Tag Archives: Surveillance

NSA Says They Have A Big Blind Spot

NSA Director General Paul Nakasone testified before the Senate Armed Services Committee about the recent SolarWinds and Microsoft Exchange hacks. He said that foreign hackers are taking advantage of the Intelligence community’s blind spot – adversaries working INSIDE the United States.

Our adversaries can come into the United States, set up shop on the web, do their damage and be gone before a warrant can be issued – before we can have actual surveillance by a civilian authority.

To be clear, a warrant does not need to take a lot of time to get approved, but the NSA don’t need no stinking warrant. What is different is the FBI and others, most of the time, do need to get a warrant and getting a warrant requires probable cause and probable cause takes time to find. That is a constitutional problem, however. After 9/11, we did a whole bunch of new surveillance and some of that was ruled unconstitutional by the Supreme Court, but not until years later.

The problem is that no one – neither foreign not domestic, seems to have had any visibility into what the hackers were doing. In fact, neither law enforcement nor the intelligence community actually detected these attacks.

Nakasone said that we can’t connect the dots because we can’t see all the dots. Unlike dictatorships, in the US, we have separation of responsibilities and that does make things more difficult for those people who are tasked with protecting us.

While the NSA can legally intercept almost any signals that they are able to see internationally, inside the U.S., the FBI and others generally require a warrant to access information.

Of course the FBI and the NSA do not need any warrant to intercept traffic inside the government because the government can give them permission to do whatever they like. Given that the government was a major target, that seems like an important piece of information. The executive branch could have collected as much data as they wanted to using existing laws. Did they miss something? Could they have done something differently? Would that have changed the outcome? I don’t know the answer to any of these questions, but they are useful questions to ask.

Some folks – notably NOT General Nakasone – have suggested that the NSA needs to be allowed to spy inside the United States. That presents some minor legal problems, most notably the fourth amendment to the US Constitution.

Other people have suggested that even if we had allowed the NSA to spy on Americans in America, there is no indication that they would have detected these attacks. They might have. Or might not have.

Of course, if the private sector had a way to share their intelligence with the government in a way that protects Americans’ rights and protects the companies that share their data with the government.

I don’t think there is an easy answer. Sometimes the hackers are good – especially when they using an unlimited bank account as is often the case with state sponsored hacking.

The feds have been talking about a bill that would require companies to tell the gov about an attack, but that would be after the fact and that probably would not have helped in this case.

Still, we have to put our collective thinking caps on and try to figure out a solution. After 9-11 we came up with some reactionary responses and we are still arguing about the impact of that twenty years later. This time we should probably think about the long term implications. But we do need to think. Credit: The Cybersecurity 202/Washington Post

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data. I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem and this case, I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year and allowing the case to proceed, does not mean anyone will win or what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that is never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. Leaked documents are less sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

Security News for the Week Ending November 6, 2020

TikTok Ban – Remember That?

Well now that the election is over – at least the voting part – we can get back to the important stuff like whether our kids can create 30 second dance videos on TikTok. The President signed a memo a couple of months ago to add trade pressure on China by banning TikTok in the US, but a Federal judge signed a preliminary injunction putting the memo on hold. The government has asked the DC Circuit to overturn that injunction but there are other restrictions like hosting the TikTok software on US cloud servers that go into effect on November 12th, so assume this subject will heat up over the next week or so. Credit: Law360

Feds Seize $1 Billion in Bitcoin from Silk Road

The feds shut down the Silk Road online crime bazaar in 2013 and convicted its founder, Ross Ulbricht in 2015. He was sentenced to two life terms plus 40 years. Now, this past week, the feds transferred 69,000+ Bitcoin out of a wallet that has been quiet since 2015. Is Ross trying to make a deal? Those Bitcoin are worth not quite a billion dollars. Now the feds have to convince a judge that the money is proceeds subject to forfeiture. If they do, the feds will likely auction off the cryptocurrency and put the proceeds in its piggy bank and, possibly, the piggy banks of other agencies that helped take Ulbricht down. Credit: ARS Technica

How Fast is Our 5G

I know that 5G is not a security issue – except that how we use 5G WILL make it a security issue. Right now, the 3 big carriers continue to roll out some form of 5G nationally and they are succeeding. It is important to understand what they mean by 5G. It does NOT mean that if you spend $1,000 or $1,500 on a 5G phone (although there are a couple of low price models), you should expect really fast speed on your phone. It means that the carriers are layering the 5G protocols on top of the existing 4G infrastructure.

So how fast is our 5G? PC Magazine does tests every few months and has released a new set of tests. They say that our 5G average speed is slower than Saudi Arabia, South Korea, Australia, Canada, Switzerland, United Kingdom and Germany. That is not impressive and is not likely to change for a number of years for several technical reasons. Read the details at PC Magazine.

Jackson, Mississippi Integrating Your Ring Camera into their Surveillance Network

To be clear, they are doing it with the owner’s permission. They are partnering with two companies who claim to be able to suck up your Ring camera data and feed it into the police department’s surveillance network. Obviously, if the city can get the benefit of thousands of surveillance camera feeds without paying for them AND they can really digest the data, then that may help them stop crime. If the cameras point towards the street and record people that are not on your property, YOU may be committing a crime (depending on the state), but since the cops want your data, they are unlikely to complain. On the other hand, the person who is captured on your video which is fed to the police may sue you. Just sayin’. While Ring has made a big deal of trying to get you to give your video feeds to your local police, this is not one of their projects. Credit: Vice

Attention Those 220 Million Web Sites That Use Let’s Encrypt

This is probably not a big deal but still worth mentioning. When Let’s Encrypt first came out it borrowed a friend’s root signing certificate since the browsers did not trust it. Years ago it became trusted when it issued its own root certificate. Now that original signing certificate is expiring and if your computer or phone does not have their new certificate, you will get an error message when browsing to one of the 220 million web sites that use Let’s Encrypt. NOTE that only affects old operating systems and old browsers that use those operating system’s certificate stores (this may be the reason why Chrome is moving away from using the OS certificate store). This doesn’t become a problem until September 2021, but IT managers should make a note of it because they will likely get at least a few calls. Credit: The Register

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, they knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle it self but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica  – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me precisely what cost Facebook $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless the do it secretly or Congress passes a law nullifying the social media terms of service, it is likely that social media platforms will terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet

Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one.  Office Depot got caught scamming its customers telling them they had (fake) malware on their computers when they asked OD and its vendor Support.com to scan their computers.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive,  historically, it has not always worked to your advantage.

Office Depot will pay $25 Mil in fines; Support.com another $10 Mil.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us” .  Plan on protecting yourself.  Source: Seattle Pi.

Earl Restaurants Admits Breach – Likely 2 Million Cards Hacked

Early Enterprises, parent of Buca de Beppo, Earl of Sandwich , Planet Hollywood and other brands finally admitted that their point of sale system was hacked.  For almost a year before someone told them.  No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies who have large breaches, like Equifax, are held accountable.

For companies that earn more than a billion dollars in revenue the consequences of a breach could be a year in jail.  Repeat offenders could get three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article in CNN discussing this very issue.

A Family with 5 kids is travelling around the world and when they arrived in Ireland, the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay.  It didn’t say if scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but AirBnB would not refund their money.

In fact, initially, AirBnB claimed to investigate the owner and after the investigation, said there was no problem and reinstated the listing.

Only after they posted the item on social media and the local New Zealand news stations picked up the item did AirBnB understand the potential brand damage and refund their money.