Tag Archives: Iran

MI-6 Follows CIA, Just 22 Years Late

Why? Quantum Computing and Artificial Intelligence!

For those of you who are not familiar with MI-6, even via a somewhat romanticized version in James Bond movies, MI-6 is Britain’s spy agency. Working along MI-5 and GCHQ, their goal is to protect Britain from the bad guys. MI-6, similar to our NSA (often referred to as No Such Agency), prefers to stay in the shadows. The agency’s existence wasn’t even formally acknowledged until the 1990s.

However, now they are they are talking very publicly. Richard Moore (AKA “C” in MI-6 speak) talked publicly for the first time since taking over the role of Chief of MI-6. He said that developments in quantum computing and AI are good for society.

Speaking at the International Institute for Strategic Studies, Moore warned that China, Russia and Iran are a threat to the UK (and the rest of the world), who could exploit technology to meet their aims.

While human intelligence is important (and, I might add, becoming harder by the day because of the digital footprint that every human leaves behind – or if they are a spy, do not leave behind), technology is going to be critical to assessing that intelligence.

He warned that “our adversaries are pouring money and ambition into mastering artificial intelligence, quantum computing and synthetic biology because they know that mastering these technologies will give them leverage”.

However, “C” admitted that they (the UK) will lose the battle if they try to out-do big tech.

So, they are doing what the CIA started to do in 1999 and have started a venture capital fund called the National Security Strategic Investment Fund. The CIA calls theirs In-Q-Tel. While I don’t know NSSIF, I did pitch In-Q-Tel a few years ago. Some super smart people. Likely also true for NSSIF. Both are looking for smart people with even smarter ideas who need money. Of course, they want to use, partner, or own the tech that these investments produce. “C” said that this is a culture change for the organization that is going to be a sea-change. The CIA seems to have figured out how to do it. Perhaps the two organizations should chat. Or maybe they already are.

Key point is that Quantum computing and AI are going to be critical to national security and, my guess is, China and the others know that too (read my November 25th blog post if you doubt this). If they can’t develop it themselves, there are other alternatives that they seem to be pretty good at also. Credit: ZDNet

Booze Allen says that the Chinese are already planning for the day when powerful quantum computers are running inside their state run intelligence service. Booze says that Chinese hackers might soon start trying to steal encrypted data such as encrypted weapons design data, biometric data and spy agency human asset info, with the hope that, with quantum computing, they will be able to decrypt it in the future.

Booze writes:

In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era

Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts | ZDNet

We either need to protect our tech. Or learn Mandarin.

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if the have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese controlled data centers. It talks about how China has constructed it’s laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

Security News for the Week Ending October 23, 2020

Iran or Russia – Who Should We Worry About?

The FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.

The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We’re told:

It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections. Credit: The Register

Snowden Granted Permanent Residency in Russia

The AP is reporting that Russia has granted Edward Snowden permanent residency status. Basically, Putin poked Trump in the eye with a sharp stick two weeks before the election. In what is clearly a calculated political move by former KGB operative Putin, he decided to do this right before the U.S. Presidential election, rather than wait a couple of weeks. Is this an effort by Putin to affect the election? Don’t know, but I am pretty sure it is not a coincidence. Credit: AP

WordPress Forced Updates to Entire Base of Site Due to Plug-in Bug

A critical bug in the Loginizer plug-in which would allow a hacker to bypass the login process caused WordPress to force an emergency update to its entire user base. While some admins whined about the forced update, Loginizer says that 89% of its installations have been updated. Forced updates have been used, rarely, by every major software vendor – inclusing Apple and Microsoft on a more frequent basis – because users just don’t deal with patches quickly, much of the time. Credit: ZDNet

MicroChipping Humans – Its a Thing and Soft of Illegal in a Few States

Apparently, embedding microchips in humans is a thing in some places. Some employers are doing that to employees – voluntarily at this point, to act as a replacement for badge. But a badge you can leave at home if you are off work. A microchip is on 24×7.

As a result, 7 states have passed laws making MANDATORY chipping of humans illegal. And it is a variety of states. You would expect California to ban that, but also Utah. Maryland, New Hampshire, North Dakota, Oklahoma and Wisconsin round out the list. Michigan is working on becoming number 8. Interesting.

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how serious the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoire and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

Security News for the Week Ending February 7, 2020

Iran Expands Oil & Gas Attacks to Electric as Well

According to researchers, Iran linked APT33 has expanded its attack surface.  Initially they were going after the global oil and gas industry but now they have added the electric grid to the mix.  Right now, they say, the goal is reconnaissance – gathering information to use later.  They also are trying to establish a foothold inside the infrastructure to use at a time of their choosing.  Source: Threat Post

 

In the Wake of the Iowa Caucus Voting Mess – Are We More Secure Now Than 2016?

Clearly the Iowa voting software issue does not instill confidence in the election process.  Was that a Russian hack?  No, I don’t think so.  Just software quickly thrown together with not much planning.  Apparently, they only paid $63,000 for it.  Given how important it was, it seems like a LOT more testing was needed.  That did not happen.

But more concerning this this week’s McAfee report.  They say that 84% of county websites did not have a .Gov domain name.  This is important because there is more verification done on those domains.

In addition, 46% of county web sites were not encrypted – with Texas being the worst with less than 25% of their county web sites being encrypted.

If we are not taking basic security measures like these, why would anyone think that they are doing a better job at protecting your vote.  Source: Help Net Security

 

GAO Says That CISA is Behind on Election Security Plans

The GAO says that DHS’s CISA is behind on its plans for election security.  CISA became responsible for election security when elections were declared critical infrastructure in 2017.

Unfortunately, CISA’s budget is less than JP Morgan Chase’s security budget.  Given the lack of funding, this is not a surprise.

Given the challenges with tech (non-hacking related) at the Iowas Caucuses, this is not a good sign.

The House has passed a number of bills to fund election security but the Senate has not taken up any of them and none of them have been submitted to the White House.  More than likely, this is due to partisan politics.  However, if there are problems during this election, voters are likely not going to be happy.

The GAO listed three recommendations for the CISA:

  • Urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure for the upcoming elections.
  • Ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections.
  • Document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency’s 2020 planning.

Source: CNBC

 

Experts Say the Software Used at Iowa Caucuses Looks Like a Student’s Class Project

Multiple Android app development experts and cybersecurity pros who took about the app that the IDP tried to use to report the Caucus results had the quality similar to what a college student might turn in for a programming class.

The software was based on React Native, a cross platform app development framework released as open source by Facebook.  That in itself is not a problem.

One expert said that the developers took an off the shelf skeleton project and added some stuff to it.  One expert said that it was clearly done by someone who had just read a tutorial on how to do it.  Another expert said the app looks like it was “hastily thrown together”.

It also appears that user training was inadequate.  The development team only started gathering requirements 6 months ago.  Homeland Security had offered to test the security of the app, but the Iowa party officials declined.

The IDP says that this app was not supposed to be the final arbiter of results but only a way to get quick, unofficial numbers.  The caucuses all collected their data on paper and were supposed to transfer the results to the app.  Source: Motherboard

Sources also say that the version of the app planned to be used in Nevada (plans which have been cancelled) also had errors.  Source: Motherboard

 

 

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airports administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for a fee information sites;  It is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and that whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese? Or did the Chinese steal it?  Or does CheckPeople use servers in China?   If so, that is something we should stop.  Source: The Register

Travelex Woes Continues

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks are as are seeing here, even though most of the information is NOT coming from Travelex.

 

This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barklays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

Still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.   They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.