so.

Still, that was the threshold.

So what was the result?

15% graded an F

16% graded a D

25% graded a C

12% received a B

and 24% got an A; 8% got an A+

That means that less than half got above a C and 30% got a D or F. Less than 10% got a gold star.

In total, Orca’s scanning identified 401,571 vulnerabilities across 2,218 appliances.

Almost half had not been updated by the vendor in the last year and only 2.8% had been updated in the last month.

This test includes both security and non-security product vendors, but security vendors only scored a low B, on average.

There are more details in the article, but the bottom line is that you really can’t trust vendors when it comes to security. That is not great news. Some hardened security appliances did score well, but again, how do you know when you install an image that you got from the vendor’s store?

First thought is to ask the vendor. Second thought is that you have to scan the virtual appliance before you connect it to the Internet.
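As an added example (not Orca’s code or the article’s), here are the instant-F rules above turned into a gate you can run over your own scanner output before an image goes anywhere near the Internet. The CVE identifiers, the stand-in high-profile list and the stricter policy are constructed, since the article gives neither Orca’s list of high-profile vulnerabilities nor its point weights.

```python
"""Gate a virtual-appliance image on its scan findings using the instant-F rules."""

# Thresholds as the article reports Orca's instant-F rules. Pass your own dict to tighten them.
ORCA_INSTANT_F = {
    "high_profile": 4,   # 4 or more of the high-profile vulnerabilities
    "critical": 20,      # 20 or more flaws with CVSS 9 or higher
    "high": 100,         # 100 or more flaws with CVSS between 7 and 9
    "unique": 401,       # more than 400 unique vulnerabilities
}

# Constructed stand-in for Orca's high-profile list, which the article does not name.
HIGH_PROFILE = {"CVE-0000-0101", "CVE-0000-0102", "CVE-0000-0103", "CVE-0000-0104"}


def summarise(findings, os_supported):
    """findings: iterable of (cve_id, cvss_base_score). The same CVE reported in several
    packages counts once, which is what the 'unique vulnerabilities' rule needs."""
    unique = dict(findings)                      # last score wins for a repeated CVE id
    scores = list(unique.values())
    return {
        "os_supported": os_supported,
        "high_profile": len(HIGH_PROFILE.intersection(unique)),
        "critical": sum(1 for s in scores if s >= 9.0),
        "high": sum(1 for s in scores if 7.0 <= s < 9.0),   # 9.0 itself counts as critical
        "unique": len(unique),
    }


def instant_f_reasons(summary, thresholds=ORCA_INSTANT_F):
    """Rules the image trips; an empty list means it escapes an instant F."""
    reasons = []
    if not summary["os_supported"]:
        reasons.append("unsupported operating system")
    for key, limit in thresholds.items():
        if summary[key] >= limit:
            reasons.append(f"{key}: {summary[key]} >= {limit}")
    return reasons


# Constructed scan output: 19 criticals (the case the article calls "okay" under Orca's
# rule), two highs, one of which is on the high-profile list and is reported twice.
SAMPLE = [(f"CVE-0000-{n:04d}", 9.8) for n in range(1, 20)]
SAMPLE += [("CVE-0000-0101", 7.5), ("CVE-0000-0101", 7.5), ("CVE-0000-0200", 8.1)]
# An assumed stricter policy of our own, not Orca's; the article only argues for cutting thresholds.
STRICT = {"high_profile": 1, "critical": 1, "high": 10, "unique": 50}

if __name__ == "__main__":
    s = summarise(SAMPLE, os_supported=True)
    print("Orca rules:", instant_f_reasons(s) or "no instant F")
    print("Strict rules:", instant_f_reasons(s, STRICT))
```

Under Orca’s thresholds the 19-critical sample passes, which is the author’s complaint; under the assumed stricter policy it fails on both the critical count and the high-profile hit.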

Great. Something else for my to-do list. Credit: CSO Online

Sharing Passwords – Everyone Does It

Do you know the password to your spouse’s computer?

What about his or her social media accounts?

His or her email accounts?

Not married, just friends, maybe with benefits – what about his or her passwords?

We will get to work passwords in a minute.

ExpressVPN asked 1,500 American adults in an exclusive but not married relationship about their password sharing habits.

Couples, they say, share a variety of passwords and, most commonly, within the first six months of dating. What could possibly go wrong?

Here is what ExpressVPN found:

The most commonly shared passwords are for video streaming (78%).

Followed by mobile devices – nothing sensitive on your phone I am sure (64%).

Then comes music streaming (58%).

47% share social media passwords and 38% share email passwords.

Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).

Given that half of Americans who marry get divorced and lots of people don’t even get married any more, the idea of sharing passwords might have some “long term” problems – as in when one of you moves on.

Now let’s move to work passwords. Everyone has their own userid and password, but in many companies, because of the way account setup is done, IT knows it too and sometimes even your boss knows. Sometimes even your coworkers know, even if that is against company policy.

FYI, if something bad happens and you want to prosecute the employee, if you are one of the above companies, you better have some really good evidence (it is possible, but hard).

In many companies, employees, especially within a department, share passwords to some cloud services, such as those that charge by the user.

And IT often has “system” passwords – ones that “have to” be shared.

And don’t forget passwords to Internet of Things devices like, for example, your Alexa.

Let’s say that at some point the magic fades.

If you are not married you split. If you are married you get divorced. If you are employed, you leave, voluntarily or otherwise. If you are a vendor to a company, the company changes vendors.

In any of these cases, do you know what passwords are at risk? In many cases, the answer is no.

If the separation is “less than friendly” – whether work or personal – can you change the at risk passwords quickly?

Do you know if the other person has downloaded your data – business or personal – before the split?

Everyone wants to assume that people are honest and that bad things won’t happen but the percentage of employees, for example, who take data with them when they leave is high. In 2015 Biscom did a survey. 87% of employees took data with them that they created and 28% took data that others created. While these numbers are old, they are probably still in the ballpark.

Most companies don’t change passwords when employees leave because it is logistically challenging, but especially with IT folks, if they are disgruntled, they can and have done major damage. Likewise scorned lovers have done their share of damage too. All you need to do is check out the news from time to time.

Like I said, no one wants to think that relationships, business or personal, will end and even fewer think that they will end badly.

To quote Maya Angelou: “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”

Just a suggestion.

Credit: ZDNet