Tag Archives: Warrant

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000,   We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion.  Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for China since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.   Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).

 

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.   It is reasonable to assume if we found these holes, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.

 

Security News Bites for the Week Ending Oct. 5, 2018

Web Page Load Times Double Due to Trackers

Trackers, those microscopic bits of pixie dust that web pages and advertisers insert into web pages to track our activities, make a significant negative contribution to user experience.

Full disclosure – this study was done by Ghostery, who makes software – free software – that blocks these trackers.

Ghostery looked at the page load time of the top 500 US web sites as defined by Alexa and discovered that it took, on average, 10 seconds longer to load with trackers enabled than when blocked by Ghostery.

The 10 slowest of the top 500 sites loaded 10x faster without trackers, saving users 84 seconds on average.

Obviously you could run their free software to reduce your page load times and I have run it for years.  It is amazing how many trackers can exist on one web page.  Source: Ghostery

Feds Issue Alert Regarding Remote Deskup Protocol

Sometimes it takes the feds a little while to realize what we have known for years.  Remote Desktop Protocol or RDP is a Microsoft mechanism for remotely logging in to another computer.  Sometimes people (not very wisely) enable this capability over the Internet.

RDP was designed for LAN administrators to remotely access a user’s computer or a server on the same network, so security considerations were never a top priority.  Over the years Microsoft has improved the security of RDP but still – my opinion – it is foolish to enable this so that a hacker in Timbuktu can try to hack into your network.

Finally, after several years of these widespread attacks, the FBI has issued an alert telling people this is not a good practice.  There are ways to secure that RDP connection, the easiest of which is to require remote users to establish a VPN connection first.  Source: Homeland Security.

Adobe Patches 85 Vulnerabilities in Acrobat and Reader

Adobe has released patches for 85 vulnerabilities in Acrobat and Acrobat Reader for both Windows and Mac.  85 is a pretty big number.  Some of the vulnerabilities allow for remote code execution while others allow for information disclosure or privilege elevation.  In other words, an entire buffet of problems.

This points to why it is so critical to understand what apps you have installed and make sure that they are patched quickly.  Every single time patches are released.  On every device in the network.  Desktops.  Laptops.  Servers.  Phones.  Tablets.  Everywhere.  As of today, Adobe says they are not being exploited in the wild – that they know of.  Tomorrow, at a minimum, every foreign intelligence agency in the world will have reverse engineered them and figured out how to use them as a weapon.  That doesn’t count the hackers.  Source:  The Register.

FBI Forces Child Abuse Suspect To Look at His Phone

In August, for the first time ever that we know of, the FBI obtained a warrant to force a person to look at his iPhone X to unlock it using Apple’s face recognition.  A month later he was charged with receiving and possessing child porn.

While no sane person is going to suggest that the judge should not have issued the warrant in this case, it points to the assumption that people have that stuff on their mobile devices is private.  A bad guy could put a gun to your head and that would likely have the same effect as the warrant.

Privacy is a relative term and as long as everyone understands that, we are all good.  Source: Forbes.

DoJ Indicts 7 Russian Hackers;  Odds of Them Standing Trial Are Almost Zero

The Department of Justice announced criminal charges against 7 Russian intelligence operatives this week, charging them with wire fraud, money laundering, identity theft and hacking.

Russia is unlikely to hand them over to the United States to stand trial and unless the Intelligence agents are not very intelligent, they will never visit any country that has an extradition treaty with the U.S.

That being said, a couple Russian criminal hackers (who are likely not as intelligent as GRU officers) have been known to visit countries friendly to us, so it is, technically possible, that they could wind up on trial in the U.S.  Just not very likely.

These indictments add more fuel to the fire that Russia is hacking us, although this is not specifically tied to the elections.  Source: CNN

 

Given that the President has

Microsoft, Amazon and Apple fighting together for privacy

The Department of Justice appears to be doing its best to kill off the cloud – at least in the U.S.

Microsoft has been fighting, for months, a DoJ search warrant to provide emails and address book information for a customer who’s data is stored in an Irish data center.

Microsoft has been fighting this search warrant at least since April when a New York judge ordered Microsoft to turn over the emails, but also suspended that order pending appeal.  This week Microsoft filed an appeal of the order and included Amicus briefs from Amazon, Apple, AT&T, eBay, Verizon and dozens of other organizations.

Assuming those emails were stored on the user’s PC in Ireland, it would be clear that the DoJ would need to get the Irish courts involved.  They could do a black bag job, but then the U.S. courts would never admit the evidence.

The reason, at least in part, for why there were over 40 amicus filings with this appeal is that part of the DoJ’s claim is that when personal emails and other documents are stored in the cloud they are no longer personal property, but rather business records, owned in part by the cloud providers.

While the records for this case are sealed, it appears to be part of a drug investigation and what is not clear is whether this person is a U.S. Citizen living in the US.

Microsoft is arguing that this data is being held by an Irish company (the Irish subsidiary of Microsoft) and if you want the data, you need to do so in Irish courts according to Irish law.  Assuming that this person they are going after is not an American, this makes perfect sense.

Microsoft argues that the U.S. would  not be fond of say, the Russian government ordering the Russian subsidiary of Microsoft to hand over information held in the U.S.  based on a Russian search warrant and Russian law — and that is hard to argue.

In another article,  Microsoft EVP and general counsel Brad Smith, when asked if users should encrypt their email in the cloud, said that encryption is important and protects data in many circumstances, but said that it would make it hard for Microsoft to hand over your stuff to the feds if it was encrypted.  Duh!  And your point is?  I am not sure what the downside to Microsoft is if they were to say yes to that question.  I don’t get their hedging.  Obviously, if they did that, like Apple and Google are doing with their smartphones, it would make the feds upset, but is that their logic?

Remember – and this is very important – that any form of transparent encryption where Microsoft or any other cloud provider holds the encryption keys, DOES NOT STOP THE PROVIDER FROM TURNING OVER YOUR DATA IF THEY WANT TO.  In fact, Smith specifically said that if the cloud provider does not hold the encryption keys, things get problematic for them (Microsoft).

If after all the appeals, the courts hold that YOUR data stored in the cloud is no longer personal property and is owned, at least in part, by the service provider, that will have a huge negative impact on U.S. cloud providers like Amazon, Google and Microsoft.  Constitutionally, the protection of your stuff, if it is ruled to be a business record of the cloud provider you are using, is dramatically less than if it is your personal property.

I assume this is likely to be appealed all the way up the the Supreme Court, so stay tuned.