Tag Archives: FBI

The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today, is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  Not so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year’s budget, the FBI has 1,981 employees involved in cyber investigations.  Assuming the FBI has 56 field offices and not counting all the satellite offices, that means that the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017 and probably 10 times that many which people didn’t even bother to report.

Given that most of these crimes involve foreign countries, and therefore reams of paperwork if you ever do get cooperation at all, they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn double or more what they would make at the FBI in private industry, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks.  This is a very different skill.  You don’t send someone to a one-day class and make them a cyber expert.

Source: Government Computer News.


Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one.  Office Depot got caught scamming its customers telling them they had (fake) malware on their computers when they asked OD and its vendor Support.com to scan their computers.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive, historically, it has not always worked to your advantage.

Office Depot will pay $25 Mil in fines; Support.com another $10 Mil.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us”.  Plan on protecting yourself.  Source: Seattle Pi.

Earl Restaurants Admits Breach – Likely 2 Million Cards Hacked

Earl Enterprises, parent of Buca di Beppo, Earl of Sandwich, Planet Hollywood and other brands, finally admitted that their point of sale system was hacked.  For almost a year before someone told them.  No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies who have large breaches, like Equifax, are held accountable.

For companies that earn more than a billion dollars in revenue, the consequences of a breach could be a year in jail.  Repeat offenders could get three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article in CNN discussing this very issue.

A family with 5 kids is travelling around the world and when they arrived in Ireland, the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay.  The article didn’t say whether scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but AirBnB would not refund their money.

In fact, initially, AirBnB claimed to investigate the owner and after the investigation, said there was no problem and reinstated the listing.

Only after they posted the item on social media and the local New Zealand news stations picked up the item did AirBnB understand the potential brand damage and refund their money.


Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100-acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, everyone within a 100-acre block of land is a lot of people, none of whom are particularly suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16-year-old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 GB of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age.

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are.  Microsoft has seized several domains that were posing as Microsoft domains, were being run by the Russian spy agency GRU, and were created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is playing dumb, asking “what web sites?” and “what do you mean, impacting the elections?”  No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates.  Source: CNN.

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched computer running Apache Struts software.  Now there is another Apache Struts bug and this one is being called critical.  Its CVSS (Common Vulnerability Scoring System) score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMWare?  Well then, you might be using Struts (depends on exactly which product from those companies that you use).  (Source: Risk Based Security)


DNC and FBI Fight Over Forensics – Some Tips

Politics being what it is, the FBI and DNC, a year after the attack on the DNC, are fighting over who did what and when.  Since everyone in Washington has to cover their rear ends, it is not a particular surprise that accusations are flying, especially after Comey’s “We are investigating Clinton again …. oh, false alarm” letters to Congress a few days before the election.

Now the issue is whether the DNC gave “direct access” to their servers or not.

An anonymous official says that the FBI asked for direct access to the servers and data and was rebuffed until the initial compromise had been mitigated.

The DNC told Buzzfeed that the FBI never asked for direct access after the breach.

Leo Taddeo, a former Special Agent in Charge of the FBI’s New York office cyber division told the Hill that it is not unusual for the FBI to bypass a direct examination of a hacked server.  He said that in 9 out of 10 cases they don’t ask for access to a victim’s infrastructure.  “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Taddeo said, basically, that unless they think the victim wants to hide something, there is no reason why a bit-for-bit image of the server isn’t just as good as the original server.  AND, if they don’t touch the server, they can’t be accused of planting their own malware (after all, the FBI has been accused of that on more than one occasion and back in the dark ages, Director J. Edgar Hoover was well known for planting bugs to hack people he didn’t like).  They also can’t be accused of breaking anything.

Given how much of a political hot potato this investigation was and continues to be, NOT getting direct access is probably the smart thing for the FBI to do.  Of course, that doesn’t mean that someone isn’t going to second guess them.

If the former Special Agent in Charge of the FBI’s New York Cyber Division says that in 99 out of 100 cases, an image is sufficient, I tend to believe him over some anonymous source who says it is not.

DNC deputy communications director Eric Walker said that the FBI never requested access to the servers.

The DNC hired CrowdStrike, certainly a well known and respected incident response and mitigation firm, to repair the damage.  I have no reason to believe that CrowdStrike didn’t follow generally accepted incident response practices, which in this case would include making a bit-for-bit copy of every disk of every relevant server.

No one says that images were not made and no one says that images were not shared with the FBI, so given how political this has turned out, I am reasonably sure that images were both made and shared.

Also remember – and this is just me asking WHY – the DNC was using Gmail, which dramatically reduces anyone’s ability to do forensics.  After all, you are not going to go to Mountain View and ask Google if you can image their servers.  Not. Gonna. Happen.

But there certainly are lessons to be learned.

The FBI says that they contacted the DNC about a nation state breach of its systems.  Apparently, the outsourced tech support contractor who fielded the call was unsure whether the special agent was from the FBI or a fraud.  For weeks, the FBI says, they continued to call the DNC with no response.

Lesson 1 – a contractor should not have the authority to make a decision about something as potentially life altering as a nation state attack.  In your organization, you need to have a policy, procedure and practice to walk – no RUN – that down the hall to the executive team and let them make that decision.

Lesson 2 – The contractor could always have gotten the agent’s name and called the switchboard at FBI headquarters to confirm that such an agent worked there and used that mechanism (and NOT a phone number that the agent might have given him) to contact the agent back to see if the threat is real – and give that information to the executive team.

IN MY OPINION, given the prevalence of hacks, a low level employee should NEVER make a decision about things like that.

Lesson 3 – According to Google Maps, FBI HQ is, at most, 1.5 miles walking distance from DNC HQ.  If the FBI thinks ANY company is being hacked and they are not getting a response from some phone calls, I PROMISE they will get a response if they walk into the company’s lobby, flash their FBI badge and ask to speak to the CEO.

So in this case, while I absolutely fault the DNC and especially the tech support contractor, I fault the FBI even more.  Sorry.

For companies who are worried about giving proprietary information to law enforcement, here are a couple of tips.

Tip 1 – Separate software and data.  If no data is stored on the application server, then when law enforcement makes a copy of that server, there will be little data collected.

Tip 2 – Encryption.  Servers should be encrypted.  If you make a bit-for-bit image of an encrypted server, the copy will also be encrypted.  You can choose to control who gets the encryption key(s) and under what conditions.

Tip 3 – Encryption 2.  Data should also be encrypted.  The data should be encrypted with different keys than the servers are encrypted with.  In fact, multiple encryption keys for the data are better – some software uses a different key for each file.  Again, this gives you the ability to control actual access to the data.

Is encryption perfect?  No.  Especially if the encryption keys are stored on the server. Unencrypted.  I hate to say how many times encryption keys are stored unencrypted in configuration files.
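One way to implement Tips 2 and 3 together, and to avoid the unencrypted-key-in-a-config-file problem just described: an added example, not code from the original post or from any product it mentions.  Each file gets its own AES-256-GCM data key; that key is stored next to the ciphertext only in wrapped form, under a key-encryption key (KEK) that never sits on the data server, so a bit-for-bit image of the disk contains ciphertext and wrapped keys but nothing that decrypts them.  The KEK source and the file names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what lands on disk, and therefore in any bit-for-bit image: the ciphertext
// plus this file's own data key, wrapped under a key-encryption key (KEK) that is never
// stored on the data server. Without the KEK the image yields nothing readable.
type Record struct {
	Nonce, Ciphertext    []byte // file content, AES-256-GCM
	KeyNonce, WrappedKey []byte // per-file data key, encrypted with the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptFile draws a fresh 256-bit data key for this one file, encrypts the content with
// it, then wraps that key under the KEK. The file name is bound as associated data so a
// wrapped key cannot be moved to another file.
func EncryptFile(kek []byte, name string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	n, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return Record{}, err
	}
	kn, wk, err := seal(kek, dek, []byte(name))
	return Record{Nonce: n, Ciphertext: ct, KeyNonce: kn, WrappedKey: wk}, err
}

// DecryptFile needs the KEK: unwrap the data key first, then decrypt the content.
func DecryptFile(kek []byte, name string, r Record) ([]byte, error) {
	dek, err := unseal(kek, r.KeyNonce, r.WrappedKey, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key (wrong or missing KEK): %w", err)
	}
	return unseal(dek, r.Nonce, r.Ciphertext, []byte(name))
}

func main() {
	kek := make([]byte, 32) // constructed; in production the KEK lives in a KMS/HSM, not on this server
	rand.Read(kek)
	rec, _ := EncryptFile(kek, "donors.csv", []byte("constructed sample record"))
	pt, err := DecryptFile(kek, "donors.csv", rec) // with the KEK: plaintext; with any other key: error
	fmt.Println(string(pt), err)
}
```

Whoever holds the KEK decides who can read the data, which is exactly the control the tips above describe; an image handed over without it is still encrypted end to end.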

In the FBI’s defense, the anonymous source said the DNC was recalcitrant and difficult to work with.  Given the political nature of this election and the history between Clinton and the FBI, that is not completely surprising, if it is true.

It is not uncommon for lawyers of private companies to deny requests for law enforcement to access their servers.  After all, what could go wrong?  And certainly the FBI wouldn’t pay to fix the damage or lost revenue.  If a company is in control, they also control the damage.

Comey wishes that people would trust the FBI more, but I think the FBI is challenged in this area.  Technology moves VERY quickly and the FBI moves a little more slowly.  How do you get an organization as old and large as the FBI to turn on a dime when even profit motivated private companies don’t do that very well?

We live in interesting times!

Information for this post came from The Hill.


FBI Can Unlock Most Devices That It Receives

FBI Director Comey has talked a lot about the “going dark” problem but we now have some statistics on the problem.

So far this fiscal year, the FBI has received 6,814 devices – phones or computers – to forensically examine.

Of those devices, only 2,095 had any form of password on them.  That means that roughly 70 percent of the devices that bad guys used did not have a password.  If you assume that this statistic mirrors the general population – and it may not – then only 30 percent of people protect their devices with a password.

Of the 2,095 devices that were password protected, the Feds were able to get into 1,210 of those.  They do not say what techniques they used to get into those devices.

This means that out of almost 7,000 devices, the cops could not read about 880 of them.  Said differently, the Feds were able to get into 87 percent of the devices that they were asked to evaluate.

These stats don’t include numbers for devices that local police receive and don’t turn over to the Feds.  This means that the 13 percent number – of devices that they cannot get into – may be high because there may be a number of devices that local police receive that they can easily get into and therefore don’t ask the Feds for help.

It also may include devices that are damaged.  For example, if a device is broken during an arrest, such as a bad guy intentionally throwing a device off a building or into oncoming traffic – which probably is not that uncommon in a case where the bad guys think the phone contains evidence – those numbers would be included in the “we couldn’t get into that device” count.  How many devices fall into that category is unknown.  So while that is part of the going dark problem, it is not because of encryption.

Still, 13 percent is the most definitive number we have seen so far.

What we don’t have any numbers for is how many of those 6,800 devices contained any useful evidence of a crime.

From the Feds’ perspective, they want to be able to get into every device.  They are used to the days of executing a search warrant where they are looking for papers and where likely, in almost every case, they are able to examine almost 100 percent of the information that they are interested in looking at.

In response, the FBI said that 13 percent is significant and, in their defense, it is likely significant.  But it is far from an epidemic, at least at this point.

What is unclear is whether there was any evidence on those 880 phones or whether the inability to get into those phones made any difference in the prosecution or non-prosecution of those cases.  From a bad guy’s perspective, they likely have little incentive to unlock a phone even if there is nothing on it.  Their attorney would likely tell them that there could be something on the device that could be used against them, so don’t cooperate.  This is the digital equivalent of challenging a search warrant, but in this case, control is in the hands of the bad guy rather than in the hands of a judge and the Feds likely don’t appreciate that fact.

At least, for the first time, we have some information about the problem.

Information for this post came from Motherboard.


Apple To Fight Order To Unlock iPhone

One of the San Bernardino shooters in last December’s attack had a work iPhone that, apparently, was locked.  Also, apparently, the organization that the shooter worked for was not using device management software, which would have allowed them to control the device.

The FBI wants to unlock the phone but doesn’t know how to do it.

They have asked and a Federal District Court Magistrate Judge has granted an order to require Apple to create a special version of iOS which doesn’t have security features, install that on this phone after the fact and let the FBI then extract the data from the phone.

Apple CEO Tim Cook says that, while he respects the FBI and justice system, he is not going to do it.  The judge has told Apple to tell the FBI how much it will cost and she expects the FBI to write a check.

As best I can tell, a Federal Magistrate Judge is an assistant judge appointed by the District Court judges to help them in certain, limited matters.   That means that this ruling can be appealed, at least, to the Appeals Court and the Supreme Court.  It also may be reviewed by the District Court itself.

Some people say this is not a risky proposition – that all Apple has to do is create a new version of the firmware that allows the FBI to try every possible combination of passwords without the phone bricking itself.  Assuming he used a 4-digit PIN, that would likely take a matter of seconds since there are only 10,000 combinations.

If, however, the user chose a relatively weak 8-character password, then instead of 10,000 possibilities there would be a few more (depending on which characters are allowed, I am thinking there are around 722,204,136,308,736 possibilities) which would take considerably longer.  Experts, by the way, now say that an 8-character password is no longer secure.

If instead, you chose, say, a 12 character password, we are talking a lot of possible passwords.
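To make the passcode arithmetic above concrete, here is an added example (not from the original post) that computes, for each passcode type, the keyspace, the attacker’s odds while the 10-try auto-erase protection is still in place, and the average guessing time once that protection is removed.  The 72-symbol character set is chosen because it reproduces the 722,204,136,308,736 figure above (72^8); the guess rate is a constructed, assumed number, not one from the court order.

```go
package main

import (
	"fmt"
	"math/big"
)

// Keyspace returns alphabet^length, the number of candidate passcodes. big.Int
// because 72^12 already exceeds what a uint64 can hold.
func Keyspace(alphabet, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabet)), big.NewInt(int64(length)), nil)
}

// WipeOdds is the attacker's chance of hitting the passcode before the device
// erases itself after maxTries failures, expressed as "1 in N". This is the
// protection the order asks Apple to remove; with it, even a 4-digit PIN only
// falls one time in a thousand.
func WipeOdds(alphabet, length, maxTries int) *big.Int {
	return new(big.Int).Quo(Keyspace(alphabet, length), big.NewInt(int64(maxTries)))
}

// UnthrottledSeconds is the average time to recover the passcode once the wipe
// and delay logic are gone and guesses run at guessesPerSecond: on average half
// the keyspace is tried before the right one turns up.
func UnthrottledSeconds(alphabet, length int, guessesPerSecond int64) *big.Float {
	f := new(big.Float).SetInt(Keyspace(alphabet, length))
	f.Quo(f, big.NewFloat(2))
	return f.Quo(f, new(big.Float).SetInt64(guessesPerSecond))
}

// Describe renders a duration in the largest unit that keeps the number readable.
func Describe(secs *big.Float) string {
	v, _ := secs.Float64()
	units := []struct {
		name string
		size float64
	}{{"years", 365.25 * 86400}, {"days", 86400}, {"hours", 3600}, {"minutes", 60}}
	for _, u := range units {
		if v >= u.size {
			return fmt.Sprintf("%.3g %s", v/u.size, u.name)
		}
	}
	return fmt.Sprintf("%.1f seconds", v)
}

func main() {
	// Assumed guess rate once the firmware no longer throttles attempts: a
	// constructed figure for illustration, not a number from the court order.
	const rate = 1000
	cases := []struct {
		label            string
		alphabet, length int
	}{
		{"4-digit PIN", 10, 4},
		{"6-digit PIN", 10, 6},
		{"8 chars from a 72-symbol set", 72, 8},
		{"12 chars from a 72-symbol set", 72, 12},
	}
	for _, c := range cases {
		fmt.Printf("%-30s keyspace %v | with 10-try wipe: 1 in %v | unthrottled avg: %s\n",
			c.label, Keyspace(c.alphabet, c.length), WipeOdds(c.alphabet, c.length, 10),
			Describe(UnthrottledSeconds(c.alphabet, c.length, rate)))
	}
}
```

The table it prints is the defender’s argument in numbers: the auto-erase limit is what makes a short PIN survive, and once it is gone only passcode length and alphabet size stand between the device and a patient attacker.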

Tim Cook, CEO of Apple, in a letter on the company’s web site said that this is a much bigger issue than a magistrate judge in a district court should decide.  Apparently, Apple was not allowed to participate in the hearing that created this opinion.

The odds of being able to keep this version of the software secret is almost zero.  It just won’t happen.  If it exists, it would be a prized target for hackers.

The version that the FBI is asking for would require physical access to the phone, but a cell phone gets stolen in the U.S. about once every 3 seconds, so that doesn’t seem like much of a bar.

Once the hacker has your phone, he or she would have access to your online banking and maybe even your ability to unlock your front door, along with everything else on your phone.

Of course, any terrorist who has more than a third grade education would not rely on the screen lock to protect his or her information.  Unlocking the phone is merely the first step in a very complicated mess.

But it all hinges on security vs. convenience.  We have seen that even the Paris terrorists chose convenience – using unencrypted phones and unencrypted messaging.

Is someone who is on a Jihad – a mission from God – going to choose convenience or security?  So far, it appears that the answer is, for the most part, convenience.

And in the San Bernardino case, we don’t even know if there is anything relevant on the phone.  The phone was left at home and belongs to San Bernardino County.  It may have zero information on it related to the crime.

This does bring up one more point.  Businesses that give employees phones (or, worse yet, allow employees to use their own phones) and then do not have a device management system to manage them may be out of luck when it comes to retrieving data off the phone.  Depending on the situation, that may or may not be important, but if it is important, then your company should consider that and come up with a plan.  Even a stupid plan – asking the employee to give you the password – doesn’t stop a nefarious employee from changing it.  If the employee died in a car wreck, they cannot give you the password, and if they are out to get the company, they could say that in all the stress, they forgot the password.  Prove that they didn’t.

If the employee is out to get the company, they could change it to a 50 character random password and then, even if Apple were to give the FBI what it wants, we will all be old and gray before that gets hacked.

The story continues to get stranger.

According to Quartz, Apple has agreed to let the Chinese audit any device they sell on the Chinese Mainland.  Apple is avoiding answering the question as to what they agreed to let the Chinese do.

Right now, for every 1 iPhone that is sold, there are 9 Android phones sold.  If people don’t trust Apple, that ratio could get worse.

What is not clear is what Google is doing.  The media ought to investigate that.

And, of course, there is nothing to stop the terrorist from using encrypted software on the phone so that once the FBI figures out the one password out of 400 trillion to unlock the phone, they would have to start over with each and every application that uses Apple’s security philosophy.

The San Bernardino attackers took great pains to crush two personally owned cell phones and the hard disk from their computer has not been found, so what is the likelihood that there is sensitive information on his work phone and he just forgot about it?

Or use software that comes from Russia or Tehran.

Information for this post came from USCourts.gov , NBC, Qz, Fox and Apple.
