Tag Archives: Espionage

Security News for the Week Ending April 2, 2021

SolarWinds Hackers Got Emails of Former (Illegally Appointed) Acting Head of DHS

Chad Wolf, the former acting head of DHS whom a federal court ruled was illegally appointed, has another item for his resume. When the Russians hacked DHS by way of SolarWinds, they obtained Wolf’s emails. Consider, for a moment, the intelligence value to Russia of whatever was in that mailbox. DHS has not commented on the subject, but suffice it to say, this is not good. Credit: Cybernews

US Special Operations Command Buys Location Data

SOCOM paid $589,500 to buy location data harvested from apps on your phone. The company, Anomaly Six, is pretty secretive; the WSJ dug up the contract, so it is probably getting more attention than it has had in the last year. Founded by ex-military and location-industry executives, it appears to have contracts with DoD and the intelligence community. SOCOM says the deal was an evaluation of the data for an overseas environment. SOCOM does a lot of work tracking down bad guys in the Middle East and Africa, so you can probably connect the dots. No one is saying, and buying this data is likely no more illegal than SOCOM buying pens from Staples, for better or for worse. Credit: Vice

A Potential Resume Generating Event

Strategic Command, the folks responsible for launching nuclear missiles, sent the following Tweet:

;l;;gmlxzssaw .

Is this a launch code on Twitter? No, but it is a real-world danger of working from home. Note to self: lock your computer before walking away from it.


Intel Sued Over Capturing User Keystroke data

Have you ever visited a web site, started filling out a form but never submitted it, and had the site owner contact you anyway? The way they do that is via software on the web site that records your keystrokes as you type, so whatever you enter leaves your browser whether or not you ever click Submit. Intel is one of the companies accused of using such software; Google is another. There is a current class action lawsuit in Florida that accuses Intel of wiretapping. I’m not a lawyer, but that seems like a stretch. Still, if you are using keystroke monitoring software on your website, you probably should watch this lawsuit closely. Credit: Threatpost

Sierra Wireless Withdraws Financial Guidance Completely After Ransomware

Sierra Wireless, a major Internet of Things vendor, reported that it was the target of ransomware last week. As a result, it halted production at its manufacturing plants. Not only did the attack shut down many of the company’s internal systems, it forced the company to withdraw the financial guidance it had released just a month earlier. There are a couple of potential reasons for shutting manufacturing down. One is concern that the attackers were able to tamper with code going into those products; no one wants to be the next SolarWinds. Credit: SC Magazine

Security News for the Week Ending January 29, 2021

Adult Web Site Hacked; 2 Million Records Leaked

Most visitors to adult web sites do not want to be “outed”, but that is exactly what happened to 2 million customers of MyFreeCams. While the data stolen (username, email, UNENCRYPTED passwords and account balance) is not that sensitive by itself, the fact that someone has an account there at all could be used to blackmail them, and a plaintext password is a gift to anyone trying it against the victim’s other accounts. As is too often the case, the site discovered the breach when the media asked whether the data was legit. Ouch. Credit: Cybernews

FBI’s Goal of Weakened Encryption Might Backfire on All of Us

A group associated with Hezbollah known as Lebanese Cedar has hacked telephone companies and Internet providers in the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority and the UAE, at least. Reports have identified at least 250 servers compromised by the group. If the FBI gets its way and we add more holes to our encryption, that will only make hacking and ransomware easier for groups like this. That doesn’t seem like a great plan. Contrary to the FBI’s wishes, there is no way to create a hole that only the good guys can use. Credit: ZDNet

Open Source Library Flaws Used by DoD & IC for Satellite Imagery Could Lead to Takeovers

Nitro is a software library used by the Defense Department and Intelligence Community to store, transmit and exchange satellite images. Researchers at GRIMM discovered bugs in Nitro that they believe could have led to system takeovers. The good news is that the researchers, who were working with DHS CISA, alerted the project’s maintainers, and a fixed version was released the following day. Credit: SC Magazine

Air Force Intelligence Officer Planned to Sell Secrets to Russia

Elizabeth Jo Shirley, an Air Force intelligence officer, kidnapped her daughter and took her to Mexico, planning to defect to Russia with top-secret information. She had worked at the NSA, the Department of Energy and other government agencies for nearly 20 years before she went rogue. She was sentenced to 97 months. Credit: The Register

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company scrapes sites like LinkedIn and Twitter and then combines that data with private company data pulled from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, it holds very complete profiles of people and their relationships.  That data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices with weak passwords (note that the article says manufacture of devices in California; this is wrong, the law covers devices sold in the state).  In particular, it bans the sale of devices that come preloaded with userid/password combinations like admin/admin or user/password or, even worse, default to no password at all.

