Category Archives: Uncategorized

FBI Releases 2021 Internet Crime Report

The FBI runs something called the IC3 or the Internet Crime Complaint Center. While they do occasionally catch bad guys, their main objective (they might argue with this) is to understand how big the problem is and share information with a lot of other law enforcement agencies. The bad news is that the problem is huge.

Last year people reported almost $7 billion in Internet crime – specifically…

Note that business email compromise attacks and email account compromises represents a third of the total.

But look at the growth curve. Between 2017 and 2021, the dollar value of crimes reported grew by 500%.

Now look at crimes REPORTED by age. This doesn’t necessarily map to actual crime numbers, but it could. It may just mean that older people are more likely to report crimes or it could mean that older people are better targets. Still it is a very interesting set of facts.

The report has more detailed information, but the big takeaways should be the dollar value of the crime and the shape of the curve. Neither of those is terribly comforting.

That means that it is up to you and me to educate ourselves and our families, add layers of security and think before we act.

Sources:

IC3 report: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

The Record and the FBI

FCC Gets The Huawei Replacement Bill – 3x What They Expected

At the tail end of the Trump administration, Congress passed a bill to get telecom carriers to remove Huawei network equipment from their networks as a national security issue – which it may well be.

Congress allocated a billion plus dollars to help small telecom providers with the costs of doing that.

The FCC thought that it would cost about $1.9 billion even though Congress didn’t allocate that much money.

While the goal was replace the Chinese equipment with American made equipment, the reality is that there are no American companies that make this kind of equipment, so the equipment that replaces the Chinese made stuff will come from Sweden, France and other countries, but not likely from the United States.

The FCC allocated $1.9 billion to fix the problem. Then the bill came in.

Small carriers and schools had from November 2021 to January 2022 to fill out the paperwork to get FCC help.

The bill, at this point, is over $5 billion.

While the FCC has not reviewed or approved those requests, lets say that they pare it down to 3 or 4 billion dollars. It is now up to Congress to address the gap.

It is not clear how the FCC will allocate the money that Congress gave it and what the carriers that don’t get money will do to comply with the law (likely one thing that they will do is sue the government, saying the government told them to do something and the government said they would pay for it and now they won’t).

Some carriers will tell the government to sue them, which could take a decade to resolve with appeals. In the mean time, if Congress really thinks this is a national security problem, it will continue to be a problem all that time.

Likely what will also happen, if carriers have to replace this equipment at their own expense, at least in the short term, is that rollout of new services and new features for these small and rural carriers, will just grind to a halt for years until they can pay off this ‘rip and replace’ bill.

What this translates to is an increase in the digital divide.

One of the other groups that can also get assistance in replacing this equipment is schools. Schools never hard extra money and now, if they have to replace this equipment on their own, it will mean that the poorer school districts will fall farther behind from the richer districts in terms of how they teach. This will mean that the kids in these poor districts will be at an even bigger disadvantage than they were before compared to their richer neighbors when they apply for college or join the workforce.

I think Congress wanted to do the right thing back in 2019, but I don’t think they understood the scope of the problem.

We will see what Congress does. Credit: The Register here and here

Security News for the Week Ending February 5, 2021

Are You the Victim of Covid Fraud?

As if Covid wasn’t bad enough, there are widespread stories of people getting tax forms for their Covid unemployment benefits -benefits they never applied for and never received, but which are considered taxable income. In California alone, crooks stole at least $11 billion in unemployment benefits by stealing people’s identities and getting the benefits deposited in accounts they control. But the victims will get the tax forms and have to deal with convincing their state and the IRS that they did not get those thousands in income. Credit: Brian Krebs

Paper – Now That’s Secure

Now that the Department of Justice has admitted that (likely) Russia hacked their confidential court filings, exposing search warrants, terrorism investigations and other stuff that should have remained sealed, they have a simple solution. Last week the federal court system issued an order that says that highly sensitive documents (likely those that the court would seal) must be filed on paper and any order or rule of any federal court or judge to the contrary is null and void. Problem solved. Credit: The Register

Billions of Emails/Passwords for Free

Someone has posted a file with 3.2 unique emails and passwords in clear text on a popular hacking forum. This data is a combination of many breaches but is a great input for password stuffing attacks since people love to reuse passwords. For users, this is one more reason to use two factor authentication. Credit: Cybernews

