
Can You Really Remove Stuff From the Internet

In one case, the answer is probably.  If I want to delete one of my blog posts, I can probably do that.  But not if someone copied it, which I can’t control.  Then they can upload it again.  I can send a DMCA take-down notice to the hosting provider, which they might ignore if they are not in the U.S.  Even if they do take it down, someone can repost it someplace else.

And, while the Digital Millennium Copyright Act (DMCA) gives strong protections to the owner of the copyright, you still have to know your stuff is online.  If the person doesn’t really want to take it down, it is hard.

Which brings me to today’s story.

There is a porn company called Girls Do Porn that lied to women, conning them into acting in porn videos with the claim that the videos would not be online and no one would ever see them.  The company targeted college kids who needed the money, and some succumbed to the almighty dollar.

Turns out the people who produced these videos were liars and the videos were available on the web if you subscribed.

Of course the women who acted in these videos had no idea.

UNTIL   …

On May 1, 2016, in the middle of final exams, a young woman got a text message that would change her life forever. It included a screenshot of a pornographic video posted online, featuring her. Panicking, she quickly tried to justify what she had done. “They said it would only be in Australia,” she told her friend, according to court documents. “I only did it for money.”

Eventually, 22 women sued Girls Do Porn and got a $13 million judgement.  The owner of Girls Do Porn, Michael Pratt, was charged with federal sex trafficking crimes and is a wanted fugitive.  The feds will probably catch up with him years from now when he makes a mistake.

In the meantime, these women have to deal with the consequences of the decisions they made.

One of the ways that Pratt generated traffic to his site was to post trailers for his videos on the very popular porn site called Pornhub.  That site even had a “channel” for Pratt’s content (Pratt wasn’t special, channels are a feature of the site).

After the verdict, Pratt’s site was taken down and Pornhub removed his “Channel”, but that is not the end of the story.

Many of these videos are still available on Pornhub.  Unofficially.

Pornhub, which makes money from ads surrounding these videos, claims that the women can easily request these videos be taken down.  Sure.  Right.  BS!

Of course, they would have to know where each and every copy of the video is located.  And Pornhub is only one of a billion places where the video might be hosted.

Pornhub says that they “fingerprint” the video after a takedown request so that it cannot be uploaded again, but change one bit in the video and the fingerprint is no longer the same.

When YouTube was first starting they did the same thing.  They allowed people to post movies and other copyrighted content.  In fact, they encouraged it for the same reason that Pornhub does – it makes them money.

In YouTube’s case, they ticked off the wrong people – movie studios.

After spending tens of millions of dollars in legal fees over many years, they got a multi-billion dollar verdict against YouTube and Google decided that they really needed to fix the problem.  Of course, by then, they didn’t need pirated content to get people to the web site, so they were okay with cracking down on the practice.

In the case of these college coeds, they can’t afford tens of millions in legal fees.  In the case above, the video spread like wildfire across the college campus where she was a student.  Even the administration decided they needed to watch it for some unknown reason.

I guess the moral of the story is that it is often really hard to remove things from the Internet.  Google my name and you will find stories about me from 25 years ago.  Mind you, I have not tried to take any of them down, but if I wanted to, it would take a lot of effort.

In the case of these videos, they are not indexed by search engines under the victim’s name, so how do the victims even know they are online?  They don’t, until someone finds a video and shares the information.  Too late then.

Section 230 of the DMCA gives websites broad immunity from being sued, and that immunity is probably needed in order for many parts of the web not to shut down.  If Facebook could be sued for something a user posted, they would not be in business.  Neither would tens of thousands of sites that would be out of business after receiving just one lawsuit.

For more details on this particular case, see this article on Vice.

Many states have revenge porn laws to try and address this problem, but good luck getting a DA to track down some kid in his parent’s basement who knows where and prosecute him for posting one or two videos.  That only happens in high profile cases.

Education is important so that people understand what can happen.  That helps them make wise decisions.

While this is more egregious than the problem with kids sharing nude selfies in middle school, the results are similar – a lot of emotional distress for the victims.  Probably, similar promises were made.  Oh, come on.  I won’t share it.  You get the idea.

Parents, please sit down with your kids and help them understand the consequences.  There is no easy way to unring the bell.  The consequences for the victims can be tragic.


Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true, and those devices cause enough grief on their own, as they did last year when malware attacked these poorly protected devices, used them as a zombie army, and took down parts of Amazon and Twitter (and hundreds of other sites).

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems, or ICS; SCADA systems are one piece of that.  ICS systems control things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and, to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, cannot be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross their fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding and power plants and generators and Nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected?  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did?  Or didn’t?  What they changed or deleted?  What they stole?

All of this has to be done quickly.  Sometimes, with good hackers, they may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.


NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the WannaCry ransomware attack last year.  That virus took many organizations back to the stone age of computing (i.e., a pencil and paper): it infected and took down organizations like the UK’s National Health Service, parts of FedEx, Hitachi, Honda and hundreds if not thousands of others, many unknown.  It was enabled by a gift written by the NSA called EternalBlue.  EternalBlue was designed to be a gift given to our enemies, but it managed to get out in the wild and was used by the bad guys to infect hundreds of thousands of computers in at least 150 countries, costing companies billions of dollars to fix.

If it weren’t for EternalBlue, this attack would not have worked.  Funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called EternalBlue is still giving.  There are still at least a million computers that are not patched, and hackers are using EternalBlue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work?

Right now, today, the attackers are using this attack to mine crypto currency on the infected computers.  However, if that stops being profitable enough, well, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple thing is that there are Windows patches available to be installed.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.
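An added example, not code from the original post, for the two fixes just named: a PowerShell audit that reports whether a Windows host has one of the MS17-010 updates installed and whether SMBv1 is still enabled, and turns SMBv1 off when run with -Remediate.  It assumes the protocol the attack uses is SMBv1 (the one EternalBlue exploits), and the default KB list is my own selection of the March 2017 MS17-010 package ids for the older Windows families, to be checked against the Microsoft bulletin for your builds.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit a Windows host for the two
# EternalBlue mitigations (MS17-010 installed, SMBv1 off) and optionally fix SMBv1.
# Assumption: "the protocol that the attack uses" is SMBv1, which EternalBlue exploits.
param(
    [switch]$Remediate,
    # Assumption: March 2017 MS17-010 package ids for Windows 7/2008 R2, 8.1/2012 R2,
    # 2012 and the XP/2003/Vista/2008 out-of-band update. Verify against the bulletin.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                              'KB4012214', 'KB4012217', 'KB4012598')
)

function Get-Ms17010Status {
    # Get-HotFix lists installed updates by KB id. On Windows 10 / Server 2016 the fix
    # ships inside cumulative updates, so an empty result there means "check the build".
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        PatchFound = [bool]$found
        HotFixIds  = ($found | ForEach-Object { $_.HotFixID }) -join ','
    }
}

function Get-Smb1Status {
    # Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    $server  = Get-SmbServerConfiguration
    # The SMB1Protocol optional feature exists on Windows 8.1 / 10; it is absent elsewhere.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'n/a' }
    [pscustomobject]@{
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = $featureState
        # Port 445 listening is what makes the host reachable by the exploit at all.
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # Turn off the server-side protocol immediately, then remove the optional feature
    # (takes effect after a reboot). Clients that still need SMBv1 will lose access.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$patch = Get-Ms17010Status
$smb   = Get-Smb1Status
$patch, $smb | Format-List

if (-not $patch.PatchFound) {
    Write-Warning 'No MS17-010 KB found. Install it, or confirm the cumulative update level is current.'
}
if ($smb.ServerSmb1Enabled -and $Remediate) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; reboot to finish removing the optional feature.'
} elseif ($smb.ServerSmb1Enabled) {
    Write-Warning 'SMBv1 is still enabled; rerun with -Remediate to turn it off.'
} else {
    Write-Output 'SMBv1 is already off.'
}
```

Run it once without -Remediate to see the report, since switching SMBv1 off breaks any old printer or NAS that still speaks only that version.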

But, since people aren’t really diligent about patches, and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.

Just think about that for a minute.

Information for this post came from ZDNet.


Apple is Trying to Catch up With Windows

Update: Apparently if you are running macOS 10.13 and apply the patch to fix the root problem and then upgrade to 10.13.1, that patch gets undone, so you have to reapply the patch.  In addition, the patch does not take effect unless you reboot.  Just another bit of the mess.

The Mac OS has generally been considered a secure operating system, but lately Apple has been trying to imitate their friends from Redmond and not in a good way.

The first of the MacOS bugs found recently is a new one.  Linux and Unix administrator accounts are called ROOT, unlike Windows and other operating systems, which call the account ADMIN or ADMINISTRATOR.  Apparently in the current version of MacOS, High Sierra, if you entered the user name ROOT with no password, you got an error message, but if you entered it a second time with no password, it let you in with full administrative permissions.

Initially, people thought that this exploit required that you have local access to the computer, but it turned out that if you had remote access turned on as many or most corporate computers do, the attack would work remotely as well.

Apparently the OS detected there was no ROOT account and created one with no password.  The quick fix was to create a ROOT account with a complex password.

Apple quickly created a fix that was automatically and silently installed (I guess that is both good and bad), but that fix broke some other things and Apple had to release a fix to the fix.  That second fix had to be manually installed and required some advanced gyrations on the part of the user.

The good news was that Apple was able to fix the bug quickly once they were told about it.  The bad news is that if a user’s PC was compromised before they installed the patch – which statistically is possible but unlikely – then the only solution is to wipe the disk and start over.

But this was only the start of last month’s problems for Apple.

The second MacOS bug, which also granted users unlimited ROOT access, had been around for at least a decade (sound like Windows again?), maybe two decades or more.

The person who found it was neither a professional hacker nor a professional security researcher, but rather a self-titled hobbyist.  This means that other people (and not the well-intentioned ones) could have known about it for 20 years or more.

The bug was in the IOHIDFamily family of software.  This software has been a problem child in the past.  The hobbyist who discovered it released a proof of concept for all of the hackers to follow at the same time he announced the bug.

As of 17 hours ago, Apple had yet to comment on it, but I assume that their engineers are busy working on how to fix it.

Right now it counts as an 0-day, and a nasty one.  0-days are bugs that were not (publicly) known about prior to the announcement.  Except that in this case, it was probably known about by others, such as the Chinese, Russians or American spies and possibly exploited – maybe for many years.

For a while, Apple computers seemed to be immune to bugs.  I don’t think that is necessarily because the software is super secure, but rather because it is a niche player with a small market share (less than 8 percent according to NetMarketShare).  As other operating systems were attacked and started fixing bugs, MacOS became the next target of opportunity.

So, in this case, one bug is fixed, albeit a bit bumpily and the other is still open.

Happy New Year Mac users!

Information for this post came from CNet, The Guardian and BetaNews.



Congress Votes to Kick The Can Down The Road on Spying

Section 702 of the Foreign Intelligence Surveillance Act allows the intelligence community to collect intelligence on non-Americans outside the United States without a warrant.  As the intelligence community hoovers up huge quantities of data (they just built a new facility in Utah so that they could bring enough storage online to hold all the data), it is inevitable that they will collect information on Americans, absent a warrant, absent probable cause.  They say there are controls in place to protect Americans, but those controls do not, some say, match the requirements of the Fourth Amendment to the U.S. Constitution.

The Congress, in 2008, had the wisdom to require that Section 702 be renewed every few years.  The result of that is to force a debate and make Congress-critters go on record voting for or against whatever the revised 702 requires.  The last vote to renew Section 702 was in 2012 and it is set to expire on December 31, 2017, about 7 days from now.

In Congress there are several different factions right now:

  • One group wants to renew Section 702 as is and make it permanent.
  • Another group wants to require the FBI to get a court order before viewing information on Americans – information that they hope to use in criminal cases.
  • Others want the FBI to go to the Foreign Intelligence Surveillance Court to weigh in on the legality of queries on Americans, pretty much a rubber stamp approval.
  • Finally others want to scrap it entirely.

So Congress does what it does best and renewed Section 702 for another 28 days and went on vacation.

Congress is on vacation until January 8th, and with absolutely no agreement on what to do and only 10 days between when Congress returns and the expiration, do not be surprised if Congress kicks the can down the road again and extends it another 30 days.

Unlike some bills in Congress, this is not an Elephants vs. Donkeys issue;  this is a privacy rights vs. national security issue.

The House Freedom Caucus Chairman told the media that no long term extension would get through Congress at this time.

Republican Sen. Rand Paul and Democratic Sen. Ron Wyden want to bring the fight to the floor.

My personal opinion is that Congress is unlikely to let Section 702 expire.  I just don’t think that is going to happen.  But what form of restrictions are going to be put in place – that is a much harder question to answer.


Information for this post came from the Washington Post.


Mecklenburg County Hit With Ransomware Attack

Mecklenburg County, North Carolina, home to Charlotte, was hit with a ransomware attack that the county was clearly unprepared to handle.

The good news, if there is any in a situation like this, is that the attackers only compromised about 48 out of the county’s 500 servers, but other servers were shut down to make sure the ransomware didn’t spread to those servers.

The bad news, and there is much more of that, is that the county says it will be some time in 2018 before they get everything put back together.

Some reports say that the attackers wanted two bitcoins or about $30,000, but other reports say they wanted two bitcoins per server, which would have put the bill in the millions.  The county has decided not to pay the ransom.

The county said that because of a backup system, the hack didn’t compromise any personal information.  Clearly, the county officials do not understand how technology works.

This is also one reason why these local governmental organizations can be picked off pretty easily.  Likely due to staffing, money and lack of executive support, these local governments have poor to non-existent cyber security, disaster recovery and business continuity programs.

Examples of the effects, even with the backup system that was in place, are that calls to the domestic violence hotline are going to voice mail and being picked up later by counselors.

The county jail is having to process inmates in and out of the jail using paper forms.  I am highly confident that nothing will go wrong.

Social Services is having to recreate rides scheduled for seniors and many of those ride requests have been forever lost.

Payments to the tax department have to be made by cash or check and building inspections are using paper forms.

The goal is to attempt to get life preserving services up first and the rest of the services restored in 2018.

Mecklenburg is far from alone in this plight.  City and County governments, especially, do not have either the budget or the expertise to deal with modern day, real world cyber attacks.  All they can do is hope that no one clicks on an infected link in an attack email.

The private sector is in better but not great shape.  They are much more motivated to have systems that work and not spend the millions of dollars that I am sure Mecklenburg is spending to rebuild servers from scratch.  Businesses also don’t want to lose customers.  When FedEx got hit with the WannaCry virus, customers switched to their competitors.  Many of those will never come back.  Mecklenburg doesn’t have that problem – there is no competing government to switch to.

For private businesses, these attacks can be the difference between a profit and a loss, staying in business or going out of business.  FedEx, in the example above, spent $300 million recovering from WannaCry last quarter and will spend an equal amount this quarter.  Many businesses cannot afford the bills that these attacks generate and just go out of business.

Information for this post came from The Washington Post and NBC News.