It does allow a preprogrammed password if either the password is unique to each device or the device forces the user to set a new one before granting access for the first time.

It also says that devices must have “reasonable” security features, but doesn’t define what that means beyond the password requirement.

While this is good, it does not address requiring devices to be patchable or, better yet, automatically patched.

Some people, like Prof. Eric Goldman of Santa Clara University School of Law, suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to, and I don’t see any path forward where that is likely.  After all, if Congress could not get off its collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google rolls out version 70 of Chrome, Symantec’s SSL certificates will no longer be trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the browser will show an error page saying that the site is not trusted.  Site owners need to replace the certificate to get rid of the error.  Source: Google’s Blog.

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment, making the delay seem really stupid.  Source: The Register.

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bites I said that indicting Russian spies was pretty much useless since, after all, how dumb would a spy have to be to travel to, say, the EU, where some country friendly to us would throw a butterfly net over him and hand him over to the Feds.

WELLLLLLLLLL.

A high-level Chinese intelligence officer cultivated a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China, and the spy asked whether he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of file names on his computer, which the spy hoped to copy to a flash drive in Belgium.  It is not clear whether the GE engineer reported the approach and was cooperating with the Feds, or whether the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome-plated handcuffs and an all-expenses-paid trip to a federal penitentiary in the United States.

Of course, he has not been tried or convicted, and he could be used as exchange bait by the administration.  As long as he is not acquitted, it is a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo .

Fixmetrix Breach – Amazon-Hosted Elasticsearch Servers Leak 100 Million+ Records

One more time, an Amazon-hosted database with its permissions set so that it is visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, were publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight, phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR-related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention, the databases were quickly secured.

Source: Hacken.

Chinese National Hacks Boeing For 6 Years – Pleads Guilty

Su Bin, a Chinese national, pleaded guilty this week to hacking into Boeing and other companies in an effort to steal plans for Boeing fighter jets and military transport planes.

While there were other co-conspirators, Su Bin appears to be the only one indicted.  The DOJ did say that the stolen data was sent to China.

Su Bin was arrested in Canada in 2014 and stayed in jail there for two years.  I am not sure what his thinking was, but he waived extradition last month and then pleaded guilty to those charges this month.

While I have no evidence of this, the Chinese government likely made him an offer he could not refuse, to quote the Godfather.  If he has family in China, that is a powerful club for the Chinese government to wield.  They just want this to disappear.

One of the things that came out of this is that he was inside Boeing’s network for six years.  For a company as security-conscious as Boeing, that is a long time to go undetected.

While he could get five years in a U.S. prison, he could go home after that a hero for helping China build the Y-20, a knockoff of our C-17.  He also gets credit for the two years he spent in Canadian custody, so the five years is likely only three.

Frank Cilluffo, director of GWU’s Center for Cyber and Homeland Security, said that prosecuting hackers can serve as a deterrent to future theft of U.S. trade secrets.  I have bad news for him.  Soldiers, and that is what he is, get shot and blown up way too often, but we still have an army.  As does China.  To think that this will deter soldiers from completing their mission is naive.  That doesn’t mean we shouldn’t indict and prosecute these guys, but I doubt it will make any difference, other than, possibly, having them conduct their hacking from countries that will not extradite them.  That is a bigger problem.  It is harder for us to see what they are doing halfway around the world.

We should also consider that our guys do the same things in China and other countries.  Espionage is a time-honored theme.  In this country, we can trace it back to Benedict Arnold, and in other countries it goes back as far as recorded history goes.  I don’t think that sentencing a soldier to a few years in a relatively nice U.S. prison (unlike, say, a Chinese prison) is much of a deterrent.

The real question at hand is how many Su Bins are operating in this country and other countries, stealing industry’s intellectual property – whether that is technology, industrial process, financial or other data.  For U.S. businesses, this should be a reality check that yes, the bad guys are after our stuff and will take it if we let them.


Information for this story came from Federal Computer Weekly.