2016-Info (September to December)

2016 Information of a general interest

This is 2016 General Information September to December 2016
2016 General Information January to August 2016
2016 Compromises affecting 10,000 or more
2016 Compromises affecting less than 10,000
2016 Compromises affecting an unknown, or undisclosed number
2016 Summary of Compromises

Articles and items of note in chronological order

9/01/2016   D-Link NAS

Network-Attached Storage (NAS) is a network node holding storage that members of the network can access. A NAS needs no attached computer to run, but you generally need one to configure it, usually through a web interface. D-Link NAS units have a Cross-Site Scripting (XSS) vulnerability in the administration web interface that fires when an administrator logs in; the victim does not have to click a crafted link, the problem is built into the device. Once the administrator's session is compromised the attacker can reach the device and its contents. The XSS bug exists in at least 7 models. 3 have patches available. No word on the other 4. See HelpNetSecurity

9/01/2016   Eye In The Air

In early 2016 the City of Baltimore, Maryland deployed a persistent aerial surveillance program intended to watch and record everything in an area. The city neither announced nor subsequently acknowledged the program. Neither did the citizens pay for it: funding came from a "private source". What makes this program different? The monitoring runs all the time, not in response to a specific event. When an event occurs the massive data pile can be searched backwards in time to see what led up to it. That it operates without a warrant isn't new. Police have been using cell phone interceptors (StingRays) without warrants and without reporting the real source of their intelligence, leaving the defense unable to examine it. More, including who is paying for it, at Bloomberg.

[ Think about being able to view the before and after of a hit and run with only the date/time/location of the hit as a starting point. Downsides start with it being a secret program. Leads from it are not disclosed as the source. That makes it invisible to the defense who can’t challenge the accuracy. Today the resolution shows people as single pixels, tracking a single one can be difficult. Worse is the future. At what might be an incredible cost the population could be under complete surveillance, all the time. Privacy? Fer-gedda-boud-it. -ed ]

9/01/2016   Air gap breached again

Want to keep your computer from being hacked? Conventional wisdom says don't connect it to the internet and maintain an "air gap". Today that is just a starting point; the air gap has been breached again with "USBee". Back in 2013 it was shown that modified USB drives could transmit data, but the modified drive had to be planted in the target machine. USBee is software: it needs no modified hardware and no radio transmitter of its own, it drives the USB data bus in patterns whose electromagnetic emissions a nearby receiver can pick up and decode. It still needs malware already running on the air-gapped machine to do the driving. More at Ars Technica.

[ So what do we have to do? Put the computer in multiple nested Faraday cages with Bach, Brahms and Devo playing at randomly changing volumes and speeds? -ed ]

9/01/2016   Death to USB devices! (literally)

Add killer USB drives to the list of threats. Plug one into your television, phone, laptop, even your USB-equipped refrigerator: it charges itself from the port's supply and then dumps high voltage back into the port. Video showing the high-power arcs, a protector, and the sudden death of a laptop is included in the article.

9/02/2016   Another IOT security problem

A botnet, a network of compromised devices under one controller, can be assembled to perform massive tasks for good or evil. In the old days (like a decade ago) the bots had to be computers. Then we started putting computer parts in everyday things like lightbulbs, thermostats, refrigerators and more. Then we connected them for communication, and thus was born the Internet of Things and an opportunity for evil. Would you believe that a "smart" electrical socket could become a launching pad for crooks to read your email, or set your house on fire? It is already here. See Motherboard / Vice

[ There are Inherent Dangers on the Internet Of Things and just because we can connect great devices to the ‘net does not mean we should. -ed ]

9/06/2016   Just who is tracking you anyway?

An intrepid cyber security warrior spots an odd, slow-moving van, takes a moment to investigate, and uncovers a private firm that roams around recording license plates and their locations. Why? Sometimes to help people find their lost cars in massive airport parking structures. Sometimes for ... other purposes. So who "owns" that tracking data? The rest at Krebs on Security

[ On the same day this article described how we achieved a modern Police State similar to those described by Orwell in 1984, Philip K. Dick’s The Minority Report and Paul Verhoeven’s Robocop but without such obvious signs as an increased police presence. The architect appears to be the UN World Plan for 2030. The agents include the US Department of Homeland Security. Who pays for it all? Why you do! Bless your heart! -ed ]

9/06/2016   Do you know who is watching you?

