Tag Archives: FBI

Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

Many people who do not love Facebook would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members, have been removed.  No doubt they were immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?)   Source: SC Magazine.


China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Huawei 5G controversy, western intelligence is concerned that they might eavesdrop on the data, since just one cable with multiple fibers might carry 100 gigabits of traffic or more – a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

The U.S. has repeatedly preferred a less secure Internet because that makes it easier to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack, revealed over the last few years, as just one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000 sites and have published the personal information (names, phone numbers and street addresses) of about 4,000 federal agents such as the FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.


Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000 then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Cars2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.


The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today,  is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  Not so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of  help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year’s budget, the FBI has 1,981 employees involved in cyber investigations.  Assuming the FBI has 56 field offices and not counting all the satellite offices, that means that the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017 and probably 10 times that many which people didn’t even bother to report.

Given that most of these crimes involve foreign countries and therefore reams of paperwork, if you ever do get cooperation, they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn, in private industry, double or more what they would make at the FBI, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks.  This is a very different skill.  You don’t send someone to a one day class and make them a cyber expert.

Source: Government Computer News.


Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one.  Office Depot got caught scamming its customers telling them they had (fake) malware on their computers when they asked OD and its vendor Support.com to scan their computers.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive, historically, it has not always worked to your advantage.

Office Depot will pay $25 Mil in fines; Support.com another $10 Mil.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us”.  Plan on protecting yourself.  Source: Seattle Pi.

Earl Restaurants Admits Breach – Likely 2 Million Cards Hacked

Earl Enterprises, parent of Buca di Beppo, Earl of Sandwich, Planet Hollywood and other brands, finally admitted that their point of sale system was hacked.  It had been compromised for almost a year before someone told them.  No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies who have large breaches, like Equifax, are held accountable.

For companies that earn more than a billion dollars in revenue the consequences of a breach could be a year in jail.  Repeat offenders could get three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article in CNN discussing this very issue.

A family with 5 kids is travelling around the world and when they arrived in Ireland, the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay.  The article didn’t say if scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but AirBnB would not refund their money.

In fact, initially, AirBnB claimed to investigate the owner and after the investigation, said there was no problem and reinstated the listing.

Only after they posted the item on social media and the local New Zealand news stations picked up the item did AirBnB understand the potential brand damage and refund their money.



Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100 acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all people within a 100 acre block of land is a lot of people and who are not particularly suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16 year old Australian kid has been charged with hacking into Apple’s network multiple times over the course of a year, successfully downloading 90 gig of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age.

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are, and has seized several domains that were posing as Microsoft domains.  The domains were being run by the Russian spy agency GRU and created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks; otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb and said, in effect, “what web sites, and what do you mean, impacting the elections?”  No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates.  Source: CNN.

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched computer running Apache Struts software.  Now there is another Apache Struts bug and this one is being called critical.  Its CVSS (Common Vulnerability Scoring System) score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMWare?  Well then, you might be using Struts (it depends on exactly which product from those companies you use).  Source: Risk Based Security.


DNC and FBI Fight Over Forensics – Some Tips

Politics being what it is, the FBI and DNC, a year after the attack on the DNC, are fighting over who did what and when.  Since everyone in Washington has to cover their rear ends, this is not a particular surprise, especially after Comey’s “We are investigating Clinton again …. oh, false alarm” letters to Congress a few days before the election, that accusations are flying.

Now the issue is whether the DNC gave “direct access” to their servers or not.

An anonymous official says that the FBI asked for direct access to the servers and data and was rebuffed until the initial compromise had been mitigated.

The DNC told Buzzfeed that the FBI never asked for direct access after the breach.

Leo Taddeo, a former Special Agent in Charge of the FBI’s New York office cyber division told the Hill that it is not unusual for the FBI to bypass a direct examination of a hacked server.  He said that in 9 out of 10 cases they don’t ask for access to a victim’s infrastructure.  “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Taddeo said, basically, that unless they think the victim wants to hide something, there is no reason why a bit for bit image of the server isn’t just as good as the original server.  AND, if they don’t touch the server, they can’t be accused of planting their own malware (after all, the FBI has been accused of that on more than one occasion and back in the dark ages, Director J. Edgar Hoover was well known for planting bugs to hack people he didn’t like).  They also can’t be accused of breaking anything.

Given how much of a political hot potato this investigation was and continues to be, NOT getting direct access is probably the smart thing for the FBI to do.  Of course, that doesn’t mean that someone isn’t going to second guess them.

If the former Special Agent in Charge of the FBI’s New York Cyber Division says that in 99 out of 100 cases, an image is sufficient, I tend to believe him over some anonymous source who says it is not.

DNC deputy communications director Eric Walker said that the FBI never requested access to the servers.

The DNC hired CrowdStrike, certainly a well known and respected incident response and mitigation firm to repair the damage.  I have no reason to believe that CrowdStrike didn’t follow generally accepted incident response practices, which in this case would include doing a bit for bit copy of every disk of every relevant server.

No one says that images were not made and no one says that images were not shared with the FBI, so given how political this has turned out, I am reasonably sure that images were both made and shared.

Also remember – and this is just me, WHY – the DNC was using GMail, which dramatically reduces anyone’s ability to do forensics.  After all, you are not going to go to Mountain View and ask Google if you can image their servers.  Not. Gonna. Happen.

But there certainly are lessons to be learned.

The FBI says that they contacted the DNC about a nation state breach of its systems.  Apparently, the outsourced tech support contractor who fielded the call was unsure whether the special agent was really from the FBI or a fraud.  For weeks, the FBI says, they continued to call the DNC with no response.

Lesson 1 – a contractor should not have the authority to make a decision about something as potentially life altering as a nation state attack.  In your organization, you need to have a policy, procedure and practice to walk – no RUN – that down the hall to the executive team and let them make that decision.

Lesson 2 – The contractor could always have gotten the agent’s name and called the switchboard at FBI headquarters to confirm that such an agent worked there and used that mechanism (and NOT a phone number that the agent might have given him) to contact the agent back to see if the threat is real – and give that information to the executive team.

IN MY OPINION, given the prevalence of hacks, a low level employee should NEVER make a decision about things like that.

Lesson 3 – According to Google Maps, FBI HQ is, at most, 1.5 miles walking distance from DNC HQ.  If the FBI thinks ANY company is being hacked and they are not getting a response from some phone calls, I PROMISE they will get a response if they walk into the company’s lobby, flash their FBI badge and ask to speak to the CEO.

So in this case, while I absolutely fault the DNC and especially the tech support contractor, I fault the FBI even more.  Sorry.

For companies who are worried about giving proprietary information to law enforcement, here are a couple of tips.

Tip 1 – Separate software and data.  If there is no data stored on the server, if law enforcement makes a copy of the server, there will be limited data collected.

Tip 2 – Encryption.  Servers should be encrypted.  If you make a bit image copy of a server, the copy will also be encrypted.  You can choose to control who and under what conditions you give out the encryption key(s).

Tip 3 – Encryption 2.  Data should also be encrypted.  The data should be encrypted with different keys than the servers are encrypted with.  In fact, multiple encryption keys for the data is better – some software uses a different key for each file.  Again, this gives you the ability to control actual access to the data.

Is encryption perfect?  No.  Especially if the encryption keys are stored on the server. Unencrypted.  I hate to say how many times encryption keys are stored unencrypted in configuration files.
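As an added illustration of Tips 2 and 3 (example code, not from the original post), the following shows per-file envelope encryption: every file gets its own data key, each data key is wrapped with a key-encryption key (KEK) that is held off the server, and a bit-for-bit image of the data volume therefore contains only ciphertext and wrapped keys. The file contents are constructed sample data, and the HMAC-SHA256 counter-mode cipher is an assumption chosen so the example runs on the Python standard library alone; in production you would use a real AEAD such as AES-GCM.

```python
"""Per-file envelope encryption: one data key per file, each wrapped by a
key-encryption key (KEK) that is never written to the server's disks."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode. This stands in for AES-GCM so the
    # example runs on the standard library alone; use a real AEAD in production.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def encrypt_file(kek: bytes, plaintext: bytes) -> dict:
    """Fresh data key per file; only the wrapped key lands on disk beside it."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": _seal(kek, dek), "blob": _seal(dek, plaintext)}


def unwrap_dek(kek: bytes, record: dict) -> bytes:
    return _open(kek, record["wrapped_dek"])


def decrypt_file(kek: bytes, record: dict) -> bytes:
    return _open(unwrap_dek(kek, record), record["blob"])


def disk_image(records: list) -> bytes:
    """Everything a bit-for-bit copy of the data volume would contain."""
    return b"".join(r["wrapped_dek"] + r["blob"] for r in records)


if __name__ == "__main__":
    kek = secrets.token_bytes(32)  # held in an HSM/KMS, not on this server
    files = [b"donor list: (constructed)", b"memo: (constructed)"]  # sample data
    records = [encrypt_file(kek, f) for f in files]
    assert all(f not in disk_image(records) for f in files)
    assert [decrypt_file(kek, r) for r in records] == files
    print("image is unreadable without the KEK; each file has its own key")
```

Whoever holds an image of the volume can read a file only if you also hand over the KEK, which is exactly the control the tips describe; storing that KEK in a config file on the same server would give it away with the image.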

In the FBI’s defense, the anonymous source said the DNC was recalcitrant and difficult to work with.  Given the political nature of this election and the history between Clinton and the FBI, that is not completely surprising, if it is true.

It is not uncommon for lawyers of private companies to deny requests for law enforcement to access their servers.  After all, what could go wrong?  And certainly the FBI wouldn’t pay to fix the damage or lost revenue.  If a company is in control, they also control the damage.

Comey wishes that people would trust the FBI more, but I think the FBI is challenged in this area.  Technology moves VERY quickly and the FBI moves a little more slowly.  How do you get an organization as old and large as the FBI to turn on a dime when even profit motivated private companies don’t do that very well?

We live in interesting times!

Information for this post came from The Hill.



FBI Can Unlock Most Devices That It Receives

FBI Director Comey has talked a lot about the “going dark” problem but we now have some statistics on the problem.

So far this fiscal year, the FBI has received 6,814 devices – phones or computers – to forensically examine.

Of those devices, only 2,095 had any form of password on the device.  That means that roughly 70 percent of the devices that bad guys used did not have a password on them.  If you assume that this statistic mirrors the general population – and it may not – then only 30 percent of people protect their devices with a password.

Of the 2,095 devices that were password protected, the Feds were able to get into 1,210 of those.  They do not say what techniques they used to get into those devices.

This means that out of almost 7,000 devices, the cops could not read about 880 of them.  Said differently, the Feds were able to get into 87 percent of the devices that they were presented with to evaluate.

These stats don’t include numbers for devices that local police receive and don’t turn over to the Feds.  This means that the 13 percent number – of devices that they cannot get into – may be high because there may be a number of devices that local police receive that they can easily get into and therefore don’t ask the Feds for help.

It also may include devices that are damaged.  For example, if a device is broken during an arrest, such as a bad guy intentionally throwing a device off a building into oncoming traffic – which probably is not that uncommon in a case where the bad guys think the phone contains evidence – those numbers would be included in the “we couldn’t get into that device” category.  How many devices fall into that category is unknown.  So while that is part of the going dark problem, it is not because of encryption.

Still, 13 percent is the most definitive number we have seen so far.

What we don’t have any numbers for is how many of those 6,800 devices contained any useful evidence of a crime.

From the Feds perspective, they want to be able to get into every device.  They are used to the days of executing a search warrant where they are looking for papers and where likely, in almost every case, they are able to examine almost 100 percent of the information that they are interested in looking at.

In response, the FBI said that 13 percent is significant and, in their defense, it is likely significant.  But it is far from an epidemic, at least at this point.

What is unclear is whether there was any evidence on those 880 phones or whether the inability to get into those phones made any difference in the prosecution or non-prosecution of those cases.  From a bad guy’s perspective, they likely have little incentive to unlock a phone even if there is nothing on it.  Their attorney would likely tell them that there could be something on the device that could be used against them, so don’t cooperate.  This is the digital equivalent of challenging a search warrant, but in this case, control is in the hands of the bad guy rather than in the hands of a judge, and the Feds likely don’t appreciate that fact.

At least, for the first time, we have some information about the problem.

Information for this post came from Motherboard.
