Category Archives: Legal

Get Ready for Encryption Fireworks

Since the early 1990s, there has been a battle going on between the federal government and privacy advocates. Privacy advocates want strong encryption. The government wants weak encryption that it can break. Except of course for the encryption that they use.

They claimed they needed it to hunt down terrorists, but that didn’t get any traction.

Then they claimed it was to hunt down pedophiles.

There are several bills in play right now and none of them really solve the problem. Not even a little bit.

One bill is the EARN IT Act which, in typical Congressional fashion, kicks the can down the road. Since actually figuring out how to solve the problem of bad guys using encryption while at the same time protecting the rest of us is hard, the EARN IT Act proposes to create a commission to make recommendations to the Attorney General, who is not required to accept any of the recommendations and can create his own. Then if the tech community doesn’t accept whatever he says, they will lose the protection they have for content posted by users. Since Congress has maybe one person out of 500 who understands tech, what they don’t seem to realize is that this will not achieve the goal Republicans have of getting more right wing content on the web. Instead, what tech companies will have to do is dramatically restrict user posted content to make sure that they do not post any content from either side that would get them sued for helping pedophiles or promoting violence or whatever. Facebook will go back to what Zuckerberg originally planned it for – figuring out which girls he wanted to go out with, or something slightly less PG than that. If they lose their immunity, they will restrict content.

If that happens, billions of dollars of investor capital value will go up in flames. I don’t have any Facebook or Twitter stock, but if you do and the bill passes, you should sell.

Sen. Graham introduced a new version of the bill to solve this problem. He wants to let the states decide. That way Twitter will have to comply with 50 state laws. That will definitely make things easier.

The Post says that legislators are far less sympathetic to tech companies and that may be true, but the President seems to like to use at least one tech company and if laws pass that remove protections, those companies are far more likely to censor him than they are now when they have immunity.

There are definitely two camps in Congress right now – those that want to protect people’s privacy and those that want to get rid of privacy because it is inconvenient to them.

Another bill, called the LAED Act, would literally ban strong encryption and make it a crime to use encryption that doesn’t have a backdoor.

Except, of course, crooks, how do I say this, DON’T CARE MUCH ABOUT THE LAW. So they will use strong encryption, except for the dumb ones, and we don’t really fix anything.

I am sure if the law requires a back door to private conversations, no crooks will ever discover how it works.

Kind of like how Apple tries to make it impossible to jailbreak their phones.

And their phones are typically jailbroken within 24-48 hours of a new software release.

I am not saying that there is not a problem. What I am saying is that there is no simple solution and rather than passing the buck to a committee or the states, figure out the answer. Even if it takes a couple of years. Figure out the right answer.

I must be thinking of a different organization than Congress. Credit: WaPo

Very Creative Phishing Attack

It all starts with a calendar invite, but there is a setup. The con is that your bank account has been compromised and you need to fix it.

The attack starts with an email titled something like “Fraud Detection from Message Center”. This part of the attack uses a real but compromised Office 365 account, complete with legit email security like DKIM and SPF.

The invite is hosted on the real Office 365 and contains a link. Clicking on the link causes another relatively simple document to open with another link.

Since hackers are equal opportunity crooks, when the user clicks on this link, they get transferred to a phishing site hosted at Google where the user is presented with a very convincing Wells Fargo site page.

The user is then prompted for the login information, PIN, various account number details and email credentials.

Assuming the user falls for all of this, they are taken to a legitimate Wells Fargo login page designed to make the user think the account was secured, when in fact, the user just gave the hacker the keys to the cookie jar. And likely all of his or her money.

According to the security vendor (Cofense), this is not the first time that hackers have used Google’s infrastructure to host malware. Credit: SC Magazine
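As an added defender-side example (not code from the article or from Cofense), the Python below triages a constructed calendar-invite message of the shape described above: it treats an SPF/DKIM pass as evidence only of which tenant sent the mail, and flags the message when the brand named in the content does not match the sending domain or the link hosts. All domains and the brand table are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a calendar-invite phish sent
# through a compromised Office 365 tenant, so SPF and DKIM pass, while the
# content impersonates a bank and links to a third-party hosting domain.
SAMPLE = """\
From: Message Center <notify@compromised-tenant.example>
To: victim@corp.example
Subject: Fraud Detection from Message Center
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=compromised-tenant.example; dkim=pass header.d=compromised-tenant.example
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Wells Fargo fraud alert - action required
DESCRIPTION:Your account was flagged. Review it at https://sites.google.example/wf-secure
END:VEVENT
END:VCALENDAR
"""

# Hypothetical table: brands that get impersonated and the domain they
# legitimately send from and link to. Extend it for your own environment.
BRAND_DOMAINS = {"wells fargo": "wellsfargo.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def same_org(host, domain):
    # True when host is the brand domain itself or one of its subdomains.
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return authentication state, extracted hosts, flags and a verdict."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    auth_ok = "spf=pass" in auth and "dkim=pass" in auth
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    is_invite = msg.get_content_type() == "text/calendar"
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    link_hosts = [h.lower() for h in URL_RE.findall(text)]
    flags = []
    for brand, domain in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # brand not mentioned, nothing to compare against
        if not same_org(from_domain, domain):
            flags.append(f"{brand}: sender {from_domain} is not {domain}")
        for host in link_hosts:
            if not same_org(host, domain):
                flags.append(f"{brand}: link {host} is not {domain}")
    if is_invite and link_hosts:
        flags.append("calendar invite carries links")
    # A passing SPF/DKIM result says who sent it, not who the content claims to be,
    # so content mismatches outrank authentication when deciding the verdict.
    verdict = "suspicious" if flags else ("clean" if auth_ok else "unauthenticated")
    return {"auth_ok": auth_ok, "from_domain": from_domain, "is_invite": is_invite,
            "link_hosts": link_hosts, "flags": flags, "verdict": verdict}
```

For the sample above the message authenticates cleanly yet is marked suspicious on three counts: the bank named in the invite is not the sending domain, the link host is not the bank, and a calendar invite is carrying a link at all.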

So what should you be doing?

Education. Education. Education.

Anti-phishing training should be a requirement at all companies and for all employees. At the low end there is free training, but for most companies, there is a moderate cost solution that is highly effective.

Some companies send the same phishing email to everyone, maybe once a quarter. That is not an effective approach to train employees. The program needs to be much more active in order to be effective.

As you can see from the sophistication of the attack above, the hackers are working overtime to steal your money.

You need to work equally hard to protect it.

If you need help with your anti-phishing training, please contact us.

Security News for the Week Ending June 26, 2020

Anonymous Gonna Rise Again. Question Mark?

A hacker or hackers claiming to be affiliated with the non-group Anonymous has posted a million documents coming from over 200 police departments and other law enforcement agencies. While the documents do not purport to show illegal activities, they are likely both embarrassing and also confidential. The fact that the police could not protect their own information is probably not great for their reputations either. Credit: Wired

Republican Senators Create Bill to End Use of Warrant-proof Encryption

Senators Lindsey Graham, Tom Cotton and Marsha Blackburn say that they plan to introduce a bill that will require service providers and device manufacturers to insert backdoors into their software and devices so that cops can decrypt the devices when they want to.

They have not published the bill yet and we have no idea whether it will get any traction, so who knows, but the main issue is that there is nothing to stop bad actors from installing software from web sites in countries that don’t really care about what Messrs. Graham and Cotton or Ms. Blackburn want. Sure you will catch stupid crooks, but we catch them anyway. Credit: ZDNet

Pentagon Creates List of Companies Controlled by Chinese PLA

There is a 1999 law that requires the Pentagon to produce a list of companies controlled by the Chinese military. Always prompt, 21 years later the Pentagon has produced that list. Huawei is one of those companies, of course. At this point it is not clear what the White House will do with that list, but we assume that it will be used to add pressure to China. Credit: Time

Feds Ask FCC to Deny China Access to New Fiber Optic Cable from US

Team Telecom, that federation of executive branch agencies that has been completely toothless in stopping China from compromising our telecom, has finally decided to eat its Wheaties. Renamed CAFPUSTSS, they say we should not drop an undersea fiber cable in Hong Kong for China to tap. The proposed cable would have a speed of 144 terabits per second, otherwise known as way fast. If the White House has its way, the cable will go from the U.S. to the Philippines and Taiwan and bypass Hong Kong. Google owns the Taiwan segment and Facebook owns the Philippines segment, but China owns the proposed Hong Kong segment. Credit: CSO Online

Hackers Use Captcha to Thwart Detection

Captcha, those annoying puzzles/questions/pictures that websites use to try and distinguish bots from humans, is now being used by the baddies. The hackers are putting their malware, like infected spreadsheets, on websites behind a captcha, likely to try and avoid detection by the good guys. If the good guys’ automated testing cannot complete the captcha, it won’t test the content behind it, leaving it available for victims to download and get infected. Credit: ARS Technica

Ripple20 Vulnerability Affects 100s of Millions of IoT/IIoT and Medical Devices

If that headline doesn’t scare you, it should.

Ripple20 is a family of 19 vulnerabilities that are part of a library that is used in medical devices, home automation devices, oil & gas controls, networking devices and other industrial control devices.

The bugs are in a library that was developed in the 1990s and is integrated into all kinds of devices.

The problem is that these libraries are not something that a user – consumer or business – can do anything about. They are completely dependent on the manufacturer to fix it.

Likely many of these devices don’t even have a mechanism to update it.

To make things even more troubling, many times the buggy software was integrated into modules that then got integrated into products that then got sold to you and me. The software vendor has no idea where it got used and the integrator might not even know that the affected modules are in their product.

The product is a TCP/IP communications library – something that any device that is somehow connected to the Internet has in it.

So why were 19 vulnerabilities called Ripple20? Because, they say, of the ripple effect they will have in 2020. That is a bit of an understatement.

Some of the vulnerabilities have a risk rating of 10 out of 10 and others 9.8 out of 10.

While the software vendor has released patches for the current version of the software, what about products that were built 10 years ago for example? Those companies may not even be in business and even if they are, they likely don’t support a (pick a number) 10 year old, 15 year old or whatever age product. Assuming they know about the library.

Vendors that have released alerts include Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation and Cisco.

Expect more alerts over the coming months.

The industry is still working through the impact of the Urgent/11 family of similar bugs that were released about a year ago.

The government is working on some voluntary guidance for Software Bill of Materials standards that I am watching, but that is going to take years to gain any traction.

Businesses need to keep pushing vendors and vendors need to keep pushing their vendors for a Software Bill of Materials to be a standard part of all deliverables. Software developers need to step up their game too.

Until then, we are making it very easy for the hackers. They know what the vulnerabilities are. They know at least some of the vendors that are affected and, more importantly, they know that most of these products will never be patched. Likely in a matter of days or maybe a week the entire Internet will be scanned looking for vulnerable devices. Then hackers have years to exploit it.

While a hacker turning off your smart light bulb might be annoying, changing the settings on an insulin pump – well that could have more life altering effects.

Ponder this: Software vendors have zero liability for these bugs. Congress is considering changing that (it is a recommendation of the Cyberspace Solarium Report). Until that happens, don’t expect that to change.

Credit: ZDNet and JSOF

Your Cybersecurity is Likely Better Than the CIA’s Was. Or is?

The Vault 7 leak, in which Wikileaks posted information about a large number of CIA hacking tools, was possibly the worst national security compromise the Agency has ever seen.

Not only did it reveal our techniques for hacking foreign systems but the hackers repurposed those tools and hacked American and other friendly companies and governments.

The CIA had to create a whole new series of tools that used different exploits, assuming that is even completely possible.

While the Vault 7 leaks did not distribute source code, it did disclose Tactics, Techniques and Procedures (TTPs). This gives the other side all kinds of clues into our thinking, what software we think is vulnerable and our approach to hacking.

Joshua Schulte was arrested and tried for the leak but was only convicted on a few of the lesser charges. Why?

Because the CIA had horrible internal security practices.

An internal CIA report reviewing the breach said that bad cyber practices led to the disclosure of at least 180 GB of hacking tools and documentation.

The report said that the Agency shared administrative passwords and had no control of removable storage, for example.

While if you do that, it is a problem, if the CIA does that, well, it is a disaster.

The Intelligence Community has a historical love, maybe obsession is a better word, for OFFENSIVE security (hacking the bad guys) and not much interest in DEFENSIVE security.

A redacted, but still damning, version of the report has been released.

Following Tom Lehrer’s song of Wernher Von Braun’s thoughts about rockets (“Once the rockets are up, who cares where they come down”), the report says:

“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.

Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The report also says that there were deficiencies in the Agency’s procedures for detecting rogue insiders, which allowed the insider to take all of the data out and give it to Wikileaks.

According to Senator Wyden, who released the redacted report, years later the Agency’s security is not a whole lot better.

So maybe your security is not so bad. At least when your stuff gets compromised, you aren’t helping the Russians and Chinese.

That is probably not the metric that you want to use for your security program.

And why did Schulte’s trial end in a mistrial for many of the charges? Because the CIA’s security was so bad that they could not convince the jury definitively that Schulte took the information.

Credit: The Register

Security News for the Week Ending June 12, 2020

Singapore Updates Contact Tracing App

Singapore is not exactly a democracy, so this isn’t a complete surprise. They are updating their contact tracing app to include foreigners’ passport numbers and scanning of barcodes to facilitate tracking when someone enters a store or mall or restaurant. They would like the program to run in the background, but Apple does not allow Bluetooth to be active in the background, so the software doesn’t work right on iPhones. So, for iPhone users, people who don’t have smartphones and people who won’t install the app, they are working on building a wearable device to perform the same function and possibly issuing a device to everyone in the country. Credit: ZDNet

Indian IT Company Ran Hack for Hire Operation

BellTroX, a small Indian IT company based in Delhi, ran (allegedly) a hack-for-hire operation that targeted thousands of high profile politicians, investors and journalists on six continents over the last 7 years. Initially thought to be state sponsored, investigators now think they were just in it for the money. The group is known as Dark Basin by researchers, who have begun to unravel their work and notify hacked individuals. Credit: The Hacker News

Thanos Ransomware as a Service Weaponizes RIPlace Vulnerability

The Thanos Ransomware as a Service tool weaponizes the Windows RIPlace attack tactic. RIPlace is a technique that uses a legacy API to bypass endpoint protection (AKA anti-virus) tools. Now that Thanos is available as a service to any wannabe hacker, expect to see even more ransomware attacks. The Thanos developer continues to add features including a light version (as in fewer features) and a company (full featured) version. Credit: Threatpost

Copy Protection Comes in Many Flavors

GE has, apparently, “copy protected” the water filters for their refrigerators so that you cannot use a $13 filter that is physically the same and have to pay GE $55 for their filter.

One customer was sufficiently annoyed that he bought a domain and explained how to “hack” GE’s refrigerator. All you have to do is take GE’s RFID tag off a legit filter and put it in the right place on the fake GE filter. I am not sure if it is legal, but that was one ticked off user. Credit: Vice

Federal Agencies Spending Millions on Crossbow

Crossbow, AKA Stingray, version 2, has been purchased by multiple federal agencies including ICE. Stingray is a device made by Harris to intercept cell phone traffic and is used by the military. They are also being used by federal, state and local governments, including during protests. Think of it as a cell tower in a small suitcase. Whether version 1 or version 2, they can be used to track down fugitives or surveil anyone, anywhere. We have reports of finding many Stingrays around Washington, DC, likely placed there by UNfriendly countries. Harris was so keen to keep information about the Stingray quiet that police regularly dropped charges rather than reveal information. Assume that Crossbow will be the same. Credit: Vice