
Government May Be Too Slow To Tackle Cyber Threats Says Outgoing NSA Attorney

The Washington Post is reporting …

Outgoing National Security Agency General Counsel Glenn Gerstell says hacking threats from China and other U.S. adversaries pose as great a challenge to the country as climate change.  And the government and private sector risk moving too slowly to respond.


Gerstell’s alarm bell comes after years during which the U.S. has failed to stem the tide of significant hacks from Russia, China, Iran and North Korea — and as a wave of new innovations such as artificial intelligence, quantum computing and 5G telecommunications networks could radically expand the damage adversaries can do in cyberspace.

Gerstell says that we need to update laws, many of which date to the 1980s and before, and create additional regulation of tech firms (like the FBI wanting a back door to all encryption so they can snoop at will).

He is also suggesting that the government needs to consolidate responsibility which is now spread across the Pentagon, Department of Homeland Security, FBI and numerous other agencies (I think I will pop some popcorn when that ox gets gored – no one wants their agency to lose power).

He also thinks the NSA is going to have to be far more public about its work on both the offense and defense side.  Anne Neuberger, who heads up the newly recreated cybersecurity division (it replaces the Information Assurance Division, which was shut down a few years ago in a really misguided effort to shake up the bureaucracy), seems to already be making a difference in this department, starting with the announcement of the Microsoft Crypto API bug last month.

I do think it is going to be a real challenge for the government to move fast enough without doing a lot of stupid stuff and/or having a significant negative effect on the economy.

This administration does not seem to have a good handle on dealing with the problem.  This is not limited to one party.  After all, Congress is mostly made up of lawyers and we know how well many lawyers understand technology.

The Senate just released a report that said that the Obama administration was woefully unprepared for dealing with Russia’s hacking of the 2016 elections.  This administration has been in denial that Russia did hack the elections, saying maybe it was a 400-pound person in their parents’ basement.

None of this makes me super optimistic that the government will fix this problem any time soon.

Security News for the Week Ending January 24, 2020

Breaches Gone Wild – Very Wild

Since the EU’s GDPR went into effect on May 25, 2018 – about 18 months ago – 160,000 breaches have been reported to EU authorities.  A calculator will tell you that means that people are reporting between 250 and 300 security incidents A DAY!

If you think that magically, 18 months ago, the number of breaches that were occurring skyrocketed – well that is not likely.  At least one of the data protection authorities says that there is over-reporting, but that two thirds of the reports are legitimate.

So far companies have PAID about $125 million in fines and the largest single fine was about $55 million.  Expect many more fines in the future since the authorities have not processed most of those 160,000 reports.  Source: ZDNet

Hacker Posts 500,000 Userid/Password Combinations

A hacker who is changing his business model posted the userids, passwords and IP addresses of 515,000 servers, routers and IoT devices on the Internet.  The hacker had used the compromised devices to attack other computers in Distributed Denial of Service attacks.

But he has decided to change his business model and instead use powerful servers in data centers to attack his victims, so he didn’t need all of these devices any more.

What is not clear is why he published the list.  He certainly could have sold it.  Maybe he thought that if the list became public, people would change their passwords from the default or easy-to-guess ones that they were using.  Source: ZDNet

New York State Wants to Ban Government Agencies From Paying Ransoms

Two NY Senators, a Republican and a Democrat, have each introduced bills that would outlaw using taxpayer money to pay ransoms.  One of the bills includes language to create a fund to help local municipalities improve their security.  Given the number of attacks on government networks, this would cause some tension: a city that could pay a ransom might be operational again in a few days, whereas one that didn’t have good backups could take months to recover.  Stay tuned.  Source: ZDNet

U.N. Report: Bezos Hacked By Saudi Prince MBS

Some people are questioning the report by U.N. experts that Amazon and Washington Post CEO Jeff Bezos’ phone was hacked by Saudi Crown Prince Mohammed bin Salman.  The report says that the hacking can be tied directly to a WhatsApp message sent from MBS’s phone.  Given other things MBS is accused of doing, this is certainly possible.  While the Saudis, not surprisingly, called the report absurd, others are calling for an investigation.  Source: The Register


Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here).  Since then, the government has issued extensions to the ban 90 days at a time, and it just issued another extension.  They are doing this at the same time that they are trying to get US allies to not use Huawei products in the rollout of those countries’ 5G networks.  This tells China that we are not serious about this and don’t really think Huawei is a security risk – whether it is or not.

There are two problems with the ban.  The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it.   Second, US companies and likely Republican donors make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks.  If the US actually implements the Huawei ban, then those companies will no longer get software patches; the Chinese might even announce the holes so hackers can attack US networks.  In addition, if the equipment breaks, carriers won’t be able to get it fixed.  Life is never simple.

Carriers that have to spend money replacing Huawei will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are.   Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered up a bounty of $100,000 for other hackers who break into “capitalist institutions” and leak the data.  The group said that hacking into corporations and leaking documents in the “public interest” is the best way for hackers to use their skills for social good.  That is not a great message for businesses who are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright or act in not so bright ways.  In this case, a Russian hacker wanted by the US was arrested when he entered Israel in 2015.  The US says that he ran the underground credit card mart CARDPLANET, which sold over a hundred thousand stolen cards.  Why a Russian hacker would think that visiting Israel was safe is unclear; maybe he thought no one knew who he was, or maybe he is just not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there.  When the Israelis told them thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped-up drug charges and she is serving a 7 year sentence in Russia.  Even that did not sway Israel to return him.  In the meantime, the Israelis have turned him over to us and he is awaiting trial here.

Some people say that Russia wants him back because he has first hand knowledge of Russian interference in the 2016 US elections, but the White House doesn’t even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue, but who knows  – stay tuned.  Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Up until yesterday, you had to provide Twitter with a phone number for two factor authentication and they would send you a text message.  You could change the method later, but you had to initially give them a phone number.  HIS account was hit by a SIM-jacking attack (so apparently he did not change his authentication method).

As of November 21, you can now set up a Twitter account WITHOUT SMS as the second factor.  I strongly recommend that you change your Twitter 2FA method.  Source: Tech Crunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you or a repair center (that doesn’t pay Apple a licensing fee) should not be allowed to repair your iPhone because, they say, doing such repairs could be dangerous.

They also said it costs them more money to repair iPhones at Apple stores than they charge, which is probably the best reason ever to let other people repair them.  Of course, that is not the way Apple sees it.  They said that you might leave a screw out or something.  Of course, if they provided manuals, that wouldn’t be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer.  Apple also said that they don’t stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone’s touchscreen if they do get their phone repaired outside the Apple ecosystem.  Read more details here.

Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, was to constrain the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS) interview the journalists (the second half of this podcast) here.

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes’ Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while the Malwarebytes stats reflect what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report is whether this includes both successful and failed ransomware attacks, but it likely does, since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.

Supply Chain Risk is a Major Problem

Germany-based CityComp, which has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000, which was not paid.  The hacker claims to have over 500 GB of data in 312,000 files, which is set to be released.  Because a vendor was hacked.  In part because the clients’ vendor cyber risk management programs did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.

Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials from 30 European Union and NATO countries, as well as Japan, Australia and Germany, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.

Why Paying Ransomware May Not Be A Great Idea

You may recall that a hacking group called the Dark Overlord hacked into Larson Studios, a third party provider to Netflix and other studios.  They stole the unreleased copies of the whole season of Orange as well as about 36 other series and movies.

Now we are beginning to hear the back story and it points out that paying ransomers is dicey business.

Larson’s owners tried to protect their customers.  They did this by paying the ransomers $50,000 in bitcoin.  The theory was that the ransomers would not release any of the titles if they did.

Investigators discovered that ground zero for the attack was a Windows 7 PC.  Whether it was patched current or not is unclear, but as we are seeing with the Wikileaks releases of CIA and NSA exploits, being patched does not mean being secure.  The CIA and NSA do not have an “exclusive” on exploits.

When Larson’s IT guy looked at the server and found the shows were gone, they called the FBI.  They did not tell their clients because the group said not to and at that point they were still hoping to contain the damage.

They paid the ransom.  It took a while to work through the system to buy $50,000 in bitcoin.  About a week in total.

The Dark Overlord got a bit greedy and contacted Netflix and the other studios trying to get them to pay a ransom also.  Those studios opted not to pay.  So, even though Larson paid the ransom, they released the titles.

It is a bit of a crap-shoot as to whether hackers will keep their word, even though not keeping their word should, in theory, destroy their business model.

In many cases, having a backup will protect you from having to pay the ransom.  Not in this and any number of cases where the hackers can steal intellectual property.  Like at law firms or accountants, for example.

Once they have your intellectual property, it is a new game.

They could sell it or publicly release it.  Depending on the model, they might want to embarrass the company, destroy it or make money.

Your best bet is to keep the hackers out.  That is not always so easy.

After the fact, Larson upgraded security.  Files are encrypted.  The network is segmented so that if an attacker gets in they don’t have free range to the whole company.  They no longer keep the audio files and video files together to make it harder for an attacker to get something useful.

Larson lost some customers over this, but they learned a lesson.  An expensive lesson.  Lost customers PLUS ransom PLUS reputational damage PLUS the cost of re-engineering the network EQUALS an expensive lesson.

You can spend the money before an attack or spend a lot more money after the attack.  It is your choice.  But there is no free lunch.

Information for this post came from Data Breach Today.

Another Public Private Partnership Between Police and Hackers

A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies.  In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.

Now there are reports of a similar but different arrangement with the Metropolitan Police in London.  These reports are unsubstantiated as of right now.

The anonymous person who used to work for the intelligence community (or so they say), said it worked this way.

Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents.  The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists.  It is not clear how the hackers benefited from this other than for being paid for their work.  How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.

Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.

The person who reported the crime said that the police had been rummaging through journalists’ and activists’ emails for several years.

The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating.  The IPCC is already investigating a complaint that the intelligence unit shredded large numbers of documents in 2014 in spite of an order to preserve the documents for review by the court.  The complainer said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.

Lawyers who received the letter in question said it contained 10 userids and passwords and they were able to confirm that five were the correct password for those users and one more was almost identical.

The Metropolitan Police said that they need to keep track of thousands of activists to detect the few bad apples.  They didn’t explain HOW they might do that – legal or otherwise.

Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.

Certainly law enforcement has authority to a certain amount of eavesdropping, based on a set of rules laid out by law.  Those laws vary from country to country.

On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.

It may be easier – although likely much less legal – to obtain the password of people they want to monitor such as journalists – than to get multiple warrants.  It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.

For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.

For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.
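To illustrate why a second factor blunts the tactic described above, here is an added example (written for this post; it is not code from the article, from The Guardian, or from any mail provider) of a login check that requires both a password and a time-based one-time code per RFC 6238, the scheme most authenticator apps use.  The user record, the password, the fixed salt and the use of the RFC’s published test seed as the TOTP secret are all constructed for the demo; the point is that a password obtained from a hacker-for-hire stops at the second check unless the attacker also holds the secret on the user’s phone.

```python
import hashlib
import hmac
import struct


# --- RFC 4226 / RFC 6238 one-time codes (HMAC-SHA1, the authenticator-app default) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift).

    Every candidate step is checked with a constant-time compare and the loop never
    exits early, so timing does not reveal which step (if any) matched.
    """
    if not code.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * 30
        if t >= 0 and hmac.compare_digest(totp(secret, t), code):
            ok = True
    return ok


# --- Constructed user store (hypothetical; nothing here comes from the article) ---

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps this stdlib-only; argon2 or bcrypt are better when available.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


SALT = b"constructed-fixed-salt"        # a real system draws a random salt per user
TOTP_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector seed, used here as a sample
USERS = {
    "journalist": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": TOTP_SECRET,
    }
}


def login(username: str, password: str, otp: str, unix_time: int) -> str:
    """Return 'ok', or the reason the attempt was rejected."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return "bad password"
    if not verify_totp(user["totp_secret"], otp, unix_time):
        return "bad one-time code"  # a leaked password on its own stops here
    return "ok"


if __name__ == "__main__":
    now = 1234567890  # fixed clock so the run is reproducible
    # Someone holding only the stolen password cannot produce the code.
    print(login("journalist", "correct horse battery staple", "000000", now))  # bad one-time code
    # The legitimate user, with the secret on their phone, gets in.
    print(login("journalist", "correct horse battery staple", totp(TOTP_SECRET, now), now))  # ok
```

The `hotp`/`totp` functions reproduce the RFC 6238 Appendix B vectors (for example, time 59 with 8 digits gives 94287082), so the check is the real algorithm rather than a stand-in.  SMS-delivered codes, as the Twitter item elsewhere on this page shows, can be hijacked with the phone number; an app-based or hardware second factor does not share that weakness.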

For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution.  This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.

Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.

Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.

For most people, keeping the contents of their email private is, at best, a nuisance.  For other people, including journalists and investigators, privacy likely rises to a higher level.

Certainly interesting.

Information for this post came from The Guardian.
