Tag Archives: Fancy Bear

Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100-acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all people within a 100-acre block of land is a lot of people, and they are not particularly suspected of any crime.

Google declined the request and, after about 6 months, the FBI withdrew the warrant request. Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16-year-old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 GB of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much. Source: The Age.

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are and has seized several domains that were posing as Microsoft domains. The domains were being run by the Russian spy agency GRU and created by the Russian hacker group known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group). Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties. While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is playing dumb: what web sites, and what do you mean, impacting the elections? No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates. Source: CNN.

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach? The root cause of that was an unpatched computer running Apache Struts software. Now there is another Apache Struts bug and this one is being called critical. Its CVSS (Common Vulnerability Scoring System) score is 10 out of a possible 10. Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products? Cisco? Hitachi? IBM? Oracle? VMware? Well then, you might be using Struts (it depends on exactly which product from those companies you use). Source: Risk Based Security.

Senators, Staffers Next on Russia’s Cyber Hit List

According to the cyber security firm Trend Micro, the members of the U.S. Senate and their staff could be the next target of the Russian hacking group Fancy Bear – the same group linked to the DNC hack and to election meddling across the Middle East and Europe.

Trend says that digital breadcrumbs found so far in spear phishing campaigns link back to the Russian hacking group.

And, in a way, it makes perfect sense. If the Russians’ objective is to meddle in elections across the globe, then the U.S. mid-term elections later this year would be a perfect target. Spear phishing emails are pretty low tech, but they lead to compromised userids and passwords (and they were pretty lethal during last year’s elections). Also consider that politicians and bureaucrats are addicted to email. That makes them a perfect target.

Some of the emails pretend to be Microsoft Exchange messages warning of expired passwords.  Low tech but pretty effective, unfortunately.

The researchers said that these spear phishing attacks looked a lot like the attacks leading up to last year’s French elections.

If it ain’t broke, don’t fix it. It worked against the DNC, and it worked against the French. It is well-known art. It may well work against the Senate.

Senator Sasse (R-Neb) said that he thinks Putin is very happy that Washington is obsessed with partisan politics and is ignoring 2018 and 2020. He is likely right. To really fix things will require a lot of work and at least some money – something Washington doesn’t seem to be concerned about. And it is a very distributed problem. There are 50 states, 3600+ counties, the feds, government organizations, social media – a lot of targets of opportunity.

Which is not terribly surprising given that, before last year’s election, there were only 5 people across both houses who had a computer science degree (I don’t know how the election changed things, but it likely didn’t change much).

Given all of the events coming up in the next year, including the Olympics and elections worldwide, and the apparent lack of interest in doing anything about it, we should assume that Russia will continue to be successful in its efforts to influence politics – conspiracies or not.

Information for this post came from FCW.

If You Click on Bit.ly Shortened URLs, Here is Why You Should Stop. Now.

In case you still think that clicking on any of those shortened web page links (like http://bit.ly/4wx345) is a good idea, here comes the best reason ever NOT to click on those links.

It appears that the Hillary Clinton email leak may have been caused by clicking on one of those stupid shortened URLs.

The problem with shortened URLs is that you have no clue as to what you are clicking on.  You might think you are clicking on Google when in fact you are clicking on some web site in Moscow or Beijing.

Reports are that the Clinton email leak may have started with John Podesta.  He received an email that looked like a Google security alert.

The campaign’s IT team said that it was real.  Given what little has been released about the email, that seems like a terrible call, but in fairness, I wasn’t there.  The email told him that someone attempted to log on to his account from Ukraine and that he should change his password.

That’s all good except that the email did not come from Google.com but instead from accounts.googlemail.com. The subject line said "Someone has your password."

The email said that you should change your password immediately, and a link titled CHANGE PASSWORD appeared – suggesting, not so subtly, that John should click on the link.

However, the link was not to a Google page.  Instead it was to a shortened Bit.ly link, so if Podesta clicked on the link – Dell Secureworks says that the link was clicked on twice – he was sent to who knows where – and he may have entered his password, giving it to the Ruskies.

Dell’s Secureworks says that 108 of those emails went out and at least 20 of those links were clicked on.  They say that there were 213 of those Bit.ly links created but some were duplicates.

Secureworks says that the account that created those links belongs to Fancy Bear, one of the names for the Russian state-sponsored hacking team also known as APT28. While the US Gov has not officially attributed the attack to Russia, they have, apparently, using Ukraine as a proxy, started hacking back, attacking some of Putin’s staff.

My recommendation is that, if you care about your security, avoid clicking on those links.

If you really have to click on one of those links, there are a number of services that will expand a shortened URL and show you where it actually goes (google "expand short url"), but I don’t have any specific recommendations for which one is best.
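This is what that expansion looks like in practice, as an added example that is not code from the original post: follow the redirect chain one hop at a time with HEAD requests (never auto-following, so each hop is visible), then compare the final hostname properly instead of by substring. The short link and the lookalike hostname below are constructed placeholders, not real indicators.

```python
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None tells urllib not to follow, so each 3xx surfaces as an HTTPError we inspect.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_location(url):
    """HEAD one URL and return its Location header, or None if it does not redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if err.code in REDIRECT_CODES else None


def expand_short_url(url, get_location=live_location, max_hops=10):
    """Walk the redirect chain hop by hop; returns every URL visited, final destination last."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = get_location(chain[-1])
        if nxt is None:
            return chain
        nxt = urllib.parse.urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError("more than %d redirects, giving up" % max_hops)


def destination_matches(url, expected_domain):
    """True only if the parsed hostname is expected_domain or a subdomain of it.
    A substring test ('google.com' in url) would accept lookalike hosts."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


# Constructed, offline stand-in for a URL shortener: a placeholder short link that
# bounces to a lookalike login page (both hostnames are made up for this example).
CONSTRUCTED_CHAIN = {
    "http://bit.ly/CONSTRUCTED": "https://accounts.google.com-password-reset.example/login",
}
```

Pass `CONSTRUCTED_CHAIN.get` as `get_location` to try it offline; with the default `live_location` it resolves real links, one hop per request.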

Information for this post came from CNN.

Why Employee Training is a CRITICAL Component of Security Training

According to Buzzfeed, nine days after Hillary Clinton had won big on Super Tuesday, the Russians launched their cyber attack on her campaign.

The Russians sent malicious emails to all of her senior campaign staff.  The emails looked like standard Google GMail emails alerting to suspicious activity on their accounts and asked them to click on the link.  The link led to a page, likely hosted in Russia, that looked very much like a GMail password reset page.  Unless they checked the address in the address bar.

As soon as they entered their email and password, the Russians had full, unfettered access to all of their emails from that point forward.

POINT #1: Call me paranoid, but from a security standpoint does it really make sense to use GMail for the official campaign email system for a presidential campaign? Sure, that makes sense for uncle Joe in Pittsburgh, but did it never occur to anyone that this might not be very smart?

POINT #2: Did campaign workers receive any cyber security training? That is a pretty normal phishing technique. Out of all the people who received these emails, did not even one of them question it?

POINT #3:  If they did question it, did the campaign have a chief cyber security staffer to send the concern to?  Not physical security, but cyber security.

But I digress.

Since that worked so well, the Russians tried the same trick with the Democratic National Committee.

POINT #4: Did (or does) the DNC train its people on phishing?

And then, being successful beyond their dreams, they tried the same trick with the Democratic Congressional Campaign Committee.

POINT #5: I am not even going to ask.

By mid June, the first leak had been identified and the DNC emails started coming to light.

I assume that others started to panic at this point and those who didn’t use email (like Trump, apparently) were laughing.

The group that orchestrated this is known as APT 28 or Fancy Bear, but there is nothing fancy about this attack.  In fact, a fifth grader could have likely done it.

In a rare display of political annoyance, the White House definitively said last week that Russia did this.  There was no beating around the bush.  The Department of Defense piled on.  I am sure that there is a fair bit of classified evidence, but apparently, the government was convinced enough to publicly blame Putin.

If you want more details, please read the Buzzfeed article below, but for the purposes of this post, this is sufficient.

After reading this, I have a few thoughts and those thoughts apply to everyone – political parties on any side of the fence, businesses or private citizens.

THOUGHT #1 : Email is private – until you hit the send button.  Beyond that, all bets are off.

THOUGHT #2: If you would be concerned, embarrassed or thrown in jail if that email appeared on the front page of the New York Post (or Wall Street Journal), DO NOT SEND IT!  You just cannot guarantee what will happen after you hit the send button.

THOUGHT #3:  At the very least, a private email server gives you some more control and the ability to monitor traffic.  BUT ONLY IF YOU DO IT RIGHT.  It is 10 times easier to do it wrong than to do it right.

THOUGHT #4: Encrypted email (and I don’t mean SSL based web mail) also helps, but again, the devil is in the details.  I have a few patents with my name on them in this area, so I think I understand the problem, what works and what doesn’t work.

THOUGHT #5: Training is critical.  Really.  Human beings are always the weak spot.  Period.  Invest in training.

THOUGHT #6: Monitoring and alerting is the next most critical thing.  If, by chance, the Ruskies accidentally logged in from Russia, alarm bells should have gone off.  There is no monitoring for users of GMail.  You are on your own.
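What that monitoring could look like, as an added example that is not part of the original post: a small rule that reads login events, alerts on a successful login from a country outside the user's normal set, and alerts when two successes from different countries are too close together to be the same person. The log format, user names, addresses and baseline are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed log format: one login event per line (not any real mail system's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Constructed sample events: staffer.a normally works from the US, then a login
# succeeds from RU less than an hour after the last US one.
SAMPLE_LOG = """\
2016-03-19T14:02:11Z login user=staffer.a ip=198.51.100.7 country=US result=success
2016-03-19T14:40:52Z login user=staffer.a ip=203.0.113.9 country=RU result=failure
2016-03-19T14:41:30Z login user=staffer.a ip=203.0.113.9 country=RU result=success
2016-03-19T16:05:00Z login user=staffer.b ip=198.51.100.8 country=US result=success
"""

# Per-user baseline of countries they are expected to log in from (constructed).
BASELINE = {"staffer.a": {"US"}, "staffer.b": {"US"}}


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_login_anomalies(lines, baseline, travel_window=timedelta(hours=2)):
    """Return alert strings for successes that break the baseline or imply impossible travel."""
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the previous successful login
    for ev in filter(None, map(parse_event, lines)):
        if ev["result"] != "success":
            continue  # failures are worth counting too, but this rule is about access gained
        user, cc, ts = ev["user"], ev["cc"], ev["ts"]
        when = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if cc not in baseline.get(user, set()):
            alerts.append(f"{when} {user}: successful login from {cc} ({ev['ip']}) outside baseline")
        prev = last_success.get(user)
        if prev and prev[1] != cc and ts - prev[0] < travel_window:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            alerts.append(f"{when} {user}: impossible travel {prev[1]}->{cc} in {minutes} minutes")
        last_success[user] = (ts, cc)
    return alerts
```

Run `detect_login_anomalies(SAMPLE_LOG.splitlines(), BASELINE)` to see both rules fire on staffer.a's RU login while staffer.b stays quiet.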

THOUGHT #7:  I like Sergey Brin and Larry Page.  Google is a great search engine.  Not so much is it a great enterprise email solution, even though they would argue with me.  Vehemently.  But then, I am calling their baby ugly.  U.G.L.Y!  Sorry.

THOUGHT #8, 9 and 10: If security and privacy are important to your organization – and they may not be – then treat them that way. Find the expertise and hire it (#8). Listen to what they tell you to do (#9). And tell your users that this is not a democracy and they don’t get a vote on whether or not to follow the security policies (#10).

I know that is harsh, but the question is whether security and privacy are important to you.

Information for this post came from Buzzfeed.