Tag Archives: CIA

News Bites for Week Ending November 9, 2018

Score One For Amazon Security!

People who have read my blog for a while know that I am a big fan of two factor authentication.  That little bit of extra security usually gets thrown out the window if you call in to customer service instead of logging in to the company’s web site.  Two factor is not a silver bullet, but it does help security, dramatically.

Apparently, at Amazon, two factor means two factor, even on the phone.

I was having a problem with a delivery and had to call in to get it handled.  They refused to do anything at all unless I confirmed the one time password (second factor). They said that even if I escalated the call to a supervisor, the system WOULD NOT ALLOW THEM to access my account without the second factor authentication.


Usually, companies decide that being customer friendly, even at the expense of massive fraud, is more important than security.

Thank you Amazon for being a tad bit more sane!

And, if you don’t have two factor authentication turned on for your Amazon account, you should.  Amazon accounts are a massive target for thieves.  They usually don’t use it to buy products, although I have seen that too, but they use it to buy electronic gift cards which get used immediately, before the fraud is reported.

Usually People Don’t Die From Security Failures, but in this Case, Dozens Did Die

This is not a joke;  this is a serious story and people did die as a result of poor Internet security.

Word is just now coming out that the CIA’s Internet based covert communications system, used by people in the field, suffered a serious security breach that went on for years.  Apparently, the Iranians figured out how the system worked and that exposed the identities of CIA sources and maybe agents.  Dozens of sources in countries hostile to the U.S. were rounded up and disappeared (meaning, likely, tortured and/or murdered).

Apparently, when the CIA set up this covert communications system, they didn’t consider that state actors might try to hack into it.  For four years they did, successfully.

In defense of the CIA, apparently, the system was not really designed for the way it wound up being used, but, one more time, convenience won out over security, and until the CIA was able to figure out why people were disappearing, it didn’t stop using the system.

Sometimes people don’t grasp the consequences.  A quote from one former official:

The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

In May 2011, Iran said that they had broken up a ring of 30 CIA spies.

In a statement that is not very comforting, the article says that “the Iranian compromise led to significantly fewer CIA agents being killed than in China”.

This just goes to show that real security is hard to do and we need to remember that.  In this case, it appears that it cost a lot of people their lives.  Source: Yahoo News.

Sen. Ron Wyden Introduces Bill That Punishes CEOs with Possible Jail Time for Security and Privacy Lapses

The draft Consumer Data Protection Act would give the FTC more power to hand down harsher penalties on companies that violate users’ privacy.

The bill includes a national “do not track” registry, similar to the do not call registry, that would allow people to opt out from tracking for all websites that store their data.

Wyden is targeting companies that make more than $50 million and store data on more than 1 million users.

Those companies would have to submit an annual data protection report (similar, I suspect, to the Sarbanes or NY DFS requirements).

Executives that INTENTIONALLY mislead the government could be held criminally liable, fined up to $5 million and jailed for up to 20 years.  These executives include the CEO, CPO and CISO.  Source: CNN.

Colorado Cities and Counties Ignore FCC Warning

Last week I wrote about an FCC commissioner who said that city run Internet services risked residents’ freedom of speech (I assume because he figured the town would censor speech somehow, if they ran the Internet service).  This FCC commissioner didn’t address that many people in the U.S. only have the choice of one Internet provider (like me), not counting satellite Internet (which is a joke), and that lack of choice, it seems to me, is a much bigger risk to consumers than locally run Internet, where the users meet the councilpeople running their Internet in the local cafe or grocery store and give them a piece of their mind.  I am not sure how to effectively give Comcast a piece of my mind.

Well,  in 2005, Comcast bribed (probably not in the legal sense) the Colorado legislature to make it illegal for cities and counties to run municipal Internets.  EXCEPT.  They put a back door in the Comcast Law that said the law was null and void if a municipality put a ballot measure out that approved offering municipal Internet services.

So far, about half of Colorado counties have passed such a measure and this week there are another 18 on various ballots.

This past September, the town of Salida, west of Colorado Springs and Pueblo, voted on such a measure.  It passed with 85% of the vote.

Apparently, Colorado voters don’t agree with the FCC.  Big surprise.  Source: Motherboard.

