Tag Archives: San Bernadino

Security News for the Week Ending October 25, 2019

Database Leaked 179 GB of Personal Data of Military Personnel, Officials and Hotel Customers

I wish this was a new story.  Autoclerk, a Best Western service that manages reservations, revenue, loyalty programs, payment processing and other functions for the hotel chain, left an Elasticsearch database exposed.

Hundreds of thousands of guest reservations were exposed including names, home addresses, dates of birth, travel dates and other information.

The reason why government and military personnel are affected is that a government contractor that deals in travel reservations was sucked into the breach.  Source: ZDNet.

 

San Bernardino Schools Hit By Ransomware

A message on the school district’s web site says not to worry, all of your data is secure (it’s just that it has all been encrypted by a hacker).  Phones are working but email is not working.  Schools in Flagstaff closed last month for several days while officials got things under control after a ransomware attack there.  Source: ABC

 

Russia Using “False Flags” to Confuse Security Experts

Researchers are still dissecting the attack on the 2018 Olympics in South Korea.  Russia inserted false signals and other misdirections in order to make people think that the attack came from China or North Korea.  This does point out that if you are willing to spend millions of dollars, you likely can figure out quite a bit about a cyber attacker.  The story is so complex that one of the researchers wrote a book, Sandworm, which will be available on Amazon on November 5, 2019.  Source: WaPo

 

Amazon’s Web Services DDoSed for 10 Hours This Week

For about 10 hours earlier this week parts of Amazon were effectively offline.  Amazon’s DNS servers were being hammered by a DDoS attack.  This meant that Amazon backend services such as S3 may have failed for websites and apps that attempted to talk to those services.  The outage started around 0900 east coast time so it impacted users throughout the work day on Tuesday, October 22, 2019.  For developers and businesses this is just one more reminder that nothing is bullet proof if the bullet is large enough.  Even though Amazon has an amazing amount of bandwidth and infrastructure, it can get taken down.

Other services that were affected included RDS (database), Simple Queue Service, Cloudfront, Elastic Compute Cloud, and Elastic Load Balancing.  Amazon did offer some ways to mitigate the damage if it happens again – see the link below.  As a business you need to decide how much cost and effort you are willing to expend to mitigate rare occurrences like this.  Source: The Register.

 

Comcast is Lobbying Against Browsers Encrypting DNS Requests

Here is a big surprise.  As the browser vendors (Chrome and Firefox) add the ability to support encrypting your DNS requests to stop people from spying on you, one of the biggest spies, Comcast, is lobbying against this.  They say that since Google would be able to see the data, that puts too much power in Google’s hands.  Ignore for the moment that Firefox is not using Google as a DNS provider and also ignore that Google is offering users at least 4 different encrypted DNS providers.  Let’s also consider that encrypted DNS is not even turned on by default.  The much bigger issue is that Comcast will not be able to see your DNS requests and therefore will not be able to sell your web site visit data.  But of course, we would not expect them to be honest about why.  Source: Motherboard.

Richard Clarke Says That FBI Could Have Had San Bernardino Data Already – If It Really Wanted It

Richard Clarke, National Security Council’s chief counter-terrorism advisor to three presidents (George H.W. Bush, Bill Clinton and George Bush) and Special Advisor on Cyber Security to George Bush, said that the FBI could have taken the San Bernardino phone to Ft. Meade, home of the NSA, and had the data in the phone a long time ago.

If what they really wanted was the data on the phone.

Which is not at all what they want.  What they want is to set a precedent so that they can force Apple, Google, Facebook, Whatsapp and any other software developer to build them a version of their software that defeats the security that they have added to protect their users.  Any time and under any circumstances.

Of course, this is what I have been saying from the beginning.

However, Richard Clarke likely has a little more “cred” on the subject than I do.

Failing that, they could ask the Chinese to unlock it for them. 🙂

Clarke is certainly not pulling any punches.  He said:

“The Justice Department and the FBI are on their own here,” he said. “The FBI director [Comey] is exaggerating the need for this, and the Attorney General [Loretta Lynch] is letting him get away with it.”

No one knows what the courts will do or if Congress will attempt to legislate a solution.  When Congress tries to take on technology, it is usually not a pretty sight.

What Clarke, along with a number of other cyber security and intelligence community members, has said is that this is a much bigger issue than even fighting terrorism.

Of course politicians dance to their own tunes and this is an election year, so who knows what might happen.  Stay tuned.

