Tag Archives: Terrorism

Security News for the Week Ending June 4, 2021

Freaking Ooops: US Nuke Bunker Security Secrets On Public ‘Net Since 2013

Details of some US nuclear missile bunkers in Europe, including secret duress codewords, have been exposed publicly on the Internet. Journalists discovered it using simple search queries. The information was on training flashcards that should never have been public. It includes “intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the identifiers that a restricted area badge needs to have”. The information has now been deleted; it had been exposed since 2013. Good job, folks! Credit: The Register

If You Can’t Spy Yourself, Ask Your Friends for Help

It takes a village – even if that is a village of spies. The NSA got help from Denmark in spying on top politicians and other high-ranking officials in Germany, Sweden, Norway and France. They did this by asking the Danes to let them tap into an underwater fiber optic cable in 2012. Targets included Angela Merkel. Generally, politicians’ cyber hygiene habits are really poor, so the NSA probably found a lot of unencrypted data. Credit: The Hacker News

Watch Your Words When Discussing Breaches

If your company is in the unfortunate situation of dealing with a cyber breach, the lawyers say to watch what you say in email, Slack or similar channels, because it can come back to bite the company later. If you say to a coworker “oh, yeah, we knew about that bug for months” and the bug wasn’t fixed and that contributed to the breach, well, you can see how that could be a problem for the company. Obviously, it goes without saying that social media is definitely off limits for that kind of conversation. Unless you don’t like your job or the company. Read the details in SC Magazine.

ARIN Plans to Take Down Part of the Internet – This is Just a Test

ARIN, the American Internet IP address authority, plans to take down the RPKI infrastructure some time in July, without notice, just to see what breaks. In theory, if RPKI is implemented correctly, this going down should be a big yawn. We shall see. Credit: Bleeping Computer
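What “implemented correctly” means here is that a router doing route origin validation treats the loss of RPKI data as a loss of *protection*, not of *reachability*. The following is an added example (not from the original post, ARIN, or any router vendor) that models RFC 6811 origin validation in plain Python and then compares what a router accepts with a full set of ROAs against what it accepts when the validator cache is empty, as it would be during the ARIN test. The ROAs, prefixes and AS numbers are constructed from documentation ranges; the `accept_not_found` policy knob is this example’s own name for the router setting that decides whether NotFound routes are accepted.

```python
"""Model of BGP route origin validation (RFC 6811 semantics) and of what
happens to it when the RPKI repository becomes unavailable.

All data below is constructed: RFC 5737 documentation prefixes and
RFC 5398 documentation AS numbers, not real Internet routes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength, authorised origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 validation state of a route announcement."""
    route = ipaddress.ip_network(prefix)
    # A ROA "covers" a route when the route lies inside the ROA's prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND                      # no ROA says anything about this space
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return VALID                      # origin and length both authorised
    return INVALID                            # covered, but nothing matches


def accept(prefix: str, origin_as: int, roas: Iterable[ROA],
           accept_not_found: bool = True) -> bool:
    """Route policy: Valid is accepted, Invalid rejected, NotFound per policy.

    Accepting NotFound is the normal operational choice (most of the
    Internet has no ROA at all); rejecting it is the setting that turns an
    RPKI outage into a reachability outage.
    """
    state = validate(prefix, origin_as, roas)
    if state == VALID:
        return True
    if state == INVALID:
        return False
    return accept_not_found


# Constructed ROA set (what the validator would hand the router normally).
ROAS: List[ROA] = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64496),
]

# Constructed announcements: (prefix, origin AS) as seen in BGP.
ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),      # exactly authorised
    ("192.0.2.0/25", 64496),      # too specific: exceeds maxLength 24
    ("192.0.2.0/24", 64497),      # wrong origin AS (looks like a hijack)
    ("198.51.100.0/24", 64496),   # no ROA at all for this space
    ("2001:db8:1::/48", 64496),   # IPv6, within maxLength 48
]


def outage_report(routes: List[Tuple[str, int]], roas: List[ROA],
                  accept_not_found: bool = True) -> List[Tuple[str, int, bool, bool]]:
    """For each route: accepted with full ROA data vs. with an empty cache."""
    report = []
    for prefix, asn in routes:
        before = accept(prefix, asn, roas, accept_not_found)
        after = accept(prefix, asn, [], accept_not_found)   # repository gone
        report.append((prefix, asn, before, after))
    return report


if __name__ == "__main__":
    for policy in (True, False):
        print(f"\naccept_not_found={policy}")
        for prefix, asn, before, after in outage_report(ROUTES, ROAS, policy):
            print(f"  {prefix:18} AS{asn}  with ROAs: {before!s:5}  cache empty: {after}")
```

With `accept_not_found=True` every route is still accepted once the cache is empty, including the wrong-origin one that was being rejected before; that is the real cost of an RPKI outage, and it is invisible to users. With `accept_not_found=False` the same outage withdraws every route, which is the configuration the ARIN test is designed to flush out.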

FBI and DoJ to Treat Ransomware Like Terrorism

Since ransomware *IS* terrorism, it is nice to hear that the DoJ is going to treat it as such. Unlike the last administration, this time the FBI took direct aim at Russia as the culprit in a lot of the ransomware attacks. The US Attorney’s offices in every state have been directed to investigate ransomware attacks the same way that they treat other forms of terrorism. While they don’t have the resources to investigate every ransomware attack, any big attack or one that hits a critical industry will be handled just like a terrorist bombing. While this won’t fix the problem, more attention is good. Credit: ZDNet

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum that says that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claims that were made that the reason they have no evidence is, well, because there were no log files being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers and at least one of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says they own the copyright to it. A bit of a mess, but OnlyFans says they were not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage within the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – which you get to pay to repair – and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. The most recent case of that was the terrorist in Nashville who blew up a telephone company office and caused tens of millions of dollars of damage. That is the most that is in their way. Credit: The New York Times via The Intercept. https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommends Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ staffers (GCHQ is the UK equivalent of our NSA) suggest a law banning insurers from paying ransoms, in order to kill off the ransomware market. That would probably have some positive effect, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and rebuilding the computers, restoring what data you have and replacing the lost business for the data that you don’t have will cost you $2 million, the gov needs to fork over the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (this is the insurance company’s problem, not mine). Credit: The Register

Should We Compromise Security For Preventing Terrorism

After the Paris attacks, politicians have been falling all over themselves trying to be more anti-terrorist than the next. Prior to the attacks, the odds of the CISA bill in Congress were dicey. Now the odds are pretty high, even though that bill will do almost zero in terms of preventing terrorism.

One of the big issues is encryption.  Web site encryption (like HTTPS: or SSL/TLS) is really not an issue because the government cracked that years ago.  It takes them a little effort, but it doesn’t really stop them.

A bigger problem is encrypted phones – iPhones and Android phones – that Apple and Google do not have the keys to decrypt. This means that the gov has to get a judge to issue a subpoena and then go to the owner, assuming the owner hasn’t been killed, say by a drone strike, and get them to comply. If the owner is dead or not in the U.S., that is hard to do. Hence, the government would like to have a secure back door.

However, secure and back door cannot exist in the same sentence.  You can have either one – just not both.  Many noted cryptographers and computer scientists signed a letter to Congress recently stating this, so it is not just me who thinks this is not possible.

Assuming the government or many private companies had a skeleton key to get in (and there would need to be tens of thousands of these keys given the number of software vendors out there), and given the number of breaches of both government systems and private company systems, do you really think that we could keep a skeleton key private for many years? I don’t think so. And wherever those tens of thousands of keys are stored would be a super hot target for hackers.

Then you have the applications to deal with. There are thousands, if not hundreds of thousands, of applications, many written by one-person companies in some country like Ukraine or China.

Assuming the government required a back door, do you really think a developer in China would really care?  I didn’t think so.  Do you really think that you could stop a terrorist from getting that software from China or some other country?  No again.

So let’s look at the real world.

According to police reports and the Wired article, police have found cell phones next to dead terrorists – like the ones who blew themselves up in Paris – and in trash cans.  Are these phones encrypted with impenetrable encryption?  No, they are not encrypted at all.

Sure, some terrorists are using software like Telegram that is encrypted.  What we have to be VERY careful about is which software is really secure and which software only pretends to be secure.  The article gives some examples.  If you believe the FBI or NSA is going to tell you which software fits in which category, then I have a bridge for sale, just for you, in Brooklyn.

Once the feds find a phone, they can go to the carrier and get the call log from the carrier side.  That gives you text messages, phone numbers, web sites visited, etc.  Is this perfect?  No, it is not.  They used these facts in Paris to launch the second raid – the one in Saint-Denis – where they killed the mastermind of the first attack.  And, while they have not said this publicly, this is likely how they captured the terrorists in Belgium.

All that being said, would the feds love all the traffic to be unencrypted? Sure. Does that mean they are going blind, like they have claimed? Nope. Not even close.

In talking with a friend who used to be high up in one of the three letter agencies, he said that he has been warning them for 10 years that this is going to be a problem and they better plan for it.  How much planning they have done is classified – and needs to remain that way.

Creating the smoke screen that they are going blind is a great way to lull terrorists into a false sense of security – right up until the moment the drone strike happens.  If you don’t think that they are doing this on purpose, I recommend you rethink your position.

In talking with another very high ranking former DHS executive about whether we should weaken the crypto, he is very emphatic that the answer is no.

This is basically a repeat of the crypto wars of the 1990s when the FBI tried to force everyone to use a compromised crypto chip (called Clipper).  The concept didn’t work then.  Now, there is software being developed in every country in the world and if the NSA or FBI thinks that they can put the genie back in the bottle, they are fooling themselves.

I recommend reading the Wired article – it will provide a different perspective on the situation.

Information for this article came from Wired.

Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different than, say, the Target or Home Depot breach because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be a bit vague on coverage in case of acts of war or terrorism. Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism. The President was careful to call it cyber vandalism. I suspect a number of attorneys argued about that decision, and part of that decision may have been to try and avoid trouble with Sony’s cyber insurance policy. Of course, whether the President calls it vandalism has little impact on what the insurance company calls it, and while we have no indication yet that Sony’s insurance carrier is going to try and wiggle out of their policy, they still may. Writing a $60 million check does cause people to pucker up.

So then, you might rightfully say, if it is terrorism, did Sony have a terrorism policy?  That issue has not come up yet, so we don’t know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9-11, not a hacker erasing some computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It certainly would be smart for companies and their insurance brokers to review their coverages and exclusions in light of this.  And, at renewal time, it behooves them to read the policy carefully.

Whether Sony’s insurer will try playing this card is unknown – I guess we will have to wait and see.  And even if they do, it will take years to sort out.

One more time Sony is breaking new ground.

Mitch