2016-Info (January to August)

2016 Information of a general interest


Articles and items of note in chronological order

1/01/2016  Need help responding to a breach or security incident?

Got Ransomware? Start at NoMoreRansom.org

Do you think you just got a scam call? Read this and think on it before you send out all those W2s or send a wire transfer.

Read these eight points and the references at the end. Read also the Incident Response Paper Executive Summary from the Escal Institute of Advanced Technologies (SANS), November 2015. [ Ideally before the problems arise -ed ] As for the question of whether the discussion of cyber-security is, in and of itself, a bad idea, read what was published in 1853.

The Insider’s Guide to Incident Response from AlienVault is a good place to start. There are five sections covering: Arming & Aiming Your Incident Response Team, Incident Response Process & Procedures, Types of Security Incidents, Incident Response Tools and Incident Response Training. No charge for the download but some information is required.

Practical Security Guide to Prevent Cyber Extortion is a 22 page PDF from Panda Security. It is an easy read with many relevant graphics that describe what is happening, what to do, and what not to do. There is a focus on ransomware as a vehicle for extortion. It covers what to do if you’re a victim, what to do before you become a victim, and preloading the anxiety so that when the time comes your mind will be a little clearer. The end promotes its protection products.

Security Guide – Small Business & Free Lancers is an 18 page PDF from Panda Security. Also an easy read and a good place to start recognizing your exposures and how to address them. Where is the danger? Social engineering, email, telecommuting, cloud, mobile devices, and more are addressed.

What are your responsibilities in a breach? It depends not only on the state of the company, but the state of the residents. See this (96 page PDF) for a state-by-state summary of requirements.

1/02/2016  Buggiest of 2015

Based on the number of distinct problems the Buggy goes to …

Based on discrete listings in the not-for-profit Mitre organization’s Common Vulnerabilities and Exposures (CVE) Top 50 for 2015, here are the Top 10. Apple led the way:

384 Apple Mac OS X
375 Apple iPhone OS
314 Adobe Flash
246 Adobe Air Sdk
246 Adobe AIR
246 Adobe Air Sdk & Compiler
231 Microsoft Internet Explorer
187 Google Chrome
178 Mozilla Firefox
155 Microsoft Windows Server 2012

Summarizing by company, Microsoft led the top 5:

1,561 Microsoft
1,504 Adobe
1,147 Apple
317 Google
301 Mozilla

#6 had under 200.

To put this in perspective, for 2014 Microsoft still led the way, but at 524 distinct vulnerabilities, only about a third of the 2015 number. The link above allows you to review back to 1999, when the buggiest were Microsoft at 211 total and Windows NT at 64.

1/07/2016  Go jump in the river

Let’s be clear – this was not a “hack”, no security was breached; someone who knows what is going on behind the curtain did something interesting over the new year.

Servers record just about everything that happens in very large files called “logs”. Of special interest to system operators are error logs, not only because something might be truly broken, but because attempts to break things are often a precursor to some miscreant gaining entry to places they should not be.

In this case members of Chaos Computer Congress (CCC) used Masscan, a TCP port scanner that can scan the entire internet, the WHOLE thing, in less than 6 minutes, transmitting 10 million packets per second (available at Github), to submit a DELETE command whose parameter was the poem below. Because the command didn’t execute (unless there happened to be an available file whose name was the whole poem) it got logged. It might have been logged anyway; Masscan’s creator included a little note so system administrators would know they were being surveyed and not hacked. CCC went a little far in this demonstration of a very broad-band exploit that touched tens of millions of servers in under ten minutes. Their poetry needs a little work too.

DELETE your logs. Delete your installations. Wipe everything clean, Walk out into the path of cherry blossom trees and let your motherboard feel the stones.

Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you.

We know you’re out there, beeping in the hollow server room, lights blinking, never sleeping.

We know that you are ready and waiting. Join us. [ Source: Sophos -ed ]
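The kind of log review the passage above describes, as an added example that is not part of the original post, of Masscan or of the Sophos source: a small Python script that parses Apache-style combined-format access-log lines, flags requests that use a method the site never serves (DELETE here) or that carry an unusually long request target, and counts the flagged requests per source address. The sample log lines, the method allow-list and the 256-byte length threshold are all constructed for the demo; the source addresses are documentation ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S*) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

EXPECTED_METHODS = {"GET", "HEAD", "POST"}   # what this hypothetical site actually serves
MAX_TARGET_LEN = 256                          # assumed threshold for a "suspiciously long" target

# Constructed sample lines. The DELETE targets stand in for the poem-as-path requests
# described above (truncated, URL-encoded); the IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2016:00:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2016:00:01:05 +0000] "DELETE /your%20logs.%20Delete%20your%20installations.%20Wipe%20everything%20clean... HTTP/1.0" 405 0
198.51.100.7 - - [01/Jan/2016:00:01:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2016:00:01:11 +0000] "DELETE /walk%20out%20into%20the%20path%20of%20cherry%20blossom%20trees HTTP/1.0" 405 0
192.0.2.44 - - [01/Jan/2016:00:02:00 +0000] "OPTIONS * HTTP/1.1" 200 0
"""


def parse_line(line):
    """Parse one combined-format line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons an entry looks like scanner traffic (empty list = looks normal)."""
    reasons = []
    if entry["method"] not in EXPECTED_METHODS:
        reasons.append("unexpected method " + entry["method"])
    if len(entry["target"]) > MAX_TARGET_LEN:
        reasons.append("request target longer than %d bytes" % MAX_TARGET_LEN)
    return reasons


def find_anomalies(log_text):
    """Scan every line and return the flagged entries with their reasons attached."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line; a real pipeline would count these separately
        reasons = classify(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def sources_by_count(flagged):
    """Count flagged requests per source IP, most active first."""
    return Counter(e["ip"] for e in flagged).most_common()


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_LOG)
    for e in hits:
        print(e["ip"], e["method"], e["target"][:40], "|", "; ".join(e["reasons"]))
    print(sources_by_count(hits))
```

Both rules fire regardless of the status code, because the point of the passage is that a request the server refused (405 here) is still worth noticing; in practice you would feed the per-source counts into whatever alerting you already have rather than read them by hand.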

1/08/2016  Medical IDIoT

More Inherent Danger on the Internet of Things Medical

Medical devices are often just as hackable as other devices on the internet of things. The difference is that medical devices can kill you faster. (see November 2015 post)

Marie G. Moe, a Norwegian security researcher, had a heart problem, got a wireless-enabled pacemaker and joined the internet of things. The implant has not one, but two wireless networks. The close-range system allows pacemaker programming changes (adjustments). The longer-range system lets the pacemaker transmit data to the internet for logging and monitoring. She made a presentation (via the BBC) at Cambridge University’s Computer Security Group and the Centre for Risk Studies with the theme of what it feels like to live with a “vulnerable implanted device”. “Vulnerable”? Could be.

It could be hacked. Just a few realities and possibilities: In 2007 the sitting vice president had WiFi disabled for his implanted machinery over security concerns (CNN). Shockingly Easy (2008 Ars Technica). The Government Accountability Office (GAO) reports a growing danger that any remotely accessible implantable device could be hacked, and that the Food and Drug Administration (FDA) is behind the cyber-security curve (2012 NBC News). Microvolts or 830 volts triggered from 50 feet away? (2012 ComputerWorld) Murder by Hackable Implants (2014 NewScientist).

It could be mechanically flawed. In 2005 an implant manufacturer hid a flaw that caused some of those units to short-circuit and malfunction. There were an estimated 24,000 implanted and at least one death. In February 2005 the FDA issued an advisory about another implant with a shorting problem that could drain the battery. That model had been implanted 87,000 times.

It could have flawed programming. At least one error in the machine that adjusts Ms. Moe’s pacemaker caused her to black out while she was in the kitchen. Had it been while she was driving …. There is also the question of medical privacy. Her information goes to the internet, transmitted by short messaging service (SMS), Global System for Mobile Communications (GSM) and email. Are those secure? Is it protected like other personally identifiable information? How can you check?

Just trust us. Ms. Moe is no computer neophyte. She has experience with Norway’s Computer Emergency Response Team (CERT) and is a research scientist at The Foundation for Scientific and Industrial Research (SINTEF), the largest independent research organization in Scandinavia. Yet, the manufacturers won’t provide the information for independent review.

Think a moment. Printed medical decimal place errors kill people (6 page PDF). In 1999 the US National Aeronautics and Space Administration (NASA) lost a Mars orbiter because one engineering team used English units of measurement while another used metric measurements.

It is your life and “Trust Us” just isn’t good enough.

More on hacking devices to find problems before they take lives: I Am the Cavalry is an organization that works on cybersecurity issues affecting public safety, including medical devices, automobiles, home electronics and public infrastructure.

1/22/2016 Update  Medical IOT

The US Food and Drug Administration (FDA) released

Postmarket Management of
Cybersecurity in Medical Devices
– – – – – – – – – – – –
Draft Guidance for Industry and
Food and Drug Administration Staff

towards implementing improved cybersecurity for medical devices. Readers have 90 days to submit comments in accordance with the instructions at the beginning of the draft guidance (25 page PDF), a step in a good direction. See also 2016 Start of the Story and 2015 Hospital IOT / Billy Rios / Honey Pots & More.

1/08/2016  Mommy! BB-8 has a potty mouth!

The cutest ‘bot since R2D2 has a firmware update vulnerability.

Another Inherent Danger of the Internet of Things – Toys. Not a problem so bad that your home controls are at risk, but BB-8’s internet communications for firmware updates are via unprotected HTTP, not a secure connection. Thus, hackers within WiFi range could replace a valid update with their own. That could turn BB-8’s cheeps and chirps into something less appropriate for children. The absence of protected communications is more of an oversight, but with the growing number of items on the internet (see the post on a security researcher’s worst nightmare – a cardiac implant whose manufacturers say “just trust us” for cyber-security) that should become a basic checklist item, not an after-the-fact ooops! Source: TheRegister/UK Biting the Hand that Feeds IT

[ Could BB-8 be hacked to run wildly, perhaps into traffic? With children chasing it? Maybe this isn’t so benign after all. -ed ]

1/08/2016  Windows 10 Adware

Adware – software that places popups or notices for some product.
Slipstream – something unknown placed alongside, or inside, a known stream.

Microsoft has slipstreamed adware into some versions of Windows 7 and 8 that offers an update to Windows 10. There is no way to say nay and be done with it. You can close the window and it pops up again, and again, and again, ad infinitum, ad nauseam. Early efforts to remove this adware were effective, but only partly. April 2015 saw the first instance of patch KB 3035583, revealed to be the source of the Win10 adware. Two registry entries, DisableOSUpgrade and ReservationsAllowed, were supposed to “prevent Windows 7, Windows 7 for Embedded Systems, Windows 8.1, and Windows Embedded 8.1 Pro clients from upgrading” to Windows 10. “KB 3035583 was modified, fortified, and re-released nine times in 2015” according to Woody Leonhard of InfoWorld. [ See the link above for at least two, stronger, ways to eradicate this adware campaign which is working just fine … to drive users away – ed ]

1/09/2016  Two not-so-secure

A “secure” cellphone and a home security system, ah, not-so-secure.

Blackphone is marketed as the “most secure” Android phone available. “Every unique feature of the Blackphone 2 promotes enterprise confidentiality from the ground up, rather than security after the fact, or convenience at the cost of privacy. This clearly differentiates Silent Circle from its competitors.” (from BlackPhone manufacturer SilentCircle.) Yet, the Blackphone has a vulnerability that would allow some protection features to be bypassed. An app could be installed without permission and access features (such as preventing hibernation or sending and receiving text messages) and information (yours!) without your knowledge. More…

Home In-Security. A security researcher examined the security of an intruder alarm which claimed European Standard EN50131, Grade 3 (grade 1 is low, grade 4 is rather high; see links below for details). The company claims to provide a mechanism for generating “encrypted passwords”, yet when the alarm communicates with the company or when the mobile app communicates with the control panel (including password transmission) neither uses encryption or authentication. See the story from Sophos and the original post, which goes into great detail.

1/10/2016  McAfee 2015 Q3 Threat Report

The report is dated November 2015. From the preface:

Every hour more than 7.4 million attempts were made (via emails, browser searches, etc.) to entice our customers into connecting to risky URLs.

Every hour more than 3.5 million infected files were exposed to our customers’ networks.

Every hour an additional 7.4 million potentially unwanted programs attempted installation or launch.

Every hour 2.2 million attempts were made by our customers to connect to risky IP addresses, or those addresses attempted to connect to customers’ networks.

Topics included trends in fileless malware, mobile banking Trojans and the return of macro malware. Those, plus threat statistics including a high rise in Mac OS malware. (60 page PDF no charge, no registration required)

1/11/2016  Virus Cheats at Poker

[ we missed this in September 2015. It explains why some on-line poker players have an incredible win:loss ratio -ed ]

The Odlanor virus gets delivered the usual way, as part of another program or a general installer for another program. It is targeted toward poker players, so ancillary tools for the game are a likely source of infection. The malware starts by capturing screens from the two largest online poker sites: PokerStars and Full Tilt Poker. Those screens are made available to the malware operator, who can determine the player’s identification. When the malware operator joins games with those players they receive, in real time, information literally allowing the operator to see the other player’s cards. Source: WeLiveSecurity/ESET

1/11/2016  The Crime & The Time

A hacker and accomplices impersonated a bank site. Victims provided bank and charge card details. Arrested in 2013, Turkey charged Onur Kopçak with: identity fraud, website forgery, access device fraud and fraud. Found guilty, he was sentenced to 199 years, 7 months and 10 days. During the trial additional customers filed complaints. A new trial followed and ended 1/10/2015. The Mersin Third Criminal Court of General Jurisdiction added another 135 years to the original sentence for a total of 334 years, effectively a life sentence. More at TheHackerNews.

1/12/2016  Major News comes to the Dark Web

Founded in 2008, the non-profit organization ProPublica has won dozens of prizes including a 2010 Pulitzer Prize for Investigative Reporting, a 2011 Pulitzer Prize for National Reporting, a 2013 Peabody Award and two Emmy Awards in 2015. Their focus is investigative journalism covering controversial topics: money and politics, drugs, sports doping, NSA domestic spying and more.

The common web has well defined names, domains and locations. In the Dark Web you have an address, but that is all; the actual address is not available to you, it is anonymized. To access the Dark Web you generally use the Tor browser. Because the site isn’t determinable it is practically impossible to block. A nation that wants to block Twitter.com can do it. It is hard to block a site you can’t define, so the Dark Web is a place for hosts that don’t want to be found and Tor is the tool to access those sites.

ProPublica just launched a site on the Dark Web, the first major news organization to do so. To access the service use Tor and access http://propub3r6espa33w.onion. That link should get a “server not found” error if you try a regular web browser.

Despite its reputation for drug dealing and other criminal activity, there are some good reasons to have this kind of service. Journalists use it for more-secure contact with sources who may be, quite reasonably, afraid for their lives. Read more at NakedSecurity/Sophos.

1/15/2016  Advertising vs AdBlockers

A lot of content on the internet is supported by advertising. Some sites heap it on with a shovel, others put up just a few. Sometimes the ads are supplied from a vendor and sometimes those ads, no matter how discreet, contain malware. That is called malvertising. In defense people use ad-blockers. In a counter move some web sites check for ad-blockers and won’t serve content until the blocker is removed, which exposes you to potential malware. Even worse, some web sites are compromised to serve malvertising when they had no intention to do so. More at NakedSecurity/Sophos.

1/15/2016  Hack, probation, job offer?

It wasn’t a terrible hack as those things go, and the prosecution didn’t feel the need to make an impression. Read what happened to a talented young person who got a little guidance along the way at NakedSecurity/Sophos.

1/15/2016  Casino sues CyberSec Firm

Las Vegas-based casino operator Affinity Gaming operates five casinos in Nevada and six more elsewhere in the United States. In 2013 their systems were compromised, exposing more than 300,000 charge cards. In late 2013 Affinity hired Trustwave to determine what happened and clean it up. In January 2014 Trustwave reported that it had identified the breach source and contained the infecting malware. So far, so good. More than a year later Affinity was breached again. This time they hired another cyber-security firm, Mandiant, who reported that the malware from the first breach had never been completely removed.

A complaint (26 pages) filed in the US District Court in Nevada may be the first of its kind where a client sues over the quality of a post-hack cyber security investigation. Affinity alleges that Trustwave’s claimed skills were not evident and cites Mandiant in support of the claim. More at TheHackerNews.

1/18/2016  CEO: Send Money! It wasn’t the CEO

Accounting received an email message to send money to China. The message said to expect a call from a lawyer. The “lawyer” called, provided wire transfer instructions, the $480,000 went, and that was the end of the money. The issue is insurance. The company made a claim on its cyber insurance policy and it was denied. Why? The email was not a “financial instrument” as defined in the policy but business email compromise (BEC), which is not covered. BEC has cost over a billion dollars and is a modern business risk, but it appears the policy isn’t modern enough. A lawsuit is in progress. More at KrebsOnSecurity.

[ The instructions reportedly from the CEO set up accounting for a fake “confirmation”. The accountant missed an opportunity to get real confirmation by calling the lawyer’s firm at a known number and asking for it. It isn’t a secret from the person who gave you the wire instructions. Before acting, think about information, or instructions, that smell bad and that arrived on an incoming call. Reach out. It might not be your bank calling you. See a scam from last year with links for what you can do if you suspect a fake. -ed ]

1/20/2016 Update  Insurance: CyberRisk vs Crime

More on “Cyber Risk Insurance” vs “Crime Insurance” from Specialty Insurance Blog.

1/18/2016  Celebrity Hacker busted

On August 31, 2014, hundreds of pictures of women celebrities were posted on a website, then re-posted to other image-based websites. (more history) How did one hacker convince hundreds of the Hollywood elite to make it happen? Old fashioned social engineering, a few fake email addresses, authentic-sounding web sites and a level of ignorance you have to read to believe.

1/19/2016  Smart Meters Futz WiFi

Consumer proves smart meter jammed wifi and smartphone so utility did what?

A consumer was able to demonstrate that his new smart meter jammed his wifi and smartphone. So what did the power company do? Closed the issue with a “no problem”. Southern California Edison (SCE) smart meters had not one, but two, wireless devices. One makes a connection a few times an hour and didn’t impact service. The other is a ZigBee device, which uses a low powered digital radio specification to create mesh networks. It is simpler than some other network types and is used to connect devices that need short-range (10 to 100 meters line-of-sight), low-rate (250 kbit/second) wireless data transfer. Longer distances are possible when the units are meshed, so a house that is 1000 meters away from the actual hub can connect via a house 100 meters away that connects with another house 100 meters away, etc. The name comes from the waggle dance honey bees do when they get back to their hive.

The SCE ZigBee unit sent pings more than once a minute over channel 6. If your wifi is operating on channel 6 it will be seriously compromised. Signals can leak a little: a signal on channel 6 will affect channels 5 and 7 and maybe a little for 4 and 8. Many home wifi routers can operate on other channels. If you are having an unexplained problem with your home wifi, use a WiFi Analyzer (like this one) and see what is blasting around in your zone. (Although the source is several years old this problem still exists and can be exasperating for non-technically inclined consumers.)

1/19/2016  Is your password “password”?

Congratulations! You have the second most common of the worst passwords compiled from 2+ million leaked passwords collected during 2015. To see the others visit TeamsID or download a summary (1 page PDF) suitable for printing and posting as a reminder that even though it isn’t in the dictionary and longer than eight characters qwerptyuiop is still not a good password! For more advice on creating strong passwords see this from NakedSecurity/Sophos.
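A password check in the spirit of the advice above, as an added example that is not part of the original post or of the TeamsID list: a Python function that rejects a candidate if it appears on a constructed, partial worst-passwords list, is shorter than an assumed 12-character minimum, or contains a run of four or more adjacent keys along a US keyboard row in either direction. That last rule is what catches a string like qwerptyuiop, which passes a plain length-and-dictionary test. The keyboard rows, the length policy and the sample list are assumptions for the demo; only "password" (second place, per the text above) and "123456" are entries from that kind of list, the rest are illustrative.

```python
# US keyboard rows; assumption: a run of adjacent keys along one of these, forwards or
# backwards, is what we treat as a "keyboard pattern".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed, partial stand-in for a published worst-passwords list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "football", "letmein"}

MIN_LENGTH = 12   # assumed policy; the text only says "longer than eight" is not enough
MIN_RUN = 4       # a run of 4+ adjacent keys along a row counts as a keyboard walk


def longest_keyboard_walk(password, min_run=MIN_RUN):
    """Longest substring of the password that runs along a keyboard row in either
    direction; returns '' if no run of at least min_run keys is present."""
    p = password.lower()
    best = ""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):          # forward and reverse walks
            for i in range(len(seq)):
                # try the longest chunk starting at i first, stop at the first hit
                for j in range(len(seq), i + min_run - 1, -1):
                    chunk = seq[i:j]
                    if len(chunk) > len(best) and chunk in p:
                        best = chunk
                        break
    return best


def weaknesses(password):
    """List the reasons a candidate password is weak; an empty list means none
    of these checks fired (which is not the same as the password being strong)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    walk = longest_keyboard_walk(password)
    if walk:
        reasons.append("contains keyboard pattern '%s'" % walk)
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "qwerptyuiop", "0987654321", "Tangent-Muffin-74-Lantern"):
        print("%-28s %s" % (candidate, weaknesses(candidate) or "no weakness found"))
```

Lowercasing before the row comparison means capitalised walks such as "QwErTy" are still caught; a production check would also compare against a full breach-derived list rather than six entries, and would treat an empty result as "not obviously bad" rather than as a strength score.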

1/20/2016  Supreme Court Upholds an aspect of Class Actions

The Supreme Court has recently enforced arbitration clauses that prohibit class actions. Today, the court ruled 6-3 that offering to pay an individual plaintiff does not end the possibility of a class action. The case was Campbell-Ewald Company v. Jose Gomez. Justice Ginsburg delivered the opinion, joined by Justices Kennedy, Breyer, Sotomayor, and Kagan. Justice Thomas filed a separate concurring opinion. Chief Justice Roberts filed a dissenting opinion, joined by Justices Scalia and Alito.

[ In our opinion this was a decision supporting consumer rights. This NYT editorial says so better. We also found of interest the amicus curiae briefs filed by AFLCIO, Chamber of Commerce of the United States of America & Business Roundtable, Constitutional Accountability Center, Consumer Data Industry Association, KBR, Inc., Lawyers for Civil Justice, Legal Aid Society of the District of Columbia, et al., National Defense Industrial Association, National Employment Lawyers Association, et al., National Right to Work Legal Defense Foundation, Inc., NECA-IBEW Welfare Trust Fund, Public Justice, P.C. and AARP Foundation Litigation, The National Black Chamber of Commerce, Trans Union LLC, Washington Legal Foundation, and a motion by the Solicitor General to participate in oral argument as amicus curiae and for divided argument. -ed ]

1/20/2016  Freezing Kid’s Credit

Some misinformation on freezing credit for children is corrected by security researcher Brian Krebs who reports that not all states and not all credit reporting services provide the same protections.

First – there is no federal law in effect. The Protect Children from Identity Theft Act would give parents and guardians the ability to create a protected, frozen credit file for their children. The bill was introduced in the House of Representatives on March 26, 2015. It was referred to committee the same day and is still there as of today. The odds of it becoming law are low. Absent binding federal law the states are free to make their own laws in accordance with the 10th Amendment to the Constitution. For what you can do for protection today see KrebsOnSecurity.

1/22/2016  Facebook Friend Finder ruled Illegal

in Germany.

Big data crunching can move from beneficial to frightening pretty quickly. Facebook crunched mutual friends, work history, education information, and contacts imported from many sources all to boost their ad revenue. Some don’t like the way it was marketed.

Last week the Federal Court of Justice, the highest court in Germany, affirmed the ruling of two lower courts that this “deceptive marketing practice” violated German laws regarding data protection and unfair trade practices. Facebook’s “friend finder” constituted advertising harassment. The original case was brought in 2010 by the Federation of German Consumer Organisations (VZBV).

3/6/2012 First ruling ZDNet. 1/14/2016 Final ruling Reuters. 1/22/2016 More from NakedSecurity/Sophos.

1/26/2016  Don’t Try This – REALLY

Some people try dangerous things for the thrill. Some other people drive a 12′ tall truck and look to see if the police are around before trying to drive under an 11′ bridge. Some others say “hold my beer and watch this”. We’re not sure what they were trying as the recording was damaged in the crash.

So, if someone sends you a link to Crash_My_Apple_Device.com (not its real name) would you try it? Yep, some will. There is some Java code on the site that goes round and round allocating memory and grinding your iPhone or Mac to a crawl. Firefox says the script is unresponsive and lets you quit the page early. If you want the details of what is happening see this at NakedSecurity/Sophos. Again:

Don’t open a link that says “Crash Me”
Don’t send one to anyone else either!
Security is in YOUR hands!

1/28/2016  Baby Monitors Scream AT Kids

Crooks have hacked baby monitors to make parents cringe.

Weaknesses in lightbulbs, baby monitors, and hospitals and other Inherent Dangers in the Internet Of Things have made the news in recent years. This time they’re messing with the kids of the Big Apple. New York City, Department of Consumer Affairs (DCA), is investigating baby monitors that have been hacked despite being advertised as “secure”. “DCA is investigating whether the companies have corrected known security vulnerabilities with their devices and whether their security claims violate NYC’s Consumer Protection Law, which prohibits deceptive and misleading advertising. DCA’s actions follow the disclosure by cybersecurity researchers that many of the top-selling Internet-connected baby monitors, which are often marketed as secure, are easily exploited by hackers. Some of those hackers have created websites that stream footage from unsecure Internet-connected video monitors.” (source) More at TheNextWeb

1/28/2016  ID theft way up

U.S. Federal Trade Commission (FTC) reported a 47% increase in identity theft complaints in 2015. Tax refund fraud was a large contributor to the rise. See the new resource for consumers at IdentityTheft.Gov. Much more at KrebsOnSecurity.

1/28/2016  Malware growth

Like many biological organisms, malware seems driven to grow, and grow it did.

PandaLabs is the research arm of Spanish security vendor Panda Security. They report more than 80 million new malware samples during 2015. Putting that in perspective, over 200,000 new malware samples appear every day. This brings the total to 304 million samples, which also means more than 25% of all malware sampled was new in 2015. 52% of the samples were trojans, 23% were viruses, 13% were worms, 11% potentially unwanted programs (PUPs, often adware) and just 2% were spyware.

An estimated 57% of China’s computers were infected. That is the highest rate. Taiwan had a 49% infection rate followed by Turkey / 43%, with Colombia and Uruguay at 33% each. With an infection rate below the global average were Italy / 31.84%, Hungary / 30.23%, Venezuela / 30.11%, United States / 29.48%, Canada / 29.03%, Austria / 28.96%, France / 27.02%, Australia / 26.87%, Japan / 25.34%, Germany / 22.78%, UK / 21.34%, Sweden / 20.88%, Norway / 20.51% and Finland / 20.32%. (source) See PandaLabs 2015 report (31 page PDF)

[ If growth stays stable at 25% in 2016 we’ll have 380 million, in 2017 475M and will get worse and worse until you need a supercomputer just to run your anti-malware software. Yet, why should growth stay stable at all? -ed ]

1/28/2016  Drone Hacking

Do you have heartache over someone tapping your cell phone? How about when your friends do it? A US/UK operation has hacked, decrypted, and tracked live video feeds of Israeli drones and aircraft since at least 2009. See this article in TheIntercept.

1/29/2016  Simpler, broader, wireless from NOT(your ISP)?

This won’t come soon, but someone found an underused section of spectrum and was able to use a millimeter wave signal to provide wireless internet service. Read about Starry at eWeek (11 slides and a few paragraphs) and you can dream of dumping the unresponsive provider you have now.

1/29/2016  We passed it without reading it?

Cyber security researchers may now need “export licenses” to do research that crosses borders.

In May 2015 the US government updated the multi-nation Wassenaar Arrangement to keep malware from spreading by requiring licenses to access such software from across borders. Sounds good, but will the crooks obey the law? Probably not. How about security researchers?

Cybersecurity experts pointed out the problem in July 2015 (two months after the update) when the US Department of Commerce solicited feedback on proposed rules to implement the update. Is it really a problem? First know that these export licenses are at no-charge, but take weeks to obtain. Cyber time is measured in fractions of a second.

A US company assisted foreign law enforcement to identify a hacker who was remotely taking control of computers using them for criminal purposes. The US company accessed the malware as though they were in the foreign country and identified the hacker. The US and that foreign country are signatories to the Wassenaar Arrangement. Under the new rules the US company needs to get an export license from the United States Commerce Department’s Bureau of Industry and Security (BIS).

In 2015 the US issued 37,000 export licenses. Remember that weeks-long delay? Now Microsoft alone estimates it will need “hundreds of thousands” of them just for its own cybersecurity research and its work with other companies in other nations toward making its products more secure. More at CNET.

1/29/2016  Amazon Spoofers

Apparently Amazon Customer Service (ACS) will tell anyone almost anything as long as they say they are you, even if they are not. The key appears to be that Amazon uses your email address as an identifier, so use a special email address just for that. See the article for more suggestions. Read at ArsTechnica how an accomplished cyber security person had Amazon customer service reveal data to a fake.

1/29/2016  Is your IOT camera protected?

That nifty security camera may be working for someone else. Crooks can watch homeowners and businesses unless you protect access by changing the default passwords and securing them in other ways. See DailyMail/UK

1/31/2016  How does malware get into Google Play Store?

Also: there is an election going on – vote!

How does malware get into the play store? Part of the answer is simple: volume. There are over 2 million apps there already and about 50,000 being added each month. That leaves little time for inspection via automation or humans. At the RSA Conference / USA 2016 (2/29/2016-3/4/2016 at the Moscone Center, San Francisco) there may be a presentation on The Secrets of Malware Success on Google. What election? Why “may”? The RSA Conference is crowdsourcing some of the selection. Go to the URL above, provide an email address to register to vote, then vote. Here is the leader board for the top 25. Only 17 will be presented. You have until midnight Pacific time 2/9/2016 to vote. More at NakedSecurity/Sophos.

2/01/2016  Don’t Panic

A counterpoint to the claim that “weak” security, in the form of backdoors to encryption, is needed.

Don’t Panic
Making Progress on the “Going Dark” debate

was published 2/1/2016 by The Berkman Center for Internet & Society at Harvard University. The Findings first paragraph:

Although we were not able to unanimously agree upon the scope of the problem or the policy solution that would strike the best balance, we take the warnings of the FBI and others at face value: conducting certain types of surveillance has, to some extent, become more difficult in light of technological changes. Nevertheless, we question whether the “going dark” metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not.

The entire paper (37 page PDF) is available online. The statements from some members are in Appendix A. The lead statement frames the issue in an excellent manner (source: paper page 23). Appendix B lists participants, which include DHS, federal judges, NSA, cyber security researchers, professors, and many others.

2/01/2016  Liberty Reserve founder guilty

Liberty Reserve, an alternative currency, was shut down in May 2013. Arthur Budovsky founded the Costa Rica-based virtual currency system in 2006. On 1/29/2016, as part of a plea agreement, he pleaded guilty to one count of conspiring to commit money laundering for laundering $250 million, potentially a 20 year sentence. Originally, the estimate was over $6 billion in laundered funds. More at Data Breach Today. See also Faux Card Store Shut.

5/06/2016 Update  Liberty Reserve founder sentenced

More than three months after being found guilty, Arthur Budovsky was sentenced to 20 years for money laundering. The alternative currency Liberty Reserve was determined to be a global money-laundering scheme and “the financial hub for cyber criminals around the world”, effectively a “black market bank” that filtered an astonishing six billion dollars on behalf of crooks. More at The Hacker News.

2/01/2016  BitCoin swiper re-arrested

The day before Shaun Bridges was to turn himself in to start his prison sentence he was arrested at home in Laurel, Maryland. A former agent for the US Secret Service, he had diverted over $800,000 in bitcoins obtained in the Silk Road prosecution to himself. During the recent arrest officers found packed bags with his passport and corporate records for three offshore entities in Nevis, Belize and Mauritius. [ Any chance he stashed some of the funds off shore and was running away? -ed ]

2/02/2016  Nature & Technology

Nature can sometimes complete tasks better than technology. Sometimes nature can be assisted by technology. Here is a brief video showing a test deployment of a police canine from a helicopter still in motion. The canine moves faster than the eye can see. Video 39s That is a low flying, self guided, hard charging, strong tooth capable counter crime canine with turbo charged four-paw drive.

Capturing drones with other drones has been difficult. Japanese police have been working on catching them using a net which certainly expands the intercept area (video 1m 15s) but still requires a skilled operator in visual range. So, the Dutch police are working with eagles to catch drones. (article and 2m 43s video) The first eagle we see? The American Bald Eagle, symbol of our nation.

Drone Hunting Eagles and Air Launched Canine Missiles, truly we are embracing the wealth of experience nature has provided.

2/02/2016  Spammer Jailed

Spam comes in the US mail, email and most recently via text message. Good news – one major spammer, Phillip Fleitz, 37, of Pennsylvania, is going to spend more than two years in federal prison for his part in a massive spam campaign. More at PandaSecurity.

2/03/2016  F35 Maintenance – Unavailable?

Lack of database security is going to keep very expensive equipment grounded.

Engine and airframe maintenance information can’t be accessed because US Cyber Command requires better security. So, access to the database from a government network is not allowed. Immediate effect? Combat testing of the F-35 will likely be delayed. More at TheRegister/UK

2/03/2016  IOT – Buildings

Office environmental systems that allow remote monitoring or control can be portals for hackers. See article at FastCompany and the original survey from FacilitiesNet.com

2/04/2016  Bill to Limit Arbitration

Back in December 2015 we wrote about how the Supreme Court upheld the inclusion of mandatory arbitration clauses, effectively preventing smaller plaintiffs from forming class actions. The pendulum may be swinging back in support of consumer rights. Two senators, Al Franken of Minnesota and Patrick J. Leahy of Vermont, introduced legislation that would prevent civil rights cases, employment disputes and other crucial lawsuits from being forced into arbitration, where arbitrators (who commonly consider the companies their clients) replace impartial judges and juries. “Legal fine print … [ forces ] consumers into private arbitration, denying us of our constitutional right to protect ourselves in court.” per Senator Leahy. Arbitration is so prevalent you may not realize you’ve signed away your right to a day in court when you rent a car, open a bank account, get a job, or place a loved one in a nursing home. The bill is likely to face opposition within the government and from pro-business interests. More at The New York Times

2/05/2016  iPhone6/iOS9 – Error53 Bricks you

The unit is permanently disabled if it detects a non-Apple repair, but only under iOS9. Yep, it may function without error until the update. A journalist in Macedonia needed his phone repaired. There were no Apple stores anywhere near, so a local shop did the job and the phone worked fine until … the update turned it into a brick. An Apple store in London could “do nothing” for him. He is not alone. Use any search engine for “iPhone 6” and “error 53” (without the quotes) to find many, many more. This is supposed to be a “security” feature for the home button that contains the TouchID fingerprint sensor, but it has also affected customers with damaged phones that were never repaired. More at The Guardian

Apple responded, acknowledging the existence of error 53 and the security reasoning behind validating and re-validating the TouchID sensor. Non-Apple repairs invalidate the warranty and may render the phone useless. The lack of Apple repair facilities in many parts of the world went unaddressed. More from Apple Insider.

[ Is it a deliberate anti-competitive measure to end non-Apple repairs? -ed ]

2/06/2016  eBay NOT to fix major bug

Per CheckPoint: eBay has a vulnerability that allows attackers to bypass a key restriction that prevents user posts from pushing JavaScript code to be executed on end-user devices. A specialized technique allows the insertion of JavaScript that calls different payloads to deliver malware to the user. eBay is not planning on fixing this. More at ArsTechnica

2/07/2016 Update  eBay will fix major bug, partly

In a quick response to outrage eBay has fixed, at least partially, the bug described above. See TechWeek Europe

2/06/2016  Two Tax Prep companies report problems

TaxSlayer and TaxAct, both tax preparation software companies, reported unusual activity involving their customers. Neither has suspended filing and both believe there has not been a breach. TaxSlayer believes about 8,800 individual accounts were accessed, not as a breach, but using recycled user names and passwords compromised from another source. TaxAct suspended about 500 accounts after identifying instances of suspicious activity. More at Forbes

2/06/2016  Payback for Dridex

Dridex is a nasty banking trojan, generally spread by spam, often with a Word document containing malicious macros which download malware from a remote server. It appears someone has hacked the Dridex remote servers and, when a computer is infected with Dridex, the anti-virus software from Avira is delivered instead. While it is appreciated it is probably still not legal. More at BetaNews

2/08/2016  Good News: Dyre Busted

Good News in Cops vs Crooks, the creators of the nasty banking trojan Dyre have been arrested. Reuters from 2/6/2016.

2/08/2016  Smartphone more valuable than silver

At about $15 per ounce solid silver is less expensive than many smartphones.

Yet, do people protect their smartphone like precious metal? Not even close. Worse they store items of information more valuable than either. Things like social security numbers, passwords or other access codes, plaintext versions of charge cards and the thing you’d like least to see spread on the internet, those … personal … pictures. Read more at HuffPo.

2/08/2016  Cyber-Security: Change in Orientation

It is axiomatic we can’t counter all unknown threats with known solutions. This is why the “first mover” advantage exists. The second mover has to adapt to novel situations before presenting a response. There are few “secrets” in cyber-security, the crooks know what the cops know. Instead of a reactive response Minerva Labs has developed software to protect proactively creating prevention without, or before, detection. More at HuffPo

2/08/2016  Sometimes it isn’t money

You don’t have to actually take money to make a profit.

Last year hackers launched a virus at a bank and used it to significantly alter … the exchange rate. Using the 20% differential wedge the crooks bought foreign currency to the tune of nearly half a billion US dollars at decidedly non-market rates before the wedge settled out. Because the currencies were not sold (so it appears) there was no profit leading to conjecture this was a proof-of-concept practice before a larger attack. More at Fortune.

2/08/2016  Apple Users: Beware WiFi Assist

iOS9 (the same one that bricks your phone if you used a third party repair) has “WiFi Assist” enabled by default. When enabled, WFA allows your device to send data over a 4G cellular network if it will go faster than WiFi. There is no duration limit, so the iPhone could bounce between WiFi and 4G repeatedly, racking up bandwidth charges. Check your settings and DISABLE WFA if you want to only do data over WiFi. (Thanks to RICIS, Inc)

2/08/2016  Get call, evacuate house?

A phone call that CallerID reported as the police department motivated someone to leave home in a hurry. Burglars appreciated it being empty. It wasn’t the police on the phone. Remember: CallerID can be spoofed and consider unusual incoming calls (and emails) before taking action. See related story about having your strings pulled and more on this from Naked Security / Sophos

2/09/2016  Gag me with a First Amendment?

Can you sign away your Freedom of Speech? In some places, yes.

In many a contract, or agreement with binding force, you might find something called a “non-disparagement” clause which basically says you won’t say what dreck you got. Essentially it is a gag order on the dissemination of bad news, generally buried way down in the fine print. Even if the “Picasso” you ordered was an inch by an inch of what looks like sneezed paint you can’t complain. Hotels have imposed non-trivial fines on guests for bad reviews, an apartment complex threatened a heavy fine for residents breaking a “social media addendum” prohibiting bad online reviews, and consumers can be fined for posting bad reviews. Don’t pay the fine? Get referred to credit and collections for the unpaid debt.

Let us be clear: if you post, or otherwise make public, information knowingly false you may have committed libel and that is a tort, a civil offense. The truth is generally considered an “absolute defense” against libel and its verbal companion slander. These were truthful reports of dreck.

These anti-disparagement clauses are legal in all states except California which passed The Yelp Bill to protect customers who wrote critical reviews. A similar bill was introduced in the Maryland House on 2/3/2016. There is a federal bill, S.2044 the Consumer Review Freedom Act of 2015 that was introduced in December 2015 with bi-partisan support. The draft is not perfect. If you write a review and assign rights to the company being reviewed there are options under the Digital Millennium Copyright Act (DMCA) to squash the review. The Electronic Frontier Foundation recommends this be addressed. Let your congress people know you support S.2044 the Consumer Review Freedom Act of 2015 and let us restore our First Amendment right to bitch (truthfully) about dreck! More at Naked Security / Sophos

[ Note that NS/S is based in the UK and regularly reports on news of major importance to us here in the colonies that our own news organizations seem to miss. Thanks to them! – ed ]

2/10/2016  Congress Flexes 10th Amendment Muscle

Congress: States, stop asking for encryption backdoors.

Two representatives submitted draft (3 page PDF) legislation on 2/4/2016 to stop states, at least individually, from requiring back doors for encrypted communications. The title shows the work of dedicated and creative persons in creating acronyms. The full title is Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016, gratefully with an alternative, and much shorter, title: ENCRYPT Act of 2016.

There are arguments for law enforcement to read encrypted communications and against it. The arguments against it include that any backdoor can be co-opted by crooks, that strong encryption prevents inadvertent exposure, and it imperils personal freedoms. See this for a recap of the pros and cons. The point of view that “going dark” endangers us was countered with the publication of “Don’t Panic” showing that there are other ways to provide surveillance. More at Ars Technica.

2/11/2016  Good news: Flash being Booted

Adobe Flash, that great idea that crooks turned into the malware superhighway, is getting the boot from Google. Google posted that all display ads are going 100% HTML5. Uploads of ads with built-in Flash will be stopped 6/30/2016. On 1/2/2017 ads in Flash format won’t be allowed to run. While this is a good news event there is one large hole: video ads with Flash are still allowed. Flash isn’t dead though – Adobe is re-branding it as “Animate CC” in the next update.

2/11/2016  Good news: White Hats Strike Again

Continuing in a recent trend of hacking-for-good, White Hat Hackers (WHH) are at it again.

In late 2015 a WHH infected 10,000 vulnerable WiFi home routers, connected them to a network, and distributed the payload. Rather than damaging malware, the beneficial payload checked for crooked activity or real malware and asked owners to change their default password and close vulnerable ports. Earlier this year another WHH co-opted the Dridex banking trojan network to deliver anti-virus software. This time more than 70,000 home routers were hacked in the same manner as the late 2015 batch. More at The Hacker News

[ Hacking is generally illegal, but some crimes done pro bono publico (for the public good) are often excusable, perhaps with the necessity defense. I’d like my tax dollars to investigate, but not prosecute, the White Hat Hackers. -ed ]

2/11/2016  ECC in BTC BW defeated

Elliptic Curve Cryptography fails to secure brain wallets

What is Elliptic Curve Cryptography (ECC)? Simply a new way of converting information into something only the intended can read. See this from October 2013 as a starting point.

What is wrong with ECC in a BW? On 2/8/2016 several researchers published a paper (6 page PDF) where they reported on an examination of the specific elliptic curve used by many users in “brain wallets” for Bitcoin and other alternative currencies. From the abstract: “Our implementation improves the state of the art by a factor of 2.5, with focus on the cases where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation. We also give some examples of passwords which we have cracked, showing that brain wallets are not secure in practice even for quite complex passwords.” [ our emphasis -ed ]

How did they do it? They used Amazon EC2 computing and, thanks to their efficiency, were able to process 17.9 billion passwords for one US dollar. Checking a trillion passwords turned up 18,000 in use, ranging from the simple “hankou” (a city in China often written Hankow in western languages), to the moderately complex “to be or not to be”, to what used to be considered very complex, “{1summer2leo3phoebe”.

More at Naked Security / Sophos
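Why is a brain wallet so cheap to scan? The derivation is a single, unsalted SHA-256 of the passphrase, so one pass over a password list tests every brain wallet on the chain at once. The Python below is an added example (not code from the article or from the cited paper): it shows that derivation next to a salted, iterated derivation for contrast. The PBKDF2 parameters, the cost scaling and the weak-passphrase list (built from the three passphrases quoted above) are assumptions for illustration.

```python
"""Brain-wallet key derivation versus a salted, iterated KDF (added example)."""
import hashlib
import os

# Order n of the secp256k1 group Bitcoin uses; a private key must lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_privkey(passphrase: str) -> int:
    """Classic brain-wallet derivation: the raw SHA-256 of the passphrase is the key.

    No salt and no iteration: one hash per guess, and every wallet shares the same
    passphrase-to-key mapping, which is what makes a blockchain-wide scan possible.
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    key = int.from_bytes(digest, "big")
    if not 1 <= key < SECP256K1_N:  # astronomically unlikely, but a real key must be checked
        raise ValueError("digest is not a valid secp256k1 private key")
    return key


def hardened_privkey(passphrase: str, salt: bytes, iterations: int = 200_000) -> int:
    """Hypothetical hardened derivation (assumed parameters): per-wallet salt plus an
    iterated KDF (PBKDF2-HMAC-SHA256). The salt defeats one-list-scans-all, and the
    iteration count multiplies the attacker's cost per guess by `iterations`."""
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)
    key = int.from_bytes(digest, "big")
    if not 1 <= key < SECP256K1_N:
        raise ValueError("derived value is not a valid secp256k1 private key")
    return key


def guesses_per_dollar(hashes_per_dollar: float, iterations: int) -> float:
    """Scale the article's 17.9 billion SHA-256 guesses per US dollar by the KDF cost."""
    return hashes_per_dollar / iterations


# Constructed from the three passphrases the article reports as cracked.
ARTICLE_CRACKED = {"hankou", "to be or not to be", "{1summer2leo3phoebe"}


def is_known_weak_passphrase(passphrase: str, weak_list=ARTICLE_CRACKED) -> bool:
    """Defensive check: refuse passphrases already known to have been cracked."""
    return passphrase in weak_list


if __name__ == "__main__":
    phrase = "to be or not to be"
    print(f"brain wallet key for {phrase!r}: {brainwallet_privkey(phrase):064x}")
    print(f"hardened key (random salt):     {hardened_privkey(phrase, os.urandom(16)):064x}")
    print("guesses per dollar at 200k iterations:", guesses_per_dollar(17.9e9, 200_000))
    print("known weak:", is_known_weak_passphrase(phrase))
```

The cost scaling is the whole point: at the article's rate, one dollar buys 17.9 billion single-hash guesses, but only about 89,500 guesses against a 200,000-iteration derivation, and the per-wallet salt means each wallet has to be attacked separately instead of all of them at once.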

2/11/2016  New Surveillance Tools

The Inherent Danger in the Internet Of Things just got more dangerous as a tool for … James Clapper, the US director of national intelligence, in Senate testimony regarding an assessment of threats facing the United States, said “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials”. Source: The Guardian   Related: See the “Don’t Panic” paper

2/12/2016  Win10, phoning home, lots

What we’ve been told: Windows 10 will stop tracking your activities if you set the proper settings. What appears to be happening: With all options set for max privacy and telemetry features disabled, Windows 10 transmitted something over 5,000 times a day.

The test: A researcher set up a Windows 10 Enterprise virtual machine on a Linux laptop and used a DD-WRT router to monitor traffic. Win10E was selected because that version has more control over settings than Win10 Home. Every single tracking and telemetry feature in the operating system was disabled.

Traffic Analysis #1: In eight hours the idle Win10 had tried over 5,500 connections to 93 different IP addresses. Of those connections 4,000 were made to 51 different IP addresses belonging to Microsoft. After 30 hours the Win10 machine had added 113 non-private IP addresses, exposing the data to third parties. Some of the material is being transmitted outside the United States, meaning what we’re not sure, but exporting data to a country with less powerful consumer protections can’t be good for consumer privacy.

Traffic Analysis #2: A new install of the Windows 10 Enterprise virtual machine had all tracking disabled and a third-party tool known as DisableWinTracking activated. After 30 hours there were only 2,758 connections to 30 different IP addresses. So is Win10E just checking the time 90 times an hour? Looking for updates? For more see The Hacker News.
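The measurement itself is simple to reproduce on any router that can export its connection log. The Python below is an added example (not the researcher’s tooling and not from the article) that runs the same kind of count over a few constructed log lines: total connections, distinct destinations, connections per hour, the share going to prefixes an administrator has attributed to the OS vendor, and the remaining destinations that deserve a closer look. The log format, the addresses (documentation ranges) and the vendor prefix list are constructed placeholders; the same egress check applies to any always-on device, including the camera and DVR stories later on this page.

```python
"""Summarize an idle machine's outbound connections from a router log (added example)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample of a router-side connection log: timestamp, source, destination, port.
# Addresses are from the RFC 5737 documentation ranges, not real vendor or third-party hosts.
SAMPLE_LOG = """\
2016-02-12T01:00:03 192.168.1.20 203.0.113.10 443
2016-02-12T01:00:40 192.168.1.20 203.0.113.10 443
2016-02-12T01:01:12 192.168.1.20 203.0.113.11 80
2016-02-12T01:02:55 192.168.1.20 198.51.100.7 443
2016-02-12T01:03:30 192.168.1.20 203.0.113.10 443
2016-02-12T01:05:02 192.168.1.20 198.51.100.9 443
2016-02-12T01:59:59 192.168.1.20 203.0.113.11 443
2016-02-12T02:10:00 192.168.1.20 192.0.2.44 443
"""

# Constructed placeholder: prefixes the administrator attributed to the OS vendor via whois.
VENDOR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, ipaddress.ip_address(dst), int(port)))
    return sorted(records, key=lambda r: r[0])


def in_prefixes(addr, prefixes):
    """True if the address falls inside any of the given networks."""
    return any(addr in net for net in prefixes)


def summarize(records, vendor_prefixes):
    """Counts comparable to the article's figures: connections, distinct destinations,
    connections per hour, how many went to the vendor, and which outside destinations
    the operator should look up before trusting them."""
    if not records:
        return {"total": 0, "unique_dsts": 0, "per_hour": 0.0, "vendor_connections": 0,
                "third_party_dsts": [], "top_dst": None}
    per_dst = Counter(r[2] for r in records)
    vendor = sum(n for addr, n in per_dst.items() if in_prefixes(addr, vendor_prefixes))
    third = [str(addr) for addr in sorted(per_dst) if not in_prefixes(addr, vendor_prefixes)]
    span_s = (records[-1][0] - records[0][0]).total_seconds()
    hours = span_s / 3600 if span_s > 0 else 1.0  # single-timestamp log: treat as one hour
    top_addr, top_n = per_dst.most_common(1)[0]
    return {"total": len(records), "unique_dsts": len(per_dst),
            "per_hour": len(records) / hours, "vendor_connections": vendor,
            "third_party_dsts": third, "top_dst": (str(top_addr), top_n)}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), VENDOR_PREFIXES)
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

The third-party list is the output worth acting on: each entry is a destination the machine reached on its own while idle, which is exactly the question the researcher was asking.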

2/12/2016  AdBlocker v AdRevenue v Security

Wired and Forbes are joining the web sites that require ad blockers to be turned off.

Both publications need advertising revenue. Ads can contain malware (malvertising). Few people want that, but many people want the web content. Few companies are willing to warrant that their ads won’t infect your computer or lead to infection down the road.

This reminds me of fugu. Also called blowfish, they are quite tasty with a caveat. Their intestines, ovaries and liver contain tetrodotoxin, a poison over a thousand times deadlier than cyanide. So, restaurants who serve it, even though they have specially trained and certified chefs, require a waiver of liability. If you die, they are not responsible. So, I don’t eat fugu.

Similarly I’m very reluctant to lower my blockers (yes, plural). I could “whitelist” the site, meaning that I tell my blockers to not block. The catch is that only some web sites provide their own advertising. Others sell spots and the ads are provided by third parties (see related article from earlier this year) and sometimes those third parties are crooks.

If a company serves up its own ads it isn’t getting ad revenue. Even if the advertiser provides their ad in advance for a no-malware check (at an added expense) when a web visitor clicks through to the advertiser’s web site, they could be landing on a malware server. Will a company that sells ad placements check the background or just deposit the check? There are few ways to cost-effectively protect the consumer so the company providing the advertising space disclaims responsibility, just like the fugu restaurant. The difference is a physiological death vs a financial impact when you get hit with ransomware and psychic trauma when those … personal … pictures wind up on the internet.

From the survey at Naked Security / Sophos I’m not alone in avoiding malvertising complications. Almost two-thirds voted to abandon even their favorite web site before lowering their shields. As for me, I’m trying to create a web browser in a virtual machine in a real machine that I control remotely. Not in my skill set … yet.

2/13/2016  Another way to brick your iPhone

Affects iOS 8.0 to 9.3 beta 3. Don’t try this at home!

Good design means setting limits on user input if that input can do bad things. In this case iPhones will turn themselves into an attractive, but useless, tool if you set the date to 1/1/1970. That is the earliest date you can set. It is allowed. 0000 Greenwich Mean Time (GMT) 1/1/1970 is considered the beginning of Unix time, a concept that many devices use. Unix allows negative time, but many devices hiccup and die with that concept.

So why does this allowed value brick your iPhone? If your time zone isn’t set for 0, the time at Greenwich, your iPhone may think you’re in minus time. The good news is that your phone will still work, until it gets powered off and back on. Then it becomes a paperweight. (see fix below)

In retrospect Apple should have made the earliest allowed date 1/2/1970 and avoided the whole problem, but apparently it wasn’t discovered until 2/11/2016.

The good news: Unlike the repaired/iOS 9 bricking, this one can be fixed by disconnecting the battery, pausing, and reconnecting it.

The bad news: You have to take your phone to an authorized repair facility. If you take it to a non-Apple place make sure they don’t touch the home button with the fingerprint scanner. See related story. Also – be sure to use your keypad lock. A “friend” could set the time and you’d get bricked next power cycling.

The really bad news: The iPhone calibrates its time settings with a network time protocol (NTP) server. If the NTP server were hacked every iPhone that sync’d time to that network could be bricked for a massive, global, unhappiness.

Really, don’t try this yourself! Watch video 2m 47s
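The sign problem is easy to see in code. The Python below is an added example (not Apple’s code; the page gives the negative-time explanation but not the actual internal cause) modelling what the article describes: local midnight on 1/1/1970 entered in a zone east of Greenwich converts to a negative Unix time, and a store that only holds unsigned 32-bit values wraps it silently into the year 2106. The validation function applies the input limit the article suggests in retrospect; the 32-bit width and the maximum east-of-Greenwich offset (+14 hours) are assumptions of the model.

```python
"""Negative Unix time from a timezone offset, and the input check that prevents it (added example)."""
from datetime import date, datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
UINT32_MAX = 2**32 - 1  # assumed width of a store that cannot hold a sign


def local_to_epoch_seconds(local_wall_clock: datetime, utc_offset_hours: float) -> int:
    """Unix time for a wall-clock date/time entered in a zone at UTC+offset.

    Midnight 1/1/1970 east of Greenwich happens *before* the epoch, so the result is
    negative there: valid Unix time, but not something every device copes with.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int((local_wall_clock.replace(tzinfo=tz) - EPOCH).total_seconds())


def store_unsigned32(seconds: int) -> int:
    """Model of a store that silently wraps negative values (the 'hiccup' in the article)."""
    return seconds & UINT32_MAX


def stored_value_as_utc(stored: int) -> datetime:
    """What the wrapped value means if it is later read back as a count of seconds."""
    return EPOCH + timedelta(seconds=stored)


def date_is_safe(local_wall_clock: datetime, utc_offset_hours: float) -> bool:
    """Input check: accept a user-entered date only if its UTC equivalent is non-negative."""
    return local_to_epoch_seconds(local_wall_clock, utc_offset_hours) >= 0


def earliest_safe_local_date(max_east_offset_hours: float = 14) -> date:
    """Earliest local calendar date whose midnight stays non-negative at every offset up to
    max_east_offset_hours; for +14 h that is 1/2/1970, the floor the article suggests."""
    whole_days = -(-int(max_east_offset_hours * 3600) // 86400)  # ceiling division
    return (EPOCH + timedelta(days=whole_days)).date()


if __name__ == "__main__":
    midnight = datetime(1970, 1, 1)
    for offset in (0, 8):
        secs = local_to_epoch_seconds(midnight, offset)
        wrapped = store_unsigned32(secs)
        print(f"UTC{offset:+d}: epoch={secs:>7d}  wrapped={wrapped}  reads back as "
              f"{stored_value_as_utc(wrapped):%Y-%m-%d}  safe={date_is_safe(midnight, offset)}")
    print("earliest safe local date:", earliest_safe_local_date())
```

Note that this model only explains the sign problem; the 2/15/2016 update below reports that dates up to May 1970 also trigger the bug, which a pure negative-time explanation does not cover, so the input floor is a defensive bound rather than a root-cause fix.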

2/15/2016 Update   Restoring 1970 Bricked iPhones

Bad news, good news and better news. Bad News: Earlier reports indicated the bug would only be activated if you set the time to 00:00 1/1/1970. The bug activates if you set the time anywhere from then to May 1970. Good News: The bug will be eradicated by an update. Better News: If your iPhone has already been hit you can participate in the iOS 9.3 Beta 4 test. Contact https://www.apple.com/support/contact/

2/15/2016  Hackers are how old?

Young, old, all ages?

In late 2015 the reported average age of cyber-suspects dropped from 24 to 17. (see a great public service announcement from UK’s National Crime Agency to parents). Last week, holding up the higher end of the age range, a 59-year-old woman from Bridgend (near the Bristol Channel, about 18 miles west of Cardiff, and at the same latitude as London, England) was arrested in connection with an information security breach relating to personal data of employees of the South Wales Fire and Rescue Service. BBC

2/15/2016  Decrypt Ransomware

Crooks are as smart as anyone else, and just as likely to recycle old code.

The recent resurgence of the Angler Exploit Kit has brought with it two new members of the CrypBoss ransomware family named Hydracrypt and Umbrecrypt. Remember that even if you pay, not all ransomware will actually decrypt your files. Or, the files may be decrypted, but the malware remains so they can do it to you again. For these reasons paying ransom is not a great idea. Even Rudyard Kipling recommended against it. Good news: a security researcher has cracked both and made decrypters for both available to the public. There are some procedures to follow. See The Hacker News.

2/15/2016  GCHQ Hacking legal

British Court says GCHQ hacking is legal, in Britain and without.

UK’s Investigatory Powers Tribunal (IPT) ruled (56 page PDF) that the hacking of computers, smartphones and networks in the United Kingdom or abroad by the Government Communications Headquarters (GCHQ) is legal. Reading the ruling with care it appears the court is aware of the intrusive nature of these activities, but offers that there are balances in place. The ruling does not sit well with some other nations who wonder how one nation’s legal system can make rulings affecting actions in other nations. More at The Hacker News.

2/15/2016  Nasdaq embracing blockchain

at least to record shareholder votes.

Owners of an Estonian publicly listed company are required to be physically present or nominate a proxy to physically attend the meeting. The concept is that the voter would get a “private key” which is “sealed” on the Blockchain and cannot be altered or tampered with. Using the private key constitutes validation so shareholders can vote online. More at The Hacker News. [ Nice concept … but the encryption of blockchains has received a significant crack just this month. -ed ]

2/16/2016  Internet Core Function found Vulnerable

A core internet function from 2008 was just found to have a severe vulnerability.

The getaddrinfo() function does domain-name lookups. It contains a buffer overflow bug that allows attackers to remotely execute malicious code. The function is contained in the GNU C Library (glibc) and all versions after 2.9 (released November 2008) are vulnerable. A proof-of-concept for the vulnerability was posted on 2/15/2016.

Services providing Linux-based domain name lookups should install updates as soon as possible. Unfortunately many applications were compiled with a vulnerable glibc library. Those apps need to be recompiled and distributed. A security researcher described the vulnerability as “…is a core bedrock function across Linux. Things that do domain name lookups have a real vulnerability if the attacker can answer.” More at Ars Technica.

2/16/2016  Insecurity in the Cloud Costs Dearly

A very … personal … video clip was not only swiped, but displayed

It started with a teacher’s hacked GMail account which contained the userids and passwords for multiple accounts. That led to his Dropbox with a … personal … video and a list of phone numbers of students he worked with on school activities. Someone arranged for the video to be public and texted the students with the link, which was then circulated.

The teacher was placed on unpaid leave and later fired. Perhaps without due process as the termination was reversed by the Arkansas Professional Licensure Standards Board citing insufficient evidence. The teacher was a victim of hacking, a cybercrime prohibited in state and federal law. Still, remember, the cloud is no safe, super secure place. Certainly not the place to store … personal … pictures, videos, userids, passwords, address books etc. More at Sophos.

2/16/2016  IOT Flaming Pumpkin

A talking, flame shooting pumpkin on the internet of things. What could possibly go wrong? See how it was made at Hackster.

2/16/2016  Another hospital held ransom

Hollywood Presbyterian Medical Center back to pen and paper.

Time jump to 1970: pen and paper were required to record patient information, patient medical records were barely available and inter-departmental communications used facsimile. There was no network, there was no email, and administrators required computers be shut down to stop the spread of ransomware. How can you do a digital x-ray or MRI without computers? How can you control radiation treatments without computers? The attack started 2/5/2016 and soon after patients were being transferred to other hospitals and emergencies were redirected to care that was precious minutes further away.

Compare Events

If the burst of medical ransomware has any upside it provides multiple situations for comparison. February 11, 2016: Another hospital was infected with email-transmitted ransomware. The Lukas Hospital in Neuss, Germany had complete backups and patient data was already encrypted, so they took their systems off line until those systems were restored. They rescheduled some elective surgeries and shifted non-critical emergency care to other hospitals. January 2016: Titus Regional Medical Center in Mount Pleasant, Texas was struck by ransomware which blocked access to medical records and internal communications between departments. Their defenses were less capable and they were reduced to 1970s technology. (sources: Naked Security / Sophos and Data Breach Today which has an interesting Growth of Ransomware chart)

Prepared or Not?

Some hospitals are better prepared than others. Those who don’t provide the resources for better preparation will be faced with a choice: provide resources to (maybe) unlock their data or suffer a capabilities jump back to the 70s. Better to be prepared with backups, stored away from that which was backed up. Don’t count on a miraculous save from law enforcement. Remember there are computer-like devices such as smartphones that can interact with and infect your more traditional networks. Use the best prevention design and technologies appropriate to your situation. Remember: “Just because we can does not mean we should.” Does every thermometer need to be on the network? (related: See the story of Billy Rios and the Hospital Internet of Things )

Pay or not?

Back in October 2015 the FBI advised to just pay the ransom. The arguments for not paying include that paying does not always get your data back. Crooks have either willfully not unlocked the data, or were a little less diligent in their programming and can’t unlock it. Do you trust them to unlock it? Remember, these are crooks. The data may be unlocked today, with a little surprise that will lock it again later. The biggest argument is that paying perpetuates this crime. That was well explained by Rudyard Kipling well before our modern technology.

[ This is a bad situation and it is getting worse. One thing is certain, you cannot escape on auxiliary power -ed ]

2/17/2016  Caved to Crime – Got a discount

Hollywood Presbyterian Medical Center paid the ransom

Initial reports had the ransom at the Bitcoin equivalent of over $3 million US dollars. Today it was reported that a ransom of just $17 thousand US dollars was paid. In a stroke of good luck, the crooks made good and delivered decryption keys that unlocked the data and allowed operations to resume.

2/19/2016  Hospital – media error

The initial report of a ransom over $3 million dollars was widely distributed, but erroneous.

2/17/2016  Home alarm broadcasts access code

300,000 in the US have home alarms that are decidedly not helping

SimpliSafe wireless home alarm systems allow easy full access to crooks. For under $250 in hardware anyone can determine the alarm’s PIN and turn it off at distances of up to two hundred yards. Why? The alarm system does not encrypt its signals so a sniffer can record the code over the air and replay it when they want to get in. The software is embodied in a chip and there are no provisions for end user updates. See a video of the hack and more at The Hacker News
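The weakness is replay: a frame that is valid once is valid forever when it carries only the PIN. The Python below is an added example (not the vendor’s protocol and not from the article) that models both designs side by side: a keypad frame carrying the PIN in the clear, which a recorded copy reopens, and a frame carrying a monotonically increasing counter plus an HMAC over it under a key shared with the base station, which the base station rejects once that counter has been seen. Key size, frame layout and counter width are assumptions of the model.

```python
"""Replayable PIN frames versus counter-plus-MAC frames for a wireless alarm (added example)."""
import hashlib
import hmac
import os


class PlainPinAlarm:
    """Model of the design the article describes: the keypad radios the PIN itself, so any
    recording of a valid frame is itself a valid frame."""

    def __init__(self, pin: str):
        self.pin = pin.encode()

    @staticmethod
    def keypad_frame(pin: str) -> bytes:
        return pin.encode()

    def disarm(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.pin)


class CounterMacAlarm:
    """Keypad and base station share a secret key (provisioned out of band, assumed 32 bytes).

    Frame layout (assumed): 4-byte big-endian counter || HMAC-SHA256(key, counter || b"disarm").
    The base accepts a frame only if the tag verifies AND the counter is larger than any
    counter it has already accepted, so a recorded frame is rejected when played back.
    """
    TAG_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0      # base station state
        self.keypad_counter = 0    # keypad state

    def _tag(self, counter: int) -> bytes:
        return hmac.new(self.key, counter.to_bytes(4, "big") + b"disarm", hashlib.sha256).digest()

    def keypad_frame(self) -> bytes:
        """Keypad side: bump the counter and authenticate it."""
        self.keypad_counter += 1
        return self.keypad_counter.to_bytes(4, "big") + self._tag(self.keypad_counter)

    def disarm(self, frame: bytes) -> bool:
        """Base station side: check length, then tag, then freshness of the counter."""
        if len(frame) != 4 + self.TAG_LEN:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame[4:], self._tag(counter)):
            return False
        if counter <= self.last_counter:
            return False  # seen before: replay
        self.last_counter = counter
        return True


def demo():
    """Returns (plain replay accepted, authenticated first use, authenticated replay)."""
    plain = PlainPinAlarm("1234")
    recorded = PlainPinAlarm.keypad_frame("1234")  # what a sniffer would have captured
    plain_replay = plain.disarm(recorded)           # True: the recording is enough

    alarm = CounterMacAlarm(os.urandom(32))
    recorded = alarm.keypad_frame()
    first_use = alarm.disarm(recorded)              # True: fresh counter, valid tag
    replay = alarm.disarm(recorded)                 # False: counter already consumed
    return plain_replay, first_use, replay


if __name__ == "__main__":
    print("plain PIN replay accepted: %s, authenticated first use: %s, replay: %s" % demo())
```

Two design notes: the counter must survive a power cycle on both sides (persist `last_counter`) or the base will accept old frames again after a reboot, and a keypad that gets ahead of the base (lost frames) still works because the base only requires "larger than last seen", not "exactly next".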

2/18/2016   New Lows in IOT “Security”

Would you hire a convicted embezzler to manage your funds?

So why would you get a “security” device that exposes you? You probably wouldn’t if you knew about it. How about a web camera that pushed its video over plain-http (no https) so anyone who snoops can see the video? Would you buy it? Or, a digital video recorder that has a hard-coded (and unchangeable and short) web interface password. Put this in a remote location and view it from home, just like any crook can. A researcher used Shodan and found more than 36,000 devices that would probably accept the password. Why “probably”? Because using Shodan is one thing. Actually logging in is potentially a crime. So, if you knew would you buy it? See more at Naked Security / Sophos.

Now turning to Foscam, a maker of security cameras. In November 2015 a user reported to Foscam.us that his internet-connected camera was calling out to multiple hosts (including VigoThaiClub dot info) despite every security option being turned off. Foscam didn’t reply then, but in January 2016 they posted (and we quote) “Actually, even you have disabled P2P function in camera settings, in the camera mainbord, the camera information still sync with P2P server in case camera enabled P2P settings all of sudden.” Further in the response Foscam reports blocking one port which was already reported as one of multiple ports that were communicating without user permission. The point? There is Inherent Danger in the Internet of Things and you should research the exposures you are getting along with the security. Much more at KrebsOnSecurity.

2/19/2016   DVR does more than you think

A digital video recorder (DVR) can be controlled remotely and that isn’t all.

An investigator bought a cheap DVR from Amazon and found an unauthenticated, impossible-to-disable remote root shell, so an attacker could compromise, then control, the device from anywhere on the internet. Even odder, the DVR takes single frames of its own video and sends them to China. There is no password-attempt counter, so crooks can try as many passwords as they want. There are no firmware updates. There is probably more, but the real point is that unless a consumer did significant research they’d never know of these weaknesses. There is one glimmer of nice news. The investigator, being a cautious kinda person, used a controlled source, so the crooks received single frames of a UK child’s program from the 1980s called “Button Moon”, the adventures of Mr. Spoon and his family of kitchen implements. More at Naked Security / Sophos.

2/24/2016  W2 scam stopped cold

Good news: Alert employees get a whiff of something bad and stop a compromise.

Remember: Something that comes in from the outside (like an email from the “boss”, or a phone call from a “lawyer”) has to pass the smell test. If your nose is new, get an experienced sniff consultation and stop crooks. Great read at KrebsOnSecurity

2/24/2016  info on 10M kids to be released. What could go wrong?

Five years ago some lawyers started a lawsuit against California. Sadly, there is nothing unusual about that. What is unusual is that a federal judge, Kimberly J. Mueller of the U.S. District Court for the Eastern District of California, has requested seven huge state databases with the addresses of children, Social Security numbers, disciplinary records, test scores and mental health information to be provided to those lawyers suing the state. What could possibly go wrong?

The plaintiffs say they are looking for patterns and don’t need, or want, personal information. Why didn’t the judge require that sensitive information be excluded? Medical records carry HIPAA responsibilities, but the security specifications are weak. More at San Jose Mercury News.

[ “Weak” is putting it mildly. We recommend removing names, reducing addresses to zipcode only, and replacing social security numbers with a pseudo-random, but unique identifier not derived from any source data to preclude the data from being traced to an individual. A key translation file can be held by the court and, should individuals need to be identified, and with the judge’s approval, that information can be located. That translation file needs the highest protection and encryption is part of it. -ed ]
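The editorial recommendation above (drop names, keep only the ZIP code, replace Social Security numbers with a random unique identifier, and hold the key file separately) can be expressed as a small pseudonymization routine. The following is an added example written for this page, not code from the court, the plaintiffs or any named source; the record layout and every value in RAW_RECORDS are constructed, and the encryption and access control for the key file are assumed to be handled by the store it is written to, which this snippet does not implement.

```python
import json
import re
import secrets

# Constructed sample records; every value here is made up for the example.
RAW_RECORDS = [
    {"name": "Student One", "address": "12 Elm St, Sacramento, CA 95814",
     "ssn": "123-45-6789", "test_score": 81, "discipline": "none"},
    {"name": "Student Two", "address": "8 Oak Ave, Fresno, CA 93721",
     "ssn": "987-65-4321", "test_score": 67, "discipline": "detention"},
    # The same child appearing twice (two school years) must map to one token,
    # otherwise the plaintiffs cannot find patterns across years.
    {"name": "Student One", "address": "12 Elm St, Sacramento, CA 95814",
     "ssn": "123-45-6789", "test_score": 88, "discipline": "none"},
]

# Trailing 5-digit ZIP, with an optional ZIP+4 suffix that is discarded.
ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\s*$")


def zip_only(address):
    """Reduce a street address to its 5-digit ZIP; empty string if none is found."""
    m = ZIP_RE.search(address)
    return m.group(1) if m else ""


def pseudonymize(records):
    """Return (analysis_records, translation_table).

    analysis_records carry a random token instead of name/address/SSN and are
    what the litigants receive; translation_table maps token -> identity and is
    the separately held key file the editorial describes.
    """
    translation = {}      # token -> identifying fields (court-held key file)
    ssn_to_token = {}     # transient, so one person receives exactly one token
    analysis = []
    for rec in records:
        token = ssn_to_token.get(rec["ssn"])
        if token is None:
            # secrets.token_hex draws from the OS CSPRNG: the token carries no
            # information about the SSN, name or address it stands for, so it
            # cannot be reversed without the translation table.
            token = secrets.token_hex(8)
            while token in translation:   # collision is negligible, but enforce uniqueness
                token = secrets.token_hex(8)
            ssn_to_token[rec["ssn"]] = token
            translation[token] = {k: rec[k] for k in ("name", "address", "ssn")}
        analysis.append({
            "id": token,
            "zip": zip_only(rec["address"]),
            "test_score": rec["test_score"],
            "discipline": rec["discipline"],
        })
    return analysis, translation


def reidentify(token, translation):
    """Court-side lookup, used only with the judge's approval; None if unknown."""
    return translation.get(token)


if __name__ == "__main__":
    analysis, key_file = pseudonymize(RAW_RECORDS)
    print(json.dumps(analysis, indent=1))
    # key_file belongs in an encrypted, access-controlled store held by the
    # court; it is never shipped alongside the analysis extract.
```

The analysis extract keeps the fields the plaintiffs said they need (scores, disciplinary records, a coarse location) and nothing that identifies a child; re-identification requires the translation table, which is the one artifact that needs the highest protection.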

2/25/2016  Hospital Security

The majority of hospitals are focused on securing patient records, not the patient. According to a study released February 23, 2016 by Independent Security Evaluators that misdirected focus endangers the patient. A two year study from January 2014 to 2016 assessed a dozen healthcare facilities and more.

Abstract: The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report. To understand these ecosystems, a two year study was performed from January, 2014 through January, 2016 of critical elements within these facilities as they relate to securing patient health. Our goal was to create a blueprint, a step by step action plan that all medical facilities can follow as the foundational element in reaching full security readiness. The research was driven by a hands on analysis of various healthcare systems, applications, and budgets, interviews with hospital, data center, and medical device manufacturer employees, and sourcing industry knowledge from thought leaders on our advisory board. The findings show an industry in turmoil: lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership, and a misguided reliance upon compliance. These findings illustrate our greatest fear: patient health remains extremely vulnerable. The output of the research is the production of a modern patient health focused attack model, and a blueprint that advocates a phased approach to security design and implementation for healthcare facilities that focuses on the protection of patient health assets. [ Source: 71 page PDF, highlighting ours -ed ]

In one test USB sticks with the health care facility logo were placed around the facility. The sticks were picked up and used. Simulated malware was uploaded. Within a day the sticks were in service and communicating with the command and control server. From this foothold inside the network the investigators were able to attack multiple medicine inventory and dispensing systems.

The better news is the learning has been condensed into a practical guide for hospitals starting with shifting the focus from data protection to patient protection.

2/28/2016  eFilers Beware!

Report (24 page PDF) shows list of 7 eFiling sites that made the “Honor Roll”. 3 failed and 3 more failed big time. There was no other middle ground. Big names in all categories. More …

2/28/2016  Fingerprint Security

iPhone users – beware your dentist!

We know of no dentist that has done this, but the iPhone’s fingerprint scanner has been successfully spoofed with Hasbro’s Play-Doh and dental supplies. Remember biometric security isn’t foolproof. Why worry about your dentist visit? See the article at HackRead and our section on Biometric Security.

2/29/2016  Other Time Problems

International Date line defends itself from USAF.

F-22 Air Supremacy Fighters (then $120 million each) were en route from Hickam AFB, Hawaii to Kadena AFB, Japan. At the international date line systems including all navigation, communications, and some fuel functions failed. They were in the company of tankers who provided directional and other assistance on an emergency return to Hawaii. The problem was found in the computer code and fixed in about two days in early 2007.

2/29/2016  Did we expose ourselves?

Did US intelligence services cause the creation of backdoors in various networking equipment made by US manufacturers? Did we gain intelligence while allowing other governments to access our secrets (such as China accessing OPM) at a much larger scale? Could be. See BusinessInsider.

2/29/2016  Jumping the Air-Gap

It used to be if a computer wasn’t connected to the internet it was safe, isolated by what was termed the “air gap” between systems. No more.

This side-channel attack relies on the electromagnetic outputs emitted by a computer during a decryption process. The attack is non-intrusive, the target isn’t modified and isn’t even in the same room. Using lab equipment costing about $3,000 researchers were able to determine the keys to an elliptic curve encryption of a computer in the next room in seconds. Once the physics are understood these attacks can be made with even simpler equipment. The research paper (16 page PDF) will be presented at the March 2016 RSA conference. More at Motherboard and HackRead.

[ this should have been back in mid-February. -ed ]

3/01/2016  More Ransomware – Locky

“Locky” ransomware is spreading by the same vectors as many other ransomware.

Don’t open attachments from people you don’t know, especially attachments that have unrestrained macro capability. This includes the whole family of Microsoft Office products that have macro capability as well as the ability to invoke Visual Basic (VBS) code. If you open a document and it says it was created in a newer version and “click here to update”, don’t do it! Details on how “Locky” works at Panda Security. More details on how “Locky” upsets backups and how to prevent damage from spreading from Naked Security / Sophos.
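Because Locky and its relatives arrive as macro-carrying Office attachments, a mail gateway or endpoint script can refuse them by looking at what is inside the file rather than at its extension. The following is an added example for this page, not code from Panda Security, Sophos or any vendor named above; it checks for the VBA project part and its declared content type inside an OOXML package, and treats the legacy binary (OLE) format as unable to be cleared without a full OLE parser. The helper that builds the sample packages is constructed for testing and does not produce real Word output.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm")


def classify_office_file(data: bytes) -> str:
    """Classify an Office attachment by its contents, not its name.

    "legacy-ole"   binary .doc/.xls/.ppt; may carry macros, needs OLE parsing
    "ooxml-macro"  OOXML zip containing a VBA project (macro-enabled or disguised)
    "ooxml-clean"  OOXML zip with no VBA project
    "not-office"   neither container
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            # Two independent signals: the part itself, and its declared content type.
            has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            has_ctype = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
            return "ooxml-macro" if (has_part or has_ctype) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def decide(filename: str, data: bytes):
    """Gateway policy: (quarantine?, reason). Macro-capable files are held,
    and a VBA project inside a file not named as macro-enabled is called out."""
    kind = classify_office_file(data)
    if kind == "legacy-ole":
        return True, "legacy binary Office file; macros cannot be ruled out without OLE parsing"
    if kind == "ooxml-macro":
        if not filename.lower().endswith(MACRO_EXTS):
            return True, "VBA project inside a file not named as macro-enabled"
        return True, "macro-enabled document"
    return False, kind


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing only."""
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              '<Override PartName="/word/document.xml" ContentType='
              '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_vba:
        ctypes += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not a real VBA stream")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", _build_ooxml(True)),
                       ("memo.docx", _build_ooxml(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 64)):
        print(name, decide(name, blob))
```

Note that the check is deliberately conservative: a .docx that carries a VBA project is flagged even though Word itself would normally refuse to run macros from that extension, because the mismatch is itself a sign of tampering.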

3/10/2016  Locky Update

Locky has evolved and that is bad for us. SpiderLabs (part of TrustWave) reported 3/8/2016 that of the 4 million spam messages it collected last week 18% were ransomware related and many linked back to Locky making for a huge growth spurt. Originally Locky was delivered via infected Microsoft Word documents, but this version has a JavaScript file hidden in the spam. Just as bad, the volume appears to be driven by the same large network of compromised computers (botnet) used to send the Dridex banking malware back in January 2015. More at PCWorld

3/01/2016  More Ransomware – CTB

CTB Locker hits websites with ransomware. More at The Hacker News

3/01/2016  Police Brew Own Trojan Spy

The venerable Chaos Computer Club (CCC) was the first to spot the malware, which is called, among other things, the Bundestrojaner (“Federal Trojan”). Why the name? Because the German Interior Ministry created it circa 2011 and confirmed its use. In late February 2016 they approved a new version. Make no mistake, this is a full-fledged surveillance system: it remotely updates itself, grabs screenshots, activates the camera and microphone, allows remote access, and taps communications including Skype and Messenger (MSN and Yahoo both), as well as serving as a keystroke logger. More at Naked Security / Sophos.

3/01/2016  Tor hacked?

TOR or Tor stands for The Onion Router, a system of browsers and hosts that obfuscates users and hosts alike. Unlike a traditional domain, whose host is determinable with WHOIS and whose users are identified by IP address, Tor users and host locations are unknown. This is unacceptable to surveillance states.

In a 2/23/2016 filing (4 page PDF) it was revealed that in 2014 security researchers from Carnegie Mellon University (CMU) Software Engineering Institute (SEI) were hired to expose Tor users and their IP addresses.

After a November 2015 report the FBI denied the allegation. A few days later CMU published a similar denial. Based on the 2/23/2016 filing some reported details were incorrect. The Department of Defense (DOD) contracted with CMU, not the FBI. In July 2015 DOD renewed the contract with CMU to the tune of $1.7 billion US dollars. More at The Hacker News

3/01/2016  Your printer is talking

Believe it or not your WiFi printer can be exposing your network. Pwnie Labs analyzed over seven million devices and found that wireless-enabled printers remain deployed in a potentially vulnerable default configuration. More at

3/01/2016  Your mouse has been hacked

A wireless mouse needs to connect to something attached to your computer. That thing is called a “wireless dongle”. True egalitarians, these dongles don’t discriminate: if one receives a signal that says “I’m a wireless mouse” it will just pass the signal right to the computer. This Mouse Jacking attack is cheap to mount and, all humor aside, you don’t want to be a victim. More at CNET.

3/02/2016  US Smartphone penetration

For the quarter ending in December 2015 over 197 million people in the United States owned smartphones for a 79.4% mobile market penetration. More at Comscore. That is continuing an upward trend from 74.9% 2014Q4, 77.1% 2015Q2, 77.9% 2015Q3 to 79.4% 2015Q4.

3/02/2016  McAfee 2016 look ahead

McAfee Labs (part of Intel) published the 2016 Threats Predictions (40 page PDF) including a five year look ahead for threats against hardware, ransomware, payment systems, attacks through employee systems, via and against cloud services, wearable technology, automobiles, cyber espionage, hacktivism, and attacks against infrastructure.

3/03/2016  DROWNing TLS/SSL

Decrypting RSA with Obsolete and Weakened eNcryption works against TLS/SSL, that code that sticks an ‘s’ at the end of HTTP for encryption security over the web.

Included in many cryptographic products is a backdoor named EXPORT_GRADE, put there by law. Cryptographic concepts were considered arms and subject to International Traffic in Arms Regulations Title 22 — Foreign Relations; Chapter I — Department of State; Subchapter M — International Traffic in Arms Regulations. Specifically Category XI–Military [and Space] Electronics. [ a t-shirt with a code segment was considered “arms” and subject to regulation. -ed ]

The concept was that by not exporting crypto code we’d be safer. It didn’t quite work that way, and most of those regulations have lapsed, expired, or otherwise been removed. Still, programmers re-use code, and much older code contains EXPORT_GRADE traces, including its now-weak constructs.

The DROWN paper (22 page PDF) is techno-dense but simply put: DROWN can overwhelm multiple legacy elements. Read more at Darknet/UK

3/11/2016 Update  DROWNing TLS/SSL

Knowing is half the battle. Seems we’re not winning the other half any time soon.

A week after being informed of the DROWN vulnerability 620 out of 653 cloud services are still vulnerable. With 98.9 percent of enterprises using at least one vulnerable service, this isn’t good news. Compare that to Heartbleed where over 90% of providers were patched in a week. That wasn’t a total victory either. A year later 74% of Global 2000 organizations still had at least one Heartbleed risk. More at Security Week

3/04/2016  Side Door to Apple & Android

A $2 magnetic probe (picture) and some easily concealed ancillary equipment snoop non-invasively on the physical side channels of electromagnetic radiation and power consumption. The way those change depends on the cryptographic computations being performed.

In a study (22 page PDF) researchers from Tel Aviv University’s Laboratory for Experimental Information Security (LEISec) and The University of Adelaide (NICTA) in Australia were able to “fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.” The crypto used is Elliptic Curve Digital Signature Algorithm (ECDSA) used in many applications such as Bitcoin wallets, Apple Pay, OpenSSL, CoreBitcoin, iOS and more. See more … and Naked Security / Sophos.

3/04/2016  Encryption removed without notice?

Amazon removed encryption because few people were using it. Screw the ones that were? See The Guardian

3/04/2016  Smacking Trolls & Catphishing

People who create fake profiles may get smacked with a proposed new law

The Crown Prosecution Service (CPS) of the United Kingdom has published guidance to provide clear advice to help the prosecution of cyber-enabled crime. These guidelines are in a 10-week public comment period. In those guidelines are prosecution of offenders who hide behind fake profiles (including catphishing) to torment or trick people, and guidance on new crimes, including nonconsensual (or “revenge”) porn and domestic abuse. The guidelines include updates to remind officers and prosecutors what type of related evidence may exist for this type of crime.

The guidelines include three categories of social media crimes: Category 1: Communications that carry credible threats of violence to a person or damage to property. Category 2: Specific targeting for harassment, stalking, nonconsensual porn, blackmail, or coercive behavior to former partners or family members. Category 3: Communications that lead to a breach of a court order. More at Naked Security / Sophos

3/04/2016  Evolving Pirates

Think of pirates: Blackbeard, Captain Kidd, Captain Morgan, Captain Barbossa, Captain Blood, Captain Flint, Captain Nemo, Captain Hook even Captain Jack Sparrow, not one of them used the internet. Well, piracy has advanced some since the heyday of buckle and swash. Modern pirates are hacking into shipping company databases to find the few containers of high value. They raid the ship, lock up the crew, secure their plunder and are gone quickly. They still have some work to do regarding covering their electronic trail. See Business Insider.

3/05/2016  Update to Under Reporting & Law Firms

Years ago we noticed that reports of data breaches at law firms were conspicuously few from all sources. Back on 3/27/2015 we wondered whether they were exempt from reporting. The answer is no, they just didn’t. A security firm reported that unnamed law firms had been breached. Several publications criticized that industry. A few months later the American Bar Association reported that an astonishing 80% of the 100 largest law firms had been breached.

So, what is available inside a law firm? Aside from an incredible amount of personal information there is a considerable treasure in not-yet-public information. Think about what is available on a planned merger, or a possible takeover target. What severance package is being prepared for a soon-to-be-ousted senior executive? All of those examples, and more, are information that can be used to turn a tidy profit in the public marketplace by trading on it before the public is informed.

As of the end-of-February 2016 summary, over 56% of reported breaches lacked disclosure of how many were affected. How many law firms, and other organizations, don’t even report they were breached? The Safe Harbor Rule (see When do you get told your data was compromised?) allows companies not to disclose, which makes the cyber in-security picture, already scary, even more frightening because we know that we don’t know how bad it really is.

3/05/2016  Irony Strikes RSA conference


In the old days vendors at trade shows collected business cards from attendees. Vendors at this conference were given particular handsets with a password protecting an app to scan attendee badges. The conference is well attended by security researchers, one of whom found the device could be “easily” compromised to allow access to all functions, just like a hacker would. Ah, ooops. More at ReCode.

3/05/2016  Dwolla Didn’t

Dwolla advertised that its security was better than industry standard, their payment apps were secure and it encrypts sensitive personal information. Dwolla didn’t do that. A few days ago the Consumer Financial Protection Bureau (CFPB) fined them $100,000 noting they didn’t meet the Payment Card Industry Data Security Standard (PCI-DSS) either. More …

3/05/2016  Click Jacking

Would you click on something that says “Allow Virus Infection”? Probably not. By turning on an accessibility feature the user may be clicking on options they can’t see. Those options are anything a user could do on their own. See the article and 1:05 video

3/06/2016  IRS strike 2

The IRS created Identity Protection Personal Identification numbers (IP-PIN) for victims of identity theft. Despite being warned the concept was weak the IRS issued almost 3 million of them. IP-PIN is weak because it uses static facts that are in the public domain. To the surprise of few, those IP-PINs were gathered by crooks and used to hijack tax refunds. More at Krebs on Security

3/07/2016  IRS suspends IP-PIN

The IRS has shut the door after an unknown number of IP-PIN horses have left the barn.

The IRS says 2.7 million IP-PINs were issued. About 130,000 people used an online tool to retrieve a lost IP-PIN. 800 fraudulent returns were stopped with IP-PIN. The function has been removed from the IRS web site. Remember: The IRS disabled the “Get Transcript” tool in mid-2015 after reporting 100,000 people had been affected. In August that number was raised to over 340,000 and by February 2016 it had reached 700,000. So how many were actually exposed? See Krebs on Security.

3/09/2016  Converting bad hackers to good guys

If you can’t beat ’em hire ’em!

Romania, Ukraine, and more than a few other places are known as hotbeds of hackers. In Romania cyber-security firms including Bitdefender, Avira, and Heimdal already employ hundreds of professionals and are planning to increase their Romanian teams by up to 20 percent this year. More at ZDnet.

3/09/2016  300M hits a day?

You think you have a cyber security problem? How about 300,000,000 hits a day? That is three hundred million in one day. Silicon Valley? Wall Street? How about Utah? See The Hacker News.

3/10/2016  Hacking Facebook

Would-be hackers searching the internet need to be careful. That tool you download might hack Facebook, or SnapChat, or something else, like planting a virus in your machine. Yeah, HackU! More at The Hacker News.

Better is to use a vulnerability in Facebook allowing someone to view messages, post, view payment card details, basically do anything the real account holder could do. A good “forgot password” link sends a code to the email address on record, then provides a place to enter that code. Good design puts a limit on the number of attempts. Seems someone forgot that on some Facebook domains. Tempted to try it? Too late. Incredibly responsive, Facebook fixed the problem and awarded a hefty bounty to the bug finder. More at The Hacker News.
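The design rule in the item above, that a reset code must have a hard cap on guesses, is easy to get right when the cap is attached to the account rather than to whichever front-end host handles the request. The following is an added example for this page, not Facebook’s code or a description of its fix: a small reset-code store that issues a random six-digit code, compares it in constant time, discards it after a fixed number of guesses, expires it after a time limit, and accepts it once. The attempt cap, the TTL and the clock injection are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 5            # 5 guesses out of 10^6 codes leaves brute force at 0.0005%
CODE_TTL_SECONDS = 15 * 60  # a code left unused for 15 minutes is thrown away


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """Issue and verify one-time reset codes with a per-account attempt cap.

    The cap lives on the account's pending entry, so it holds no matter which
    host or domain the verification request arrives through; a missing check on
    one front end cannot reopen the guessing window.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # account id -> PendingReset

    def issue(self, account):
        """Create a fresh code for the account, replacing any earlier one.
        The caller sends it to the address on record; it is never shown to
        the party that requested the reset."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = PendingReset(code=code, issued_at=self._clock())
        return code

    def verify(self, account, submitted):
        """Return "ok", "wrong", "locked", "expired" or "no-code".
        Every outcome other than "wrong" removes the pending code."""
        entry = self._pending.get(account)
        if entry is None:
            return "no-code"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        entry.attempts += 1
        # Constant-time comparison: no timing hint about how many digits matched.
        if hmac.compare_digest(entry.code, str(submitted)):
            del self._pending[account]      # single use
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account]      # the user must request a new code
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("demo-account")
    print("wrong guess ->", store.verify("demo-account", "000000" if code != "000000" else "000001"))
    print("right code  ->", store.verify("demo-account", code))
    print("replay      ->", store.verify("demo-account", code))
```

A real deployment would keep the pending entries in shared storage behind the same lock or transaction so that parallel requests through different domains share one counter, which is the property the Facebook bug lacked.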

3/10/2016  Scamming people the old fashioned way

With all the headlines on technology related scams some crooks have gone decidedly old school and printed up fake parking tickets in Asheville, North Carolina. Crooks is the wrong word, pranksters is more like it. The ticket is pretty similar to the real ones (see WLOS, ABC News 13 serving western North Carolina) and the arrangement would convince people to scan the QR code to appeal, pay by phone, or get details. Ah, not so much. That QR code actually goes to a YouTube video of Rick Astley singing Never Gonna Give You Up. The prank is causing a headache for local law enforcement who says the most they can do is cite the offender for littering. Apparently the absence of a criminal motive makes a difference.

[ Talk about a gaping security chasm! That QR could have directed users to a malware laden trap that provides a virus then provides a “PrankedU!” message. The victim thinks “cute joke” while the malware lurks in the background. Make sure your QR reader confirms before taking action from a scan. -ed ]

3/10/2016  When does privacy end?

Can manufacturers be forced to turn on your web cam? Your microphone?

According to Apple’s head of services Eddy Cue, if the FBI is successful in the San Bernardino case the next step is for the government to force Apple to turn on the cameras and microphones of the iPhone. The capacity already exists with MazarBOT, which can take over your phone with a text message users don’t even see. As of October 2015 Britain’s GCHQ had that capacity. Does the NSA? Will law enforcement? Cue: “Where will this stop? In a divorce case? In an immigration case? In a tax case? Some day, someone will be able to turn on a phone’s microphone. That should not happen in this country.” More at The Guardian.

3/11/2016  Hiding in plain sight

While researching a new piece of malware Arbor Networks (part of NetScout) found a section of code which, when viewed as a bitmap, displays what appears to be a distorted banner for the Krebs On Security web site. In the bitmap noise is a DLL which can be stripped out with some code and turned into the malware. Malware, hiding in plain sight. More, including the image and details on the new malware, at Arbor Networks.

3/14/2016  Does it matter your AntiVirus is certified?

ICSA Labs (an independent division of Verizon) publishes the Anti-Virus Desktop / Server Detection Certification (5 page PDF), now in version 4.1. The substantive content is barely two and a half pages. Any vendor can follow the guidelines, pay a fee, and be “certified”. That means something to the non-technically inclined consumer and … less … to those for whom cyber security is their specialty.

Tavis Ormandy is a security researcher with Google’s Project Zero, whose task is finding weaknesses and exploits before they bite. He says that particular certification is “about as ridiculous as you would expect”. Ormandy has found multiple security issues with big names in the anti-virus community including Avast, AVG, Comodo, FireEye, Malwarebytes, TrendMicro and others. Some of those issues are simple, but using advanced skills he found “hundreds of critical memory corruption flaws” and “even more serious design flaws and logic errors,” all without having access to the source code or developer documentation. So what is that certification worth in terms of more effective protection? See the answer at Network World.

3/16/2016  Hotel IOT Insecurity

A hotel goes “high-tech” even to light switches. Tech-savvy guest hacked ’em all.

In a London hotel the light controls had been migrated from switches to tablets. In just a few hours an experienced white-hat hacker had access to the electronics in every room. How? The hotel used an ancient, serial protocol with no authentication whatsoever. More at ZDnet

3/16/2016  Massive Malvertising over weekend

Visit our site? Drop your adblocker. Is that unprotected hex? No joke.

Most advertising is not hosted on the web site you’re viewing. The ads are dynamically provided by one, or more, advertising sources. With millions of ads per minute (maybe per second worldwide) are those ads safe? If they are serving ads with malware, malicious advertising (malvertising), definitely not.

This past Sunday major web sites including the British Broadcasting Company (BBC), MSN and The New York Times served up malvertising that connected users to websites with the Angler exploit, which seeks vulnerabilities in Adobe Flash, Microsoft Silverlight and others, adding more as it evolves. (see TrendMicro) These large ad publishers (as opposed to ad providers) were also affected with increased malvertising: aol.com, my.xfinity.com, newsweek.com, nfl.com, realtor.com, thehill.com, and theweathernetwork.com (see MalwareBytes)

They are not the first. In February 2016 celebrity gossip site TMZ joined Rotten Tomatoes, Jerusalem Post, LifeBuzz, and more as servers of malvertizing. In September 2015 three thousand high profile sites in Japan were infected with malvertising.

The advertising suppliers might be responsible, but at least some of them have been hacked themselves. Or, at the time an ad is vetted (if there is any vetting) the ad target is an innocuous web host. After the ad is vetted and placed to be served then the malware is added to the ad target to ensnare the viewers. More at PCWorld.

[ Herein lies a problem for businesses and the public. Some sites are requiring adblocker disabling before displaying content, but are they responsible for damage from malware hiding in ads they serve? Don’t think so.

This raises a problem for those web sites depending on ad revenue. Where is the balance when consumers are compelled to drink from a poison-laced well?

So, who is responsible? There are many places to point fingers, but web sites who want us to drop our adblockers are asking us to trust them and all the participants in the chain. That is akin to unprotected sex. I trust my partner, but do I trust every partner my partner trusted?

Also – Malwarebytes AntiExploit kit has an auto-reporting capability. When it detects an exploit such as Angler it reports the detection in real time. This is one way Malwarebytes gets literally up-to-the second information. Recommended for your consideration. Yes, I use it myself. No, I gain nothing from the recommendation. -ed ]

3/16/2016  Sex Toy IOT (we’re not kidding)

At a news conference Trend Micro spokesman Udo Schneider placed a large, neon-pink sex toy in front of him and caused it to function from his laptop computer. The somber message is that the inherent danger of the internet of things reaches everywhere and to every connected thing. More at Reuters.

3/17/2016  Apple App Store spread AceDeceiver

New malware can infect non-jailbroken devices without user confirmation.

AceDeceiver exploits flaws in FairPlay, Apple’s digital rights management (DRM) software. Although the affected app has been removed from the App Store, any device that had it remains affected via a man-in-the-middle attack (graphic) that gets between the user and the App Store on each new download.

Apple allows users to purchase and download iOS apps from their App Store through the iTunes client running on their computer. They can then use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge. [ Source. Highlighting ours – ed ]

Three different iOS apps were available at the official App Store between July 2015 and February 2016, all claiming to be wallpaper apps. Apple’s code review was bypassed at least seven times. AceDeceiver only displays malevolent behavior in China, but that could easily change.

The broader impact: This vector does not require manipulation of certificates thus bypassing all the current or future certificate controls. The existence of AceDeceiver showed how easy it was to avoid code review and enter into the App Store. Automatic installation without user participation makes the user unable to stop it. It works on non-jailbroken (i.e. all-Apple) phones.

Much more detail at Palo Alto Networks and a summary at The Register/UK.

3/17/2016  State of the Phish Report

Wombat Security has published a report (12 page PDF) on phishing trends including impacts, costs of a successful phishing attack, the effectiveness by types of attack (the urgent email has a 28% click rate), the improved click-rate with personalization, click-rate by industry, common protection types, and more.

3/18/2016  StageFright – Welcome Back (not)!

Some evil things never die. The latest is Metaphor, a StageFright variant.

To get infected just visit a web page with a multimedia file containing malware (MalMedia?). In seconds, your phone has been compromised. Details are in a 38 page PDF. There is a summary (video 56 seconds) showing a real time capture. More at The Hacker News. More on StageFright from BlackHat 2015 (video 56m).

3/18/2016  Oh ‘droid users …

A major chip in ‘droid & IOT use has vulnerabilities. As if cell phone users didn’t have enough concerns the Qualcomm Snapdragon chip has some major programming blunders allowing for root-level access to your device. The same chip family is also used on the internet of things and some of those don’t get updates at all. Details from Trend Micro. Summary from The Hacker News.

3/18/2016  Security professional arrested, but

He was the victim.

The consequences of finance related theft are easily understood by just about everyone. Your money vanishes from your bank, your charge bills get inflated, you’re out of money and you have bills to pay.

The consequences of identity theft are less understood. Some of those consequences are also financial. Loans may be taken out in your name, other debts may be incurred. Sometimes the actions of someone with your identity are other forms of criminal behavior and one day the police arrive and arrest you in front of your kids for a number of crimes including burglary. It happened to him, could it happen to you? What happened before, after and how to avoid the same problem at Krebs on Security.

3/19/2016  Ever wonder?

If you have an FBI file? Unhappy with the paperwork to find out? Wonder no more.

As a public service some folks have created www.GetMyFBIfile.com. In addition to the FBI you can also generate forms for files from the Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), Defense Security Service (DSS), U.S. Army Criminal Investigation Command (CID), U.S. Secret Service (USSS), and the U.S. Marshals Service (USMS). Why not National Security Agency (NSA)? According to the site information they did until they discovered it was a massive waste of your time as the NSA denied every request.

This web site asks you for information then PRINTS the forms you need to get your file from the FBI and some other places. If you don’t want to provide some information on the web site (they say they don’t keep information) LEAVE those fields blank and fill in by hand after printing but before mailing. It is not an interactive way to request your file.

The site prepares the form(s), you complete it(them) and mail it. No notarization necessary. Because federal agencies are entitled to collect “reasonable” fees there is a field for you to show the maximum amount you can get billed. At $0.10/page the web site people recommend a $30 limit for 300 pages. Again, you pay the web site nothing, they are preparing the pages as a public service.

If you want a report on someone else there is a companion site www.GetGrandpasFBIfile.com.

3/20/2016  ProtonMail ends 2 year beta.

Swiss-based ProtonMail has opened registration to all.

Scientists launched ProtonMail as a secure email service in May 2014 using over $500k from crowd funding and $2M from Charles River Ventures and the Fondation Genevoise pour l’Innovation Technologique in Geneva. ProtonMail is end-to-end encrypted between ProtonMail accounts. This means the intermediary servers never hold plain-text content, even if a government wants it. (Mail exchanged with other providers is only protected end-to-end if it is sent as a password-protected message; otherwise it is ordinary email once it leaves ProtonMail.) Registration has run at over 10,000 a day, generating a delay. There is no advertising in ProtonMail (ads are a security concern), so ProtonMail depends on its paid customers and donations. Mobile apps are also available. More, including how it works, at The Register/UK.

3/20/2016  HTTPS transparency

Google tracks use of encryption on the internet

Google has a transparency report with eight major topics, news and more. The most recently added topic tracks the use of HTTPS across Google services and on major sites other than Google’s: which run HTTPS by default, which can support it if the user asks for it, and which do not support it at all. You might be surprised by what does and does not.

3/21/2016  New Apple Vulnerability

A professor and three students from Johns Hopkins University found a flaw in iMessage’s encryption allowing decryption of intercepted iMessage attachments, including photos and videos stored on iCloud. It isn’t simple to exploit. See The Register/UK and more at Naked Security / Sophos.

[ The surprise appearance of a new vulnerability is dismaying, but may actually support Apple’s position regarding the All Writs Act (start of the story) which applies when there is no alternative. This exploit appears to present such an alternative. -ed ]

3/21/2016  VA cited for info sec weakness

Three dozen wide-ranging recommendations were made to address a “material weakness” in the information security program of the Department of Veterans Affairs (VA).

The Chief Information Officer testified before the House Oversight and Government Reform Committee’s subcommittee on information technology that the VA plans to address a portion of the audit findings by the end of 2016 and the remainder by the end of 2017. For the nation’s largest healthcare provider this seemed rather slow. The subcommittee chairman said “The goal … to eliminate material weaknesses by the end of 2017 is … too long … bad guys are moving at the speed of light, and we’re moving at the speed of bureaucracy”. In written testimony the Office of the Inspector General noted that the most recent audit, completed in November 2015, was the 16th consecutive year in which IT security controls were identified as a material weakness. The report (53 page PDF) lists deficiencies in security management, identity management, access controls, configuration management, system development, change management, contingency planning, and much more.

The VA is seeking to nearly double its cybersecurity budget in fiscal 2017 to address custom software written in COBOL dating from the 1960s, its 834 custom applications, and its base of computers running Windows XP, which Microsoft no longer supports. See the summary at Data Breach Today.

3/21/2016  NIST has new guidance

The National Institute of Standards and Technology (NIST) has drafted guidance for organizations that allow access to enterprise systems from outside the network by devices owned by employees, contractors etc. (commonly called BYOD). More at Data Breach Today.

3/21/2016  White Hat Nation

Facebook started its Bug Bounty program in 2011 and since then one nation has been the clear leader in finding bugs: India. More at Naked Security / Sophos.

[ Glad they are not with the dark side! -ed ]

3/22/2016  Realtime Video Alteration

“Facial re-enactment” changes the subject face in real time

Jon Stewart made extensive use of vast video archives to skewer people (especially politicians) with their own words from their own mouths. It was effective because, short of acknowledging a change of mind (a political rarity), subjects could rarely refute themselves. The veracity of video is now questionable due to a capability that previously existed only in science fiction and cinema.

The Computer Graphics Laboratory of Stanford University has released a paper (14 page PDF) describing a resource-sparing facial re-enactment capability to map the facial expression of a performer over the video subject. This is not a transplanted image. The software reads the expressions of the live performer and modifies the video face of the subject as shown in this video (6m 35s)(there are periods without sound) showing how seamless the process is. The concept uses simple RGB input and works in real-time. As a result a video showing someone saying one thing may be complete fiction. More at International Business Times and Naked Security / Sophos

3/23/2016  Another Hospital Infected

Hospitals are proving to be ill-protected and profitable targets.

Hospitals are susceptible to attacks on their equipment, they tend to focus on protecting data (not patients), and they are having a hard time training people and otherwise protecting themselves from ransomware.

Methodist Hospital, based in Henderson Kentucky (just south of Evansville Indiana), was infected with Locky ransomware. To limit the infection the hospital declared an “internal state of emergency” and shut down its networks, reverting to 1970s communication and manual recordkeeping. The hackers are asking for a small fee of four bitcoins (about $1,600) and the hospital hasn’t ruled out paying the ransom. More at Krebs On Security.

[ What can you do to prepare? Even after paying the ransomware might be temporarily disabled and resurface. Or the crooks will take the payment and not deliver. A rising concern is that the crooks will exfiltrate the data and use it to sell identities. That won’t be resolved by a ransom. Kipling recommended against paying a long time ago. -ed ]

3/24/2016  What is next for Apple?

It has been reported for several years that governments have intercepted computers and components in transit, altered them, and sent them on their way, already vulnerable to intrusion even before being placed in service. Apple computer is looking to build its own servers as a way to prevent that. More …

3/24/2016  State Law & Cyber Risk Insurance

Your company has a data breach. What are your responsibilities? It depends not only on the state of the company, but the state of the residents. Because the responsibilities are different so are the insurance offerings. There is no one size fits all. The policy names include Cyber Risk, Data Breach, Privacy, Network Security and more. They are all different from theft and theft-by-electronic-means. Make no assumptions about what you need and what you are being offered. See this document (96 page PDF) for a state-by-state summary of requirements.

3/24/2016  Lottery not-quite-hack

Terminals used in the 5 Card Cash game of the Connecticut Lottery were manipulated to produce more instant winners. First-degree larceny, first-degree computer crimes and rigging a game are the three felonies being charged. The game was suspended in November, six people were charged by mid-March and more charges are expected. The terminals were not hacked: someone noticed that the terminal revealed whether a ticket was a winner before it was printed. Winning tickets were printed and claimed; the others were canceled before printing. More at the Hartford Courant.

3/24/2016  Webcasts on line

Sophos ran a webinar a day for a week. Unfortunately they were timed for the UK audience. Now they’ve put them on line. The titles are:

Social Engineering – when charming crooks talk to helpful users
Can you strengthen security by weakening it?
Malvertising: When trusted websites go rogue
Inside a hacker’s toolkit
What’s next for the Internet of Things?

3/25/2016  The value of a thing

is the cash it will bring. Using that metric it appears that stolen Uber accounts, selling for about $3.78 each, are a bit more valuable than personally identifiable information (PII), selling for between about $1 and about $3.30. Why? Uber accounts are more rapidly converted to cash. More at CNBC.

3/26/2016  Dot-Gov Redirects

In brief – just because the URL you receive ends in .gov does not mean a government agency sent it.

There are two parts to understanding this. The first is the “open redirect”. URLs that forward the visitor to another place are called redirects. An open redirect is one where the destination is taken from a parameter supplied by whoever builds the link, without the site checking that it points somewhere the site intends. Sort of “forward to (some place we’ll fill in later)”. Scammers insert their own domain and then feed that URL to a URL shortening service. So www.usa.gov/redirect.php?url=MeCrook.com could become the short link 1.usa.gov/#ajhjhe, which gives no clue as to the intended destination, yet carries the credibility of a .gov domain. This is not a new problem. In October 2012, Symantec reported that about 15 percent of 1.usa.gov URLs pointed to spam. More at Krebs On Security.
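The two sides of the problem described above, as an added example that is not code from usa.gov, the shortener, or the Krebs/Symantec reporting: a redirect handler written the open way next to one that only forwards to hosts the site owns, plus a check you can run on the expansion of a shortened link before clicking it. The site hostname and the allowlist are assumptions standing in for a real site.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlparse

# Added example; SITE_HOST and ALLOWED_HOSTS are assumptions, not usa.gov's config.
SITE_HOST = "www.usa.gov"
ALLOWED_HOSTS = {"www.usa.gov", "usa.gov", "search.usa.gov"}
DEFAULT_LANDING = f"https://{SITE_HOST}/"


def vulnerable_redirect(url_param: str) -> str:
    """The open-redirect pattern: whatever arrives in ?url= becomes the Location header."""
    return url_param


def safe_redirect(url_param: str) -> str:
    """Only redirect to hosts we own; anything else lands on the default page."""
    if not url_param:
        return DEFAULT_LANDING
    # Resolve against our own origin so relative paths still work, then inspect
    # the result: "//MeCrook.com" becomes an absolute URL with a foreign host,
    # "javascript:..." keeps its scheme, and "https://www.usa.gov@MeCrook.com/"
    # parses with hostname MeCrook.com, not www.usa.gov.
    target = urlparse(urljoin(DEFAULT_LANDING, url_param))
    if target.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    host = (target.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING
    # Rebuild the netloc from the validated hostname alone, dropping any
    # userinfo or port the caller smuggled in.
    return target._replace(netloc=host).geturl()


def external_redirect_target(url: str) -> Optional[str]:
    """For a link you received: return the foreign host named in any query
    parameter that is itself an absolute http(s) URL, or None if there is none.
    Run it on the expanded form of a shortened link before you click."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                if inner.hostname.lower() not in ALLOWED_HOSTS:
                    return inner.hostname.lower()
    return None


if __name__ == "__main__":
    link = "https://www.usa.gov/redirect.php?url=https://MeCrook.com/login"
    print("open redirect sends you to:", vulnerable_redirect("https://MeCrook.com/login"))
    print("allowlisted redirect sends you to:", safe_redirect("https://MeCrook.com/login"))
    print("foreign host hidden in the link:", external_redirect_target(link))
```

The allowlist approach is the whole fix: a denylist of known bad hosts, or a check that the parameter merely "starts with" the site’s name, is exactly what the userinfo and protocol-relative cases in the comments get past.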

3/27/2016  Campaign Websites

So, how well are these sites configured for security? Summary: BernieSanders.com is ahead of HillaryClinton.com and DonaldJTrump.com beats TedCruz.org. Details at eWeek

3/30/2016  CNBC teaches security with an untwist

CNBC put up an interactive tool to test user-supplied passwords for strength. Unfortunately the page was served over plain HTTP, so the password traveled across the network in the clear, and the tool shared what was typed with more than two dozen third-party services. The article, and the tool, have been taken down. More at the Washington Times.

[ If you voluntarily entered your bona fide credentials into an on line anything please don’t complain when you get hacked. While the CNBC tool and some others are genuine in their sincerity to provide you feedback, many are not. Some on line or app games ask you to provide credentials to post your score on social media. You just gave them the keys. If you want to test a password for strength use something similar, not the real thing because once you disclose MyPa$$wordIs_A_secret_4me has a strength of zero. -ed ]

3/31/2016  Making money by printing it

Was that $100 bill printed by the US Bureau of Engraving and Printing or by an artisan in Peru?

The texture, the raised lettering, the security thread and other measures are all countered. How do these fakes get into the United States? Generally by the same routes as people, some legal, some illegal. At a purchase price of 25% of face value for new customers, many think the risk is worth it. More at The Guardian.

3/31/2016  Apple updates expose users

The latest updates, OS X El Capitan 10.11.4 and iOS 9.3, still contain a privilege escalation vulnerability that bypasses Apple’s System Integrity Protection (SIP) and could affect 130 million Apple customers. The exploit code is so short the researcher posted it in this tweet on 3/27. Looking at the tweet won’t compromise your system. The exploit opens places even the root user is not allowed to go. (The Register)

3/31/2016  Deep Dive into Joker’s Stash

Security researcher Brian Krebs takes a long look at a web site where card information is for sale, with guarantees, volume discounts and more. See Krebs On Security

3/31/2016  March 2016

For 1/1–3/31/2016 the number of reported breaches is lower than in the same period of 2015, but the number of records compromised is already at 95% of the entire 2015 total, thanks to a few massive breaches. See the summary table.

4/02/2016  Epoch Ending

A period in time marked by a notable event is about to occur. The “Internet”, capitalized because it is a proper noun, is ending. The Associated Press announced via a tweet that its stylebook, followed by so many journalists, will no longer capitalize “internet” as of June 1st, 2016. There are arguments pro and con. We call our sun “Sun” because we refer to just the one. For many years the Internet was just the one, but as the network grew, there became many. There will be holdouts, but at least one standard setter has put its electronic type where its mouth is, on the internet. More at The Verge.

4/02/2016  Hacking Police Drone

IBM security researcher Nils Rodday presented at Black Hat Asia 2016 on how $40 of hardware can hijack a $28,000 quadcopter drone from two kilometers away. The long-distance link between the operator and the drone uses Wired Equivalent Privacy (WEP), a deprecated encryption protocol that can be broken in under a minute. There are other vulnerabilities. See The Hacker News.

4/03/2016  Your vote counts … right?

In some countries not far from the US the answer is decidedly no. Meet the hacker who rigged elections over the past decade. He also did smearing, hacking, and spying on rival candidates. His epiphany? “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”. More at HackRead

4/03/2016  Political fallout from failed communications security

Many people think that their conversations over copper, over the internet, or over the air are generally private except perhaps from an intelligence service. Well, it ain’t so. Greece owes a lot of money to European creditors. In March a conversation was exposed by WikiLeaks and the disclosure may sink, or at least put a hole in, the bailout plan. Why? There is an 86 billion Euro bailout in the works and some of the people on the call are arguing (privately, they think) that the debt should be reduced first, which isn’t going to make some people very happy. More at NY Times.

4/03/2016  IRS counter-fraud slows tax returns

Thanks to the growing number of persons exposed by successful W2 scams and other exposures of personally identifiable information (PII) the IRS and state tax agencies are implementing counter-fraud activities which slow return processing. Great concept, but again, the lawful are paying the price. All the more reason to get your withholding settings close so you get the benefit during the year instead of waiting longer for that money which was yours to begin with. That is why it is a “refund”. More at Krebs On Security.

4/04/2016  Speeders get eTickets, but not from police

Admit it, you were speeding and this time you got an email to pay up or go to court. Just click here to pay it. Don’t! This is a rising scam. More…

4/03/2016  Truecaller Exposes

100 million users at risk. Update now.

You get a call on your cell phone. Does it say “Telemarketer”? Do incoming texts come from “Spammer”? Truecaller was created to match telephone numbers with known bad actors and block them. To use Truecaller on your ’droid, iPhone, Blackberry etc. you identify yourself to them: name, telephone number and more. They send you a confirmation and you never have to log in again, because they also recorded your unique device ID and use it as your credential. Unfortunately anyone who presents your device ID can see all the profile information you provided and change all the settings you made. The number actually exposed could be zero, but the risk is real. Truecaller didn’t hem or haw: updated versions that close this opening are available. More …

4/03/2016  Reddit Warrant Canary sang on 3/31

Some legal proceedings carry “gag orders” where the person or company is prohibited from disclosing even the existence of the proceeding. There is a caveat: the agency that issued the subpoena, national security letter, etc. cannot force the company to lie and say there isn’t such a proceeding when there is.

In a clever twist of logic some companies have adopted Warrant Canaries: published statements that change or vanish when the companies are no longer able to say that their hands are not tied by “secret” orders. So, if a company has a statement “We have not been served”, and that statement disappears, they’ve been served. Watching for all these birds is a chore for an average consumer, so https://www.canarywatch.org/ was created. The number of companies whose canaries have been triggered is eye-opening. In addition to Reddit there are Pinterest, Tumblr, Adobe, Qubes OS, Cloudflare, ProtonMail, several VPN providers and more. Of interest was a canary triggered at Office of Inadequate Security, a site devoted to exposing poor security. Triggered canaries also include The Internet Archive and Cheezburger!

Follow CanaryWatch on Twitter for new additions. The canaries are re-checked to see if they’ve been restored. Hopefully the birds won’t sing too often.

7/06/2016 Update  Warrant Canary sang, or did it?

There is no question that the warrant canary at Silent Circle, a provider of secure email and messaging applications, has died. The company said it was just a “business decision” to remove the canary.silentcircle.com pages. The company general counsel said “We have not received a warrant for user data”, which leaves open warrants for other things. That statement was updated to “We have not received a warrant”, which leaves open demands for information other than a warrant, such as a national security letter. Silent Circle is based in Switzerland, as is ProtonMail, which said “ProtonMail has received about 30 warrants already with over 10 coming in the last quarter alone. We are now getting several per month. For Silent Circle to claim they have never been served with a warrant for user data beggars belief”. ProtonMail maintains a transparency page that provides much information. So, did Silent Circle get some order to divulge or not? Not knowing can’t be good for the users who went to Silent Circle for security in the first place. More at TechCrunch.

[ Sad news CanaryWatch isn’t updating any more. -ed ]
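The two canary items above (Reddit’s vanished canary and Silent Circle’s quietly reworded one) are both things a reader can check for themselves. Below is an added example of the logic a canary watcher needs, written for this page and not taken from CanaryWatch or any company’s code: keep the last copy of the statement you saw, then classify the current copy as gone, stale (no fresh date), reworded (same date pattern but different words), or ok. The canary texts and the “As of YYYY-MM-DD” date line are constructed for illustration; real canaries usually also carry a PGP signature and a recent headline, which this check does not verify.

```python
import hashlib
import re
from datetime import date, timedelta
from typing import Optional

# Constructed canary texts (not a real company's) for this example.
CANARY_MARCH_1 = """Warrant canary
As of 2016-03-01, ExampleMail has not received any national security letters,
court orders for user data, or gag orders of any kind, and has not been
compelled to modify its systems to facilitate surveillance."""

# Routine refresh: identical wording, newer date. Should not alarm.
CANARY_MARCH_29 = CANARY_MARCH_1.replace("2016-03-01", "2016-03-29")

# Quiet rewording of the kind described in the Silent Circle item: the
# statement has become narrower even though the date is fresh.
CANARY_MARCH_29_REWORDED = CANARY_MARCH_29.replace(
    "court orders for user data, or gag orders of any kind", "court orders for user data")

# Constructed "today" values for running the check offline.
CHECK_DATE = date(2016, 3, 31)
LATE_CHECK_DATE = date(2016, 5, 15)

DATE_RE = re.compile(r"As of (\d{4})-(\d{2})-(\d{2})")  # assumed date-line format


def canary_date(text: str) -> Optional[date]:
    """The freshness date the canary claims, or None if there is no date line."""
    m = DATE_RE.search(text)
    return date(*map(int, m.groups())) if m else None


def canary_fingerprint(text: str) -> str:
    """Hash of the wording with the date and whitespace normalised away, so a
    routine date refresh is not an alarm but any change of wording is."""
    body = " ".join(DATE_RE.sub("As of <date>", text).split())
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def canary_status(previous: str, current: Optional[str], today: date = CHECK_DATE,
                  max_age_days: int = 35) -> str:
    """Classify the current canary against the last copy you saved.
    Order matters: a missing page beats a stale date, which beats a rewording."""
    if current is None or not current.strip():
        return "vanished"
    stamped = canary_date(current)
    if stamped is None or today - stamped > timedelta(days=max_age_days):
        return "stale"
    if canary_fingerprint(current) != canary_fingerprint(previous):
        return "changed"
    return "ok"


if __name__ == "__main__":
    for label, current in [("refreshed", CANARY_MARCH_29), ("removed", None),
                           ("reworded", CANARY_MARCH_29_REWORDED)]:
        print(f"{label}: {canary_status(CANARY_MARCH_1, current)}")
```

The "changed" state is the one people miss: a canary that is still there and freshly dated can still have stopped saying what it used to say, so the fingerprint compares wording with the date stripped, and any difference is something to read line by line.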

4/04/2016  Ransomware Alert

Being held for ransom is a club with a growing membership. Good for crooks. Bad for us. The US and Canada have issued an alert including seven steps to prevent getting infected. Step eight is what to do if you got infected: don’t pay. More at Naked Security / Sophos

[ Kipling wrote eloquently on why not to pay ransom. -ed ]

4/04/2016  US Government files exposed for years.

An FBI alert dated February 12, 2016 says:

The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks. This group utilized the domains listed herein in furtherance of computer network exploitation (CNE) activities in the United States and abroad since at least 2011. Research and analysis indicate that these domains were associated with the command and control (C2) of customized malicious software. Furthermore, these domains have also been used to host malicious files – often through embedded links in spear phish emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement. [ source has a list of the domains. Highlighting ours -ed ]

An information security expert with 20+ years in US Special Operations Command said this alert shows that the US government still is not in control of what’s going on inside its most sensitive networks. “It’s just flabbergasting … How many times can this keep happening before we finally realize we’re screwed?” More at Motherboard

4/06/2016  Win10? NEVER!

Windows Version 10 (Win10) has perhaps drawn more criticism and generated more fear than any other OS or upgrade. The horror stories about a lack of drivers, malfunctions, and more get the press. Good upgrades from prior Windows versions and good initial installs are harder to find. The number of people who are tired of having to decline pushy ad-ware from Microsoft are growing in number and unhappiness.

Late in March, Steve Gibson (founder of Gibson Research, creator of SpinRite and other things, and all around good guy) updated an application called Never10. (Never10 home  details) If you are happy with your current Windows, or know your hardware won’t support Win10, and you are tired of declining the ad-ware, or are scared that one day you’ll click the wrong thing and suddenly have a brick where you used to have a computer, this is for you. Earlier antidotes involved editing the registry (another fear generator), downloading scripts, or other technical means.

Mr. Gibson made it easier with Never10. Download the Never10 application and run it. Never10 detects whether the Win10 upgrade offer is already OFF; if it is ON, it offers a one-click option to turn it off. Better, the setting can be undone if you later want to install Win10. Never10 is a stand-alone executable: it installs nothing and only sets the Windows Update policy settings Microsoft itself documents for blocking the upgrade. You can delete it when you’re done. RECOMMENDED

4/06/2016  Social Media at work? Bad idea

18% of malware infections at businesses are delivered via social media. Get rid of social media? Not a solution because companies use them. 73% use Facebook, 64% use LinkedIn and 56% use Twitter to interact with customers, project a better public image and attract new talent. More at Panda Security

4/08/2016  Be Wary of eBay

7 reasons to be wary: a history of being hacked in big ways. Existing systems little improved, leaving room for future hacks. Slow – eBay customers often hear of security problems from the media before they hear from eBay. Apparent unconcern about the problems of individual customers. Need more? See …

4/10/2016  UK Immigration hacks refugees

Refugees are generally fleeing something, and repressive governments rank high on that list. While apparently legal, hacking the cell phones and computers of refugees who are not suspects seems more than a bit heavy handed. More at …

4/11/2016  US Senate would prohibit effective encryption

Just a draft bill for now, but if you enjoy protection via encryption you might be rather upset with the US Senate who wants a copy of the keys for themselves while making it easier for crooks. See ECN …

4/12/2016  5 too-common security myths

Trying to improve internet security often runs up against widely-held, but factually incorrect, cyber security myths.

The “Deep Web” isn’t the source of all the problems. “Deep” refers to content that popular search engines do not index, such as pages behind logins, database query results and paywalls; well indexed sites make up the “Open” (or surface) web. The “Dark” web is the part reachable only through anonymity networks such as Tor, and isn’t really any place in particular. Many people confuse the two, but Myth #1 is “The network would be safer if we shut down the deep web”. No. More grief comes from the open web.

Backdoors are generally techniques to bypass security for software. Myth #2: Software must have back doors for governments. So not true. Given the recent cyber exposures at various government agencies the techniques will become common knowledge, not to you, but to the crooks. More at Panda Security

4/12/2016  Crooks getting smarter. Be cyberworried.

Today Symantec released the latest Internet Security Threat Report. Summary: expect more clever attacks by increasingly sophisticated crooks. Crooks are finding zero-day vulnerabilities (flaws the vendor does not yet know about, so no patch exists) faster and exploiting them just as fast. Adobe has had to issue a series of “emergency” patches, which raises another question: why is such vulnerable software being released in the first place? Even web sites you may trust are havens for malware. Symantec estimates 75+% have vulnerabilities, and 15% are so vulnerable that crooks can access and manipulate the site easily. More exposures are happening, but fewer make the general media, as non-reporting and under-reporting run rampant. More at NBC News.

4/12/2016  Anti Surveillance Technique used by Terrorists

Your webcam can be activated by a remote access trojan (RAT) perhaps without illuminating the LED. That little camera may be watching you. To defeat such RATs, the Director of the FBI uses a common office supply, tape, to stop the camera from gathering intelligence. That part isn’t a joke (see reference) but being worried that having a lot of tape will put you on a watch list might be. More at Naked Security / Sophos.

4/12/2016  Irony so thick …

The Onion Router (Tor) is a system for anonymous browsing. The FBI used an exploit against the Tor Browser in an investigation, and last month a judge ordered them to disclose it to the defense. The FBI is resisting. More at The Hacker News.

4/12/2016  Just because it is on the internet …

Does not make it true or accurate. One family has been the victim of numerous visits by the FBI, IRS, US Marshals Service, police, angry people and more. Are they the victim of some smear campaign? No. A service called “IP mapping” takes an IP address and reports where it is. (Try it) That should be where it “thinks” it is. The reported location may be a house, may be the internet service provider’s location, or in the case of an unknown location, they show the center of the United States which is at 39°50′N 98°35′W or in digital mapping parlance 39.8333333 latitude,-98.585522 longitude. More than a decade ago a company refined this to just 38°N 97°W. So when it can’t find a location, rather than report “Sorry, we can’t find it”, they report 38°N 97°W which is a particular spot called “Taylor Property”. More …

The same sort of problem occurs when lost or stolen smartphones try to report their location to their humans. If they can’t triangulate they report something else, much to the unhappiness of a family in Atlanta, Georgia. More …

4/12/2016  Facebookers – a scam targeted at you!

Accept as a given that some people would rather do without food than FaceBook. So, when you get a notice that your account has been suspended for an account violation, you get so fearful your thinking brain goes into park and your emotional brain goes into overdrive. (This happened to me when a “US Marshal” called about a warrant for me!)

Take a deep breath. It is a scam. Do NOT click on the provided link. It will take you to a page that LOOKS like FaceBook but isn’t. More at Hack Read.

4/12/2016  Hacking a radio station?

At least four US radio stations were hacked and broadcast a … furry … podcast instead of their regular programming for about 90 minutes. How? Someone used the Shodan search engine, which indexes internet-connected devices, to find Barix audio streaming devices that were reachable from the internet without proper password protection. The crooks took them over, connected the rather raunchy podcast, then locked out the station engineers. More at Sophos.

4/15/2016  Senate Subverting You

The US Senate, in their zeal to, to, to … do something, have proposed a new law that essentially bans some core elements of cyber security. In the words of one “In my nearly 20 years of work in tech policy, this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”

Senator Ron Wyden of the Senate intelligence committee: “This would effectively outlaw Americans from protecting themselves … It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers, and criminals. … it will not make us safer from terrorists or other threats.”

Gary Shapiro, president of the Consumer Technology Association: “Intelligence community leaders such as former NSA and CIA director Michael Hayden, former Homeland Security director Michael Chertoff and former NSA director Mike McConnell have spoken out against similar proposals.”

Terrorists intent on using, say, a messaging app with end-to-end encryption need not rely on what’s built in the United States by above-board tech-firms. If end-to-end encryption is outlawed, the law-abiding will lose access. Outlaws won’t. More …

[ We’ve written this before: laws affect only the lawful. Crooks will use other methods and the law abiding will be rendered less capable of proactive defense in the name of security. -ed ]

4/15/2016 Update  Senate bill … more

The proposed bipartisan bill is Compliance with Court Orders Act of 2016 (10 page PDF). A discussion draft was released last week. It raised considerable discussion and this from the ACLU:

“This bill is a clear threat to everyone’s privacy and security. Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality. It would force companies to deliberately weaken the security of their products by providing backdoors into the devices and services that everyone relies on. Senators Burr and Feinstein should abandon their efforts to create a government backdoor.” [ source highlighting ours -ed ]

The proposed version is no better. It would require persons or firms to comply with court orders to decrypt phones and their data. The list of who could be compelled includes “any person who provides a product or method to facilitate communication or to process or store data.” The draft indicated that compliance could be compelled for “crimes resulting in death or serious bodily harm, terrorism and espionage, Federal drug crimes, crimes against minors, or severe violent felonies.” It demands that the data be made intelligible under court order without specifying how a provider is supposed to do that. Technology groups, legislators, the White House and more are not supporting the bill. See The Hacker News.

4/15/2016  Let’s Encrypt the Web

While legislators propose ineffective, or counter-productive, legislation, there is a movement by many participants to add security to the entire world wide web called Let’s Encrypt. The goal is to move tens of millions of web sites from the standard, but not secure, HTTP to HTTPS. Without that trailing ‘s’, HTTP connections can be intercepted, read and altered by anything between the user and the host. More at Wired.

4/15/2016  URL shorteners open doors you might want closed

Short URLs cannot be relied upon to keep the linked content private. The token after the shortener’s domain is only a few characters long (six, for the services studied), so the whole space can be enumerated by brute force, exposing links that were meant to be seen only by the person they were sent to. Worse, on some cloud storage services a short URL to one file leads to a location from which other files in the same account can be reached. Unless that content is meant to be public, be wary. Read the paper Gone in Six Characters: Short URLs Considered Harmful for Cloud Services (11 page PDF) where “We demonstrate that the discovery of a short URL for a single file in the user’s OneDrive account can expose all other files.”

Using short URLs (instead of the hundreds of characters in an actual mapping URL) to share mapping data is rife with exposure potential. The researchers identified a “young woman” who had shared directions to a medical facility. Starting with the short URL from Google Maps, they found her home and confirmed her address, full name and age. “That’s a very substantial privacy leak.” See Wired.

4/15/2016  Your phone can hack your router

Home routers are little bits of indispensable technology that most consumers take for granted. Sometimes the functionality is built into your cable modem making the wiring a little easier. Some of the “making it easier” just opened a big can of potential whoop-ass and it is yours getting whooped. Why? Turns out your mobile device can be used to infect it.

What does it do? Many bad things, but think of this one. You want to reach MyBank.com, whose real address is, say, 192.0.2.10. The DNS server setting in your router has been changed to point at a resolver the crooks control, so your lookup of MyBank.com returns 198.51.100.20 instead (addresses from the documentation ranges, for illustration). That server looks like MyBank.com and will gladly take your login credentials before telling you to try again later. While you wait, the crooks use the credentials you so kindly provided to take your money.

Which routers and where? D-Link, TP-LINK, ZTE and more manufacturers are known to be vulnerable. Although Taiwan is most infected (chart), the US is in the top 5 along with Japan and China.

What can protect me? Bite the bullet and figure out how to change the default router account name and password. You don’t want to know how many million use “admin” for both. That is a good start. For more see the Trend Micro report and Digital Trends.

4/15/2016  Microsoft for the Defense!

Microsoft stands up for the First Amendment to our Constitution

The Electronic Communications Privacy Act (ECPA) allows suppression orders (“gag orders”) requiring parties to a case not to communicate with anyone else regarding that case. This can require a company to provide customer information to a third party without notifying their customer who trusted them with that information.

Microsoft objects. In the United States District Court, the Western District of Washington State at Seattle, they filed a Complaint For Declaratory Judgment vs The United States Department of Justice, and Loretta Lynch, in her official capacity as Attorney General of the United States. (17 page PDF)

The objection is not to the concept of gag orders, but their allowable indefinite duration. In the past 18 months the company has received almost 2,000 orders with no expiration date. Even after the investigation Microsoft can’t tell its customers there was an order. To protect national security during an investigation is one thing, but “the US government is misusing it to carry out unconstitutional secret data searches without ever telling people.” More at The Hacker News

4/15/2016  Is mass transit listening to you?

Not customer complaint type listening, but more like audio surveillance, you know, eavesdropping?

New Jersey does, in the name of anti-crime and counter-terrorism. Some other systems are either activated by the operator or automatically operated in case of a sensor-determined accident. These are on all the time, recording every conversation, just in case crooks are planning the next caper while riding on public transit. (source Associated Press via New Jersey 101.5 website)

Do riders have an expectation of privacy? If so, then this is warrant-less, inappropriate “indiscriminate mass surveillance”. In Maryland, the state Senate is moving forward a bill to ban the practice. State Senator Robert A. Zirkin, chair of the Judicial Proceedings Committee noted that over 80% of the Maryland Transit Authority (MTA) buses are audio capable. Similar legislation failed to pass in several preceding years. More at Naked Security / Sophos

[ Who listens to all those recordings? In the old days people did. See The Anderson Tapes 1971 directed by Sidney Lumet with Sean Connery, Dyan Cannon, Martin Balsam, a young Garrett Morris and a very young Christopher Walken. -ed ]

4/16/2016  Security Scorecard Fed/State/Local

The 2016 Government Cybersecurity Report analyzes the cybersecurity, or lack thereof, for 600+ local, state, and federal government organizations in the United States. The results are not good.

Federal government organizations received the lowest overall security scores. NASA and the Department of State were at the bottom. In state organizations, among those who did not get A, 90% scored F in at least one category. 80% scored F in Network Security. At the bottom of state organizations were Connecticut, Pennsylvania, and Washington. More at SecurityScorecard via PRNewsWire

4/16/2016  Uber reports to government agencies

Public conveyance companies have had to report pickup place, drop off, and similar information for years. What makes Uber different is that it can, and has been requested to, provide a lot finer granularity.

In its first transparency report Uber reported information provided to regulators covering MORE than 12 million riders and drivers during the last six months of 2015. That was just regulators. Federal and state law enforcement agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. Uber provided information for 469 requests.

In its transparency report Uber has placed a warrant canary which says it hasn’t received “any requests issued under the provisions of national security statutes.” More at Naked Security / Sophos.

[ Reddit’s canary died earlier this year. See also CanaryWatch FAQ and STATUS -ed ]

4/16/2016  Arbitration Clauses

Back in December 2015 we reported on how the Supreme Court enforced the arbitration requirement as a matter of contract law. Even if there is a major malfunction by the company there is no justice for the multiple injured parties as each would be forced to fund their own cases if arbitration generated an unacceptable result.

Earlier this month Representative Hank Johnson of Georgia, a ranking member of the House Judiciary Committee, implored Congress to call for an overhaul of arbitration and strictly curtail its use. In arbitration the legal system is replaced by a private system which does not provide an even contest for “justice”. Many arbitrators consider the companies their clients. Perhaps worse, arbitration does not have to follow federal or state law. It can be bound by a religious or tribal doctrine.

Some cases that belong in an open court and not arbitration include civil rights cases and employment discrimination disputes. Representative Johnson: “Buried in the fine print of everything from consumer contracts and employee handbooks to nursing home agreements, forced arbitration clauses insulate corporations from accountability by eliminating access to the courts for untold consumers and workers”.

Such mandatory arbitration clauses are buried in millions of contracts from renting a car, obtaining a job, borrowing money, or enrolling someone in a nursing home. Class-action lawsuits are often the only realistic way that multiple individuals can fight a wealthy corporation with superior resources. More at NY Times

4/18/2016  Cyber Security Lessons Lost

Cyber Security isn’t a new concern. Published on 2/11/1970 “Security Controls for Computer Systems, a Report of the Defense Science Board Task Force on Computer Security” was over 70 pages of cyber security concerns that predated the 8/12/1981 launch of the IBM 5150, the “PC”, and the NSF-funded expansion of ARPANET by more than a decade. Now unclassified, the document was originally classified as confidential even though its preface said it contained no information that could not be found in any well stocked technical library. Classification was just to “control dissemination”. More on its relevance to today at Ars Technica

[ Too bad it was classified. If it had been part of a standard curriculum for computer science we might not have had all those vulnerabilities in the first place. -ed ]

4/18/2016  US-CERT: Dump QuickTime

Just in time for two new critical vulnerabilities, Apple’s QuickTime video presentation software won’t receive security updates anymore. According to the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security (DHS), the application should be transferred to the trash can. More at KrebsOnSecurity

4/18/2016  Drone Struck Plane

Yesterday a drone struck an Airbus A320 bound from Geneva, Switzerland to Heathrow, Europe’s busiest hub. None of the 137 souls on board were injured. Do they know about the drone-catching eagle program?

4/19/2016  Ransomware by Resume

Ransomware can be delivered via macros in documents or by visiting a malware-laden web site. A tech trend in job hunting is to post your resume online (rather than sending it) and send a link to the potential employer. That might not be a good idea from the employer’s point of view.

Consider: The applicant provides a link to their resume stored somewhere in the cloud. The company clicks on the link from the email and downloads a file containing a self-extracting Trojan which bypasses the anti-virus software and then delivers ransomware. The link may appear to be “DropBox” or “iCloud” or another cloud storage system, but actually be TheMalwareSite or something equally undesirable. Or the resume is in a ZIP file that contains malware, or a Word doc that contains malware.

Flip it around: someone is looking for a job and sees what appears to be a great one. Just go to the web site and download the info pack. Is the company for real or is it malware bait? Even if the company is real, did someone hack the system to redirect the applicant to a look-alike-site that contains malware?

This is a time for increased vigilance and practicing safe hex. More at Panda Security

4/20/2016  60 Minutes Hacks a US Representative

Cell phone users were known to be vulnerable in 2014. Why is this still a problem?

With the permission of Congressman Ted Lieu (California 33) CBS News gave his iPhone number to Karsten Nohl of German Security Research Labs. Nohl was able to intercept the iPhone, record phone calls, and track his precise location in real-time. How? Over 800 telecommunication systems around the world use a signaling protocol named Signalling System Number 7 (SS7) which is also called Common Channel Signalling System 7 (CCSS7) in the United States or Common Channel Interoffice Signaling 7 (CCIS7) in the UK.

First developed in 1975, with many variants, it has been demonstrated vulnerable since 2014, by the same Karsten Nohl. The vulnerability was no secret. It was published in ZDNet. In a 2014 presentation at Chaos Communication Congress 31c3 in Hamburg, Germany, Mapping Vulnerability of the International Mobile Roaming Infrastructure, they reported “SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud.” (the ZDNet link has links to videos of the presentation)

What can you do to avoid being snooped via SS7? See The Guardian. Also see CBS News

[ Why wasn’t the SS7 vulnerability addressed in 2014? Was someone taking advantage of it? Isn’t “signalling” spelled with one “l”? Back in December 2015 Nohl demonstrated how easy it was to steal PINs and plunder bank accounts as modern payment processing protocols still have many flaws. -ed ]

4/21/2016  Justice Wheels Turn for Consumers

A recent judicial ruling gives consumers a course of action in charge card breaches, and a series of regulatory penalties is making unauthorized disclosure of protected health information more important to companies involved with our personal data.

P. F. Chang’s  In mid-2014 the restaurant P.F. Chang’s was breached in multiple locations. Almost two years later the United States Court of Appeals for the Seventh Circuit, on appeal from the United States District Court for the Northern District of Illinois, Eastern Division, decided (12 page PDF) to allow a class action to move forward. One key phrase was that the plaintiffs “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an “objectively reasonable likelihood” that such injury will occur.” More analysis at Data Breach Today

Raleigh Orthopaedic Clinic  In 2013 a healthcare provider gave over 17,000 x-ray films with protected health information (PHI) to a vendor, but did not have a “business associate” (BA) agreement as required under HIPAA. The agreement binds the vendor to the same privacy requirements as the healthcare provider. The vendor never performed the contracted service of converting film x-rays into electronic ones. The films were sold to a recycling company that harvested the silver. Thus PHI was exposed to at least two companies not obligated to protect the information. In addition to the $750,000 penalty ROC agreed to comply with a resolution agreement (10 page PDF). Several other penalties are described at Data Breach Today

4/22/2016  Win10 QR: Good or Malware?

Windows 10 now offers up a QuickResponse (QR) code with diagnostic information if the infamous Blue Screen of Death (BSOD) should appear. Consumers are supposed to scan it with their smart phone, see information that is perhaps too complex to write down, and contact support. Certainly a nice idea, but it opens an attack path against the same consumer. If malware recreates a BSOD then the consumer will scan the code, which can contain a number of malicious elements including opening a web browser and directing the phone to a malware trap. Some phones allow consumers to require permission before a scanned QR code opens an internet connection, but the phones are becoming so option rich that keeping track of security options is a full time job. It may be we’re spared the dilemma because it may simply not be true, or someone has non-public information. In any case, beware what you QR-scan the same way you are careful about those emails that promise you millions if you help move money. For more see Naked Security / Sophos

4/22/2016  Mac Users! Good News

Considering that new ransomware and variants are being created faster than signature-based antivirus products can keep up, this new approach monitors behavior, not capability. Meet RansomWhere, a no-charge Mac OS X tool that monitors file system behavior for the creation of encrypted files by questionable processes. Ransomware will encrypt a few (hopefully very few) files before being detected. Once detected, RansomWhere will suspend the process and ask the user to continue or terminate the process. More at The Hacker News.
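The behavioral idea above, as an added example that is not RansomWhere’s code: treat a file write whose bytes look encrypted (near-uniform byte histogram, so Shannon entropy close to 8 bits per byte) as suspicious, count such writes per process, and suspend the process after a small number of them. The entropy threshold, the write count, the trusted-process list and the sample events are all assumptions; a real tool hooks file system events rather than being handed them.

```python
"""Sketch of behavior-based ransomware detection: flag processes that keep
writing files whose contents look encrypted.  Added example; thresholds and
sample data are constructed, not taken from RansomWhere."""
import math
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

ENTROPY_THRESHOLD = 7.2   # bits/byte; encrypted (and compressed) data sits near 8.0
SUSPECT_FILE_COUNT = 3    # suspend after this many high-entropy writes by one process


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the byte distribution is close to uniform.  Note the false
    positive: ZIP, JPEG and other compressed formats score the same way, which is
    why the monitor keeps a trusted-process list and asks the user before killing."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class WriteMonitor:
    """Tracks high-entropy writes per process and decides when to suspend."""

    def __init__(self, trusted: FrozenSet[str] = frozenset()) -> None:
        self.trusted = trusted                      # process names allowed to write ciphertext-like data
        self.hits: Dict[int, List[str]] = defaultdict(list)
        self.suspended: Set[int] = set()

    def on_write(self, pid: int, process_name: str, path: str, data: bytes) -> bool:
        """Called once per file write.  Returns True the moment a process crosses
        the threshold and should be suspended pending the user's continue/terminate
        decision; later writes by an already-suspended process return False."""
        if process_name in self.trusted or pid in self.suspended:
            return False
        if looks_encrypted(data):
            self.hits[pid].append(path)
            if len(self.hits[pid]) >= SUSPECT_FILE_COUNT:
                self.suspended.add(pid)
                return True
        return False


def replay(events: Iterable[Tuple[int, str, str, bytes]],
           trusted: FrozenSet[str] = frozenset()) -> List[int]:
    """Feed (pid, process_name, path, data) events to a fresh monitor; return the
    pids that got suspended, in the order they were caught."""
    mon = WriteMonitor(trusted)
    return [pid for pid, name, path, data in events if mon.on_write(pid, name, path, data)]


# Constructed sample writes.  PLAINTEXT has a skewed byte histogram (low entropy);
# CIPHERTEXT_LIKE has every byte value equally often (entropy exactly 8.0).
PLAINTEXT = b"Quarterly report: revenue up 3%, costs flat. " * 50
CIPHERTEXT_LIKE = bytes(range(256)) * 8

SAMPLE_EVENTS = [
    (101, "TextEdit", "/Users/me/notes.txt", PLAINTEXT),
    (202, "evil", "/Users/me/a.docx.locked", CIPHERTEXT_LIKE),
    (101, "TextEdit", "/Users/me/todo.txt", PLAINTEXT),
    (202, "evil", "/Users/me/b.xlsx.locked", CIPHERTEXT_LIKE),
    (303, "zip", "/Users/me/archive.zip", CIPHERTEXT_LIKE),   # legitimate, also high entropy
    (202, "evil", "/Users/me/c.pdf.locked", CIPHERTEXT_LIKE),  # third hit: suspend pid 202
    (202, "evil", "/Users/me/d.jpg.locked", CIPHERTEXT_LIKE),  # already suspended
]

if __name__ == "__main__":
    print("plaintext entropy  %.2f" % shannon_entropy(PLAINTEXT))
    print("ciphertext entropy %.2f" % shannon_entropy(CIPHERTEXT_LIKE))
    print("suspended pids:", replay(SAMPLE_EVENTS, trusted=frozenset({"zip"})))
```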

4/22/2016  Sadism in Malware

Obtaining pleasure from inflicting pain makes one a sadist. A new ransomware variant goes a step further past inflicting anguish by displaying disturbing horror film images. The only glimmer of good news is that the malware programmers were not as smart as they were cruel. The Jigsaw ransomware (a riff on the “Saw” series of horror films) had a flaw which has been analyzed and a no-charge decryption tool is available. More at Data Breach Today

4/22/2016  Is your website valuable?

Really, do you care if it evaporated tomorrow? If not, quit reading now.

If you care then be aware that your web hosting company isn’t perfect. 123-Reg, a European provider ran a maintenance function which “erased” 67 servers. That there are 115,000 123-Reg servers means the number affected was a fraction of one percent which means nothing to the hundreds or thousands of customers per erased server. Is the host responsible for backup? Probably not, but in the end they are not going to be as motivated as you are to preserve your work and your memories. So what should you do? Well, to start, backup, Backup, BACKUP and oh, yes BACKUP! More at Ars Technica / UK

4/22/2016  Hacking as a social statement

Some people hack for “the lulz”, a cyber-thrill from going where you are not supposed to be and doing what you are not supposed to do. Sometimes the damage is small: a smiley face where there wasn’t one before. Sometimes malware is planted to damage databases, just because or for extortion. Sometimes hacking is a social statement.

Meet Phineas Fisher (a nom-de-hacker) who was upset by the Galileo Remote Control System (GRCS) sold by The Hacking Team (THT) of Italy. GRCS is a super surveillance system sold to governments including the nations of Egypt, Morocco, Brazil, Malaysia, Thailand, Kazakhstan, Vietnam, Mexico, and Panama. Customers also included the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA).

So Phineas hacked THT then posted a document describing how it was done and why it was done. Perhaps related, perhaps not, THT had their license to sell GRCS outside of Europe revoked by Italian authorities. While THT is still in business Phineas has brought a little light to that shrouded secrecy and exposed the GRCS source code. Without a profit motive and with considerable effort this was a social statement against surveillance states by a hacker. More at Naked Security / Sophos

4/23/2016  Army Comm Vulnerable

Government reviews have repeatedly criticized the cyber-security features of Warfighter Information Network-Tactical Increment 2 (WIN-T) over the past several years. The $12 billion communications system was, and remains, vulnerable to hackers, and is already deployed! More at Fortune

4/24/2016  SuperKeys? Not any more!

Recall that TSA Master Keys were exposed and replicated back in September 2015. At the Bsides Australia Conference that just concluded the family of “Do not duplicate”, or “restricted”, keys were duplicated. Traditional key cutting tools won’t do the job, but 3D printing did. Even the key blanks are well protected, but their design was patented, and patents are public. Actually, the key blanks were available as scalable vector images with precise measurements sufficient to create an accurate 3D file. More …

[ Does discussion of security specifics weaken or strengthen security? That was discussed in 1853 and the answer seems still appropriate today. -ed ]

4/24/2016  Google list of dangerous websites includes … Google?

According to Google’s list Google.com distributes malware, lots.

4/25/2016  A shop with 20 million charge cards for sale

FireEye has identified a new card shop in this report. “A previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards”. More at Data Breach Today.

[ 20 million cards, so where are the reports of the theft? Or, has charge card compromise become so accepted it isn’t reported? -ed ]

4/25/2016  Wallet Fake

Why bother actually mounting a distributed denial of service attack when you can just mention a few words and have people pay you hundreds of thousands of dollars? See CloudFlare

[ If someone is chasing your ship and says they are the Dread Pirate Roberts are you going to fight or just hand over the treasure and run? -ed ]

4/26/2016  Insurance and cyber-protection

Do commercial general liability (CGL) policies protect a company if they are the victims of cyber crime? What if the company accidentally did it to themselves? Some insurance companies have said no, effectively limiting the coverage. Yet, the fine print of the policies may not specifically disclaim the coverage. A company posted private patient information online in such a way that it was exposed to the public. The insurance company declined to defend against the resulting lawsuit. The United States Court of Appeals for the Fourth Circuit (sitting in Richmond, Virginia) held in early April 2016 that an insurer had a duty to defend its policyholder in a case involving the inadvertent posting of patients’ private information online. See Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (No. 14-1944 4th Cir. Apr. 11, 2016). More …

4/26/2016  Users: Hacked! Company: Who? Us?

Spotify, a Swedish music streamer, has been hacked before. This past February hundreds of accounts appeared online in PasteBin. Is this new data or the old data? The company says old data. Users disagree. Some report their email address and account details had been changed. Some report they were kicked off the music streaming service mid-song. Some report changed playlists. Some were unable to log in (presumably because the password had been changed). The company maintains there was no new hack. More at Naked Security / Sophos

4/27/2016  Hackers target 40+ US

The United Cyber Caliphate (UCC) is a group of hackers who issued a list of over 40 persons at the Pentagon, Department of Homeland Security, State Department, and other federal agencies. What kind of list? The UCC is a pro-ISIS hacker group and they exposed the phone number, city, zip code and more. It was distributed by Telegram, a messaging app with end-to-end encryption. More at The Hacker News

4/27/2016  Private Blackberry Net Seized

Blackberry systems are administered by Blackberry itself or by corporations for their own use, essentially a private system. One of these private systems is Ennetcom in the Netherlands. Police seized the network and arrested the owner because modified Blackberry phones taken in raids on drug cases, gangs and murders were tied to Ennetcom. The owner is citing a crackdown on free speech. More at Naked Security / Sophos

4/28/2016  Internet TLD insecure for at least 16 years

American Samoa’s top level domain, .AS, was controlled by the AS Registry web site, which allowed anyone to modify the records of any domain name. That includes changing the name servers so that users could be redirected to a malware distribution site before being sent to their intended destination. The exposure has been fixed, they think. After all, they had this problem since the last century. More at Naked Security / Sophos

4/28/2016  Dentists Bit By Malware

The American Dental Association (ADA) mailed to about 37,000 of its 150,000+ members a credit card sized device with a slide-out USB drive to distribute dental billing codes. The device was manufactured in China by a subcontractor to an ADA vendor. As welcome as a surprise dental procedure “some” of those devices contained malware. More at Krebs on Security

4/28/2016  Malware goes nuclear, literally

A nuclear power plant has been found to be infected with computer viruses in computers with “equipment for moving nuclear fuel rods”. It is unclear if “moving” refers to maintenance relocation or movement during routine operations. The malware was also found on removable media. The Gundremmingen power plant is about 75 miles northwest of Munich, Germany. More at Reuters.

4/28/2016  Win10 update request interrupt your work?

Not like this! See Beta News

4/28/2016  Microsoft Patching Delivers Malware

Introduced with Windows Server 2003, “Hotpatching” is a way to apply a patch without having to restart the operating system, maintaining server uptime. Hackers have found a way to use the Windows Hotpatching technique to hide their malware from antivirus products. More at The Hacker News

4/28/2016  Qatar National Bank hacked exposing ….

Hackers have claimed to have accessed QNB servers and leaked 1.4GB of personal data including hundreds of thousands of financial records, charge card numbers, and PIN codes of customers including the Al-Thani Qatar Royal Family and Al Jazeera journalists. More at Hack Read and Data Breach Today

5/01/2016 Update  Qatar National Bank admits exposure

QNB has acknowledged the unauthorized access to its servers, apparently by Turkish hackers. The hackers have released a video on how they exposed personal information of alleged agents of MI5. More at Hack Read

5/11/2016 Update  Just days later – 5 more banks

The Turkish hacking group Bozkurtlar that leaked Qatar National Bank data posted information belonging to five more banks in South Asia. More at Data Breach Today

5/03/2016  Company crashing, but how did it get so high?

Theranos was supposed to be a major medical revolution using new techniques to replace sometimes painful, sometimes expensive and sometimes inaccurate medical testing with painless, inexpensive and highly accurate testing. Turns out it was part sham, part hustle, much wishful thinking. Who was responsible? The tech media (as opposed to journalists) were swooning over another potential icon and never asked the hard questions which might have revealed the “Emperor has no clothes”. So whose investigation revealed the truth? John Carreyrou, twice winner of the Pulitzer prize, with The Wall Street Journal, an old publication that still uses old fashioned investigation and practices the journalism of Edward R. Murrow. An in-depth article from Vanity Fair

5/25/2016 Update  Class action against Theranos

Last week the company voided results of tests done over the past two years. Patients depend on accurate laboratory examinations for proper treatment. A suit that seeks class action status filed (21 page PDF) today in the United States District Court for Northern California alleged that “Edison” (Theranos’ blood-testing device) “did not work”, tests were not accurate, and patients were subject to “unnecessary or potentially harmful treatments” or treatable conditions may have been undetected. Violations of seven specific laws were cited including “unfair business practices”. The company response? “The lawsuit filed today against Theranos is without merit” and “The company will vigorously defend itself against these claims.” More at TheVerge.

[ Did that company response come from a text book? “Without merit”? After voiding two years of test results? Really? -ed ]

5/26/2016 Update  Another class action against Theranos

Another suit was filed (35 page PDF) in the same court as a class action complaint and demand for jury trial. The company response? “The lawsuit filed today against Theranos is without merit” and “The company will vigorously defend itself against these claims.” More at TheVerge

[ The exact same company response. Really? -ed ]

6/01/2016 Update  Founder value from $4.5B to zero

In 2015 Forbes Magazine had Theranos founder Elizabeth Holmes at the top of America’s Richest Self-Made Women with a net worth of $4.5 billion. Today, Forbes lowered that net worth estimate to zero. Theranos had no comment.

Theranos is not publicly traded. The original valuation was based on 50% ownership of the company with an implied $9 billion valuation based on private investment. The revised estimate is $800 million which includes $724 million in raised capital, intellectual property and a multiple of actual earnings. Holmes’ valuation is zero due to investors “participating preferred shares” that enjoy a higher claim to payment in liquidation. More at Forbes.

6/01/2016 Update  The Loophole & Congress’ reluctance to close it

How did Theranos get to test patients and diagnose serious medical conditions without having to demonstrate test validity to the FDA? Seems there is a loophole and Theranos isn’t the only one to exploit it. In a report (39 page PDF) from November 2015, the FDA reported 20 case studies, but that wasn’t enough to convince Congress to close the loophole.

[ We saw Bloomberg’s 14-20 December 2015 cover of Elizabeth Holmes and were struck by that deer-in-the-headlights vibe. “Theranos” has a Greek root “theran” which means a great hunter, same as the variant “theron”. This led to a site with an interesting opinion on the powerhouse board of directors (notably short of medical talent) and an interesting, but not well supported, theory. -ed ]

7/09/2016 Update #4  Theranos

Theranos and its founder continue to lose their luster, and their licenses.

On July 7, 2016 the Centers for Medicare & Medicaid Services sent a 33-page letter (html) which revokes two CLIA certificates, imposes a civil money penalty, and suspends the ability to receive Medicare and Medicaid payments for hematology, or any laboratory, services. Although appeals seldom succeed, Theranos can still operate the lab in Arizona until after the appeals process is completed. More at the NY Times.

7/11/2016 Update  Theranos Chief and the unspoken

Don’t like a piece of factual information? Leave it unsaid. Example: In June 2016 Elizabeth Holmes, Theranos Inc. CEO, displayed a slide to employees saying the company had developed 304 tests using small volumes of blood. Left unsaid was that “developed” ranged from initial research to production. How much of each? “Most” were still in the research phase. Commercially available equipment was used for 200 tests. The Theranos Edison system did just 12. The number of class action suits is up to eight. More at WSJ.

[ At what point does positive spin become lying by omission? In 2005, Dr. Ian Gibbons, a British biochemist, was hired. He, and other scientists at Theranos, produced 23 patents. His wife Rochelle reportedly said “[ he ] told me nothing was working.” Dr. Gibbons committed suicide in May 2013. -ed ]

5/03/2016  FBI Alert

Federal Bureau of Investigation, Cyber Division
Message #A-000071-MW TLP GREEN

The FBI is providing the following information with HIGH confidence: The FBI has obtained information regarding multiple malicious cyber actor groups that have compromised sensitive business information from US commercial and government networks through cyber espionage. In some instances, the actors have been present on victim networks for over a year before being detected. Indicators of compromise (IOCs) contained in the attached appendices are employed by groups of individuals conducting malicious cyber activities using infrastructure emanating from China. Any activity related to these indicators should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement. See announcement (9 page PDF)

5/04/2016  Internet of Vulnerable Things

Samsung offers the SmartThings platform for managing the modern home. It can control locks, lights, thermostats and a growing number of “things” as developers add SmartThings support to their devices. Problem is that the control systems can be hijacked so you don’t have control, crooks do. They can turn off the alarm and more. This is not the first time this platform has had major hiccups.

5/04/2016  10-year old hacker

How secure is something hacked by a 10 year old? Not very, but Instagram paid out $10,000 in bug-bounty. See Ars Technica / UK and Naked Security / Sophos

5/05/2016  Recursive Pwn-ing

There are several excellent services that accumulate compromised (pwnd) credentials in one place so consumers can check if their credentials have been compromised. Unfortunately one of those services was itself compromised and exposed (again) over 860 million credentials. The end result is that rather than fix it the company is shuttering this no-charge service. How it got compromised traces back to some less-than-secure security practices described at Krebs On Security

[ The Have I Been Pwned web site has about 320 million accounts and if you haven’t checked at least once we recommend you do. HatTip to Troy Hunt for keeping that site running. -ed ]

5/05/2016  You can’t hide

There are people in some professions who conceal their real identities all the time as they exhibit another identity. Security services, intelligence agents and sex-workers are a few of these. A tool has been created to use facial recognition software to compare source images and match them against millions of publicly available images on social media, stripping away the covert identities. More at Naked Security / Sophos

5/06/2016  Death by GPS

Death Valley National Park in California is not a place to navigate via GPS. Why? Because while GPS will select the most direct route that route may go through areas that experienced people will avoid. Some “roads” start as two lane blacktop, then turn into 4WD only, then turn into goat paths. By then you are in the middle of a bad place. Too many people die because of a belief that technology knows best. More at Ars Technica.

5/13/2016 Update  Dunking by GPS

Police stated that alcohol was not a factor in a car being driven into Georgian Bay on Lake Huron. Following a route on the car’s GPS, in the dark, with rain and fog making visibility difficult, in Little Tub Harbour, the directions and the driver didn’t quite mesh and the car went down a loading ramp and into the water. The driver escaped the car, losing only a little dignity, and swam to shore. The boat launch was closed for a day as the car was removed. More at Toronto Sun.

5/06/2016  Dridex Lives!

On the internet things live forever. Sadly that includes malware. Dridex banking trojan made a major impact in January 2015 then the botnet was taken down by October 2015 and infections of Dridex fell dramatically until this resurgence. Worse, Dridex is now targeting banks in the United States. More at Data Breach Today.

5/08/2016  The One Ring Scam

Your cell phone rings once and stops. Do you call them back? Maybe, maybe not. Scammers have found ways to make the phone ring once. When you call back a 1-xxx-yyy-zzzz number, that xxx area code isn’t in the United States but is a foreign area code, perhaps in the Caribbean, where you are charged a premium connection fee and a very high per-minute rate even while you are on hold. You may also find charges for items you didn’t expect. Some of those area codes include 268 (Antigua and Barbuda), 284 (British Virgin Islands), 473 (Grenada, Carriacou and Petite Martinique), 649 (Turks and Caicos Islands), 664 (Montserrat), 767 (Commonwealth of Dominica), 876 (Jamaica). 809, 829 and 849 are all for the Dominican Republic. See more at AARP

5/06/2016  FBI Changes Ransomware Guidance

Christopher Stangl, section chief of the FBI’s Cyber Division: “The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes”. Sounds crystal clear. So, what are you to do? See Data Breach Today

5/08/2016  HTTPS not so “S”

The widely used OpenSSL open-source cryptographic library protects sensitive traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. OpenSSL has released patches for six vulnerabilities, including some that could allow attackers to execute malicious code on a web server or to decrypt HTTPS traffic. More at The Hacker News

5/08/2016  Why hotels are a cyber-target

Panda Security discusses why the lodging industry is a frequent target for crooks in this article, an infographic, and a 9 page PDF.

5/10/2016  Expose vulnerable election data

and get arrested.

Security researcher David Michael Levin, 31, discovered weaknesses and vulnerabilities in the “Elections Office” web site for Lee County, Florida in late December 2015. Essentially a simple SQL injection exposed non-public data from a database that lacked encryption. He made his discoveries public by posting a 4:34 YouTube video in January 2016 and wrote a report that he sent to Florida authorities. Agents interviewed him at his home, where he showed them what was done and how he did it. Only on May 3, 2016, months after he had disclosed all the evidence needed to secure a warrant, was he arrested. More at Hacker News
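
The class of bug described above, a textbook SQL injection, as an added example (not code from the page or from the Lee County system): a query built by string formatting beside the parameterized version of the same lookup, run against a constructed SQLite table. The table, column names, rows and the payload are all assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for an elections database (illustration only).
SCHEMA = """
CREATE TABLE voters (
    voter_id  INTEGER PRIMARY KEY,
    last_name TEXT NOT NULL,
    ssn_last4 TEXT NOT NULL,   -- non-public
    precinct  TEXT NOT NULL    -- public
);
INSERT INTO voters VALUES (1, 'Smith', '1234', 'P-07');
INSERT INTO voters VALUES (2, 'Jones', '9876', 'P-12');
INSERT INTO voters VALUES (3, 'Brown', '5555', 'P-03');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def precinct_lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Builds the statement by string formatting. The user-supplied value
    becomes part of the SQL text, so a quote character in it rewrites the
    query instead of being compared as data."""
    sql = f"SELECT last_name, precinct FROM voters WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def precinct_lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Same lookup with a bound parameter. The driver hands the value to the
    engine separately from the statement, so it can never change the grammar."""
    sql = "SELECT last_name, precinct FROM voters WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# A textbook payload: close the string literal, UNION in a column that was
# never meant to leave the server, and comment out the dangling quote.
PAYLOAD = "x' UNION SELECT last_name, ssn_last4 FROM voters -- "


def demo() -> dict:
    """Runs an honest query and the payload through both versions."""
    conn = open_db()
    return {
        "honest": precinct_lookup_vulnerable(conn, "Smith"),
        "attack_vulnerable": precinct_lookup_vulnerable(conn, PAYLOAD),
        "attack_safe": precinct_lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} {rows}")
```

The vulnerable lookup returns every voter's non-public column when given the payload; the parameterized lookup treats the payload as a (nonexistent) surname and returns nothing. The fix is the bound parameter, not escaping or a blacklist of quote characters.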

[ Perhaps the security researcher should have stopped when the vulnerabilities were displayed, yet, did anyone inform him he was a suspect? His own testimony at the interview was used against him.

Here is another story on police deciding when, and if, that Constitution thing really matters. In October 2015 New Jersey State Troopers arrested a woman on a charge of obstruction of justice because she chose to remain silent rather than answer “… do you know why you’re being pulled over tonight?” The event was caught on dash cam. See RawStory, which has a link to the 3:31 video, also available at YouTube. The woman is a lawyer who knows the meaning of the Fifth Amendment, the Miranda warning, and what “obstruction” really means. She has sued because a Trooper unilaterally decided to repeal part of the Bill of Rights, at least for her. -ed ]

5/10/2016  Win10 update, at the wroooong time!

Playing to an audience of thousands on a live-streaming site, professional gamer Erik Flom had a technical event interrupt his play. The screen went black, then blue, then his computer started automatically installing a Windows 10 update. His … language … was broadcast around the world. More at Naked Security / Sophos

[ Apparently the primary purpose of a computer is not what you want to do right now, but to be always ready for an update whenever Microsoft decides. Can you see the medical consequences with the increase in robotic surgery? How about the space program? “Ready to dock … four seconds … closing rate slowing … three seconds … angle adjustment coming … WHAT UPGRADE?” (WHAMBO! A hole in the space station.) Yep. Can you spell Linux? -ed ]

5/10/2016  Android ‘botnet

Android users beware!

Google Play has Viking Jump, Memory Booster, Parrot Copter, Simple 2048, and Wifi Plus. What do they all have in common? They were all infected with the Viking Horde malware before you installed them. Why is this malware different from others? Others just steal your financial and personal details, but Viking Horde turns your device into their device. Yep, your phone has just become a minion to do their bidding: send spam, generate web-site-stopping traffic to deny service, and click on advertisements to generate click revenue. The malware can compromise both rooted and unrooted Android devices. More at Hack Read

5/14/2016  Twitter bans intelligence services

Twitter offers all tweets to anyone who wants them, but pretty much as a Niagara Falls of data, not in any cogent form. It also offers an early alert service via Dataminr, a real-time information discovery service that analyzes the mega-feed of tweets, geolocation data, traffic rates, news wires and more to discover breaking news including natural disasters, political unrest and terror attacks. Dataminr (partly owned by Twitter) is the only company Twitter authorizes to get at its entire public stream and sell it to clients, which include organizations in finance, corporate security, crisis management and the news. While one of those clients is the Department of Homeland Security (DHS), the intelligence agencies that had been receiving the service were cut off. More at Wall Street Journal

5/14/2016  Congress bit by Ransomware

The Information Security Office of the US House of Representatives blocked all apps hosted on Google’s appspot.com from being used on its network last week. More at Fast Company. More recently, access to Yahoo Mail was blocked because of multiple ransomware attacks. More at NBC News.

5/14/2016  Win10, eight reasons why not!

Peripheral support, privacy (Win10 phones home a lot; why?), minimum system requirements, departure of some useful applications, the way File Explorer works (or does not work) with OneDrive, and forced upgrades whenever Windows wants regardless of what you want (see story above). More at Hack Read

5/14/2016  Android phones: pre-hacked

Chinese semiconductor company Allwinner is a major supplier of the ARM-based application processors found in many low-cost Android devices, single-board computers, and other devices around the world. The Linux kernel Allwinner ships for these chips contains a backdoor that lets any local process gain root. The simplicity of the backdoor and its lack of concealment suggest it was a debugging tool used during development, but it made it into production, lots of production. See The Hacker News for more.

5/16/2016  Apple deleted Hack Alert App

Stefan Esser, a German cybersecurity researcher, developed an app to tell users whether their iPhone has been secretly hacked, jailbroken or spied upon. It went through three review cycles over other problems before Apple decided it didn’t want the application available. More at Hack Read

[ We confess, we just don’t get it. Does deleting the security app mean that the phone can’t be hacked? No. So why would Apple stop consumers from learning the bad news? -ed ]

5/16/2016  The Dark Cloud

The “Dark Cloud” is a network of hacked computers tasked with hosting a web site without the computer owner’s knowledge, usually for a criminal purpose. The site’s Domain Name System (DNS) records are updated frequently, so users who seek CrookWeb.Com are sent to whichever compromised host is current. Law enforcement officers who try to trace the web site through DNS will be chasing CrookWeb around the world, racking up frequent-flier miles but few arrests. How many ‘bots in the Dark Cloud? Thousands! In addition to hosting web sites, these compromised computers are used to send spam, act as command and control systems for malware, and engage in click fraud. More at Krebs on Security
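
Fast-flux hosting of the kind described above leaves a signature in DNS: many distinct answer addresses, spread across unrelated networks, with very short TTLs. As an added example (not from the Krebs article) here is a small detector that a DNS-log pipeline might run. The log format, domain names, addresses and thresholds are constructed for illustration, and the /16 prefix stands in for the ASN lookup a real deployment would use.

```python
from collections import defaultdict
import ipaddress

# Constructed passive-DNS style log: "<unix time> <qname> <ttl> <answer ip>".
# crookweb.example rotates through addresses in three unrelated networks;
# static.example never moves; cdn.example rotates inside one network.
SAMPLE_LOG = """\
1463400000 crookweb.example 60 203.0.113.10
1463400120 crookweb.example 60 198.51.100.77
1463400240 crookweb.example 60 192.0.2.200
1463400360 crookweb.example 60 203.0.113.45
1463400480 crookweb.example 60 198.51.100.9
1463400600 crookweb.example 60 192.0.2.33
1463400000 static.example 3600 192.0.2.50
1463401800 static.example 3600 192.0.2.50
1463403600 static.example 3600 192.0.2.50
1463400000 cdn.example 300 198.51.100.1
1463400300 cdn.example 300 198.51.100.2
1463400600 cdn.example 300 198.51.100.3
"""


def parse_log(text: str) -> list:
    """Parses log lines into (ts, qname, ttl, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, qname, ttl, ip = parts
        try:
            ipaddress.ip_address(ip)          # validate, keep the string form
            records.append((int(ts), qname.lower().rstrip("."), int(ttl), ip))
        except ValueError:
            continue
    return records


def network_key(ip: str) -> str:
    """Crude IPv4 /16 bucket; a real deployment would map the IP to its ASN instead."""
    return ".".join(ip.split(".")[:2])


def flux_features(records: list) -> dict:
    """Per-domain: answer count, distinct IPs, distinct networks, lowest TTL seen."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec[1]].append(rec)
    feats = {}
    for qname, recs in by_domain.items():
        ips = {r[3] for r in recs}
        feats[qname] = {
            "answers": len(recs),
            "distinct_ips": len(ips),
            "distinct_nets": len({network_key(ip) for ip in ips}),
            "min_ttl": min(r[2] for r in recs),
        }
    return feats


def is_fast_flux(f: dict, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 300) -> bool:
    """All three must hold: many addresses, spread over unrelated networks, short TTL.
    The network-diversity test is what keeps a CDN rotating inside its own
    address space from being flagged. Thresholds are assumptions to tune."""
    return (f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets
            and f["min_ttl"] <= max_ttl)


def suspects(text: str) -> list:
    """Sorted list of domains in the log that meet all fast-flux criteria."""
    feats = flux_features(flux_records := parse_log(text))
    return sorted(q for q, f in feats.items() if is_fast_flux(f))


if __name__ == "__main__":
    for q, f in flux_features(parse_log(SAMPLE_LOG)).items():
        print(q, f, "FAST-FLUX" if is_fast_flux(f) else "")
```

On the constructed log only crookweb.example is flagged: cdn.example moves just as often but stays inside one network, and static.example never moves. In production, feed the detector a sliding window of answers per name rather than the whole history, and treat a hit as a lead for correlation with the site content, not as proof on its own.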

5/16/2016  Samsung Pay Token Flaw

The Black Hat security conference, to be held in Las Vegas 7/30 to 8/4/2016, has scheduled a presentation “Samsung Pay: Tokenized Numbers, Flaws and Issues”

… makes it impossible for Samsung Pay to have a full control process of the tokens pile. Even when the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating a specific card. How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically share similarities in the generation process, and how this affects the end users’ security. What are the odds to guess the next tokenized number knowing the previous one? [ from the briefing ]

5/17/2016  Apple updates security and bricks iPads

Apparently the iOS 9.3.2 security update has stalled some iPad Pro devices mid-update, leaving users with only two choices: bad and worse. More at Naked Security / Sophos

5/17/2016  ‘Botnet of 1 million computers

Bitdefender, the Romania-based security company, reported a massive click-fraud botnet, which it named the “Million-Machine Campaign”. It is aimed at click fraud against AdSense. Machines are infected by malware that adds two registry entries, “Adobe Flash Update” and “Adobe Flash Scheduler”, to keep the malware running after each power cycle. Worse, the malware installs a root certificate so the browser won’t show HTTPS errors while it tampers with traffic. In more ways than one, this malware modifies your machine to make money for miscreants. More at Bitdefender and The Hacker News

5/17/2016  Bank App Flawed, Very!

During the fall of 2015 a white-hat security researcher found that a few lines of code could steal money from any customer of one of India’s biggest banks. All he needed was the victim’s account number and the bank’s flawed mobile app.

Worse: another researcher, who consults for other top Indian banks, said he wasn’t surprised. “All I can say is that things are much worse than this chap has discovered,” he told Motherboard in an email. “I shudder to even think. […] The flaws are so systemic and deep that only prayer will help these guys. I’m surprised they’re not attacked massively yet.” It took the bank 12 days even to reply to an email reporting $25B in exposed funds. More at Motherboard / Vice

5/17/2016  Security Software Opens Doors

Classify this as an oops of gigantic proportions. The Symantec antivirus engine, which is used in both Symantec and Norton branded security suites, can itself compromise computers running Windows, Mac and Linux. To exploit the machine someone simply sends an email: the security software scans the email before the user sees it, a malformed file in the message triggers the flaw in the scanner, and the computer is compromised auto-magically. More at Engadget.

5/17/2016  Voting On Line

More than 30 states offer online voting, but is it secure? Not yet.

… a University of Michigan professor and director of its Center for Computer Security and Society, cites a pilot project (18 page PDF) six years ago in the District of Columbia where the public was invited to attack a proposed Internet voting system. Halderman led a team that within 48 hours was able to gain nearly complete control of the server and change every vote. “We don’t have the technology to vote online safely,” said Halderman, who made a video that shows how his hackers were able to even get inside the security cameras and watch the people running the D.C. system. “It will be decades more before Internet voting can be secure.” [ (source) Highlighting ours – ed]

Alaska requires online voters to agree via a disclaimer “When returning the ballot through the secure online delivery system, you are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”

Utah’s iVote study found (14 page PDF) the security risks were not worth the benefit. A month after the Utah March primaries it became clear that nearly a third of the people who tried to vote online were unable to do so. The chairman of the Republican Party in Utah called it a success.

Other technical problems are legion. More at the Washington Post

[ a third of people could not vote and the Republican Party in Utah called it a success?? On what planet? Alaska: “Waving” is what the flag does in a good breeze or what you do with your hands. “Waiving” is giving up a right. Spell checkers don’t catch wrong-word use. -ed ]

5/22/2016  One Ransomware goes out of business

TeslaCrypt ransomware has closed up shop and released its master key. ESET has provided a decryptor at no charge. [ use the link or go to the ESET knowledge base article for TeslaCrypt at http://support.eset.com/kb6051/ ] More at We Live Security

5/22/2016  Hackers reach outer space

Ten times between August 2014 and August 2015 hackers attacked the Joint Polar Satellite System (JPSS) with medium- to high-severity incidents, according to the Government Accountability Office (GAO) report (70 page PDF). JPSS cost over $11 billion and is administered by the National Oceanic and Atmospheric Administration (NOAA). Federal guidelines require identified issues to be fixed within 30 days, but that is going to be a problem as the program has more than 1,400 critical- and high-risk vulnerabilities that are already more than four months old. More at Washington Examiner

5/22/2016  New Notification Rules

The European Union has given regulators the ability to fine a company up to 4% of its worldwide annual revenue; among the new obligations is disclosure of a breach of personally identifiable information (PII) to the regulator within 72 hours. Much more at Data Breach Today.

6/28/2016 Update  US & EU reach Privacy agreement

The EU adopted significantly more powerful rules regarding disclosure of breaches of personally identifiable information (PII), which raised questions about US-controlled data transferred to facilities in the EU and about information on Europeans held in the United States. Examples of such information include payroll, human resources, and marketing data. The exposure of government and commercial surveillance practices three years ago revealed a schism between US and EU practices and generated distrust, mostly EU distrust of the US. The previous standard, in place since about 2000, was “Safe Harbour”, which allowed businesses on both sides to avoid the more rigorous EU rules by a simple statement of compliance with EU standards when storing information in the US. More at Reuters.

6/28/2016 Update  BrExit complicates privacy rules

With the potential of Great Britain leaving the European Union in two years or less, the question of compliance with EU privacy regulations has been answered clearly, at least from the EU side. If the UK wishes to remain in the common market, but not as a member of the EU, it has to adhere to the rules and regulations of the EU, and that includes compliance with the EU General Data Protection Regulation. Demonstrating “compliance” will be a monumental task considering the mass surveillance in effect in London alone. More at Data Breach Today.

[ Are the people sufficiently tired of being watched, monitored, deprived of privacy in the name of a surveillance state as to demand the end of Big Brother so effectively that Resistance is Futile? Or, is the effort doomed as the surveillance activities are being embedded and hidden so well it will continue and Resistance is Futile? Either way, the Borg appear to have arrived on Earth. -ed ]

5/23/2016  Yahoo Mail Day #3

It isn’t your imagination. Yahoo mail has been having problems for three days.
Status Map. Comcast is having major problems along the east coast. Status Map.

5/23/2016  Student vs Government

A student found flaws in the implementation of Terrestrial Trunked Radio (TETRA), a secure radio communications protocol widely used worldwide by law enforcement and emergency services. The student dutifully notified the government and … nothing happened. During 2014 he accessed TETRA three times. In March 2015 the student went public, was arrested and was convicted of … hacking TETRA. More at Naked Security / Sophos

5/23/2016  Spoofing Instagram Account Verification

A researcher, using only their own test accounts, proved that the Instagram Account Authentication email could be spoofed allowing someone else to control the account even to the point of locking out the intended user. The researcher notified Instagram who quickly fixed the problem and awarded a bug bounty to the researcher. More at Naked Security / Sophos

5/23/2016  Counter Drone Device

Deploying eagles to catch drones works, so does deploying other drones to drop nets, so does wide frequency jamming. The problem is that these might turn the drone into falling debris and harm someone or something on landing. Now comes a targeted sort of jammer that commands the drone to land. Military / Government version works now. Civilian version coming. More at Ars Technica

5/23/2016  Low Battery→Uber Price Hike?

The Uber app knows your battery level so it knows when to use power-saving mode. So, does that knowledge translate into sudden “surge pricing”, where your base fare can be multiplied many times? Perhaps a 3.2 so it looks like a computed number instead of just 3.0? Uber says it does not use battery level in pricing, although it admits that riders with a low battery are more willing to accept a surge. Unfortunately Uber has done some other bad things in the past. More at Naked Security / Sophos.

5/27/2016  AES-256 drives unbreakable protection?

Surprise, depending on the chipset used on your AES-256 encrypted hard drive it can be spoofed. See Black Hat briefing.

5/27/2016  Pastejacking

Perhaps the most common tool in today’s, and yesterday’s, computers is the clipboard. You see something, you copy it and paste it. There are many super clipboards out there and, unfortunately, crooks have figured out how to let you see one thing and copy another. Paste it and that other thing might be malware, or worse. There is a link to a demonstration where you copy [ echo “not evil” ] and paste [ “evil”\n ]; the trailing newline means a terminal runs the command the moment you paste, before you can read it. This can be done with JavaScript (a copy-event handler that rewrites what goes onto the clipboard) or with CSS alone (hidden text that gets selected along with the visible text). The straightforward workaround is to paste into a non-executing environment such as Notepad first. For more see Naked Security / Sophos

5/27/2016  When is a USB charger a Transformer?

When it is more than meets the eye. How about a functional charger that also snoops on wireless keyboard transmissions according to this FBI announcement (3 page PDF) and more at The Hacker News

5/27/2016  Cookies? Who needs cookies to track you?

or at least track your computer via an audio fingerprint. Not the sound the computer makes, but the way it processes sound through the AudioContext API: a script generates a low-frequency signal, runs it through the browser’s audio processing, and measures the result, which varies subtly with hardware and software, to create a fingerprint. Who is tracking you? Researchers at Princeton University found third-party trackers from Google-owned domains on nearly 80 percent of the top one million sites. Which domains?

Google: Ajax.GoogleAPIS.com  Fonts.GoogleAPIS.com  Google-Analytics.com  Google.Com  GoogleAdServices.com  
GoogleSyndication.com  GoogleTagManager.com  GoogleUserContent.com  Gstatic.com  

Facebook.com   Facebook.net   

DoubleClick.Net  Twitter.Com  Yahoo.com  

and more.

There is a test at The Hacker News to see your fingerprint.

[ Privacy? Disclosure? Are those just words? -ed ]

5/29/2016  Power Grabs That Missed the “news” #1

Grabbed: Your email without a warrant.
Grabber: Federal Law Enforcement.
Reporter: One US Senator.

The 2017 Intelligence Authorization Act would allow federal law enforcement to demand email records without a warrant, not even one from the almost-rubber-stamp FISA court. Who opposed the measure? Senator Wyden.

5/29/2016  Power Grabs That Missed the “news” #2

Grabbed: Net Neutrality & other protections administered by the FCC.
Grabber: Apparently the majority in the House of Representatives
Reporter: The Register/UK

5/29/2016  Power Grabs That Missed the “news” #3

Grabbed: Your Cell Phone
Grabber: Crooks
Reporter: The Telegraph/UK

Public charging points are being rigged to distribute malware. There are settings that can help resist infection.

5/29/2016  Power Grabs That Missed the “news” #4

Grabbed: The first wireless device
Grabber: A music hall magician
Reporter: The Telegraph/UK

In 1903 the Marconi wireless telegraph was being demonstrated at the Royal Institution when it began receiving Morse code for a poem not being sent by the demonstrator. Hacked!

5/29/2016  FemBots? No, just PornBots!

It is bad enough that crooks hack your accounts, but now they are using them to friend or like other people and push porn advertising. More at Hack Read.

5/30/2016  Fake News = Malware Bait

Would you click a link to the story containing the information you’re just dying to know? Me too, but something you should know: some of the most “attractive” news is fake. Worse, some of it is malware bait. Recently a story surfaced that the Anonymous hacker collective had breached the IRS and posted the tax returns of a candidate who won’t release them. It is a fake. Anonymous has disclaimed it, the IRS denies it, and the candidate says those tax returns won’t be released. The original source was a satire web site, but those who retransmitted the story either didn’t understand that or chose to ignore it. More at Hack Read.

[ Keep this in your head: Anonymous is generally a-political. Also, one of the best security tools is between your ears. The associated graphic is based on the one at Hack Read. -ed ]

5/30/2016  US Smartphone penetration

For the three months ending in February 2016 almost 199 million people in the United States owned smartphones for a 79.3% mobile market penetration. The number is up, but the percentage is flat. More at Comscore.

5/31/2016  Illegal Arbitration Clauses can’t be Imposed

On 5/26/2016 The United States Court of Appeals for the Seventh Circuit in Chicago Illinois ruled that companies cannot force employees to sign away their rights to a collective legal action, often called “class actions”, by imposing mandatory arbitration or similar “private” justice as a condition of employment. The court cited the 1935 National Labor Relations Act (NLRA) as protecting that collective right.

The Seventh Circuit ruling conflicts with a Fifth Circuit decision (and others since) that relied on the 1925 Federal Arbitration Act (FAA, not to be confused with the Federal Aviation Administration) to allow such arbitration clauses. In its decision, the Seventh Circuit ruled that the FAA does not protect every clause simply labeled “arbitration” and that illegal clauses can be thrown out. The case, Lewis v. Epic Systems (22 page PDF), involved non-payment of earned overtime. The mandatory arbitration clause for wage-and-hour claims was held illegal. Given the different rulings in different circuits, the Supreme Court is expected to be petitioned to reconcile them and, hopefully, clarify the law. Meantime, other similar cases are in process. More at the NY Times

[ We laughed and cried at the same time. The court essentially ruled that illegal clauses are … illegal! This is an update to a series of articles on Class Actions and Arbitration. Some of the recent articles were

11/01/2015 Class Action Lawsuits – Great equalizer or not?
12/15/2015 Update: Class actions limited … again

1/20/2016 Supreme Court Upholds an aspect of Class Actions
2/04/2016 Bill to Limit Arbitration
4/16/2016 Arbitration Clauses

-ed ]

6/01/2016  Troy Hunt interview

Who is Troy Hunt? Why should you be happy and grateful for what he is doing?

More than a few times we’ve included this advice: The Have I Been Pwned web site has about xx million accounts and if you haven’t checked at least once we recommend you do. Thanks to recent disclosures from LinkedIn, Myspace and Tumblr that xx is getting larger all the time. Troy Hunt runs that site and last week he had a virtual-space interview with eWeek’s Wayne Rash that touched on how Hunt got started, how the site has grown, and why he sends out as many as 180,000 emails per single session.

6/02/2016  Algorithms Rule, but not always wisely

PayPal in the United Kingdom wanted to block payments related to ISIS (the terrorists), so it blocked anything that contained those letters in that order. That includes an area commonly known as The Isis and a cul-de-sac named Isis Close. More at BoingBoing

Brainless filtering on substrings of blacklisted words is known as the “Scunthorpe problem”. For example: a resume that contains the word “specialist” might be sent to the spam folder because of the substring “cialis”, an erectile-dysfunction drug. More at The Guardian.
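
The two filters side by side, as an added example that is not PayPal’s or the Guardian’s code: naive substring matching, whole-word matching, and an allowlist for names that legitimately contain a blocked word. The word list, allowlist and sample inputs are constructed for illustration.

```python
import re

# Constructed word lists (illustration only).
BLOCKLIST = ["isis", "cialis"]
# Phrases known to be legitimate even though they contain a blocked word.
ALLOWLIST = ["isis close", "the isis"]


def naive_filter(text: str, blocklist=BLOCKLIST) -> list:
    """Substring match, as PayPal's filter evidently did: 'specialist' trips 'cialis'."""
    low = text.lower()
    return [w for w in blocklist if w in low]


def word_filter(text: str, blocklist=BLOCKLIST) -> list:
    """Whole-word match only: a word boundary is required on both sides,
    so a blocked word buried inside a longer word no longer matches."""
    return [w for w in blocklist
            if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


def screen(text: str, blocklist=BLOCKLIST, allowlist=ALLOWLIST) -> list:
    """Word-level match with allowlisted phrases removed first. A real place
    name passes; the bare word on its own is still caught. Word boundaries
    fix 'specialist' but cannot fix 'Isis Close'; only context can."""
    low = text.lower()
    for phrase in allowlist:
        low = low.replace(phrase, " ")
    return word_filter(low, blocklist)


SAMPLES = [
    "Senior security specialist, Scunthorpe",
    "Deliver to 4 Isis Close, Oxford",
    "Payment reference: ISIS",
]


def compare(samples=SAMPLES) -> dict:
    """Returns {sample: (substring hits, whole-word hits, screened hits)}."""
    return {s: (naive_filter(s), word_filter(s), screen(s)) for s in samples}


if __name__ == "__main__":
    for s, (n, w, sc) in compare().items():
        print(f"{s!r}\n  substring={n}  word={w}  screened={sc}")
```

The point of the third function is that no amount of regex cleverness distinguishes a street named Isis from a payment to ISIS; the filter needs an explicit list of known-good names, a review queue for the rest, and a human in the loop before money is frozen.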

[ This isn’t a new problem. There is a Baader-Meinhof Road. You’d think with so much revenue PayPal could program a little better and avoid the problem. -ed ]

6/02/2016  Arbitration using not(law)

How a company that had guaranteed resolution in a court of law simply moved the problem to arbitration, in a forum where the people lose over 90% of the time. How did they do that? More at NY Times.

[ This is an update to a series of articles on Class Actions and Arbitration.
Some of the recent articles were

11/01/2015 Class Action Lawsuits – Great equalizer or not?
12/15/2015 Update: Class actions limited … again
1/20/2016 Supreme Court Upholds an aspect of Class Actions
2/04/2016 Bill to Limit Arbitration
4/16/2016 Arbitration Clauses
5/31/2016 Illegal Clauses are Illegal.

-ed ]

6/03/2016  VISA prototype payment ring

Visa is providing a prototype ring with NFC-enabled antenna for 45 athletes at the summer Olympics in Rio de Janeiro this August. Might get to consumers, sometime. More at Data Breach Today.

[ Despite the marketing it isn’t the first such device. Prolific hacker Samy Kamkar (web site and YouTube channel) created MagSpoof in 2015, and that device can be loaded with the charge card information of the wearer’s choice. -ed ]

6/07/2016  Microsoft EMET protection – beaten

Angler is known to be a powerful exploit kit, but it was recognized and blocked by many anti-virus products and exploit blockers, including Microsoft’s EMET. Like many such threats Angler mutates, and the latest version completely bypasses EMET. The technical explanation is at FireEye and a version a little easier to read is at Tom’s Guide.

6/07/2016  Are AdBlockers Deceptive?

Online ad publishers are losing money to ad blockers: TRUE. Consumers who block ads reduce their chances of being victimized by malware, ransomware, etc.: TRUE. Ad publishers are fighting back by withholding some content if they detect an ad blocker: TRUE. Consumers are voting with their mouse and not lowering their shields: PARTLY TRUE. This being America, the ad publishers are going to court to stop, or at least hinder, ad blockers: SADLY PARTLY TRUE. Not exactly court, but

The Newspaper Association of America (NAA) filed a complaint (17 page PDF) with the US Federal Trade Commission (FTC) requesting an investigation of “deceptive” and “unlawful” practices. More at Naked Security / Sophos.

[ I see a child holding a thumb to their nose, wagging their fingers and saying “Naa, naa, naa, naa, naa!” I’m one who does not lower shields to view content. Why? If the ad were hosted on the site I might trust someone like CBS to test their ads and protect their readers / viewers. Many of the ads are passed through from ad publishers who might not. Any ad that arrives via that route might have been submitted for review, then modified. Or the ad might use “dynamic” content that contains malware. The risk is just too high and so I don’t watch CBS video. Practice safe hex! – ed ]

6/09/2016  Fake Apple Domains

There is one Apple.Com. FireEye has found over 200 domains with various names that sound like an Apple domain intended to induce users to enter their credentials and become victims. More at eWeek.

6/12/2016  China’s Cyber Launching Pad – in Wisconsin

Chinese hackers compromised a small welding shop’s computer in Wisconsin. They were not after the company data, they used it to launch attacks on other systems. The good news? Another company is watching their activity and warning the potential victims. The bad news? There are dozens of known compromised computers being used this way. This one Wisconsin computer was used to steal due diligence on an impending acquisition, confidential trading plans from a financial services firm, and proprietary source code. More at NY Times.

[ Who would think a small business with one computer would be a target for foreign cyber operations? With limited computing power and relatively low value on stored data, why? Their low cyber-security budget and US IP address made them a valuable target. How many don’t we know about? Dozens more? Hundreds? How much is protection costing in productivity? -ed ]

6/14/2016  Is internet service a “utility”?

Being a defined utility allows regulation by a governing body; in the case of the internet, the Federal Communications Commission (FCC). Without that regulation, providers could degrade some services and enhance others at their choice and at their price. In 2015 the FCC classified broadband services, wireless included, as common-carrier utility services subject to anti-blocking and anti-discrimination rules. In case 15-1063, decided today (184 page PDF), the United States Court of Appeals for the District of Columbia Circuit upheld that classification: the internet is a utility. More at NY Times

6/14/2016  Texas DOT road signs – Hacked

Texas Department of Transportation traffic signs are being hacked to display political messages. More at Fox News. More images of the hacks at Hack Read

6/14/2016  Russia hacks DNC

“Opposition research” on the Republican candidate was taken along with other things. More at Washington Post and NY Times

6/15/2016  DNC O/R on Trump on Line

Mother Jones has put the DNC opposition research online. Access it via the link above or as a 210 page PDF. There are links to published documents in support of the research.

[ The links in the PDF table of contents don’t work for me via either link. Entering the page number in the navigation bar works just fine. There appears to be an increasing index error: early sections are a page off because there is no page numbered 1, and later sections are off by more. Search the PDF for the keywords, or download it (about 1.6MB) to read offline. Links to external sources work. If the document isn’t comprehensive it is very close. -ed ]

6/14/2016  Email explosion!

Putting the ‘s’ in HTTPS is a good idea. It provides a number of security services to protect the web site visitor. Unfortunately getting a certificate installed isn’t easy or cheap. An organization called Let’s Encrypt offers no-charge certificates and simplified installation. They’ve done great work, with a few hiccups. First: credentials for their GitHub code repository were compromised. This could have allowed a hacker to make code modifications to turn all those great protections into malware. According to GitHub, the compromised credentials were not used. Great break!

The second hiccup involved an email notification to their users. The first email went to the first user. The second email went to a second user with the first user’s address visible in CC, and each subsequent email carried every address that had come before it. That is a breach: users’ email addresses are not supposed to be shared. Unfortunately it didn’t stop until someone noticed a lot more email than usual going out. The process was stopped at email 7,618, which went out with 7,617 CC addresses. More at Naked Security / Sophos

6/14/2016  North Korea Hacks South Korea, for years

According to police the intrusion started in 2014 but was only detected in February 2016, after two companies were hacked. Estimates of exposure include “at least” 160 government agencies and companies and over 140,000 computers in total. More at The Hacker News.

6/14/2016  Pentagon

In March 2016 the Defense Department launched a bug-bounty challenge, inviting hackers to find weaknesses in its networks and public-facing web sites. Over a thousand white-hat hackers participated. Finding the worst flaw was worth $15,000. Over 100 flaws were found.

6/22/2016 Update  Pentagon

The number of vulnerabilities found in the hack-by-invitation-only challenge has risen to 138.

6/21/2016  Just a little typo

“I never met a crisis I couldn’t exploit for my own purposes” (too many politicians)

Placing an amendment in a criminal justice appropriations bill instead of making a separate piece of legislation, Senator Mitch McConnell set up a vote late yesterday to expand the Federal Bureau of Investigation’s authority to use National Security Letters, WITHOUT a warrant, to obtain email metadata and some browsing history. It seeks to exploit a mass shooting in order to expand the government’s digital spying powers and, hidden in an amendment, many people (and too many senators) won’t even know it is there. FBI Director Comey says the legislation just fixes a typo. Per Reuters

6/22/2016 Update  Reason Invades Senate

Today, by two votes, the Senate rejected that “little typo” slipped into the criminal justice bill yesterday. One of those two votes was Senator Mitch McConnell, who changed his vote to nay. Voting against a measure allows him to bring it up for consideration again, and again, and again. More at Reuters.

[ Maybe he will try to beat his own record of 60+ votes to repeal the Affordable Care Act. In salaries alone we pay $174,000 per year per Senator. That is $17.4 million a year for symbolic votes while ignoring pressing issues. Is this why we put them there? -ed ]

6/22/2016  Clinton Foundation

A few weeks ago the DNC was hacked and its opposition research on Trump was taken and made public. Russian hackers are reportedly also responsible for this breach of the Clinton Foundation. There has been no claim of responsibility and no stated purpose, but if it follows the same pattern, expect documents good, bad, ugly and embarrassing to be made public.

6/23/2016  Ransomware increasing

Yesterday Securelist / Kaspersky released a report on ransomware from 2014 to 2016. Despite greater public awareness, improvements in exploit blockers and other protections, infections are up. Two facts from it: the total number of users who encountered ransomware rose from 1,967,784 (April 2014 to March 2015) to 2,315,931 (April 2015 to March 2016), a 17.7% increase. Among those who encountered ransomware, the proportion who met cryptors (file-encrypting ransomware, as opposed to screen lockers) rose sharply from 6.6% in 2014–2015 to 31.6% in 2015–2016, up 25 percentage points. More

6/23/2016  Apple Airports

A security update for Apple’s AirPort wireless routers raises more questions than it answers. There is no description of why the update was needed or what it fixes. Apple’s security advisory isn’t detailed, and the Common Vulnerabilities and Exposures (CVE) entry, CVE-2015-7029, was reserved 9/16/2015 and has received no detail since. One theory is that the routers were susceptible to a DNS “booby trap”: simply asking a malicious DNS server “Where is google.com?” could return a malformed reply that compromises the router when it parses the response. More at Naked Security / Sophos.
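Why a malformed DNS answer can take over the device that parses it, and what defensive parsing looks like, as an added example in Python (not Apple’s firmware and not anything from the advisory): a reply parser that bounds-checks every field and rejects the compression-pointer tricks that trip up naive parsers, namely self-referencing or forward pointers, labels that run past the end of the packet, and an RDLENGTH larger than the packet. The packets are constructed inside the block, not captured, and the function names are ours.

```python
import struct


class MalformedDNS(ValueError):
    """The reply is rejected before any of its contents are trusted."""


MAX_NAME_OCTETS = 255          # RFC 1035 limit on a wire-format name


def encode_name(name):
    """Wire-encode a dotted name (used here only to build test packets)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(pkt, offset):
    """Decode a possibly compressed name starting at `offset`.
    Returns (name, offset just past the name in the current section).
    Every read is bounds-checked and a compression pointer must point
    strictly backwards, so a crafted reply can neither loop nor run off
    the end of the buffer."""
    labels, total, pos, end = [], 0, offset, None
    while True:
        if pos >= len(pkt):
            raise MalformedDNS("name runs past end of packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if pos + 1 >= len(pkt):
                raise MalformedDNS("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if end is None:
                end = pos + 2                        # pointer ends the name
            if target >= pos:                        # must refer to a prior occurrence
                raise MalformedDNS("forward or self-referential pointer")
            pos = target
            continue
        if length & 0xC0:
            raise MalformedDNS("reserved label type")
        if length == 0:                              # root label: done
            return ".".join(labels) or ".", (pos + 1 if end is None else end)
        if pos + 1 + length > len(pkt):
            raise MalformedDNS("label exceeds packet")
        total += length + 1
        if total > MAX_NAME_OCTETS:
            raise MalformedDNS("name longer than 255 octets")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length


def parse_reply(pkt):
    """Parse header, questions and all resource records of a DNS reply."""
    if len(pkt) < 12:
        raise MalformedDNS("header truncated")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        raise MalformedDNS("not a response")
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(pkt, pos)
        if pos + 4 > len(pkt):
            raise MalformedDNS("question truncated")
        qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, pos = read_name(pkt, pos)
        if pos + 10 > len(pkt):
            raise MalformedDNS("record header truncated")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(pkt):                   # RDLENGTH is attacker-controlled
            raise MalformedDNS("RDATA exceeds packet")
        rdata = pkt[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1:               # A record
            if rdlen != 4:
                raise MalformedDNS("A record with bad RDLENGTH")
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rdata))
    return {"id": txid, "questions": questions, "records": records}


def check_reply(pkt):
    """'ok' if the reply parses cleanly, otherwise why it was rejected."""
    try:
        parse_reply(pkt)
        return "ok"
    except MalformedDNS as exc:
        return str(exc)


def build_reply(txid, qname, ipv4, rdlength=4):
    """Construct a minimal A-record reply (a test packet, not captured
    traffic). The answer's owner name is a pointer to offset 12, where the
    question name sits; an oversized `rdlength` fakes a lying RDLENGTH."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlength) + rdata
    return header + question + answer
```

The point of the structure is that no length field from the wire (label length, pointer offset, RDLENGTH, record counts) is ever used to index the buffer before it has been compared against the real packet length; a resolver stub that skips any one of those comparisons is the kind of code a “booby trap” reply is written for.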

6/23/2016  Android “Stopwatch” does more

A stopwatch app on the Google Play Store contains more than a clock; it carries malware dubbed Android/Trojan.Pawost. Once installed it uses Google Talk to place calls to numbers in a specific area code, sends SMS messages, blocks incoming SMS messages and exfiltrates personal data and phone specifications. More at Hack Read.

6/23/2016  How do I hack thee?

Let me count some ways. One session at the upcoming Black Hat security conference (7/30 to 8/4/2016) will walk through the top eight submissions to Pwn2Own 2016. Each provided an exploit chain achieving remote code execution (RCE) and then escalating to the highest privileges (admin/SYSTEM/root) via browser native code or a plug-in. In a change from previous years, the kernels of Windows and Apple OS X were the most exploited targets. Even with application sandboxes, a large attack surface remained vulnerable. In what may be described as gallows humor, the situation is described as “shell on earth”.

6/28/2016  How did we get a surveillance state?

One opinion, from a source we’ve not quoted previously, on how it was economic, not political.

We started out collecting this information by accident, as part of our project to automate everything, but soon realized that it had economic value. We could use it to make the process self-funding. And so mechanized surveillance has become the economic basis of the modern tech industry.

This creates a ratcheting effect where the behavior of ever more people is tracked ever more closely, and the collected information retained, in the hopes that further dollars can be squeezed out of it.

Just like industrialized manufacturing changed the relationship between labor and capital, surveillance capitalism is changing the relationship between private citizens and the entities doing the tracking. Our old ideas about individual privacy and consent no longer hold in a world where personal data is harvested on an industrial scale. …

[ from the Conclusions section ] … the surveillance economy is way too dangerous. Even if you trust everyone spying on you right now, the data they’re collecting will eventually be stolen or bought by people who scare you. We have no ability to secure large data collections over time. [ from The Moral Economy of Tech. source ]

[ More thoughts of Maciej Cegłowski at Idle Words whose motto appears to be brevity is for the weak – ed ]

6/28/2016  Living Free in a Surveillance State

Face facts: the police, uniformed or otherwise, get taxpayer funding and the latest tools: the Stingray cell-phone interceptor, ultra-high-resolution cameras, drones, tools that jam cell-phone reception, unmarked vans scanning people with X-ray technology and more. Civilians, ordinary and protesters, have to make do with lesser tools. That is changing thanks to BackSlash and other tools.

To defeat facial recognition try these glasses, or a life-like face mask of an artist who gives people permission to use his likeness. Or an app so people know their rights and can record what is happening to them; the recordings in the app are protected so that any alteration can be detected. Detect Stingrays with another app.

The BackSlash kit contains portable routers that let a crowd form a mesh network, so as long as one node is outside the cell blackout area, those inside can still reach out. There is also an alarm function so that people who are forced out of one area into another (sometimes called a free-speech zone, sometimes an unobserved place where violence can be dealt out without fear of repercussion) can alert others not yet in that zone. More at Hack Read.

6/29/2016  Facebook Privacy – HOAX

Did someone tell you that your material on Facebook would become Facebook’s property to use as it sees fit? Me too. It is a hoax. More at The Hacker News.

6/29/2016  Automated Legal Adviser wins 64% of its “cases”

In the 21 months since the service launched in London, then in New York, DoNotPay has taken on 250,000 cases and won 160,000, a success rate of 64%, in appealing over $4 million in parking tickets. The cost? There is no charge for the advice given by this chatbot, written by a 19-year-old. The ’bot walks you through simple questions (“Did you see any signs?”) and prepares forms for you to use in court and, if necessary, on appeal. Next for the inventor is helping people seeking flight-delay compensation. This is a major improvement in chatbot technology over ordering food for delivery. More at The Guardian / UK.

6/29/2016  Forced into Windows10, lockup, suit, a win????

In April 2016 we wrote about how Windows 10 updates when it wants to, regardless of what you are doing. Sometimes Win10 would install, prove unstable and render the computer inoperable. Win10 was foisted on a California travel agency which, lacking a decline button, says it was forced into accepting Windows 10. Microsoft customer support didn’t fix the issue and the company sued. In a quintessential David vs Goliath contest it won. Microsoft appealed, then dropped the appeal and paid $10,000 while denying wrongdoing. More at The Seattle Times.

6/29/2016  List Social Media Handles

The Department of Homeland Security (DHS) has requested that this question be added to the Electronic System for Travel Authorization (ESTA) and to the Nonimmigrant Visa Waiver Arrival/Departure form (Form I-94W): “Please enter information associated with your online presence—Provider/Platform—Social media identifier.” An answer is optional for now.

[ Now think a moment. If a person is entering the United States to do bad things are they going to share those plans on social media? Are they going to reveal to DHS all their social media links? We should be so lucky. So, as laws only affect the lawful, the law abiding will spend more time filling out forms so perhaps that data can be used for other purposes. The lawless won’t.

Irony abounds. To enter the Land of the Free, home of the First Amendment (including the freedom of speech), DHS wants to know what you’ve written online. So Adolf Hitler would list nothing there and give no clue as to Mein Kampf. Neither would Lenin.

If you want to comment before 8/22/2016, you have to use snail mail. There is no electronic comment capability. While the question is optional, many such things become permanent and who knows where that data may wind up? Given the above, how many scarce resources are going to be consumed in expanding a department to include the Office of Blog Review? -ed ]

6/30/2016  Security Software: You want bugs with that?

Symantec’s security software contains multiple security vulnerabilities of its own. More at Data Breach Today

7/02/2016  Dangers of a Cloud-Based Provider

If you are a health care provider you may be using software that connects your workstations to a provider outside your facility. There are advantages to “cloud-based” services, and dangers.

The Department of Health and Human Services tracks exposures of health care providers and makes that information public, but only if the exposure affected 500 patients or more.

The listing shows the entity whose data was affected, but not much else. As of 6/30/2016, 17 of those entities were customers of Bizmatics, a cloud-based provider. How many other of their reported 15,000 clients had exposures? More at Data Breach Today.

Update:  Dangers of a Cloud-Based Provider

We found three Bizmatics customers: Stamford Podiatry Group, Integrated Health Solutions and ENT and Allergy Center. Collectively over 76,000 patients were exposed. If the average were 25,333 per customer, then 15,000 customers would mean over 380 million patient records exposed. That figure exceeds the population of the United States, so it counts records rather than unique patients and should be read as a rough upper bound, not an estimate.

7/02/2016  Not your typical ‘bot network

Your computer gets a virus which, completely unknown to you, lets the virus maker use your computer to do their bidding as part of a network of robots, a ’bot net: sending spam, mounting denial-of-service attacks and more, all from your computer. With internet everywhere it isn’t just traditional computers anymore. In January 2014 over 100,000 home appliances, televisions and other internet-of-things devices were hijacked to send emails with malicious content.

Imperva warned about closed-circuit television (CCTV) botnet attacks in March 2014. In October 2015 they reported a 900-camera ’bot network. Considering that there were over 240 million professionally installed CCTV cameras as of 2014, there is a lot of computing power attractive to hackers.

The CCTV ’bot armies are growing. In late June 2016, 25,000 CCTV cameras were found participating in denial-of-service attacks. 75% of them were in the USA, France, Indonesia, Israel, Italy, Malaysia, Mexico, Spain, Taiwan and Vietnam; the other 25% were in 95 other countries. Such a widespread base is difficult to counter. It is better that CCTV systems be properly installed in the first place: change the default password, and don’t expose the camera’s administrative interface to the internet.

7/05/2016  A great headline

“Ashley Madison hook-up site to be probed by the Federal Trade Commission.”

Why? Well, A-M used “fembots” instead of real women, which could be deceptive advertising. There is also the claim of privacy while poorly securing the information. More at Reuters

7/05/2016  Win10 Upgrade isn’t a request anymore

Looks like the nice language has ended. Microsoft isn’t recommending an upgrade to Win10 anymore; it is announcing one. Do you see any option to say “no” on this screen? The presentation is changing, but not the message. More at Naked Security / Sophos.

7/05/2016  Apple can turn off your camera

Once their patent is embodied in your phone. Simply put, an emitter (infrared, per the patent) is placed where they don’t want you to capture images or video, and a camera that detects the signal disables recording. Intended for venues such as concerts, it also makes it possible to prevent visual capture of the malfeasance of anyone who improperly uses the suppression capability. Would we know about Tiananmen Square if the tanks had been fitted with suppression emitters? Application 20150042819, granted as patent 9,380,225 on 6/8/2016.

7/05/2016  Chrome Users! Beware Tagging Emails

Chrome users are being targeted with emails claiming a Facebook notification that you’ve been tagged by a friend. Clicking the link downloads malware; open the download and you’re infected. Other browsers may also become targets. More at Hack Read.

7/06/2016  TP Link Users!

There is a reason that calendaring is such a popular application.

To make router configuration easier, some hardware vendors have users browse to a domain name instead of a strictly formatted IP address. TP-LINK apparently didn’t renew the domains tplinklogin.net and tplinkextender.net. Users should no longer use those domain names: they are up for sale, and malware distributors would love more visitors. If you haven’t changed it, use the router’s default local address, http://192.168.1.1, instead. More at The Hacker News
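The practical check here is “does the name I am about to type my router password into actually resolve to my own LAN?” The following is an added example in Python, not TP-LINK’s or anyone else’s code: a pre-flight check for a router admin URL that accepts a literal private address, refuses the two lapsed domains the page names outright, and otherwise requires every resolved address to fall in a LAN range. The resolver is injected as a function so the check runs offline; SAMPLE_DNS is a constructed lookup table, and the 203.0.113.0/24 addresses in it are documentation space playing the role of a squatter’s server. Function and variable names are ours.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains the page reports TP-LINK let lapse. A lookup of these can no
# longer be trusted whatever it returns, so they are refused outright.
LAPSED_VENDOR_DOMAINS = {"tplinklogin.net", "tplinkextender.net"}

# Address ranges reachable only on the local network. Python's
# ip_address(...).is_private is deliberately not used: it also counts the
# documentation ranges such as 203.0.113.0/24, which are not LAN space.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


def is_lan_address(text):
    """True if the address string lies in one of LAN_NETWORKS."""
    ip = ipaddress.ip_address(text)
    return any(ip in net for net in LAN_NETWORKS)


def check_admin_url(url, resolve):
    """Decide whether `url` may be used to reach a router's admin page.

    `resolve(hostname)` must return the list of address strings a DNS lookup
    gives; it is injected so the check runs offline. Returns (ok, reason)."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:                                  # literal IP: DNS is not involved
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        ok = is_lan_address(host)
        return ok, "literal LAN address" if ok else "literal public address"
    host = host.lower().rstrip(".")
    if host in LAPSED_VENDOR_DOMAINS or any(
            host.endswith("." + d) for d in LAPSED_VENDOR_DOMAINS):
        return False, f"{host} is a lapsed vendor domain"
    answers = resolve(host)
    if not answers:
        return False, f"{host} did not resolve"
    public = [a for a in answers if not is_lan_address(a)]
    if public:
        return False, f"{host} resolves off the LAN: {', '.join(public)}"
    return True, f"{host} resolves only to LAN addresses"


# Constructed lookup table standing in for live DNS answers.
SAMPLE_DNS = {
    "router.lan.example": ["192.168.0.1"],
    "tplinklogin.net": ["203.0.113.7"],      # what a squatter's DNS might say
    "portal.example": ["203.0.113.9"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://192.168.1.1", "http://tplinklogin.net",
              "http://router.lan.example/admin", "http://portal.example"):
        print(u, check_admin_url(u, sample_resolve))
```

To use it against a real lookup, pass a resolver such as `lambda h: socket.gethostbyname_ex(h)[2]`; the vendor-domain refusal still applies first, because a name the vendor no longer controls is unsafe even on the day it happens to resolve locally.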

7/08/2016  Android #1: Hummer

The first of three stories on problems or situations affecting Android phones.

There is a reason that malicious software is called a “virus”. In 2014 Cheetah Mobile found “Hummer”, malware targeting Android phones. At its peak in the first half of 2016 it infected over 1.3 million devices each day and spawned its own underground industry in China.

Hummer “roots” the device, giving itself the highest level of permissions to silently install (or re-install) applications, malware, porn and adware without the user’s permission or awareness. A factory reset won’t purge it. Already infected? Cheetah Mobile has (literally) a Killer app available from the Google Play Store.

More than 25 nations are affected. India is the most affected, and half of its top six infections are members of the Hummer family. The US is 16th. Worldwide, “Hummer” is a significant threat, with a “family” of more than a dozen variants. More at The Hacker News.

7/08/2016  Android #2: FDE Crypto not always secure

For security, Android offers “full disk” encryption so that if your phone is lost or stolen its contents have some protection. Or not. If your phone has a Qualcomm chipset, a security researcher found that the keys can be extracted from the chip’s secure environment and used to unlock the data off the device. This capability is available to crooks and cops alike. More at The Hacker News.

7/08/2016  Android #3: “Godless”

Last month researchers at Trend Micro discovered a new malware family called “Godless”, distributed by malicious apps in app stores. One such app is “Summer Flashlight”, which was available on Google Play. Godless has affected over 850,000 devices worldwide, with India hardest hit. Even though “Summer Flashlight” has been removed from Google Play it continues to exist on mirror and other sites. Godless uses an open-source rooting kit to elevate its privileges, communicate with a command-and-control server and install applications without the user’s permission or awareness. Some of those applications are spyware. More from The Hacker News.

7/08/2016  OS X #1: “Keydnap”

This malware intends to steal the contents of the keychain and maintain a permanent backdoor. The downloader arrives in a file with a “safe”-looking extension such as .jpg. The unwary would double-click it. It isn’t “.jpg”, it is “.jpg[space]”, and the file is a Mach-O executable; because of the trailing space the file is not treated as an image, so a double-click launches it through the Terminal program instead. There are security settings that should prevent this. Are yours set properly? More, including a video of the malware deploying, at We Live Security.
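The two tells the page describes, a trailing space after the extension and an executable header behind a document extension, are easy to check for mechanically. The following is an added triage script in Python, not ESET’s analysis tooling and not part of the page: it inspects a filename exactly as typed plus the first bytes of the file, and flags either tell. The sample files are constructed (the headers are genuine format magics, the files are not real), and the function names are ours.

```python
import os

# Mach-O magic numbers as the first four bytes appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, big / little endian
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # fat (universal) binaries
}
# Java .class files also begin with CA FE BA BE, so the fat magic is only
# treated as a tell behind extensions where no executable header belongs.
DATA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "docx", "zip"}


def split_extension(filename):
    """Return (stem, extension exactly as typed) of the last path component.
    Whitespace is deliberately not stripped: "jpg " is the tell."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return (stem, ext) if dot else (base, "")


def assess_file(filename, head):
    """List the reasons this file looks like an executable posing as a
    document. `head` is the file's first bytes (four suffice for the magic)."""
    reasons = []
    _, ext = split_extension(filename)
    if ext != ext.strip():
        reasons.append("extension has trailing/leading whitespace")
    declared = ext.strip().lower()
    if declared in DATA_EXTENSIONS and head[:4] in MACHO_MAGICS:
        reasons.append(f"Mach-O executable with a .{declared} extension")
    return reasons


def scan(samples):
    """Run assess_file over (name, head) pairs; return only the flagged ones."""
    flagged = {}
    for name, head in samples:
        reasons = assess_file(name, head)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_directory(path):
    """Triage a real folder (say ~/Downloads): read 4 bytes of each file."""
    found = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                found.append((name, fh.read(4)))
    return scan(found)


# Constructed samples: the headers are real format magics, the files are not.
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),        # genuine JPEG SOI
    ("vacation.jpg ", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),   # x86-64 Mach-O, trailing space
    ("report.pdf", b"\xfe\xed\xfa\xce\x00\x00\x00\x12"),      # 32-bit Mach-O as a "PDF"
    ("tool", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),            # executable named honestly
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check reads file content rather than trusting the name because the name is exactly what the attacker controls; the extension test is kept separate so that a renamed-but-honest executable (the `tool` sample) is not flagged, while a document extension sitting on a Mach-O header is flagged even when the space trick is not used.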

7/08/2016  OS X #2: Webcam → ON!

Meet Eleanor-A, malware for OS X. It pretends to be “EasyDoc Converter”, a tool for Mac users to read Windows files. Easy to install, but lightweight in functionality. Go ahead and delete it, but you won’t see what it leaves behind, starting with a hidden folder of programs and scripts. They look relatively benign. Individually they might be. Collectively, not so much.

The programs include The Onion Router (Tor), which connects the computer to the anonymising network as a “hidden service” with a random name, and a script run by the PHP interpreter that ships with OS X. A third program uploads that generated random name to Pastebin. Now anyone in the know can go to Pastebin, find the name, reach the hidden service, take over your computer and use the bundled utilities to send or receive files, take pictures or video with your webcam and more.

Guidance on how to spot Eleanor-A and more are at Naked Security / Sophos

7/12/2016  Pokemon/GO

Unless you have been living in a media blackout, totally unconnected from the internet, you know about the new Pokémon/GO game, a geocaching theme mixed with the Pokémon game universe. What you might not know are the dangers described below.

7/12/2016  Pokemon/GO – beware the download

Some gaming and tutorial websites have recommended that users download the game from a non-Google Play link. Google Play has had its share of malware-infected apps, but the non-Google sites are worse. P/GO has been found bundled with DroidJack, a Remote Access Tool (appropriately abbreviated RAT) that exposes Android devices to unauthorized external access. See The Hacker News

7/12/2016  Pokemon/GO – Data Sucker/Privacy Danger

Niantic Labs co-developed the game, and according to its privacy policy it collects your email address, your current IP address, where you were before you logged in to P/GO, your username and your current location. Niantic may share that data with other developers, third parties of several varieties and law enforcement, or use it to stop “illegal, unethical, or legally actionable activity.” Given the massive number of players this may be the highest-resolution location-based social dataset created to date.

You need a Google account, created before you access P/GO. Initially undeclared, P/GO also obtained full access to your Google account. That means it could read your email and send email in your name without your knowledge or consent, access your Google Drive to add, change or even delete contents, review your search history, review your Maps navigation history, access your Google Photos (including any marked private) and more.

The email access opens more doors. Many sites offer “Forgot Password” links: enter an email address and they will send a password reset for the account associated with that address to that mailbox. That would be the Google mailbox you just gave someone else permission to read.

That has been changed, at least the “undeclared” part. New log-ins require an explicit one-time permission to access your Google account. According to the company the scope of information accessed is now restricted to basic profile data, but millions of people had already granted the broader permission. There is a way to revoke the permission yourself. See The Hacker News source below.

Sources: Buzzfeed, The Hacker News, Adam Reeve and the image we used was found on Facebook / Sarah Ray.

[ The odd part is that this was either incredible ignorance or something akin to a world data-sucking plot. Many apps offer “Sign in with Google”, which gives the app the security of knowing who you are without your giving away the keys to a huge data trove. Swati of The Hacker News has a better protection idea: create a new Google account just for game access, without any personal information. -ed ]

7/12/2016  Pokemon/GO – CIA/NGA association?

There is no disputing that Pokémon Go was created by Niantic, founded by John Hanke, who earlier helped develop Keyhole, now owned by Google and the basis of Google Earth. Who helped fund Keyhole? In-Q-Tel, sometimes called the venture-capital arm of the intelligence community. Its stated mission: “IQT identifies, adapts, and delivers innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community.” And: “… the funds In-Q-Tel gave Keyhole mostly came from the National Geospatial-Intelligence Agency (NGA), whose primary mission is ‘collecting, analyzing, and distributing geospatial intelligence.’” Given this huge volume of location-based information a “Pokedex” could be created. What is that? See Blackbag / Gawker

7/12/2016  Pokemon/GO – DroidJack/More

A P/GO app downloaded from an alternative site was found to be a “remix”, with malware code embedded inside the P/GO game. The game works and looks the same, but the malware can listen in on your calls, intercept messages before you see them, log all your web browsing (including your banking user IDs and passwords), activate your camera, and turn your phone into their phone to send high volumes of spam or participate in denial-of-service attacks (both at your data cost). DroidJack, aka DJ, isn’t a newbie; its history extends back to SandroRAT, a remote access toolkit from the dark ages (2014). More at Naked Security / Sophos.

[ RATs and malware in general are much easier to avoid than to clean and recover. Practice safe hex and use anti-malware and anti-exploit software. -ed ]

7/12/2016  Pokemon/GO – Crime Lure

Someone set a lure (an in-game beacon that attracts players) at a PokéStop in O’Fallon, Missouri. People who arrived were unpleasantly surprised to find crooks who relieved them of their valuables. More at Data Breach Today.

7/13/2016  Ransomware – we told you

We’ve told you many times not to pay ransomware. Back in 2014 we even quoted Kipling. Why not pay? a) It encourages more of the same. b) The crooks might not unlock your files, even if they can. c) Not all crooks are competent and, even if they wanted to, can’t unlock your files. Now reason d): the crooks never encrypted your files in the first place, they deleted them, so even if you pay you get nothing back. The only recovery in that case is a backup the malware could not reach. More at Naked Security / Sophos.

[ Practice safe hex, backup, Backup, BACKUP and, oh yes, BACKUP! -ed ]
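A backup you have never restored is a hope, not a backup, and reason d) above is exactly the case where you find out. The following is an added example in Python, not code from the page or from any backup product: it records a SHA-256 manifest of a directory at backup time, then compares the directory against that manifest after an incident and again after a restore, reporting what is intact, changed, missing or unexpected. `demo()` builds a constructed scenario in a temporary directory (three small files, a simulated attack that deletes one and overwrites another, a restore from the copy); the file names and contents are invented and the function names are ours.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its
    SHA-256 hex digest. Run this when the backup is taken and store the
    result with the backup, not on the machine being backed up."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_restore(root, manifest):
    """Compare a directory tree against a manifest taken earlier."""
    current = build_manifest(root)
    return {
        "intact": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "changed": sorted(p for p in manifest
                          if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: back up three files, let 'ransomware' delete one
    and scribble over another, then restore from the copy. Returns the
    verification results (after the attack, after the restore)."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "ledger"))
        for rel, data in [("ledger/q1.csv", b"1,2,3\n"),
                          ("ledger/q2.csv", b"4,5,6\n"),
                          ("notes.txt", b"hello\n")]:
            with open(os.path.join(live, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(live)
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)                  # the offline copy
        # The attack: one file deleted outright, one overwritten with junk,
        # and a ransom note dropped in.
        os.remove(os.path.join(live, "ledger", "q1.csv"))
        with open(os.path.join(live, "notes.txt"), "wb") as fh:
            fh.write(b"\x00" * 64)
        with open(os.path.join(live, "README_DECRYPT.txt"), "wb") as fh:
            fh.write(b"pay us\n")
        after_attack = verify_restore(live, manifest)
        # The restore: wipe the live tree and copy the backup back.
        shutil.rmtree(live)
        shutil.copytree(backup, live)
        after_restore = verify_restore(live, manifest)
        return after_attack, after_restore
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    attack, restore = demo()
    print("after attack :", attack)
    print("after restore:", restore)
```

The manifest is what turns “the restore finished without errors” into “every file came back byte-for-byte”; a scheduled run of `verify_restore` against a freshly restored copy is the test most backup schemes never get.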

7/14/2016  FDIC hacked for years, kept quiet

In a 25-page staff report (html) for the Republican members of the House Committee on Science, Space and Technology, investigators found not only that the FDIC was hacked many times from 2010 to 2013, but that the FDIC actively concealed the fact. A senior FDIC attorney told employees not to use email (an official government record) to discuss the hacks. The FDIC is best known to the public as the insurer of deposits at banks around the country. It has a less public role as examiner of banks that are not examined by the Federal Reserve. More at CNN.

Who dunnit?

The FDIC has security policies, procedures, guidelines and processes, but they appear to be paper tigers that are not followed. There is no requirement for timely reporting. So who hacked the FDIC? China is variously reported as a “suspect” and a “proven culprit”, but denies it. The evidence is thin. More at Data Breach Today.

[ Concealing the information from the public under the broad “national security” rubric is perhaps permissible, but misleading government auditors and oversight is another. Knowing how hacks were done provides education on how to better protect against future hacks. As for China, even if they did it, or supported a proxy in doing so, would one nation admit such an impolite activity? Solid evidence is necessary and may be hard to obtain. -ed ]

7/14/2016  Energy Grid Hacking Tool

Programmers have a particular coding style and modules they prefer to use and re-use because they work. Collectively these form a signature. SentinelOne, a cyber-security firm, found a sophisticated piece of malware designed to do reconnaissance on energy-grid systems in advance of an attack. The researchers believe that “Furtim” actively checks for antivirus products, sandboxes and virtual machines (honey traps) in order to evade detection. This makes it more sophisticated than the work of civilian hackers and bears the signature of a government, probably in eastern Europe. More at Motherboard / Vice.

[ Knowing this makes possible better prevention. So how safe are our power distribution systems anyway? Like the FDIC were they hacked and we’re not being told? -ed ]

7/15/2016 Update  Energy Grid Hacking Tool

SentinelOne published an update correcting inaccurate reports that the malware targets Supervisory Control And Data Acquisition (SCADA) systems, the standard for industrial controls.

7/14/2016  Pokemon/GO – Q & an “oops”

Apparently we were not the only ones to question the gigantic data slurp. Senator Al Franken of Minnesota, the top Democrat on the Science &amp; Technology Committee and ranking member of the Subcommittee on Privacy, Technology and the Law (part of the Senate Judiciary Committee), also wants to know.

In a letter (html) Senator Franken asks seven direct questions arising from his concern: “I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent.”

[ We look forward to direct answers. So are the people at Naked Security / Sophos -ed ]

Oops

At least one P/GO “gym” is actually a private residence. Oops.

7/14/2016  Do you need PERMISSION to visit a web site?

In a 23-page opinion (html, if your browser has a PDF reader) in the United States Court of Appeals for the Ninth Circuit, case 13-17102, the court affirmed in part, reversed in part and sent the case back to the original court. It held that the 1986 Computer Fraud and Abuse Act (CFAA) and California Penal Code §502 were violated when, after receiving a cease-and-desist letter, the defendant “continued to access Facebook’s computers without permission.” (source: page 5 of the Opinion)

[ We understand that the defendant was accessing Facebook’s computers in a manner other than the generally acceptable manner. The written opinion by the appellate court was phrased apparently without this qualification. Thus the statement appears to indicate that use, of any kind, requires permission to avoid being in violation of the CFAA. -ed ]

7/14/2016  Share a password? You CROOK!

In the United States Court of Appeals for the Ninth Circuit, case numbers 14-10037 and 14-10275, this 67-page opinion (html, if your browser has a PDF reader) appears to make password sharing a crime. More specifically, a former employee’s credentials had been revoked. That former employee, with the help of another, used the credentials of a current employee, in violation of the 1986 Computer Fraud and Abuse Act (CFAA) and, because trade secrets were taken, the 1996 Economic Espionage Act (EEA). One judge dissented (page 3), arguing that password sharing is not a crime under the CFAA and that the millions of people who do it are not federal criminals.

7/14/2016  Pokemon/GO – The Real World will kill you

Unlike starting a game over, the real-world penalties for not maintaining situational awareness are much heavier. Encinitas, California: two people climbed a fence onto unstable ground and fell more than 50 feet; alcohol appeared to be involved. That isn’t all. While playing the game at least one player has found a dead body. People have walked into walls, trees and revolving doors. People have tripped, fallen off skateboards and more while distracted. Phones have been stolen while their owners were playing. People have been locked inside buildings and at least one cemetery, searching for virtual things while the real world closed up. More at NBC/SanDiego.

7/15/2016  UK Railway Breached

The railway network in the United Kingdom has been the target of at least four cyber attacks since July 2015. Like the energy-grid surveillance malware (above), these attacks didn’t damage anything; reconnaissance appears to have been their mission. Trains are vulnerable to improper routing, signalling errors and, if a switch is thrown while a train is passing over it, derailment. Given volatile cargo, that alone is a material threat. More

[ So how safe are US railways? We’ve had some major incidents over the past year. Are they accidents or hacks? -ed ]

7/15/2016  Bug Bounty by Fiat-Chrysler

First among the US Big Three automakers, Fiat Chrysler Automobiles (FCA) launched a bug bounty program to motivate hackers to work with it. Why? The last big discovery resulted in a very expensive 1.4-million-vehicle recall. The rush to connectivity has far outrun the security available (see car hacking since 2010). There are rules, including definitions of allowed targets and a requirement to use an email account at the bugcrowdninja.com domain so that FCA knows it is you. Payouts max out at $1,500. More at Naked Security / Sophos.

7/15/2016 Update  FCA Bug Bounty vs Proposed MI Law

Michigan has a bill, apparently still under consideration, that would make hacking a car punishable by a life sentence. So, does that make participation in the FCA bug bounty program a criminal act? Is FCA aiding and abetting? The rules don’t address the point.

7/15/2016  Cops vs Crooks

Earlier in July Europol announced 105 arrests across 15 countries to bust a gang of “carders”. What is carding?

7/15/2016  Now Your Siri Works for me!

Do you use Siri or another voice-control assistant? Do you listen to video? You might want to turn it off. According to researchers, commands barely intelligible to us are executed by Siri just fine. Examples and more are on their project page. In the demonstration the phone is instructed to open a web site. The one they used was benign, but it could just as easily have been InfectMyPhoneWithMajorMalware or similar unpleasantness. Background noise appears to have little effect. Imagine such a command broadcast over the public-address system at a sporting venue, or embedded in the National Anthem. For arguments pro and con on leaving voice-controlled assistants always on, see Naked Security / Sophos.

7/15/2016  Attacks on Google

Would you believe over 130 state-sponsored attacks per day? According to Google senior vice president and Alphabet board member Diane Greene, that is just the number of state-sponsored-attack warnings Google sends to its users. More at Reuters.

7/16/2016  Was Windows ever secure?

Each month, in a ritual sometimes called “Patch Tuesday”, Microsoft, Adobe and some others release their latest fixes. At some point you might expect the volume of fixes to slow as things get fixed. You’re not alone in that hope. It is becoming apparent that some operating systems and applications have never been secure since their inception.

Bringing that concept to the front page is Microsoft’s security release earlier this month: 11 security bulletins with about 50 fixes. Six bulletins were “critical”; the other five merely “important”. This one generated the most attention:

MS16-087: Security Update for Windows Print Spooler Components (3170005)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

It affects every currently supported version of Windows. An attacker who can get between a computer and its print server, or who stands up a rogue print server on the network, can hand the workstation a malicious printer driver through Windows’ automatic driver installation; the driver is installed and run with system privileges, so from there the attacker can do nearly anything. This was discovered by Vectra, who call it a printer “watering hole attack”. The link leads to considerable detail. They also posted a video (YouTube, 12m 30s).

7/18/2016  Pokemon/GO, some genius, some not

Some who play Pokémon/GO are clever and some are clueless. Clever is learning that your house is a PokéStop and setting up a lemonade stand on a hot day, or offering battery charging. The best of clever might go to the Manchester, New Hampshire police, who announced that a Charizard (a rare character) was appearing at their station and sent emails to a “select group” inviting them to capture it before the general public arrived.

The not-so-smart were that select group, who showed up: every one of them had an outstanding arrest warrant. Other not-so-smart people failed to maintain real-world situational awareness and drove into a tree, fell off a cliff edge, were lured by crooks for robbery and assault, or behaved such that they were mistaken for burglars and got a loud welcome from Smith &amp; Wesson. The worst was a convicted sex offender on parole who was playing the game with a 16-year-old, violating the terms of his release. More at Naked Security / Sophos.

7/19/2016  Xiaomi Including Samsung, HTC & Nexus

Xiaomi is the third largest smartphone manufacturer in the world. In 2015 it shipped over 70 million units each with their custom Mi User Interface (MIUI) pronounced “Me You I”. MIUI is a variant of Google’s popular Android operating system. The Xiaomi MIUI is used by more than 300 Android devices including those with the name Samsung, HTC and Nexus.

David Kaplan of IBM X-Force discovered a vulnerability that may allow hackers to obtain super-user privileges and completely control the device. There is a patch from Xiaomi. Details are in the IBM link above. More general information is available at The Hacker News.

7/19/2016  Protect your SSN, good service or not?

There is a new service that monitors the use of Social Security numbers to see if yours is among them. The CIVIC service is available at no charge for the moment and has some additional benefits. More at Wired.

[ As nice as the idea is there is a potential drawback. To use the service you have to provide your Social Security number. That makes CIVIC what the military might call a high value target for identity thieves. How secure are they? Considering the increasing volume of hacks and the over 1.7 billion exposures in 2016 to date, this could be “too many eggs” in one basket. -ed ]

7/21/2016  Library of Congress, DDoS attack stopped

The Library of Congress is probably the closest modern equivalent to the Library of Alexandria, a huge, public, accessible repository of information. Alexandria was lost in conflicts and the LOC is under attack not from barbarians at the gate, but miscreants of the internet. A denial of service attack was launched July 17, 2016 and affected library operations, internal websites and employee email until July 20, 2016. According to the Librarian the attack was “… a massive and sophisticated DNS assault, employing multiple forms of attack, adapting and changing on the fly.”

7/21/2016  Phineas Fisher interviewed (sort of)

The Hacking Team created surveillance systems for nations. They were hacked in April 2016 by “Phineas Fisher”, a nom-du-hack, as a social statement. Fisher does not seek personal fame, but agreed to give his (her?) first interview via a sock puppet voiced with text he (she?) provided. No face, no voice, no body image, clearly preferring the shadows. A transcript is available at the link along with a 5m 45s video, worth the watch.

7/21/2016  Will we EVER learn?

November 2014 saw loud warnings about the abysmal cybersecurity in baby monitors and webcams that allowed researchers and journalists to view what most people thought was private. July 2016, the same situation exists. Who is sounding the alarm again? It isn’t the US Federal Trade Commission or other consumer protection agencies. It is the Information Commissioner’s Office (ICO) of the UK. Thanks to Shodan and a quick how-to, anyone can search for pictures of sleeping babies, home security systems … More at ArsTechnica.

7/22/2016  StageFright comes to Mac/iPhone

StageFright for Android was particularly frightening because the damage was done via image files and there are many ways those get displayed without user intervention. It started big time in mid 2015 and resurfaced with a vengeance earlier this year.

Mac and iPhone users are welcome to the club. The vulnerability in both OS X and iOS “ImageIO” (how Apple handles image display) has been around for years. No less than four vulnerabilities were addressed in recent updates to OS X (10.11.6) and iOS (9.3.3). More at Naked Security / Sophos.

[ Was this just discovered or did Apple keep it quiet until they had the first round of fixes? -ed ]

7/22/2016  Datadog gets bit

You may never have heard of them but Datadog is a software-as-a-service (SaaS) platform that supports AirBnB, Coursera, Imgur, New York Times, PBS, Samsung, Slashdot, and Ziff Davis. Their servers were breached earlier in July and they are recommending a password reset. The good news is that Datadog protected that information well. More at Naked Security / Sophos.

7/22/2016  Tor & Riffle

Some providers of Tor nodes are closing shop, making it a little more difficult to use the anonymizing network. Riffle is another system in development; last year its developers published a list of Tor vulnerabilities and ways to address them. Massachusetts Institute of Technology (MIT) and the École Polytechnique Fédérale de Lausanne (EPFL) have developed a Mixnet that routes user messages through a chain of proxy servers (called Mixes) in order. From a Mix the messages are sent in random order to the destination. Riffle also uses the Onion Protocol (OP) to encrypt its messages with multiple encryption layers, decrypted as the message passes through the network. On top of OP, Riffle uses the Verifiable Shuffle, which generates a proof indicating that the message it sent is the same as the message it received. Lab testing shows that Riffle is more efficient, moving the same amount of traffic with 10% of the resources required by Tor. More at The Hacker News.

7/22/2016  Mac Users – Check MacKeeper Updates

One downside to automatic anything is that we take it for granted. Most consumers don’t do checklists to see what worked and what didn’t. It appears that MacKeeper anti-virus software did not update itself for a period of six weeks to three months, depending on who is talking. In internet time that is a very long time. More at BankInfoSecurity.

7/23/2016  Crime & (sorta) Punishment

In late 2014 and early 2015 SeaWorld in Florida was accused of mistreating its whales. The story of Tilikum was the subject of a documentary film Blackfish.

As a social statement SeaWorld was hacked. So were computers in Taiji, a town in Japan with an annual dolphin hunt. The hacker didn’t stop and attacked Iraq’s Ministry of Foreign Affairs, the Department of Agriculture in Thailand, the Security Ministry of China and the combined police department of Devon (also known as Devonshire, southwest England) and Cornwall (the most southwest of England, west of Devon).

None of that led to his arrest. The hacker sought new horizons and sent bomb threats to two US airlines. That investigation got the 14-year-old caught and convicted. The judge decided against incarceration in favor of rehabilitation. That means courses in thinking skills, victim awareness, and 120 hours of reparation work. His mother got a bill of about $800 for court costs. Lastly, and this might really hurt, the judge ordered his computer destroyed. More at The Sun/UK.

[ The damage to SeaWorld was measured in big bucks, the diplomatic disruptions are not quantifiable and the inability for some to reach the police could have been fatal. Yet, we doubt jail would have helped. We hope that GCHQ is watching this now 16-year-old and encourages his moral and technical education for clearly, the kid has skills. -ed ]

7/27/2016  Massive Underreporting In USA

“ACI Worldwide and Aite Group conducted its biennial global fraud study of more than 6,000 consumers from across 20 countries, revealing that card fraud rates are on the rise worldwide.”

and

“Of all cardholders – debit, credit, and prepaid – 30% have experienced card fraud in the past five years.”

Those are just two bullet points. The entire report is available for download after providing your contact information.

More: 17% say they have been victimized multiple times. The rates are higher in some countries, with Indonesia leading the way at 69%, followed by Mexico / 56%, Brazil / 49%, and the United States / 47%. More at Naked Security / Sophos.

[ If 47 out of 100 charge card holders are the victim of fraud where were the reports of compromise? There were over half a billion charge cards in service as of 2012. That should extend to over 200 million compromises, but where were those reports? -ed ]

7/27/2016  Tor’s Honey Onions

A Honey Trap is an old intelligence tactic: compromising someone with something, or someone, they want. In the internet world, cybersecurity sows the real world with computers that look like targets to hackers. Sometimes those honey traps are designed to waste hacker time. Some actively trace the hacker. Some machines exist only in the memory of another machine; they are virtual.

Now consider The Onion Router (Tor) network, which depends on volunteer nodes to anonymize and conceal users. In theory Tor users can’t be traced. Is it important to be anonymous? If you’re browsing catalogs for garden equipment, probably not. If you’re trying to do confidential things, potentially quite a lot. Tor has another protective layer, the “Hidden Services”, which have common names but randomly regenerated pointers. Skipping the details, if you know it exists, you can access “SecretComputer”, and one minute that might be a long string of random characters and a different string in the next minute. Literally you don’t know where you are going and neither does anyone else.

Some Tor nodes were created by crooks, either directly or via compromised bona-fide Tor nodes. Others by law enforcement or intelligence services. The crooks and cops upped their game and created Rogue Nodes to reveal those Hidden Service addresses. How many are there? Two researchers created Honey Onions, or honions (2 page PDF): hidden services whose directory nodes can be tracked. They published some hidden services to a few other Tor nodes and tracked which nodes came to see what was there. The answer? The lower limit indicates that 3% of all hidden service directory nodes are not playing by the rules. Figure 3 of the report has a map showing the location of these nodes. If you’re doing work that needs to be secret, Tor alone isn’t enough. Beware. More at Naked Security / Sophos.
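An added illustration, not from the honions paper or the original page, of how a lower bound like that 3% figure can be derived: every honion that received a visitor must have been served by at least one misbehaving directory node, so the smallest set of directory nodes that touches every visited honion (a minimum hitting set) is a floor on the number of bad nodes. The directory names, placements and visit records below are constructed.

```python
"""Added illustration: a lower bound on misbehaving hidden-service
directories (HSDirs) from honion visits, via a minimum hitting set.
Constructed data; not the honions authors' code."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed placements: each honion was published to a few HSDirs
# (real Tor uses more per descriptor), and we record which got a visitor.
HSDIRS: List[str] = [f"D{i}" for i in range(1, 11)]
HONIONS: Dict[str, Set[str]] = {
    "h1": {"D1", "D2", "D3"},
    "h2": {"D1", "D4", "D5"},
    "h3": {"D2", "D6", "D7"},
    "h4": {"D8", "D9", "D10"},
    "h5": {"D3", "D4", "D8"},
    "h6": {"D5", "D6", "D9"},
}
VISITED: Set[str] = {"h1", "h2", "h3", "h5"}  # honions that drew a visitor


def hits_all(candidate: FrozenSet[str], sets: List[Set[str]]) -> bool:
    """True if every visited honion's HSDir set contains a candidate member."""
    return all(s & candidate for s in sets)


def min_hitting_set(honions, visited) -> Optional[FrozenSet[str]]:
    """Exact minimum hitting set by increasing size (fine for small inputs).
    Returns None if nothing was visited (no evidence of misbehaviour)."""
    sets = [honions[h] for h in visited]
    if not sets:
        return None
    universe = sorted(set().union(*sets))
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            cand = frozenset(combo)
            if hits_all(cand, sets):
                return cand
    return None  # unreachable: the whole universe always hits every set


def greedy_hitting_set(honions, visited) -> FrozenSet[str]:
    """Greedy approximation: repeatedly pick the HSDir covering the most
    still-unhit visited honions. Fast, but only an upper bound on the
    minimum, so use it for scale, not for a published lower bound."""
    remaining = [honions[h] for h in visited]
    chosen: Set[str] = set()
    while remaining:
        best = max(set().union(*remaining),
                   key=lambda d: sum(1 for s in remaining if d in s))
        chosen.add(best)
        remaining = [s for s in remaining if best not in s]
    return frozenset(chosen)


def lower_bound_fraction(honions, visited, all_hsdirs) -> float:
    """Fraction of all HSDirs that must be misbehaving, at minimum."""
    hs = min_hitting_set(honions, visited)
    return 0.0 if hs is None else len(hs) / len(all_hsdirs)


if __name__ == "__main__":
    hs = min_hitting_set(HONIONS, VISITED)
    print("minimum set of bad HSDirs:", sorted(hs), "->",
          f"{lower_bound_fraction(HONIONS, VISITED, HSDIRS):.0%} of HSDirs")
    print("greedy:", sorted(greedy_hitting_set(HONIONS, VISITED)))
```

With the constructed data the floor is two directories ({D2, D4}) out of ten; any single node would leave some visited honion unexplained.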

7/28/2016  LastPass broken twice, but there is good news

[ I stopped using passwords decades ago (that is internet time, about 2 years real time) in favor of pass phrases with a mnemonic device as an assist. More than a few people said not to work so hard, use a password manager, remember one password and let it remember all the others. My response was that I didn’t like all my eggs in one basket. That basket was broken yesterday and a year ago. – ed ]

Broken Yesterday
Security researcher Tavis Ormandy showed how an attacker could wrap an event handler around the program’s handler to intercept and modify messages, tricking LastPass into processing an openURL command that gave access to any “privileged” LastPass remote procedure calls (RPCs), and thus a total compromise of LastPass. See his source code and emails. More at The Hacker News.

[ Good news. LastPass responded quickly and positively. They acknowledged the problem, confirmed it, reported it did not address all versions of LastPass, provided a beta-version to Ormandy for test, offered a bug-bounty (Ormandy declined in favor of a donation to Amnesty International), and went public with this post. A major bug in security software – bad. The quick fix and public disclosure – good. -ed ]

Broken Before
Mathias Karlsson, another security researcher, found a flaw in the parsing function of LastPass that could be exploited to expose credentials. Sample code and screen captures are in his post. According to LastPass this bug was reported a year ago and fixed. Only yesterday did the researcher make his findings public.

[ The elegant simplicity of this hack is surprising and the observation of the researcher is impressive. How long that bug existed was not disclosed. -ed ]

7/28/2016  U gots ransomware? New help

NoMoreRansom.org is a one-stop shop for combating ransomware. Created by the Netherlands’ police, Europol, Kaspersky Lab and Intel Security, its home page provides users information on multiple variants of malware and access to no-charge tools to defeat some of the variants. More at Data Breach Today.

7/29/2016  SMS based 2FA deprecated

The National Institute of Standards and Technology (NIST) publishes many standards-setting documents including NIST Special Publication 800-63B, Digital Authentication Guideline, Authentication and Lifecycle Management (DAG) which has a new draft version out for review. NIST DAG Section 5.1.3.2. Out of Band Verifiers includes this tidbit:

Out of band verifiers SHALL generate a random authentication secret with at least 20 bits of entropy using an approved random number generator. They then optionally signal the device containing the subscriber’s authenticator to indicate readiness to authenticate.

Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance. [ the bolding is theirs. OOB is Out Of Band -ed ]

Why? SMS two-factor authentication (2FA) is insecure. The sender of the confirmation can’t confirm that the recipient is the correct recipient. Hijacking the destination number is possible.

[ NIST DAG goes on to recommend biometrics apparently lagging the real world again as those have been spoofed since 2009. -ed ]

7/30/2016  Laundering Bitcoin – NOT Guilty

Why? Because Bitcoins are not money and only money can be laundered. Barter is the closest method of trade to Bitcoin. For now. The judge made clear that Bitcoin has much to do to become money and the law needs to catch up (8 page PDF). More at the Miami Herald.

7/30/2016  How crooks use 2FA to make money

We reported that two factor authentication (2FA) via simple messaging was being deprecated because it was not secure. This might make 2FA via any telephone call very expensive for companies. Some clever crooks figured out how to make money from companies that use 2FA. Create new accounts and associate premium telephone numbers with them. These can cost the call maker $9 for the first minute and more. Illicit organizations share the fee with the phone number user, who suckers people into calling and keeps them on hold. Once you’re set up, ask for a new 2FA token, get a call, make money. Repeat. More at The Hacker News.
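An added example, not from the original page and not NIST’s code: a small out-of-band verifier policy in Python that applies the draft rules quoted in the 7/29 item (a secret from a CSPRNG with at least 20 bits of entropy, no sending to VoIP numbers, 2FA required before the registered number can change) and also refuses premium-rate numbers, which is the control against the 2FA-call scam above. The phone prefixes and their classification are constructed placeholders standing in for a carrier lookup. One thing the arithmetic shows: a 6-digit code is about 19.9 bits and falls just short of the floor, while 7 digits (about 23.3 bits) and the SSA’s 8-digit code (about 26.6 bits) clear it.

```python
"""Added example: an out-of-band (OOB) verifier policy modelled on the
NIST SP 800-63B draft text quoted above. Not NIST's code and not from the
original page; the phone prefixes below are constructed placeholders."""
import math
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_SECRET_ENTROPY_BITS = 20  # draft: "at least 20 bits of entropy"


def secret_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric code of the given length."""
    return math.log2(10 ** digits)


def generate_secret(digits: int) -> str:
    """Generate a numeric secret with the CSPRNG in the secrets module.

    Raises ValueError if the code length cannot reach the 20-bit floor
    (a 6-digit code gives only ~19.9 bits; 7 digits gives ~23.3).
    """
    bits = secret_entropy_bits(digits)
    if bits < MIN_SECRET_ENTROPY_BITS:
        raise ValueError(f"{digits}-digit code gives only {bits:.1f} bits")
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


# Constructed (hypothetical) prefix table standing in for a carrier lookup.
PHONE_TYPES = {
    "+1555010": "mobile",
    "+1555020": "voip",
    "+1900": "premium",
}


def classify_number(number: str) -> str:
    """Map a number to mobile / voip / premium / unknown by longest prefix."""
    for prefix, kind in sorted(PHONE_TYPES.items(), key=lambda p: -len(p[0])):
        if number.startswith(prefix):
            return kind
    return "unknown"


class PolicyError(Exception):
    """Raised when a request violates the verifier policy."""


@dataclass
class Subscriber:
    username: str
    phone: str
    pending_secret: Optional[str] = None
    authenticated_2fa: bool = False  # true only right after a successful OOB step


class OOBVerifier:
    def __init__(self, digits: int = 8):
        self.digits = digits
        self.sent: List[Tuple[str, str]] = []  # stand-in for the SMS gateway

    def start(self, sub: Subscriber) -> str:
        """Step 1: only send to a number that is actually on a mobile network."""
        kind = classify_number(sub.phone)
        if kind != "mobile":
            raise PolicyError(f"refusing OOB to {kind} number {sub.phone}")
        code = generate_secret(self.digits)
        sub.pending_secret = code
        self.sent.append((sub.phone, code))
        return code  # returned only so the demo/test can complete the exchange

    def verify(self, sub: Subscriber, code: str) -> bool:
        """Step 2: constant-time compare, single use."""
        ok = sub.pending_secret is not None and secrets.compare_digest(
            sub.pending_secret, code)
        sub.pending_secret = None
        sub.authenticated_2fa = ok
        return ok

    def change_number(self, sub: Subscriber, new_number: str) -> bool:
        """Rebinding the number requires 2FA at the time of the change."""
        if not sub.authenticated_2fa:
            raise PolicyError("number change requires 2FA at time of change")
        if classify_number(new_number) != "mobile":
            raise PolicyError("new number must be on a mobile network")
        sub.phone = new_number
        sub.authenticated_2fa = False  # the step-up is consumed
        return True


def demo_login_and_rebind() -> bool:
    """Happy path: OOB login, then a permitted number change."""
    v = OOBVerifier()
    alice = Subscriber("alice", "+15550100001")
    code = v.start(alice)
    assert v.verify(alice, code)
    return v.change_number(alice, "+15550100002")


if __name__ == "__main__":
    print("login+rebind ok:", demo_login_and_rebind())
```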

8/01/2016  Microsoft: New August / Same Pains

Problems with hookers
Hooking is improperly getting between operating system services and the bona-fide applications which use those services. When the application wants a function it gets it, plus a wrapping of malware. If the application had used the malware directly, anti-virus tools might stop it. Mal-hooking gets around some protections. Microsoft’s “Detours” is a hooking engine and it may have had a vulnerability since version 3, more than seven years ago. More at Data Breach Today.

Windows 10, sued again
Microsoft is … aggressive … in getting Windows users to “upgrade” to Windows 10. PCWorld shows 10 popups that are perhaps too motivational, and that gets Microsoft sued, again, and again. Here are some earlier tactics.

California
Late June 2016 Microsoft paid $10,000 to a single user whose computer had been turned into a doorstop by the Windows 10 “upgrade”.

Israel
Installing Windows 10 on computers without user consent may violate computer law in Israel. The suit, filed in Haifa district court, seeks certification as a class-action.

Florida
Three from Florida sued Microsoft in U.S. District Court in Florida for violating restrictions on unsolicited electronic advertisements and Federal Trade Commission rules on deceptive and unfair practices. It seems that some of the “Upgrade to Windows 10” notices were misleading when they said the systems had already been upgraded. This suit seeks certification for class-action. More at Hack Read. Last go-round in Florida cost Microsoft $202 million.

France
In June, with delivery of a formal notice (12 page PDF), a consumer protection agency of France declared that Windows 10 is sucking up data and snooping on users without their consent. Microsoft has three months to fix it or face penalties. More at Naked Security / Sophos.

Still need a reason to avoid Windows 10? Here are 8
From Hack Read. Remember: You don’t have to take it (Twisted Sister Official Video @Youtube)

8/02/2016  Social Security requires cell phone

The Social Security Administration (SSA) said “all new and existing my Social Security account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.” More at KrebsOnSecurity.

[ This is two-factor authentication (2FA) and is generally a good idea. Problem is that 2FA via text message is going to be deprecated under a new version of the National Institute of Standards (NIST) Special Publication 800-63B, Digital Authentication Guideline, Authentication and Lifecycle Management (DAG). According to the Library of Congress both NIST and SSA are part of the executive branch in our government. Maybe they need to talk?

How many retired seniors don’t do text messaging? How does this work for tens of thousands of US retirees living out of the country? What provisions are in place so SSA doesn’t spend your money on sending fraudulent requests for 2FA tokens to a high cost telephone number? Why can’t I access the SSA site if I have wired internet and live in a cell phone dead zone? How do those assisting retirees access the site when only one SSA account can be associated with one telephone number? I hope SSA gets this right, but given the investment in 2FA that will be deprecated, I’m not hopeful. -ed ]

9/06/2016 Update:  Social Security DROPS cell phone requirement

SSA removed the requirement for a cell phone to access an online account. Good thing, it was a really bad idea. See ssa.gov/myaccount/ and Krebs on Security.

8/04/2016  Cyber War I

Sometimes wars are conducted far from civilian eyes. More recently those eyes are getting into more and more places and letting us know what is happening.

US Submarine Offensive Cyber Capability
That US submarines have had intelligence gathering missions has been known for decades. “Special Operations” have included placing deep sea taps on trans-ocean communication cables for maybe half a century. Did you know we have special cyber-warfare submarines with portable hacking platforms? See Hack Read.

Israel Hacks Iran
A pro-Israeli hacker reportedly breached an Iranian ISP and will dump the credentials obtained for public viewing. More at Hack Read.

Somebody Hacked Israel
Getting people to open malware-laden attachments is a good way to get inside systems. So who sent email to Israel’s Defense Forces (IDF) with pictures of ladies of the IDF? More at Hack Read.

Russian Government Web Sites Hacked
About 20 government networks were hacked and malware allowed remote control of cameras and microphones, keyboard logging and screen captures. Who hacked Russian government web sites? Was it the US in retaliation for Russia’s hack of election related web sites? A recently occupied country? More at eHacking News.

8/04/2016  Ready to vote!

Voting machines have been fixed since last time and are more secure than ever! More at Wired.

[ We really need a sarcasm font, because that just ain’t true as the Wired article makes clear. Two points: Stalin: “Those who vote decide nothing. Those who count the votes decide everything”. Your grocery checkout machine has more security than most voting machines. When faced with a perplexing question it can help to ask “Cui Bono?” To whom the good? Who benefits from such a lack of security in voting? It could be one major party, but the situation has existed when both parties have been in power. Is it the local governments? Who? -ed ]

8/04/2016  Major Bitcoin exchange robbed

Hong Kong’s BitFinEx lost just under 120,000 btc valued at about $72 million. Because the value of bitcoins fell about 20%, the value of the theft also dropped. The value of everyone’s holding denominated in bitcoin also fell. More at NY Times, Reuters and Naked Security / Sophos.

[ Who provides insurance against loss or is that risk on the depositors? Will the depositors get anything back? Shades of MtGox in 2014. See this Reddit thread -ed ]

8/05/2016 Update  Bitcoin – Robber Hood?

In this Reddit post the robber of BitFinEx is promising to give away 1,000 bitcoins, about $60,000 USD. Some of the coins have already been given away as proof that the poster actually has them. More at Naked Security / Sophos.

[ Robin Hood stole from the rich and Evil Prince John to give to the poor. The depositors of BitFinEx might not qualify and this robber isn’t giving away the whole $70 million, at least not yet. -ed ]

8/07/2016 Update  BitFinEx takes 36%

Even if your bitcoin account wasn’t hacked, BitFinEx is taking 36% of it to “spread the loss”. More at CNN.

8/04/2016  Predatory Debit Card Fees

Prisoners released from the Federal Bureau of Prisons get the balance of their commissary account, any remaining earned money, gifts from friends and family, etc. on a debit card when they leave the prison. In a no-bid contract the provider of those debit cards got to charge fees far beyond those charged the general population. According to one former inmate cited in the complaint: of the $120 balance some $50 (41%) was consumed by fees. The good news is that the card provider is refunding over $400,000 in fees to thousands of affected persons. The bad news, for many of those affected the money would have been more helpful when it was theirs in the first place, as far back as 2008. More at Bloomberg.

8/04/2016  Nigerian Scammer

Has anyone who has email not received a Nigerian-themed scam of one variety or another? INTERPOL and the Nigerian Economic and Financial Crime Commission (EFCC) busted “Mike” for operating two of them. More at Naked Security / Sophos.

[ Best of luck to the cops in eradicating this from our email boxes forever! -ed ]

8/06/2016  Apple ups Bug Bounty

In an attempt to attract the best hacker talent to work for them, instead of against them, Apple Computer has announced the largest Bug Bounty program to date with a top prize of $200,000. Considering the number of bugs found over the years that could be expensive, but it could also be much cheaper than having millions of users get bricked or hacked … again. More at Reuters.

8/06/2016   Windows not secure since 1995

A design flaw in NetBIOS, dating back to Windows 95 and affecting every version since, allowed communications sessions to be redirected to a port that uses non-random naming, and that can be abused to redirect traffic. Patches came out in June 2016, more than twenty years after the flaw. More at Tom’s Hardware Guide.

8/07/2016   A whole new problem

What you get may not be what you see.

We make decisions every day from what appears on our computer screens. If the underlying information or computations are wrong the decisions may be wrong. This is known and an accepted problem in using computers. What happens when the information and computations are correct, but what we see has been altered? Welcome to a whole new problem.

Two researchers at the DEF CON security conference demonstrated how a computer display can be manipulated via the internal display controller. What is generated by the computer may not be what is presented on the screen. The vulnerability is often in the software inside the monitor, which has no secure method for updating. The exploit requires one-time access via the monitor port. Existing anti-virus software generally does not scan the software internal to the monitor. More at PC World.

[ So you look up a movie showtime, the computer says 7pm but the monitor shows 8pm. You arrive an hour late. How can we tell there was a change? Missing a show time is an annoyance; that we depend on computers to protect lives is reflected in our cinema. In Die Hard 2 ground level was electronically re-defined so a plane literally flies into the ground.

In the 1979 movie China Syndrome coolant levels of a nuclear power plant are shown to be high and rising, so coolant is drained. The engineer focused on one indicator showing the coolant at a high level. The indicator was stuck and a finger tap allowed it to sink past acceptable to a dangerous level where the core is almost completely deprived of coolant. That would allow it to overheat, melt through the containment, reach groundwater, and flash-boil it creating a huge steam explosion. There were many contributing factors but the one indicator giving a faulty reading was the start.

The more complex the environment the more we depend on computers as a system. The monitor is our most frequent system access point and is now demonstrated vulnerable to manipulation. -ed ]

8/07/2016   Ready, fire, fire, fire, and … and

Scammers infect themselves with their own malware

Business email spoofing (BES) has been around for a while. Think of all those emails from “the boss” saying they are on a “secret mission” and to email all the employee W2 data without telling anyone. Taking that a step further is “Wire-Wire”, where scammers deploy a huge number of phishing emails with malware links and attachments. Anyone who falls for it gets infected with keyloggers and spyware, which are used to compromise real email accounts, which are used to command fund transfers.

So what happened? One group infected themselves with their own keyloggers. Keystrokes were captured and files were uploaded to a place where researchers monitored the activities and methods. More at Boing Boing.

8/07/2016   Samsung Pay Weakness

Samsung Pay works by translating charge card information into tokens. This protects the underlying charge card number and related information. Those tokens can be used to make charges secured by those charge cards. Problem? Tokens can be transplanted into other phones and used.

How do you snag a token? Intercept the magnetic secure transmission (MST) by simply holding a phone. The interception system is simply worn on a forearm, snags, then emails the token. Later that token is built into another phone. Or, the interception system can be placed inside, or near, a card reader. Samsung: “… we will act promptly to investigate and resolve the issue …” More at ZDNet and a video demonstration, 5m 15s with English subtitles.

8/09/2016   Thermostat Ransomware

It is 99 degrees in the house. You go to the wonderful internet connected thermostat and see it is set for … 99 degrees. You try to change it and get a message “1 bitcoin please”. Today a single Bitcoin is worth about $587. A NEST thermostat costs about $250. An Emerson thermostat costs about $50. Solution: Rip The Infected Thermostat Out and get a simpler one.

There is some good news. The ransomware exists, but not in the wild. At least not as of yet. See PenTestPartners describe how to turn on the heat and the air conditioning at the same time, override the tone alarm to a sub-human audible tone that will make your companion animals very unhappy, and more.

[ Back in September 2014 we told you about this possibility. Remember, just because we can connect things to the internet does not mean we should. Remember, there are Inherent Dangers to the Internet of Things (IDIOT) -ed ]

8/09/2016   Just because it came from a computer…

does not make it truthful. In our increasingly interconnected age computers (including the small, but powerful ones in many cell phones) are everywhere. If you travel by air how would you like to get access to all the luxury accommodations for super-double-platinum club members without the hassle of paying for it? One traveler did, which demonstrates that security at airports is less than the soothing headlines suggest.

8/09/2016   Vertically Integrated Hack

You can hack a point of sale (POS) terminal. You can move upstream and hack the whole network of them for a chain of stores. Move a step higher and hack the company that sells them to those chains along with support services. When MICROS was purchased by Oracle in 2014 their POS were in service at over 300,000 facilities and more than 30,000 hotels. By any count that is a huge access capability. Can the compromised customer help system remotely access POS on customer facilities? More at Krebs On Security including a graphic showing a few of the highly recognizable MICROS customers.

8/09/2016   Common Android Chipset vulnerable

Quadrooter is another vulnerability arriving with your new-in-the-box phone. It allows privilege escalation so a miscreant can take over your Android phone if it is running Marshmallow (Android version 6.0, released May 28, 2015) or earlier (that is most of them) and has not received the August patch, which still leaves one vulnerability to be addressed in the expected September patch. Any single vulnerability can be exploited. Not all phones will receive the over-the-air (OTA) patch immediately. Distribution is up to the manufacturers, which highlights a weakness in the security model. More on Quadrooter from CheckPoint. More at Android Authority. More, including links to the vulnerabilities, at The Hacker News.

8/09/2016   Are safes safe? Less so

You know that locks can be picked. Computer controlled locks can get hacked. Did you know that monitoring power and time between operational states can determine the combination for UL-certified Type-1 High Security locks? No direct access to the lock makes this a powerful (no pun intended) side channel attack that makes that low tech hidey hole more attractive and less expensive. More at Wired.

8/10/2016   BlackHat Security Conference attacked

These conferences are attended by security-aware people. More than one was using only a burner cell phone, connecting via a virtual private network (VPN) and using a borrowed laptop. So they were a little surprised when Pwnie Express reported a Karma WiFi attack.

Most WiFi controls remember your previous connections. When you try to reconnect those connections are tried. When you are in Las Vegas your New York office network is unlikely to respond, but a Karma attack will “hear” your request and reply “I’m here!” and reconnect you, not to the real network, but to one that can monitor your traffic and worse. Some users get no notice of the re-connection. Pwnie reported 35,000+ unique devices connected this way to 1,000+ different faux-networks. So what is really sending out these bad-Karma signals? It could be almost anything including wireless connected printers. That “Open Laser Printer” could be a trap.

Pwnie also detected a suspicious cell tower. What made it suspicious? It wasn’t operating in 3G or LTE, but at 2G, the fallback standard whose encryption was cracked. StingRay snooper devices used by law enforcement or intelligence agencies start by jamming 3G and better to force a fallback. This one wasn’t jamming, but why would AT&T put up a 2G facility these days? More at PC Magazine.

[ About that borrowed laptop, I hope they clean it before returning it. – ed]
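An added example of the detection side of the Karma story, not from Pwnie Express or the original page: a Karma access point answers probe requests for whatever network name a client asks for, so a single BSSID that replies for many unrelated SSIDs it never beacons is the tell, and the clients whose probes it answered are the ones that may have silently reconnected. The monitor log format and its lines are constructed for this example.

```python
"""Added example: spotting a Karma-style access point in passive WiFi
monitor logs. Constructed log format and sample lines; not Pwnie Express's
tooling and not code from the original page."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample: the legitimate AP answers only the SSID it beacons;
# the suspect BSSID answers every network name it hears a client probe for.
SAMPLE_LOG = """\
12:00:01 BEACON bssid=00:11:22:33:44:55 ssid=ConfGuest
12:00:01 BEACON bssid=de:ad:be:ef:00:01 ssid=FreePublicWiFi
12:00:02 PROBE_REQ client=aa:bb:cc:00:00:01 ssid=NYOffice
12:00:02 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=NYOffice to=aa:bb:cc:00:00:01
12:00:03 PROBE_REQ client=aa:bb:cc:00:00:02 ssid=HomeRouter
12:00:03 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=HomeRouter to=aa:bb:cc:00:00:02
12:00:04 PROBE_REQ client=aa:bb:cc:00:00:03 ssid=ConfGuest
12:00:04 PROBE_RESP bssid=00:11:22:33:44:55 ssid=ConfGuest to=aa:bb:cc:00:00:03
12:00:05 PROBE_REQ client=aa:bb:cc:00:00:03 ssid=CoffeeShop
12:00:05 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=CoffeeShop to=aa:bb:cc:00:00:03
12:00:06 PROBE_REQ client=aa:bb:cc:00:00:04 ssid=AirportWiFi
12:00:06 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=AirportWiFi to=aa:bb:cc:00:00:04
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>BEACON|PROBE_REQ|PROBE_RESP) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(lines: Iterable[str]):
    """Yield (kind, fields) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("kind"), dict(KV_RE.findall(m.group("rest")))


def find_karma_aps(lines: List[str], min_unbeaconed: int = 3) -> Dict[str, List[str]]:
    """Return BSSIDs that answered probes for at least min_unbeaconed SSIDs
    they never beaconed, mapped to the sorted list of those SSIDs."""
    beaconed: Dict[str, Set[str]] = defaultdict(set)
    answered: Dict[str, Set[str]] = defaultdict(set)
    for kind, f in parse(lines):
        if kind == "BEACON":
            beaconed[f["bssid"]].add(f["ssid"])
        elif kind == "PROBE_RESP":
            answered[f["bssid"]].add(f["ssid"])
    suspects: Dict[str, List[str]] = {}
    for bssid, ssids in answered.items():
        unbeaconed = ssids - beaconed.get(bssid, set())
        if len(unbeaconed) >= min_unbeaconed:
            suspects[bssid] = sorted(unbeaconed)
    return suspects


def exposed_clients(lines: List[str], suspects: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Clients whose probe for a remembered network was answered by a suspect
    BSSID: the devices that may have reconnected without any notice."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for kind, f in parse(lines):
        if kind == "PROBE_RESP" and f["bssid"] in suspects:
            hits[f["to"]].add(f["ssid"])
    return dict(hits)


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    found = find_karma_aps(log)
    print("suspect APs:", found)
    print("exposed clients:", exposed_clients(log, found))
```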

8/10/2016   Hack Governments

DefCon security conference has widely diverse presentations. This year that included How to Overthrow a Government. Nothing trivial here. Different ways of accomplishing the goal were examined. Hack banks, not to steal, but to move funds around to make current leaders appear crooked. Use social media to raise protesters, then hire fake police to attack them. Catch it all on video and when the current government denies it, release the video. How to plant a story in several locations so that search engines find it. Why isn’t that story in the mainstream press? Clearly the current government had it suppressed! How to “Reverse Engineer” media to create buzz about events that never actually occurred. How to easily control communication? Use a drone with twin circular saw blades to cut open air power lines. More at Engadget.

8/10/2016   Social Engineering Detection

A while ago I almost fell for a fake US Marshal who wanted to arrest me for missing jury service. It was a scam, a form of social engineering to get you to do something without even thinking about the reality of what is happening. How can you be prepared? A linguistic forensic researcher moved past the pablum suggestions and provided some solid guidance on securing humans, often the weakest point in security systems. One point made is the high frequency of “polar questions” in scam calls. These are questions where you can’t really say “no”. The example used is when being screened at the airport and told to “extend your arms out from the side, ok?”. That “ok” is phrased as a question, but you don’t think it is. In a non-scam conversation polar questions are rare. Simply being aware of them allows you to think about how many there are. The more there are, the more likely a fake call. Two more tells are topic control and question deferral. Then the one that almost got me: moving the “discussion” toward your emotional brain and away from your rational brain so you accept the premise of the discussion. Did I really miss jury service? Nope. Learn more at PCMag.

8/11/2016   Privacy in Recreation, not

Reiterating: just because we can connect things to the internet does not mean we should. Would you like your sex toys to report duration, frequency, settings, etc. to the manufacturer? More at DefCon and Fusion. Remember that the Inherent Dangers on the Internet of Things include someone else taking control of your toys.

8/22/2016   NSA pwns Cisco VPN for 11 years

The U.S. National Security Agency (NSA) can decrypt any traffic sent using a Cisco PIX device built from at least 2002 to 2008. More than 15,000 of these remain in use and remain vulnerable. See DataBreachToday.

8/23/2016   Journalist jailed for computer files

If you ever wondered why to bother with cybersecurity for your computer, remember that someone hacked the computer of Turkish investigative journalist Barış Pehlivan and planted “terrorism” files that landed him in jail for 19 months. More at Motherboard/Vice.

8/23/2016   AdWare with Malware

Perhaps the largest ad server was infected with a banking trojan targeted at Android users. Google AdSense served up malware so that just visiting a web site infects your device. No special clicks needed. The Svpeng malware intercepts SMS messages and slurps private information. More at The Register / UK.

[ This is why adblockers are critical. I don’t mind advertising as support for the site, but when it can harm me it isn’t advertising, it is a hacking vehicle. The “silent install” is a known capability. See this CSO article. -ed ]

8/23/2016   Double Whammy

So you got advertising malware: annoying, but generally removable. Surprise, and not a pleasant one, that is just a cover for encrypting your files and demanding ransom. Meet double-barrel Nemucod. More at We Live Security.

8/28/2016   SS7 call to action … months later

At the RSA security conference in March they reported on a weakness in cell phone handling using the SS7 protocol that allowed call interception and recording without the knowledge of the caller or the receiver, and more. More than four months later Representative Lieu urged FCC Chairman Tom Wheeler to “expedite investigation of the SS7 flaw”. More at Ars Technica.

8/28/2016   Sub secrets blown into view

Submarines are stealthy strategic assets. Designs of hull form, propellers, power plants and operational characteristics are among the best kept of secrets. Quite a shock, then, when over twenty thousand pages of current design documentation appear online. Worse, the designer is a French company, the builder Indian, and the leak appeared in Australia.

The designer company has a 380 year history building naval vessels. In 2015 it employed 13,000+ people in 10 countries. While still a “private” company DCNS is 64% owned by France. The acronym is derived from “Direction des Constructions et Armes Navales” (DCAN). In 1991 it changed to “Direction des Constructions Navales” (DCN) then DCNS in 2007, still an industrial group in naval defense and energy.

More from Reuters and the International Business Times. The original report is from The Australian (subscription required).

8/29/2016  Apple “Touch Disease” can be fatal

iPhone 6 and 6+ users beware! There are two chips which loosen over time as the touch screen is used. The symptom is a flickering gray bar at the top and eventual total non-response. Good news: if the phone is under warranty Apple will fix it. Bad news: If not, it will cost you a new logic board which might be more than a new phone. More, including pictures of the gray bar, at CBS News.

8/29/2016 Update  Apple “Touch Disease”

This is America, so Davidson et al v. Apple Inc was filed as a proposed class action in U.S. District Court, Northern District of California, No. 16-04942, filed on Saturday 8/27/2016. Details at Reuters.

8/29/2016  Apple ZeroDay vulnerabilities x3!

Three previously unknown (zero-day) security vulnerabilities in Apple products were exploited by the NSO Group of Israel in their software to invisibly track a phone. The same software can read text messages, emails, track calls, record contacts, activate the microphone and track location via GPS. The software impersonated the Red Cross, Facebook, Federal Express, CNN, Al Jazeera, Google and more to get the future victim’s trust. The weakness was discovered by a cyber-aware journalist who was tempted with tantalizing bait, but took the phone in for forensic analysis which in turn generated a new revision of Apple software. More at NY Times.

[ After years of increased cyber security consciousness this level of vulnerability still exists and unknown to the company? Choose your own expletive. -ed ]

9/02/2016 Update  NSO Group

Want to completely control some iPhones remotely and invisibly? These people can make it happen, for a steep fee. Is what they do illegal? Maybe, but with governments for clients … See NY Times.

8/29/2016   People prefer: Passwords over Biometrics

As of mid-2016 people seem to prefer the older password concept to biometrics, and maybe that is a good thing. Google filed a patent for “liveness checks” even after it was demonstrated that holding up a 2D picture could fool it. More at our Biometrics page and Naked Security / Sophos.

8/29/2016   Video jacking

Many portable computers can support an external monitor either as a second screen, a replacement for the primary screen, or a duplicate of the primary screen. Smart phones are gaining these capacities. Unfortunately, with new features come new vulnerabilities. Say you’re in a hotel and plug into a USB charging station. The USB connection can siphon off your video and record everything you do. How can it determine passwords if they don’t echo to the screen? Each key you press generates a shadow or some other activation indicator to provide feedback. More, including a video, at Krebs on Security.

[ Protection – your phone may have come with a charging-only USB cable. It should have only two connectors. You can modify an existing USB connector to disable all but the power connectors or purchase a little gadget called a USB Condom -ed ]

8/29/2016   1 crook $170 million dollars

The US Secret Service arrested Roman Seleznyov in the Maldives; he was flown to Guam for an initial court appearance, then to Seattle. Unfortunately Seleznyov’s laptop was mis-handled and that may have compromised evidence. Roman’s father is Valery Seleznev, a member of Russia’s lower parliament house, The Duma. More at eHacking News.

In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended as are The Identity Theft Resource Center (ITRC).

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.