UK Hands Investigation Results Over to Ireland’s GDPR Police

It just hasn’t been a good year to be Facebook (the stock price is down to $150 from a high this year of $215).   A pro-Brexit organization was fined 135,000 Pounds for running misleading ads.  And, there is a BUT.  The British Information Commissioner’s Office (ICO) handed over the results of the investigation to Helen Dixon, the Irish Data Protection Commissioner, as the Brits felt that there was targeting of ads and monitoring of browsing habits (which I am sure there is), in violation of GDPR.  So now Facebook has to deal with yet another GDPR investigation. Source: Forbes.

CIA Spies on FBI, DHS and Other Friends

In the ongoing Wikileaks Vault 7 series of leaks, there is a new leak called ExpressLane.

According to the documents released by Wikileaks, the CIA offers a partnership with other law enforcement and government agencies in which those partners can share biometric data such as fingerprints with the CIA.

The CIA does this by offering a predefined hardware, operating system and software to its liaison partners.  It also supports these systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data that each of the partner agencies had collected, so they decided to get creative.

Since they “support” these systems for their friends, they send a technician to update the system via flash drive.  Only that update also installs the ExpressLane backdoor.

ExpressLane has two parts – the first part creates a hidden partition on the target system where the biometric data is captured.  This partition is used as a holding pen for the data that they want to steal.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and steals it by copying it to the flash drive the next time the technician comes to “maintain” the system.

This is only one of 21 disclosures that WikiLeaks has made in the Vault 7 series – likely with more to come.

If this turns out to be true and I suspect that it probably is true, then partners – especially those in other countries – are likely going to be less cooperative with the CIA and probably all other federal government law enforcement and justice agencies.   In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think that other governments should have assumed that the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries likely do), but I am not sure that other U.S. Government agencies would have made that same assumption – until now.

For the CIA, this is yet another damaging blow.  Probably not to their prestige (other than the fact that all of this stuff has become public), but rather to their operational ability as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – A tool to harvest location information data of Windows laptops
  • CHERRY BLOSSOM – A tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to transform smart TVs into covert listening devices

And, many, many others.

What we don’t know yet is how many MORE leaked documents WikiLeaks will publish and where they are getting them from.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is likely more concerned about this possibility than anyone and are probably working very hard to figure out if that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.



Wikileaks Releases Mac, Linux and Unix Malware

In the continuing saga of Vault 7 – the leaking of CIA hacking tools, Wikileaks made Mac, Linux and Unix users feel welcome.  Instead of leaking Windows and Android malicious code, they leaked Mac, Linux and Unix tools instead.  I guess they are equal opportunity leakers.

In this case they just leaked the manuals so that people could understand what the tools do but not be able to do it themselves.

Tool number one is named Achilles.  Achilles is an interesting tool.  Let’s say that you wanted to install a piece of malware but you didn’t want to be detected.  Achilles allows you to “bind” a payload executable to a Mac DMG file.  When the user runs the DMG file, it installs the appropriate software but adds a little extra – some malware of the CIA’s choosing.  But then – and this is the interesting part – it then unbinds the malware payload from the DMG file so that the next time it is used to install the product, all that user gets is the actual software.  Achilles generates what is called a one time payload.  This dramatically reduces the probability of being detected.  What this does not do is give you a way of getting the malicious package onto the target system.  That has to be done using a different tool.

Tool number two is called Aeris and that is for Linux or POSIX systems.  It runs on a variety of Linux or POSIX systems including Debian, Red Hat, Solaris, FreeBSD and CentOS.  This particular part of the hacking ecosystem is designed to exfiltrate data from the target system over an encrypted channel.  Collecting the data is left for some other tool in the toolbox.

Tool number three is called SeaPea and targets Mac OS X systems.  It is a rootkit, meaning that it is likely undetectable by normal anti-malware software and it persists across reboots.  It can also hide files, open network connections and launch other malicious code.  It dates back several years and was designed to work with OS X Snow Leopard and Lion.  That, of course, does not mean that it hasn’t been updated to work with newer versions, but rather “dates” when this documentation was stolen.

