Category Archives: Safety

It’s To Protect The Children

Law enforcement has been trying since at least the 1990s, when they jailed and tried to convict Phil Zimmermann for creating an open source encryption program called PGP, to put the encryption genie back in the bottle.

The problem is that encryption is math and math doesn’t care about politics.

If some governments were to ban encryption, there would be other countries where people who really wanted encryption could get it. And, while the math is hard, there are enough books published, enough algorithms available, that smart hackers could write their own.

Governments have been trying for decades to get software developers to create new math – math that allows for strong encryption but also gives law enforcement a master key to look at whatever they want to look at.

After all, if the TSA can’t even secure the physical keys that they use to open people’s suitcases at the airport, how likely is it that they can secure a master encryption key or keys?

So the solution is to scare people – or at least try to scare them.

Fear is a common tactic. Car makers who don’t want people to be able to repair their own cars said that allowing people to do that would embolden sexual predators (Massachusetts, 2017).

They are counting on people being fearful and not knowledgeable. Occasionally it works.

Britain is trying to scare people into giving up their right to privacy. At this point, we do not know whether it will work or not.

Rolling Stone is reporting that the UK government, at taxpayer expense, has hired the world famous advertising agency M&C Saatchi to create a major scare campaign.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

The UK Home Office said that they hired Saatchi to bring together organizations that “share our concerns about the impact end-to-end encryption would have on our ability to keep children safe”.

It is fair to say that encryption does make bulk data surveillance harder, but there is already a lot of end-to-end encryption in place. Open source software like Telegram and Signal and commercial software like WhatsApp are just a couple of examples.

The government says that the plan is to create this media blitz “to make the public uneasy”. In other words, scare them into accepting even more surveillance than they are already under.

One slide from a campaign deck says that most of the public has never heard of end-to-end encryption, adding that “this means that people can be easily swayed”.

They also said that the campaign must not start a privacy vs safety debate, but I don’t think that objective is possible.

The opening phase of the government’s scare campaign is expected to start within days.

However, privacy advocates plan to start their own campaign too.

This battle is not going to end anytime soon, but the best defense is an educated public.

If you have questions, please reach out to us.

Researcher Demonstrates How to Melt Power Lines in New York

Actually, they just used New York as an example, but the researchers literally melted the copper power lines. Once the power lines were vaporized, well, there was no more power.

The good news is that this was just a demonstration, but definitely a scary one.

Worse yet, the device the team hacked was the overload protection device. So, the device that was added to the electric grid to protect it became a traitor and attacked the grid – or at least watched quietly while the attack took place.

Start by realizing that there is no such thing as hardware any more. Yes, there are metal things, but making them work requires software. This software is what the team at Red Balloon attacked.

Schneider Electric, which makes this protection relay, has now released a patch for the bug.

Of course, getting it installed is a different story.

The researchers tested two other protection relays but did not find anything significant in those two.

Credit: Yahoo News

An engineer at cybersecurity firm Mandiant said that even if a relay like this failed, power could be back up and running to affected customers within hours. I think this guy should stick to software, because he clearly does not understand hardware (the guy, Chris Sistrunk, is a technical manager at Mandiant and focuses on industrial control systems).

Here is where his thinking breaks down.

**IF** all that happens is the hacker causes one relay to fail, then yes, you can replace that relay quickly and fire up the power to the network behind it.

But what if, as in the demonstration, the overload causes miles of wire to melt? Does he really think that they can replace that wire in a few hours? I don’t think so.

As always, the devil is in the details.

I see announcements from CISA every week – dozens of them – for patches to industrial control system software and firmware.

Likely, many of those systems will never be patched because system operators are scared that if they do patch them, they will not come back online. This is not a completely unreasonable concern.

We are not just talking about electricity. Water, sewer, natural gas, chemical plants, refineries and on and on. We already saw this with the Colonial Pipeline attack. It does not take much.

Bottom line, critical infrastructure managers need to work hard to stay ahead of the hackers.

The Latest Supply Chain Risk – Your Desk Phone

Senator Chris Van Hollen (Maryland) wrote a letter to Commerce Secretary Raimondo asking what she planned to do about this security vulnerability – this is the first we are hearing about it. Raimondo could ban the equipment, just like equipment made by Huawei and others.

Chinese electronics maker Yealink is not a household name like Huawei, but it may soon be.

Yealink’s phones are, apparently, popular in the United States, including at government agencies – federal, state and local, but they might have just a few security concerns.

Van Hollen’s letter references a report by Virginia-based Chain Security, a firm that assesses hardware supply chain risk for a living.

The report says that Yealink’s Device Management Platform or DMP is what allows users to make calls and administrators to manage the phones.

HOWEVER, it also allows Yealink to secretly record those calls and also, for computer based phones, to track which websites users are visiting.

Concerned yet?

It turns out that even if you are using a physical phone, if the computer gets to the network through the phone, the phone can still track what websites you are visiting. Actually, not CAN track you; it should be IS tracking you.

While it is not confirmed, it is suspected that Yealink holds a sysadmin account on the DMP, and hence has the power to do anything that any other admin can do.

Yealink’s service agreement requires users (like US Government employees with one of their phones on their desk) to accept China’s laws, including a term that allows for the active monitoring of users when required by the ‘national interest’ of China.

The phone also does not digitally sign software updates, so if someone can convince the phone to accept an update, it has no way of knowing whether that update is legitimate or not.

Even scarier is Verizon’s response to this revelation: A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”

Does that mean that Verizon is in cahoots with China?

If all of this wasn’t bad enough, the phone sends encrypted messages to China three times a day.

The Commerce Department responded to the Senator saying that they take this stuff seriously.

Whatever the hell that means.

My guess is that this is probably not a lot different than other tech that may be in your office or home – which means that you might want to be more aggressive in reviewing the security of those tech toys.

Credit: Defense One

New Attack Exploits Microsoft Software Signing Verification

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware that they have detected works. The problem is, however, much bigger than this. Now that the technique is public, this could be used to modify any already signed software leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote maintenance product (like Kaseya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the hacker played a short clip of adult content and then told the victim that they needed to install this Java update, which was really malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Windows Defender’s preferences to not check certain folders and file types and the other installs the malware.

Next, the attacker runs MSHTA (mshta.exe) with a particular DLL as the parameter. The catch is that the DLL had malicious scripts appended to it. Due to an oversight by Microsoft, appending the script does not invalidate the signature.

Microsoft FIXED this bug in 2013 – that’s right, 9 years ago – but they changed it in 2014 after discovering that it broke some customer software. Microsoft, in its never-ending effort to be customer friendly, decided to totally compromise their customers’ security rather than telling their customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way they disabled it was to change the install of the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) from mandatory to optional. As a result, most users do not have it installed.

The fix is to install the update, understanding that it is possible that it might break some stuff: Microsoft Security Advisory 2915720 | Microsoft Docs.
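As an added defender-side check (this is not code from the page, from Check Point or from Microsoft), the snippet below parses the WIN_CERTIFICATE entry that a PE file’s security directory points at and measures how many bytes sit after the DER-encoded PKCS#7 SignedData but still inside the entry. Those bytes are not covered by the Authenticode hash, which is exactly the room an unpatched verifier leaves; the PKCS#7 blob and the trailer here are constructed stand-ins, and the field layout (dwLength, wRevision, wCertificateType) is the one documented in the PE format.

```python
import struct

# Constructed stand-in for a DER PKCS#7 SignedData blob (not a real
# signature): SEQUENCE tag 0x30, long-form length 0x82 0x01 0x00 = 256 bytes.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + bytes(256)
# Constructed stand-in for unsigned bytes appended after the blob.
FAKE_TRAILER = b"CONSTRUCTED UNSIGNED TRAILER BYTES"


def der_total_length(buf: bytes) -> int:
    """Size of the DER element at buf[0]: tag + length bytes + contents."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def build_cert_table(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Wrap pkcs7 (plus optional extra bytes) in a WIN_CERTIFICATE entry:
    dwLength, wRevision=0x0200, wCertificateType=0x0002, padded to 8 bytes."""
    body = pkcs7 + extra
    body += bytes((-len(body)) % 8)       # alignment required by the PE spec
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def unauthenticated_trailer(cert_table: bytes) -> int:
    """Bytes inside the entry that follow the PKCS#7 SignedData. The
    Authenticode hash excludes the certificate table, so a signature check
    alone says nothing about what is stored there."""
    if len(cert_table) < 8:
        raise ValueError("too short for a WIN_CERTIFICATE header")
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", cert_table, 0)
    if cert_type != 0x0002:               # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError(f"unexpected certificate type 0x{cert_type:04x}")
    if dw_length > len(cert_table):
        raise ValueError("dwLength exceeds the data present")
    body = cert_table[8:dw_length]
    if body[:1] != b"\x30":
        raise ValueError("PKCS#7 blob does not start with a DER SEQUENCE")
    signed_len = der_total_length(body)
    if signed_len > len(body):
        raise ValueError("SignedData runs past dwLength")
    return len(body) - signed_len


def has_suspicious_trailer(cert_table: bytes, allowed_padding: int = 7) -> bool:
    """True when more bytes follow the blob than alignment padding explains."""
    return unauthenticated_trailer(cert_table) > allowed_padding
```

On a real file, the entry is read from the offset and size in IMAGE_DIRECTORY_ENTRY_SECURITY; a trailer larger than a few alignment bytes on a signed binary is worth a closer look even when the signature itself verifies.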

Credit: MSN and Dark Reading

Why the Internet Does Not Replace Common Sense

Some people say that common sense isn’t so common anymore. Sometimes the Internet doesn’t seem to have much common sense, so those people might be right.

Hopefully most adults can distinguish between smart things to do and not so smart things to do, but not always.

Right after Apple and Google split over Google Maps and Apple tried to create its own version of it, the maps told people to do things that they shouldn’t and the term “death by GPS” was coined. It is a thing and it really happened. More than once.

But kids do not have the experience, sometimes, to figure out the difference between smart and not so smart.

Enter Amazon.

According to Kristin Livdahl, a writer and the mother of a 10-year-old child, her daughter asked Alexa, the digital assistant on the Amazon Echo, for a challenge to do. Kristin and her daughter were doing physical challenges to warm up and her 10-year-old asked Alexa for more.

Here is what Alexa suggested:

“The challenge is simple: plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs,” Alexa said and set the timer for 20 minutes to complete the challenge.

Besides the possibility of setting the house on fire or electrocuting herself, it seems like an okay challenge – not.

Apparently Alexa stole it from an old challenge that was circulating on TikTok a while back.

Amazon told the BBC that they are fixing the problem. Good plan.

This just points out the fact that you should not trust everything you read or hear. Hopefully most adults already understand this, but given the number of adults that fall for a whole variety of scams, I am not so sure about that. More importantly, you need to train your kids not to either. Kids don’t have the experience you do and kids are subject to peer pressure, among other things. Just think about what might have happened to this 10-year-old if things had gone a little differently. Luckily, it did not. That doesn’t mean that next time won’t be different.

Credit: Cyber News

Romance Scam+Crypto=Pig Butchering

Romance scams have been around since, well, there has been romance. But there is a new version of the scam traced to the Chinese mafia.

Start with the traditional online dating site romance scam. Chat with your mark, flirt, but don’t actually meet in person. They typically target shy, lonely people – preferably with money – who can be convinced fairly easily that not meeting in person is okay. This is pretty important since the person who is targeting the mark doesn’t really exist or is not as represented on the dating app.

What is new is adding cryptocurrency trading into the mix. You can probably figure out how it works. The scammer starts chatting with the mark about cryptocurrency and how much money she (in this case) has made in the last few months. The mark gets excited about making money (hence the pig analogy – actually they blew the analogy, but I will explain that later). The scammer tells the mark about this app that the scammer is using to make all this money.

What the mark doesn’t know is that the scammer controls the app.

The mark makes some trades in the app and makes some crypto profit. The scammer allows the mark to withdraw that money so that the app seems legit.

The mark starts getting greedy and invests more and more money using the app, but for whatever reason (likely over confidence) does not withdraw any of the profits.

The profits (at least in the app) continue to build and finally the mark tries to cash out. This is where the scammer (in the guise of the app owner) comes up with excuses – different reasons why the mark can’t cash out. In one case, the mark was told that he had to pay back the money that the site loaned him (I am guessing there is a margin play here too) before he can cash out. That is, of course, a chicken and egg problem: I can pay you if I can cash out, but I can’t cash out until I pay you. If the victim does give the scammer the extra money to pay the loan, the scammer comes up with a different reason. And keeps the mark’s additional money.

One victim lost over a million and a half dollars in this scam (see the 7News article below).

Remember that none of this crypto stuff is insured and very little of it is regulated. It is definitely buyer beware.

Back to the name. The name of the scam in Chinese is sha zhu pan or “pig butchering”.

Remember that the US expression is “pigs get fat and hogs get slaughtered”, but I suspect that distinction is lost in translation. Still, the expression is accurate. If you take some profits and then exit (get fat), then that might work, or at least you will lose less money. But because the marks get greedy (hoggish), they get slaughtered.

I would not be surprised if, even when the mark had only made $50k or $100k, the scammers would come up with an excuse not to pay out. But the mark gets greedy, gets sucked into the scam and stops thinking rationally.

People need to understand that apps are not controlled and you, for the most part, have no idea who is running an app or what motive they have. Be careful.

Credit: The US Sun and Denver 7 News