Tag Archives: Espionage

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others like a memory leak in File Manager that can only be recovered from by rebooting are more of a problem. I recommend waiting for a month or two in order for other users to detect more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An Unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, whose information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsifiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and that the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Security News for the Week Ending April 2, 2021

SolarWinds Hackers Got Emails of Former Acting Illegal Head of DHS

Chad Wolf, former temporary acting head of DHS, who a federal court said was illegally appointed, has another item for his resume. When the Russians hacked DHS by way of SolarWinds, they obtained Wolf’s emails. Try to comprehend, for a moment, the intelligence value to Russia of whatever was in his email. DHS has not commented on that subject, but suffice it to say, this is not good. Credit: Cybernews

US Special Operations Command Buys Location Data

SOCOM paid $500,000 to buy data harvested from apps on your phone. The company, Anomaly 6, is pretty secretive. The WSJ picked up the contract info, so they are probably getting more attention than they had gotten in the last year. Founded by ex-military and location industry execs, it seems to have contracts with DoD and the intelligence community. SOCOM says that the $589,500 deal was an evaluation of their data for an overseas environment. SOCOM does a lot of work tracking down bad guys in the Middle East and Africa, so you can probably connect the dots. No one is saying and this is likely no more illegal than SOCOM buying pens from Staples – for better or for worse. Credit: Vice

A Potential Resume Generating Event

Strategic Command, the folks responsible for launching nuclear missiles, sent the following Tweet:

;l;;gmlxzssaw .

Is this a launch code on Twitter? No, but here is a real world danger of Work From Home. Note to self – lock your computer before leaving.


Intel Sued Over Capturing User Keystroke data

Have you ever visited a web site, started filling out a form but didn’t submit it, and the site owner contacted you anyway? The way they do that is via software on the web site that records your keystrokes as you type. One of the companies that does that is Intel. Another is Google. There is a current class action lawsuit in Florida that accuses Intel of wiretapping. I’m not a lawyer, but that seems like a stretch. Still, if you are using keystroke monitoring software on your website, you probably should watch this lawsuit closely. Credit: Threatpost

Sierra Wireless Withdraws Financial Guidance Completely After Ransomware

Sierra Wireless, a major Internet of Things vendor, reported that they were the target of ransomware last week. As a result, they halted production at their manufacturing plants. Not only did the attack shut down many of their internal systems, but it forced the company to withdraw the financial performance numbers that they had released just a month earlier. There are a couple of potential reasons why they shut manufacturing down. One of those reasons might be that they are concerned that the attackers were able to compromise code going into those products and they did not want to be the next SolarWinds. Credit: SC Magazine

Security News for the Week Ending January 29, 2021

Adult Web Site Hacked; 2 Million Records Leaked

Most visitors to adult web sites do not want to be “outed”, but that is exactly what happened to 2 million customers of MyFreeCams. While the data stolen (username, email, UNENCRYPTED passwords and account balance) is not that sensitive, the fact that someone has an account there at all could be used to blackmail their customers. As is too often the case, the site discovered the breach when the media asked them if the data they had was legit. Ouch. Credit: Cybernews

FBI’s Goal of Weakened Encryption Might Backfire on All of Us

A group associated with Hezbollah known as Lebanese Cedar has hacked telephone companies and Internet providers in the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority and the UAE. At least. Reports have identified at least 250 servers that were compromised by the group. If the FBI gets their way and we add more holes in the security scheme, that will only make the job of hacking us and ransomware easier for terrorists. That doesn’t seem like a great plan. Contrary to their wishes, there is no way to create a hole that only the good guys can use. Credit: ZDNet

Open Source Library Flaws Used by DoD & IC for Satellite Imagery Could Lead to Takeovers

Nitro is a software library used by the Defense Department and Intelligence Community to store, transmit and exchange satellite images. Researchers at GRIMM discovered the bugs in Nitro which they think could have led to system takeovers. The good news is that the researchers, who were working with DHS CISA alerted the vendor and they released a fixed version the following day. Credit: SC Magazine

Air Force Intelligence Officer Planned to Sell Secrets to Russia

Elizabeth Jo Shirley, an Air Force Intelligence Officer, kidnapped her daughter to Mexico and planned to defect to Russia with top-secret information. She worked at the NSA, Department of Energy and other government agencies for nearly 20 years before she went rogue. She was sentenced to 97 months. Credit: The Register

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public. In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce. Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, there are now very complete profiles on people and their relationships. This data is all in the wild now. Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely. After all, if Congress could not get off its collective tushies after the Equifax breach, what might it take to get them to act? Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days. When Google rolls out version 70 of Chrome, Symantec’s SSL certificates will no longer be trusted by Google’s browser. If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted. Site owners need to replace the SSL certificate to get rid of the error message. Source: Google’s Blog.

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates. I am not sure that this will make a difference since Chrome is the majority browser. Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid. Source: The Register.
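If you want to find out whether your own sites are affected before Chrome 70 ships, the quickest first-pass check is to look at who issued the leaf certificate. The script below is an added example (not from the original post or from Google or Mozilla): it screens a certificate, in the dictionary shape that Python’s ssl.SSLSocket.getpeercert() returns, for an issuer organization belonging to the legacy Symantec brands (Symantec, VeriSign, GeoTrust, thawte, RapidSSL). The brand list, the sample certificates and the hostname handling are assumptions made for the example; certificates issued after the DigiCert takeover carry DigiCert issuer names and are not flagged, which is the behavior you want.

```python
"""Screen a TLS leaf certificate for the legacy Symantec PKI (added example)."""
import socket
import ssl
import sys

# Assumption: legacy Symantec-operated CA brands, matched against the issuer's
# organizationName only. Successor CAs run by DigiCert use "DigiCert Inc" as the
# organization even when the CN keeps a GeoTrust/Thawte brand name, so matching
# the CN would produce false positives.
LEGACY_SYMANTEC_ORGS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")


def issuer_fields(cert):
    """Flatten the tuple-of-tuples issuer from getpeercert() into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def is_legacy_symantec(cert):
    """True when the issuer organization is one of the legacy Symantec brands."""
    org = issuer_fields(cert).get("organizationName", "").lower()
    return any(brand in org for brand in LEGACY_SYMANTEC_ORGS)


def check_host(hostname, port=443, timeout=5.0):
    """Connect to a live server, fetch its leaf certificate and classify it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return is_legacy_symantec(tls.getpeercert())


# Constructed samples in the shape ssl.getpeercert() returns (not real sites).
SAMPLE_LEGACY = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Symantec Corporation"),),
        (("organizationalUnitName", "Symantec Trust Network"),),
        (("commonName", "Symantec Class 3 Secure Server CA - G4"),),
    ),
}

SAMPLE_OK = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "GeoTrust RSA CA 2018"),),
    ),
}

if __name__ == "__main__":
    # Usage: python check_symantec.py www.example.test
    host = sys.argv[1] if len(sys.argv) > 1 else None
    if host:
        print(host, "legacy Symantec issuer:", check_host(host))
    else:
        for label, cert in (("legacy", SAMPLE_LEGACY), ("digicert", SAMPLE_OK)):
            print(label, "->", is_legacy_symantec(cert))
```

Note that getpeercert() only returns the leaf, so this screens the issuing intermediate rather than walking the whole chain; a certificate that passes here but chains to a distrusted root elsewhere would still fail in Chrome, so treat a clean result as a reason to look deeper, not as proof.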

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid. Score one for the good guys. Source: WaPo.

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken.
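The story does not say how the Fixmetrix servers were opened up, only that the permissions were changed to make them public with no password. On Amazon’s hosted Elasticsearch, the usual way that happens is a domain access policy that allows an anonymous principal with no condition attached. The script below is an added example (not from the original post, Mindbody, Hacken or AWS) that screens such a policy document for that mistake; the policy JSON is constructed for the example and the domain ARN is a placeholder.

```python
"""Find anonymous, unconditional Allow statements in an ES access policy (added example)."""
import json


def _principals(stmt):
    """Normalize the Principal element to a flat list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def open_statements(policy):
    """Return indexes of Allow statements that grant anyone access with no Condition."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        # A Condition (for example an IpAddress restriction) narrows the grant;
        # it still deserves review, but it is not the wide-open case.
        if stmt.get("Condition"):
            continue
        findings.append(index)
    return findings


# Constructed policies; the domain ARN is a placeholder, not a real resource.
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:*",
    "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/PLACEHOLDER/*"
  }]
}""")

RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/PLACEHOLDER/*",
      "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:role/PLACEHOLDER_ROLE"},
      "Action": "es:*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/PLACEHOLDER/*"
    }
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "open statements:", open_statements(policy))
```

The same screen applies to any policy document pulled from an account inventory; the point is that an anonymous principal with no condition means no password and no network restriction stands between the index and the Internet, which is exactly the situation the article describes.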

Chinese National Hacks Boeing For 6 Years – Pleads Guilty

Su Bin, a Chinese national, pleaded guilty this week to hacking into Boeing and other companies in an effort to steal plans related to Boeing fighter jets and military transport planes.

While there were other co-conspirators, Su Bin appears to be the only one indicted.  The DOJ did say that the data was sent to China.

Su Bin was arrested in Canada in 2014 and stayed in jail in Canada for two years. I am not sure what his thinking was, but he waived extradition last month and then pleaded guilty to those charges this month.

While I have no evidence of this, the Chinese government likely made him an offer he could not refuse, to quote the Godfather. If he has family in China, that can be a powerful club for the Chinese government to wield. They just want this to disappear.

One of the things that came out from this is that he was inside Boeing’s network for 6 years.  For a company as security conscious as Boeing is, that is a long time to go undetected.

While he could get 5 years in U.S. prison, he could go home after that a hero for helping China build the Y-20, a knockoff of our C-17.  He also gets credit for the two years he spent in Canadian prison, so the 5 years is likely only 3 years.

Frank Cilluffo, director of GWU’s Center For Cyber and Homeland Security, said that prosecuting hackers can serve as a deterrent to future theft of U.S. trade secrets. I have bad news for him. Soldiers, and that is what he is, get shot and blown up way too often, but we still have an army. As does China. To think that this will deter soldiers from completing their mission is naive. That doesn’t mean we shouldn’t indict and prosecute these guys, but I doubt it will make any difference, other than, possibly, having them conduct their hacking from countries that will not extradite them. That is a bigger problem. It is harder for us to see what they are doing halfway around the world.

We should also consider that our guys do the same things in China and other countries.  Espionage is a time honored theme.  In this country, we can trace it back to Benedict Arnold and in other countries, it goes back as far as recorded history goes.  I don’t think that sentencing a soldier to a few years in a relatively nice U.S. prison (unlike, say, Chinese prisons), is much of a deterrent.

The real question at hand is how many Su Bins are operating in this country and other countries, stealing industry’s intellectual property – whether that is technology, industrial process, financial or other data.  For U.S. businesses, this should be a reality check that yes, the bad guys are after our stuff and will take it if we let them.


Information for this story came from Federal Computer Weekly.