What this means is that, not surprisingly, the CIA wants to be able to hack any operating system – they are not counting on users running any OS in particular.

While the CIA folks are good, they are likely on par with other spy organizations – sometimes better than some and sometimes not as good as others.  We should assume that the other folks, both good and bad – Russia, China, Ukraine as well as Germany, England and Israel, for example – have similar abilities.

Given the continuing dribbling of software and documentation over months, it seems likely that Wikileaks is not done yet and will likely leak more.  What we don’t know is how much of the CIA’s hacking arsenal this is.  Is it 5 percent or 50 percent?  25 percent or 75 percent?  We don’t know and likely never will know.  My GUESS (and hope) is that it is on the lower range of possible percentages, but who knows.

What this does mean is that there is likely a huge number of security holes in a whole range of operating systems that have not been patched – ones that both the good guys and the bad guys are exploiting.  While I am not so concerned about the good guys, I am VERY concerned about the bad guys.

Information for this post came from Bleeping Computer.

How the CIA – Or Others – Can Hack Your Internet Router

When was the last time you patched your Internet router?  Probably never.  That is what the CIA is counting on.  As well as foreign governments and just plain hackers.

But when it comes to the CIA, they are probably not interested in you.  That may not be the case when it comes to the other categories of folks mentioned above.  Hackers want valuables;  foreign governments may want your intellectual property.

In this case Wikileaks continued its steady flow of stolen CIA documents called Vault 7.  The documents talk about vulnerabilities in certain brands of routers and WiFi access points.

Apparently the CIA likes hacking routers because it is highly unlikely that you would detect it since there are no indications that it has been compromised.  After all, other than a couple of blinking lights, most routers have no user interface at all.

According to the leak, the CIA tool is called Claymore and it figures out what model router you have and then runs a suite of attacks against it – tailored to that router.  If it succeeds, the CIA now owns your router and can make it do whatever they want.

For example, once the CIA hacks the router it can install its own software which might route all of your traffic through one of their monitoring points.  If they are replacing the software in the router, they could do anything they want.

I hear you – I don’t have anything the CIA wants.

That could be true.  Likely it is.

But do you have anything that an average-bear hacker might be interested in?  Does your business?

While the CIA folks are sharp, this attack ain’t rocket science.  In fact it is sort of junior high.  The particular tools that they are using might be sophisticated, but they are leveraging the fact that most people do not patch their routers.  Ever!

So what should you do?

  1. Change the default password.  PLEASE!  That is the first thing that hackers are going to try and do.
  2. Find out how to upgrade your router and do that monthly, if not more often.
  3. Better yet, pick a router that automatically looks for and installs its patches.  Then you don’t have to deal with it.

While this is not going to stop everyone, at least the hacker will have to be out of elementary school to break in.

Information for this post came from Wired.

US Cyber Command Spends 90% on Offensive Cyber

Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.

Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how.  Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.

Given the resources at John Chambers’ disposal, Cisco reassigned teams of engineers, working around the clock for days, first trying to figure out how the CIA did it – without any help from Wikileaks.  Then they had to craft a warning to customers regarding the 300 products affected.  Finally, they had to come up with fixes, test them and get them into the distribution channel.

Due to the way the government (in the form of the NSA and CIA particularly) prioritize cyber risk, offensive cyber is much more important than defensive cyber (more about this later).

So even though the CIA had known about these bugs for at least a year, they prioritized using the bug against their surveillance targets over protecting U.S. citizens.

This has been the argument since the creation of USCYBERCOM.  USCYBERCOM is headed by the same person as the NSA –  Admiral Mike Rogers.

The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S.  In case of a ‘conflict of interest’, who wins?

The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two, there have been calls to split the two (see Washington Post article here.)  In fact, there were conversations about President Obama separating the two toward the end of his term.  This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper.  President Obama signed a bill that bars the splitting until the Joint Chiefs of Staff certify that splitting it would not be harmful.  We have no idea what President Trump thinks about the subject.

Laura Pfeiffer, a former senior director of the White House situation room, suggested that now that our adversaries’ cyber capabilities were catching up to ours, we ought to think about reconsidering our strategy.

According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.

President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS.  Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.