Voting Machine Vendor Smartmatic Sues Fox for $2.7 Bil

Voting machine vendor Smartmatic is suing the Fox network, its hosts individually and Trump lawyers Sidney Powell and Rudy Giuliani for $2.4 billion after these folks made unsubstantiated claims that Smartmatic’s software changed millions of votes from Trump to Biden. Smartmatic says that this is not about the money; they want vindication, so this could get more than a bit nasty. Credit: The Register

T-Mobile is Being Very Aggressive in Deploying 5G

T-Mobile plans to spend $40 billion in the next 3-4 years upgrading its network to 5G and faster 4G. Some of that will be recovered by decommissioning Sprint’s old network. But speed is the issue. Their “low band” 5G is slightly faster than 4G. Their “mid band” might give a couple hundred megabits per second which is quite respectable for cell phones and its “high band” will give you gigabit. But their president of technology says this will take decades to blanket the entire country. For the moment, they appear to be ahead of AT&T and Verizon. Credit: SDX Central

15 Signs You’ve Been Hacked

Here is an interesting list that CSO Magazine created. Create your own list first and see how many match.

#1 – You see a ransomware message on your screen. Seeing a message like that can ruin your day and if it is one of the new ransomware 2.0 strains, your day just got really bad.

#2 – You get a fake anti-virus pop-up message. Usually a message pops up that your device (phone, computer) is infected and if you will only click this link, all will be right with the world. If you fall for it and click, if you weren’t infected before, you are infected now.

#3 – You see unknown browser toolbars. Ones that you did not install. Sometimes these are just there to generate ad clicks, but sometimes they are more nefarious. In any case, get rid of them.

#4 – You Internet searches are redirected. That is because the hackers that infected your system are getting paid to misdirect you. Usually, it is no worse that that.

#5 – You see random frequent popups. Boy this one is old school. Again they are trying to get you to click on stuff – either to install more malware or get paid for the clicks or steal your data. In any case, not good.

#6 – Your friends get social media invites that you didn’t send. Likely the person’s profile is a fake and accepting that friend request will have “fringe benefits” and not the good type.

#7 – Your online password doesn’t work. If you are sure the password that you are entering is correct, consider that a hacker compromised your account and changed your password to lock you out.

#8 – You see an unexpected software installation. It could be that the install is legit. It is equally possible that the installation is rogue, potentially unwanted or malicious. Check out what is going on.

#9 – Your mouse moves without you touching it. If the mouse movement is completely random, it could be a hardware problem. If the mouse starts making clicks – clicks that work – you HAVE been hacked. For sure.

#10 – Your anti-malware, task manager or register editor stops working. This is not a coincidence. Promise. Assuming this is the case, a repair is in order and may be difficult to ensure that you really have all of it removed.

#11 – Your online account is missing money. Probably a lot of money. Not a good sign. Typically they will empty the account. To an offshore bank.

#12 – You are notified by someone else that you have been hacked. Like the FBI notified the DNC in 2016. Not a good sign. Sometimes it may be a credit card processor. No matter who, it is probably a bad sign.

#13 – Your confidential data shows up in a place where it doesn’t belong. Like in the news or on the dark web. I am not sure there is a best case/worst case scenario here. Just worse and worser, if that is a word.

#14 – Your credentials show up in a password dump. Depending on the credentials, it could be someone else’s system that got hacked, but if it is internal credentials, it is probably yours.

#15 – Your observe strange traffic patterns on your network. This is never a good sign and likely an indicator that someone other than the good guys is involved.

If you observe any of these situations, contact your security provider or IT department immediately. If it is on your personal PC, you probably will need professional assistance. What you don’t want to do is think you have the bad guys disabled when all you have done is lulled yourself into a false sense of security.

For a lot more information, see this article in CSO Online.

Can You Really Remove Stuff From the Internet

In one case, the answer is probably.  If I want to delete one of my blog posts, I can probably do that.  But not if someone copied it.  Which I can’t control.  Then they can upload it again.  I can send a DCMA take-down notice to the hosting provider, which they might ignore if they are not in the U.S.  Even if they do take it down, someone can repost it someplace else.

And, while the Digital Millenium Copyright Act (DCMA) gives strong protections to the owner of the copyright, you still have to know your stuff is online.  If the person doesn’t really want you to take it down, it is hard.

