Tag Archives: DHS

Security News for the Week Ending April 2, 2021

SolarWinds Hackers Got Emails of Former Acting Illegal Head of DHS

Chad Wolf, former temporary acting head of DHS, that a federal court said was illegally appointed, has another item for his resume. When the Russians hacked DHS by way of SolarWinds, they obtained Wolf’s emails. Try to comprehend, for a moment, the intelligence value to Russia of whatever was in his email. DHS has not commented on that subject, but suffice it to say, this is not good. Credit: Cybernews

US Special Operations Command Buys Location Data

SOCOM paid $500,000 to buy data harvested from apps on your phone. The company, Anomaly 6, is pretty secretive. The WSJ picked up the contract info, so they are probably getting more attention than they had gotten in the last year. Founded by ex-military and location industry execs, it seems to have contracts with DoD and the intelligence community. SOCOM says that the $589,500 deal was an evaluation of their data for an overseas environment. SOCOM does a lot of work tracking down bad guys in the Middle East and Africa, so you can probably connect the dots. No one is saying and this is likely no more illegal than SOCOM buying pens from Staples – for better or for worse. Credit: Vice

A Potential Resume Generating Event

Strategic Command, the folks responsible for launching nuclear missiles, sent the following Tweet

;l;;gmlxzssaw .

Is this a launch code on Twitter? No. but here is a real world danger of Work From Home. Note to self – lock your computer before leaving.

Image

Intel Sued Over Capturing User Keystroke data

Have you ever visited a web site, started filling out a form but didn’t submit it, and the site owner contacted you anyway. The way they do that is via software on the web site that records your keystrokes as you type. One of the companies that does that is Intel. Another is Google. There is a current class action lawsuit in Florida that accuses Intel of wiretapping. I’m not a lawyer, but that seems like a stretch. Still, if you are using keystroke monitoring software on your website, you probably should watch this lawsuit closely. Credit: Threatpost

Sierra Wireless Withdraws Financial Guidance Completely After Ransomware

Sierra Wireless, a major Internet of Things vendor, reported that they were the target of ransomware last week. As a result, they halted production at their manufacturing plants. Not only did the attack shut down many of their internal systems, but it forced the company to withdraw the financial performance numbers that they had released just a month earlier. There are a couple of potential reasons why they shut manufacturing down. One of those reasons might be that they are concerned that the attackers were able to compromise code going into those products and they did not want to be the next SolarWinds. Credit: SC Magazine

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if the have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese controlled data centers. It talks about how China has constructed it’s laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

DHS Says Federal Networks Susceptible to Attack

DHS released a report this week regarding BOD 16-02.  A BOD or Binding Operational Directive is DHS’s way of telling executive branch agencies that they have to do something.  Like really.

In this case the issue is that hackers were abusing bugs in Internet routers, specifically Cisco routers.  Why Cisco?  Because they are the biggest gorilla in the game.  If you can successfully attack Cisco, the world is your oyster.

The report dates back to 2016, but it wasn’t released until this week.  The bugs date back to 2014 and 2016.  Cisco has patched the bugs.  Many agencies had not applied the patches.  Hence the BOD.  Get off your butts and apply the patches.

OK, so what does this  mean to you?

In general, your Internet gateway is the drawbridge to your medieval castle.  Leave the drawbridge down and the bad guys can get across the moat.

Even in medieval days, the drawbridge was only one defense.  Today, the firewall is also only one layer of defense.  Still, it is an important layer.

For many businesses (and especially consumers), patching their Internet gateway (router or firewall) and patching their WiFi router (sometimes the same device but sometimes different devices) is not something they do, and if they do, they don’t do it regularly.

All patching is important, but patching any Internet facing device is critical because the attacker doesn’t need to get inside your network before launching the attack.  They start from outside and they work their way in.

One important thing to know.  At least with Cisco, and probably some other vendors, if you are not paying for an annual support contract, they will not give you the security patches that they have released to fix the bugs that should not have been there in the first place.  My answer to that?  Pick a different vendor – there are lots.  Juniper, Sonicwall, Ubiquiti, Fortinet, Baarracuda, Palo Alto, pfSense.  Different vendors make sense for different users, but there are lots of choices.

So what is an Internet facing device?

Firewalls.

Routers.

WiFi Access Points.

Webcams that can be accessed from the Internet.

And likely other devices inside your home or business,

Start out by doing a careful inventory of anything that has a network cable or is connected to your WiFi.  Then see which ones of these devices can connect to the Internet.  Those are the high priorities.

There is one thing that you can do, going forward.  Buy devices that automatically update themselves.

Like the Ring Video Doorbell.  There was a vulnerability discovered recently (like in the last 6 months or so).  Ring fixed and patched every doorbell ever sold in roughly 48 hours. 

The Google Home Wifi controller is another example.

Do your research BEFORE you buy.  Ask questions.  And, if you don’t get the right answers, move on.  Vote with your wallet.  Eventually, that will get manufacturer’s attention.

Information for this post came from Federal Computer Weekly.

DHS Issues New Rules For Searching Electronic Devices

In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only .002 percent.  That is a pretty small number.

In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year.  Still it is a very small number.

In the first half of FY 2017 14,993 travelers had their devices searched.   Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched.  That will be about 350% of the 2015 numbers.

Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.

One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched.  With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines.  Far from rules, but better than what was known before.

The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices.  If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you NOT a citizen, they could send you back to from where you came.