Departing NSA Deputy Director Rick Ledgett confirmed that 90% number and said that it needed to be adjusted.

In a recent NSA reorg, IAD, the division of the NSA responsible for defensive cyber was buried inside a new operations division, meaning even less attention may be given to defense.

In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret.  Almost any serious cyber bug could be said to have clear national security or law enforcement value.

In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies.  Such is the conflict USCYBERCOM faces every day – use the bug or disclose it?  Are we (USCYBERCOM) the only ones who know about the bug, or do our adversaries know also?

Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.

From the CIA’s standpoint, it is possible that even if our adversaries knew about some of the same bugs the CIA knew about, our ability to exploit them, or the value in keeping the bugs in place and continuing to collect data for as long as possible, might outweigh the disadvantage that our enemies were using the same bugs against us.

This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.


Information for this post came from Reuters.

Not a Great Week For Apple Users

UPDATE:  Apple says that a preliminary assessment of the most recent Wikileaks document dump shows old, fixed flaws for iPhone and Mac.  Some of the documents released had a date of 2008, so that those flaws are fixed is not completely surprising.  I am sure that Apple is continuing to review those documents.  Unlike the first Wikileaks dump, where they still haven’t given Apple the data needed to figure out whether those flaws are still working, in this dump Apple, apparently, had enough information to figure out how the attack worked, so they could tell if they had fixed it.  Wikileaks’ tactics may be to dribble out information from the oldest (and likely least valuable, because they are fixed) vulnerabilities to the newest ones (likely not fixed), so no computer vendor should relax just yet.

A group of hackers is threatening to wipe the devices of more than 600 million Apple users on April 7th using hacked Apple account passwords.

According to the hackers 220 million of the credentials have been verified to work.

Initially, the hackers asked for $75,000 in Bitcoin or Ethereum, but they have raised that “request” to $150,000.

Apparently, Apple has told them that they don’t pay bad guys.

It is not clear what Apple’s plan is.

One thing that they could do is force everyone to turn on two factor authentication, but that would cause a wee bit of chaos.  Alternatively, they could force a billion users to change their passwords between now and April 7.  No big deal.  RIGHT!

As a user, I would say it is every person for themselves and we would suggest a couple of things:

  1. Change your password.  Now!
  2. Enable two factor authentication.  Yes, it is a little bit extra work, but probably worthwhile.
  3. Make backups of your Apple devices and store them offline and disconnected from the net.

It is possible that Apple has a plan.  It is also possible that the hackers are lying, but there is (or was) a video on YouTube showing someone testing accounts with passwords not hidden behind ****s and that demonstrates some degree of reality.

Changing your password alone MAY NOT be sufficient if the hacker has a way inside Apple to obtain changed passwords.

This is all speculative, but assuming that you don’t want to wake up on April 7th to a wiped device, planning ahead seems like a good idea.

The second Apple news story of the week is that WikiLeaks posted more information about the CIA hacking tools and there are details of compromised iPhones and Macs that were hacked in the distribution channel before the original buyers ever saw them in a way that even doing a factory reset would not remove (i.e. a hack of the firmware itself).

The hack the story talked about required physical access to the devices, but knowledgeable people have told me that hacking which requires them to have physical access and implanting hardware is so last year, so we can assume that the CIA has upgraded this capability to allow them to do the same thing without needing physical access.

Why would the CIA want to hack iPhones instead of Android phones?

Well first, why would you assume this is INSTEAD rather than IN ADDITION TO Androids?  Likely they can deal with either.

Second, the likely reason for going after Apple devices is not that they are more or less secure, but rather that they are status symbols in many parts of the world.  That means that people that the CIA is interested in knowing a lot about are likely iPhone/Mac users.  There are other reasons too, but that one is probably good enough.  If you are interested in the details, read the WikiLeaks Post.  It is pretty fascinating.

What that means is that Apple users are now in the cross hairs and who knows what the boys and girls from “The Company” might be looking at.  Just sayin’.  I would say, in general, they are not looking at U.S. citizens unless they have a reason.

So for those people who thought Apple devices were immune from hacking, I would say that you are probably in the same boat as the rest of us.  Sorry.

Information for this post came from Mac World and WikiLeaks.