Tag Archives: Encryption

Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous. LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration. They effectively breached themselves. The data was a web server log with dates from Aug 9 to Oct 11 of this year. It appears that there was no payment data in the log files, which is a good thing. Also, they did not figure it out themselves; a security researcher told them about it. 1.6 billion records will cause them some pain. The good news is that this happened before CCPA went into effect. This time next month, it would have been a much, much more expensive breach. Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a global network of hundreds of fake accounts distributing pro-Trump messages, a network which used AI to generate fake photographs to cover its tracks. The accounts, they say, were associated with two media groups, the BL and Epoch Media. They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, it is still impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook not encrypt Messenger messages in a way that they can’t read, they are shifting their own messages from WhatsApp to Signal. The reason? They don’t want their messages to be intercepted. Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well-deserved reputation for being secure, but now the Russian software company Elcomsoft says that it can extract some information from iPhones even before the first login after power-up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11, a flaw that, it appears, will be impossible to fix. If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on. In theory, they only sell to good guys, but that definition is probably a bit loose. Based on the price, the cops probably love it, as they have complained that encrypted devices stop them from solving crimes. Source: 9to5Mac


Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week


Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor whose products have been banned from use by the US government, reported a new malware attack that bypasses encryption on a user’s PC using a very novel technique. Rather than crack the crypto, the attack compromises the random number generator on the computer, which undermines the crypto algorithm and makes the encryption easy to break. Very creative. Source: The Register


vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches. This time it is a remote code execution (RCE) flaw and two SQL injection (SQLi) flaws. vBulletin runs on at least 100,000 web sites. While these vulnerabilities are not as bad as last week’s, you should patch them soon. Source: The Hacker News.


Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.


Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes. Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says. Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead. Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election. Now that Dominion has agreed to provide the software upgrade for free, other states will likely follow. Source: CNN.


The Feds Take Another Run At Getting Rid of Encryption


This is not really an opinion piece, but some people might think it is, so I will go for over-disclosure and call it that.

The Feds really don’t like encryption.  It gets in their way when they want to do mass surveillance or even targeted surveillance.

For hundreds of years the Feds could listen in to any conversation that they wanted to, whether it was planting someone in the local pub to overhear your conversation, tapping your phone or more recently reading your email.

In concept, when done appropriately, this is a necessary evil.  I would not say it is a good thing, but there are bad people out there and you have to keep them in check.

In the 1990s a guy named Phil Zimmermann invented a piece of software called PGP. It was free and it brought encryption to a lot more people than had it before. It was far from easy to use, so most people didn’t use it, but still the government didn’t like it. For five years the government tried to get Zimmermann locked up for inventing it (technically, they said that encryption was governed by the International Traffic in Arms Regulations (ITAR) and so you could not export it, and since it was available on the Internet, he was exporting it). The public never bought the argument and finally, in 1996, the government gave up.

Once the government realized that they could not put Phil’s genie back in the bottle, they came up with another idea called the Clipper chip. The Clipper chip had a built-in back door so the feds could decrypt anything that was encrypted using it. People realized that encryption done that way wasn’t really private and never signed on to buying Clipper chips.

In the mid 1990s the Feds noticed that phone companies were installing digital central office switches, which meant they could no longer walk into a phone company office and put a couple of alligator clips on your home phone line to listen to the mob, so Congress passed CALEA in 1994. CALEA gave the phone companies billions of dollars (literally) to install digital back doors in their central offices.

Things got sort of quiet after that, with the FBI complaining to anyone who would listen, but Congress never listened for some reason.

Part of the logic might have been if encryption is so bad, crime must be going crazy, but that wasn’t true.  For the most part, in general, crime was level or maybe even going down a little – of course there were exceptions, but nothing massive to indicate that crooks were really smart and hiding all of their actions.

Over the last ten years or so, the FBI and various Justice Department folks said that we needed to put a back door in encryption to find terrorists.  For whatever reason, people still didn’t believe them and Congress has been unwilling to mandate an encryption backdoor.

All during this time, encryption was becoming more and more ubiquitous, including encrypted phones, both Apple and Google. The Feds said that the world was going dark because of all of this encryption, yet they continue to find and arrest cyber criminals and terrorists. Maybe not all of them, but a lot of them.

But the Feds are not giving up.  They want Facebook, Google, Apple and others to build in back doors to their messaging applications.

The reason they now want to add encryption back doors? It’s the children. Poor. Defenseless. Children. After all, the child molesters and kiddie porn freaks – surely they must be using encryption. I guess they are. I mean, what if they catch a kiddie porn pervert and his phone is encrypted? Surely he will get off scot-free.

Well it turns out that even that isn’t quite true.  The New York City District Attorney signed a deal about two years ago with the Israeli company Cellebrite.  Cellebrite claims to be able to get the data off almost any phone, Android or iPhone.  Probably pretty accurate.  Now it has come out that New York is offering this phone-hacking-as-a-service to other law enforcement agencies as well.  But this is not as easy as vacuuming up all of the data from everyone and looking for anything that seems interesting.

Still the government does have tools.  Raytheon makes a box called a Stingray.  Originally it was designed for the Military to use in the Middle East and other hot spots to watch terrorists, but money wins out and Raytheon will sell it to law enforcement everywhere.  Recently, we have been watching a spy vs. spy game as it has come out that people have found numerous Stingray or Stingray-like devices all over DC, including around the White House.

That is the problem with stuff. You can’t keep the genie in the bottle. If we create an encryption back door and say that only the cops can use it, that will last for maybe a few months before the secret is no longer secret.

If you think we have all of this cyber crime now, with all of this encryption, you can’t imagine what it might be like if we don’t have secure encryption.  And this is definitely a genie that you will not be able to get back in the bottle.

Just my opinion.


Is The Encryption Debate Over?

Attorney General Barr said that he wants an encryption back door and if it compromises your privacy, well, we are not talking about protecting nuclear launch codes. So we know where he stands.

What came as a bit of a surprise is that Facebook says that they are going to build a back door into WhatsApp. Not sure why. Where is the pressure? Who has the compromising pictures? Likely it is just greed. They want to be able to operate in every country, and since there are a number of countries – a small number right now – that won’t let them operate without allowing those governments to spy on their users, the simple answer is to cave.

Here is what Facebook says they are going to do.  They are not going to, technically, insert a back door.  They might even claim this is a service to their users.

Think about this for a moment.  Right now WhatsApp cannot read your messages so they can’t target ads at you.  If they did know what you are saying, they could use or sell that data to advertisers.  That is just one possible use.

They are going to modify their app to do “content moderation”. Content moderation is a euphemism for censorship. If China, for example, doesn’t want anyone to say anything bad about Xi, the moderation software will look for people saying bad things about him and stop it.

Since this happens on the user’s device, the encryption is not an issue, because the message has already been decrypted on the device.

Then, to make sure that the government will allow them to operate, they will send any banned content to a central moderation facility (AKA the government censors) to figure out who the local goon squad should come visit.

Obviously, the country can tell Facebook what they want them to look for.

Now say that you decide that you don’t like that and you switch to Signal.

The government could go to Signal and say “if you don’t want to be blocked you have to do content moderation.  It has nothing to do with your encryption.  Don’t say you can’t do it, because Facebook is doing it”.  At that point, privacy is pretty much done with.

It is *possible* that Signal, since it is not a commercial profit making company, might say go for it, block us.  That is not great for Signal, but, it might be better than compromising their principles.  Who knows.

Any government, no matter how repressive, now has a way to demand that software vendors give them their back door.

Facebook won’t say when this will be deployed – assuming it is not already deployed.  Why?  Because it might cause their customers to leave and that would, kind of, defeat the purpose.  I can already see the handwriting on the wall, so I am working to migrate away from WhatsApp and delete the application.

The total end game here could be to force Apple and Google to add “content moderation” to the operating system. That is really what repressive regimes like China, and other regimes (including, apparently, the US), would like to happen.

Stay tuned.  It is not clear how this is going to come down, but we certainly have a roadmap.

Source: Forbes.


Over 90 Percent of IoT Data Transactions Are Not Encrypted

According to a report released by cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.

This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.

The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.

These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.

Given that, what should you do?

First of all, you should be scanning your corporate network to look for these IoT devices, since according to the survey, many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.

Next you need to create a policy regarding what devices you are going to allow.  There is no right or wrong answer, but it should be a conscious decision.

Finally, you should isolate all of those devices onto the anything-but network. Meaning, anything but your trusted internal company networks. You probably want to group these into multiple anything-but networks. For example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.

While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for.  Then you have to figure out how the heck you can patch them.

And, if you CAN turn on encryption, you should probably do so.

Doesn’t this sound like fun?  Source: Zscaler.
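As an added example (not code from Zscaler or from this post), the following Python script runs the first and last steps above over a handful of constructed flow records: it classifies each IoT flow as encrypted or plaintext by looking at the first payload bytes rather than trusting the port, reports the plaintext share per device class the way the 91% figure was measured, and assigns each device class to an anything-but network. The record format, device names, addresses, payload prefixes and segment names are all assumptions made for the example.

```python
"""Measure how much IoT traffic on a network is plaintext and plan segmentation.
Added example, not Zscaler's or the post author's code; every record below is
constructed (RFC 5737 documentation addresses) and the heuristics are assumptions."""
from collections import defaultdict

# Constructed flow records: device_type,src_ip,dst_ip,dst_port,first_payload_bytes_hex
SAMPLE_FLOWS = """\
camera,10.20.1.11,203.0.113.5,80,474554202f
camera,10.20.1.11,203.0.113.5,443,16030100
printer,10.20.2.7,192.0.2.44,9100,1b2540
printer,10.20.2.7,192.0.2.44,631,504f5354
ip-phone,10.20.3.3,198.51.100.9,5060,494e56495445
ip-phone,10.20.3.3,198.51.100.9,5061,16030300
smart-tv,10.20.4.2,203.0.113.77,8080,474554
smart-tv,10.20.4.2,203.0.113.77,8443,16030300
set-top-box,10.20.4.9,203.0.113.80,1883,10
digital-assistant,10.20.4.12,203.0.113.90,443,16030300
"""

# Assumed segmentation plan: one "anything-but" network per device class.
SEGMENT_FOR = {"ip-phone": "vlan-phones", "printer": "vlan-printers"}
DEFAULT_SEGMENT = "vlan-smart-devices"  # TVs, set-top boxes, assistants, cameras

def parse_flows(text):
    """Turn the CSV-style records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, src, dst, port, prefix = line.split(",")
        flows.append({"device": dev, "src": src, "dst": dst,
                      "port": int(port), "prefix": prefix.lower()})
    return flows

def is_encrypted(port, prefix):
    """A TLS record starts with content type 0x16 and version 0x03 0x0X, so the
    payload is checked instead of the port: TLS on 8443 counts as encrypted and
    plaintext HTTP on 443 does not. Port 22 is assumed to be SSH (encrypted)."""
    return prefix.startswith("1603") or port == 22

def summarize(flows):
    """Return overall and per-device plaintext counts plus the segment plan."""
    per_device = defaultdict(lambda: {"total": 0, "plaintext": 0})
    plan = defaultdict(set)
    plaintext = 0
    for f in flows:
        stats = per_device[f["device"]]
        stats["total"] += 1
        if not is_encrypted(f["port"], f["prefix"]):
            stats["plaintext"] += 1
            plaintext += 1
        plan[SEGMENT_FOR.get(f["device"], DEFAULT_SEGMENT)].add(f["device"])
    total = len(flows)
    return {
        "total": total,
        "plaintext": plaintext,
        "pct_plaintext": round(100.0 * plaintext / total, 1) if total else 0.0,
        "per_device": dict(per_device),
        "segments": {seg: sorted(devs) for seg, devs in plan.items()},
    }

if __name__ == "__main__":
    report = summarize(parse_flows(SAMPLE_FLOWS))
    print(f"{report['pct_plaintext']}% of {report['total']} IoT flows are plaintext")
    print(report["per_device"], report["segments"])
```

On real data the records would come from a flow exporter or packet capture that keeps the first payload bytes; the per-device counts tell you which classes to fix first, and the segment plan is the VLAN assignment to push to the switches.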




Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update. Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches. In general, this is probably an acceptable risk. In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch. Only then could they re-enable the AV software. A bit of a pain for companies with a lot of PCs. Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

Many people who do not love Facebook would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members, have been removed. No doubt, they were immediately replaced with new ones. Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?). Source: SC Magazine.


China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Huawei 5G controversy, western intelligence is concerned that they might eavesdrop on the data, since just one cable with multiple fibers might carry 100 gigabits of traffic or more – a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

The U.S. has repeatedly preferred a less secure Internet to make it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack, as has been revealed over the last few years, as just one example). Now that others have the ability to spy on us as well, the lack of security works both ways. According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack, or a weak Internet which is easy for our adversaries to crack. Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000 sites and have published the personal information (names, phone numbers and street addresses) of about 4,000 federal agents such as FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.


Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000, then the loss of 100 cars, plus the brand damage from news reports like “Robbing a bank? Steal a Cars2Go to make your getaway” or whatever, is significant. While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars. They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.