Which brings me to today’s story.

There is a porn company called Girls Do Porn that lied to women, conning them into acting in porn videos with the claim that  the videos would not be online and no one would ever see them.  Targeting college kids who needed the money, some succumbed to the almighty dollar.

Turns out the people who produced these videos were liars and the videos were available on the web if you subscribed.

Of course the women who acted in these videos had no idea.

UNTIL   …

On May 1, 2016, in the middle of final exams, a young woman got a text message that would change her life forever. It included a screenshot of a pornographic video posted online, featuring her. Panicking, she quickly tried to justify what she had done. “They said it would only be in Australia,” she told her friend, according to court documents. “I only did it for money.”

Eventually, 22 women sued Girls Do Porn and got a $13 million judgement.  The owner of Girls Do Porn, Michael Pratt, was charged with federal sex trafficking crimes and is a wanted fugitive.  The feds will probably catch up with him years from now when he makes a mistake.

In the mean time, these women have to deal with the consequences of the decisions they made.

One of the ways that Pratt generated traffic to his site was to post trailers for his videos on the very popular porn site called Pornhub.  That site even had a “channel” for Pratt’s content (Pratt wasn’t special, channels are a feature of the site).

After the verdict, Pratt’s site was taken down and Pornhub removed his “Channel” but that is not the end of the story.

Many of these videos are still available on Pornhub.  Unofficially.

Pornhub, which makes money from ads surrounding these videos, claims that the women can easily request these videos be taken down.  Sure.  Right.  BS!

Of course, they would have to know where each and every copy of the video is located.  And Pornhub is only one of a billion places where the video might be hosted.

Pornhub says that they “fingerprint” the video after a takedown request so that it cannot be uploaded again, but change one bit in the the video and the fingerprint is no longer the same.

When YouTube was first starting they did the same thing.  They  allowed people to post movies and other copyrighted content.  In fact, they encouraged it for the same reason that Pornhub does – it makes them money.

In YouTube’s case, they ticked off the wrong people – movie studios.

After spending tens of millions of dollars in legal fees over many years, they got a multi-billion dollar verdict against YouTube and Google decided that they really needed to fix the problem.  Of course, by then, they didn’t need pirated content to get people to the web site, so they were okay with cracking down on the practice.

In the case of these college coeds, they can’t afford tens of millions in legal fees.  In the case above, the video spread like wildfire across the college campus where she was a student.  Even the administration decided they needed to watch it for some unknown reason.

I guess the moral of the story is that it is often really hard to remove things from the Internet.  Google my name and you will find stories about me from 25 years ago.  Mind you, I have not tried to take any of them down, but if I wanted to, it would take a lot of effort.

In the case of these videos, they are not indexed by search engines under the victim’s name, so how do they even know they are online?  Until someone finds it and shares the information.  Too late then.

Section 230 of the DMCA gives websites broad immunity from being sued and that immunity is probably needed in order for many parts of the web not to shut down.  If Facebook could be sued for something a user posted, they would not be in business.   Neither would tens of thousands of sites that if they received just one lawsuit, they would be out of business.

For more details of the story of this particular case,  see this article on Vice.

Many states have revenge porn laws to try and address this problem, but getting a DA to attempt to find some kid in his parent’s basement who knows where and prosecute him for posting one or two videos.  Good luck.  That only happens in high profile cases.

Education is important so that people understand what can happen.  That helps them make wise decisions.

While this is more egregious than the problem with kids sharing nude selfies in middle school, the results are similar – a lot of emotional distress for the victims.  Probably, similar promises were made.  Oh, come on.  I won’t share it.  You get the idea.

Parents, please sit down with your kids and help the understand the consequences.  There is no easy way to unring the bell.  The consequences for the victims can be tragic.

Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true and they cause enough grief out there like last year when they took down parts of Amazon and Twitter (and hundreds of other sites)  when malware attacked these poorly protected devices and used them as a zombie army.

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems or ICS.  A piece of this is SCADA systems.  ICS systems control things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, can not be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross your fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding and power plants and generators and Nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected.  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did.  Or didn’t.  What they changed.  Or deleted.  What they stole.  

All of this has to be done quickly.  Sometimes.  With good hackers.  They may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.