In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.

And, they can also search your device when you leave the country, but I suspect that is much less frequent.

The right to their arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband.  Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.

Under the new rules, agents can search information stored ON the device, using the software on the device.  This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is.  The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.

Unless they have reasonable suspicion – whatever that means.  Then they can use advanced search techniques – which I assume means that they can use forensic tools.

They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).

The document also says that agents should take care not to make changes to the device.  I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted.  Advanced searches should be done in the presence of a supervisor, if available.  Searches should also be done in the presence of device owner unless there are reasons not to allow this.

If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information.  Prior to searching  those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed.  While they will still search that information, they will segregate it so that it might, possibly, be better protected.

At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.

All of this process needs to be documented on specific CBP forms.  That alone will probably discourage agents from poking around.  Filling out government forms is no fun.

Business confidential and trade secret information needs to be protected as well.

All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.

If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later.  Another reason not to reuse passwords.

If the device owner will not unlock the device, CBP can try to break into it.

Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.

If CBP keeps your device, they need to give you a receipt.

If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.

So what should you do?

That kind of depends on your level of paranoia and what is stored on your device.

In general, try to avoid taking sensitive or embarrassing information across the border.  For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think).  Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.

If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.

Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.

Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy.  This is not because they are evil, but because they are part of a large bureaucracy.  Large scale operations have some benefits, but privacy is not one of them.

Overall, it is a good, small, step forward that they have documented these rules, but there are a lot of loopholes in them.

Remember that this coming from someone is who way more paranoid than the average bear, so take that into consideration.

Information for this post came from CBP and CNN.

DHS and FBI Announce Threats to Energy and Critical Infrastructure

In what is an unusual move by the FBI and DHS, CERT released a security bulletin saying that attackers were going after government entities and critical infrastructure and had been doing so at least since May.

They said this is a multi-stage attack, going after low security and small networks and then moving inside those networks to attack other higher value assets.

Since at least May, the attackers have been going after critical targets like energy, water, aviation, nuclear and critical manufacturing.  In addition, they are also targeting government entities.

The attacks start by going after “staging targets” – possibly suppliers or other vendors with less secure networks and use those compromised networks to target the ultimate target.

Using the standard cyber kill chain attack model, there are five phases to the attack:

  1. Reconnaissance – gather information on the organization and potential weaknesses of, in this case, specific, targeted organizations.
  2. Weaponization – use spear phishing emails (in this case) get into the target’s organization
  3. Delivery – Once inside the organization, use the beach head they have created to create a persistent base for further attacks.
  4. Exploitation – Once the beach head is established, use the base to exploit the organization – such as stealing credentials.
  5. Installation – Now that the network is fully compromised, download additional tools to expand the attack and use that company to launch attacks against other companies.

The FBI admitted, with no details, that some of the attacks have been successful.  The fact that they are issuing a very public announcement as opposed to a much quieter memo, say via Infragard, says that (a) the attacks have been more successful than they might want to admit, (b) that the attacks are going after smaller, less sophisticated organizations that have less sophisticated defenses and (c) the attacks are ongoing.

This means that organizations need to be on higher alert than they might be otherwise.  To steal a term from the Department of Defense, if your organization was at Defcon 4 before (the second LOWEST level of alert), now might be a good time to go to Defcon 3 or 2 (the second highest level of alert).

The bulletin provides specific IOCs (indicators of compromise) for each target industry segment.

If you need assistance, please contact us.

 

Information for this post came from CERT.

Newsbites: GoToMyPC, Carbonite, DHS and CISA and the FBI

Carbonite: Carbonite sent out an email to all customers to reset their passwords.  They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.

They say that based on their security review, they have no evidence that they have been hacked.

If none of these attempts to get in was successful, then why force millions of people to change their password?  Likely, at least some of these attempts were successful.

Source: Carbonite web site.

GoToMyPC:  GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.

Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.

Citrix provided little additional information about the situation.

Source: BBC News.

Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game.  Some recommendations are:

  1. Use a password manager so that you don’t have to remember all those passwords.  Many of them, such as LastPass, will automatically log you in, making the password step easier.  While this is a security risk in itself, it is likely less of a risk than using simple passwords.
  2. DO NOT reuse passwords across important sites like online backups, banking, email and remote access.  Unique passwords combined with a password manager is not just a best practice, it is a survival tip.
  3. For any important web site, such as banking, Amazon and others, use two factor authentication.  I know it adds an extra step to the login process, but it makes stealing passwords much less useful.

DHS and CISA:  DHS released the final rules for the data sharing rules of engagement that were part of the CISA bill that was sneaked into the Defense appropriations bill last year.  The bill created a voluntary system trying to encourage businesses to share threat data with the government.  The system has two automated tools, STIX or Structured Threat Information Exchange and TAXII or Trusted Automated eXchange of Indicator Information to scrub and categorize the data.  Out of the 30 million or so businesses in the United States, so far 30 are using it.  That would be .0001 percent.  I think it is going to need some more users to be effective.  To be fair, it is, pretty much, a new thing and around 70 more companies are planning to participate.

Source: IAPP.

FBI:  The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no.  Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo, have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.

Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want.  And it’s all happening in secret.”

The FBI also keeps any data that it is illegal for them to ask for if uninformed companies give it to them.  The DoJ Inspector General said that at least one company turned over email messages including images, which is expressly prohibited in the statute.

Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.

Source: IAPP