Information for this post came from Ars Technica.

Apple To Fight Order To Unlock iPhone

One of the San Bernardino shooters in last December’s attack had a work iPhone that, apparently, was locked.  Also, apparently, the organization that the shooter worked for was not using device management software, which would allow them to control the device.

The FBI wants to unlock the phone but doesn’t know how to do it.

They have asked for, and a Federal District Court Magistrate Judge has granted, an order to require Apple to create a special version of iOS which doesn’t have security features, install that on this phone after the fact and let the FBI then extract the data from the phone.

Apple CEO Tim Cook says that, while he respects the FBI and justice system, he is not going to do it.  The judge has told Apple to tell the FBI how much it will cost and she expects the FBI to write a check.

As best I can tell, a Federal Magistrate Judge is an assistant judge appointed by the District Court judges to help them in certain, limited matters.   That means that this ruling can be appealed, at least, to the Appeals Court and the Supreme Court.  It also may be reviewed by the District Court itself.

Some people say this is not a risky proposition – that all Apple has to do is create a new version of the firmware that allows the FBI to try every possible combination of passwords without the phone bricking itself.  Assuming he used a 4 digit PIN, that would likely take a matter of seconds since there are only 10,000 combinations.

If, however, the user chose a relatively weak 8 letter password, then instead of 10,000 possibilities there would be a few more (depending on which characters are allowed, I am thinking there are around 722,204,136,308,736 possibilities) which would take considerably longer.  Experts, by the way, now say that an 8 character password is no longer secure.

If instead, you chose, say, a 12 character password, we are talking a lot of possible passwords.

Tim Cook, CEO of Apple, in a letter on the company’s web site said that this is a much bigger issue than a magistrate judge in a district court should decide.  Apparently, Apple was not allowed to participate in the hearing that created this opinion.

The odds of being able to keep this version of the software secret are almost zero.  It just won’t happen.  If it exists, it would be a prized target for hackers.

The version that the FBI is asking for would require physical access to the phone, but a cell phone gets stolen in the U.S. about once every 3 seconds, so that doesn’t seem like much of a bar.

Once the hacker has your phone, he or she would have access to your online banking and maybe even your ability to unlock your front door, along with everything else on your phone.

Of course, any terrorist who has more than a third grade education would not rely on the screen lock to protect his or her information.  Unlocking the phone is merely the first step in a very complicated mess.

But it all hinges on security vs. convenience.  We have seen that even the Paris terrorists chose convenience – using unencrypted phones and unencrypted messaging.

Is someone who is on a Jihad – a mission from God – going to choose convenience or security?  So far, it appears that the answer is, for the most part, convenience.

And in the San Bernardino case, we don’t even know if there is anything relevant on the phone.  The phone was left at home and belongs to San Bernardino County.  It may have zero information on it related to the crime.

This does bring up one more point.  Businesses that give employees phones (or, worse yet, allow employees to use their own phones) and then do not have a device management system to manage them may be out of luck when it comes to retrieving data off the phone.  Depending on the situation, that may or may not be important, but if it is important, then your company should consider that and come up with a plan.  Even if you come up with a stupid plan – asking the employee to give you the password – that doesn’t stop a nefarious employee from changing it.  If the employee died in a car wreck, they cannot give you the password, and if they are out to get the company, they could say that in all the stress, they forgot the password.  Prove that they didn’t.

If the employee is out to get the company, they could change it to a 50 character random password and then, even if Apple were to give the FBI what it wants, we will all be old and gray before that gets hacked.

The story continues to get stranger.

According to Quartz, Apple has agreed to let the Chinese audit any device they sell on the Chinese Mainland.  Apple is avoiding answering the question as to what they agreed to let the Chinese do.

Right now, for every 1 iPhone that is sold, there are 9 Android phones sold.  If people don’t trust Apple, that ratio could get worse.

What is not clear is what Google is doing.  The media might ought to investigate that.

And, of course, there is nothing to stop the terrorist from using encrypted software on the phone so that once the FBI figures out the one password out of 400 trillion to unlock the phone, they would have to start over with each and every application that uses Apple’s security philosophy.

The San Bernardino attackers took great pains to crush two personally owned cell phones and the hard disk from their computer has not been found, so what is the likelihood that there is sensitive information on his work phone and he just forgot about it?

Or use software that comes from Russia or Tehran.

Information for this post came from USCourts.gov, NBC, Qz, Fox and Apple.