Law enforcement and intelligence agencies routinely request information about you from a number of companies and then forbid those companies to tell you they even asked. You may be under surveillance and never know about it.

Back in April 2016 Microsoft filed Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington at Seattle, No. 2:16-cv-00537 arguing that a law allowing the government to seize computer data located on third-party computers and often barring companies from telling their customers that they are targets is unconstitutional. Blocking: The Justice Department tried to argue Microsoft has no standing to bring the case and there is a “compelling interest in keeping criminal investigations confidential.” Counterpunch: Microsoft argues that the Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. (source)

protects people who have a reasonable expectation of privacy. Further, muzzling Microsoft is a violation of their First Amendment rights to free speech.

So the issue heads to trial. Last Friday, 9/2/2016, was the deadline for filing friend-of-the-court briefs by nonparticipants in the case. In the conflict between the government and the governed over digital privacy and surveillance these organizations, and others, filed amicus curiae (friend of the court) briefs in support of Microsoft's position: National Association of Manufacturers, Delta Air Lines Inc, Eli Lilly and Co, BP America, the Washington Post, Fox News, the National Newspaper Association, Apple Inc, Alphabet Inc's Google, Amazon.com Inc, and the Electronic Frontier Foundation. More from Reuters.

[ I can understand the law enforcement or intelligence objective in keeping the search quiet so as not to alarm a suspect. Yet, to keep that search quiet forever is an open invitation to abuse that will never see the disinfectant of sunshine. -ed ]

9/06/2016   Automatic update did WHAT??

In mid-August Microsoft released the Windows 10 Anniversary Update, and in addition to the new features, bug fixes and other material we expect it also rendered webcams inoperable around the world: the update stopped the camera frame server from passing compressed (MJPEG and H.264) streams through to applications, so cameras that only deliver those formats went dark. Skype users also lost video capability. There is no setting the user can change via the control panel. No emergency patch will be made available, but it should be fixed in the September regular patch. Want your webcam back? Go tweak the registry [ like that never causes problems! ] More at Hack Read.

[ We use computers as tools for our convenience. How would you like your screwdriver to irreversibly update its Phillips head into a Torx without you being warned? Automatically update your 16oz claw hammer to a 24oz ball-peen? The larger argument of why operating systems and applications can’t be right the first time notwithstanding how did any testing miss this? Or, was it a way to remove support from a whole class of webcams? -ed ]

9/06/2016   BTC users beware

Bitcoin.org warned that the next release of the popular Bitcoin Core wallet may be targeted by state-sponsored attackers, who could try to substitute malicious binaries for the real ones. Verify the download's signature against the project's release-signing key before installing it. The Hacker News

9/06/2016   This is the US. Sue your snoopers!

On 8/16/2016 the United States Court of Appeals for the Sixth Circuit ruled (37 page PDF) that a man could sue a spyware company. The players: Javier Luis developed an online friendship with Catherine Zang, married to Joseph Zang, both of Ohio. Although Javier and Catherine never met, Joseph was suspicious and installed the WebWatcher spyware from Awareness Technologies.

WebWatcher’s own advertising touts its invisibility and it recorded emails, instant messages, and other communications between Luis and Catherine then provided them to Joseph who used the information to divorce Catherine. Luis sued Joseph and that case was settled. Luis is also suing Awareness contending that WebWatcher spyware violates the federal Wiretap Act, the Ohio Wiretap Act, and Ohio common law. This ruling allows that case to proceed. More at Naked Security / Sophos.

[ The legal argument of what “intercepted” means notwithstanding, who is responsible for the mis-use of a tool, the manufacturer or the user? In the case of automobiles and impaired drivers we have decades of law that the drivers are liable. What if the tool has no other purpose than a criminal one? This may be a pivotal case in the offering of surreptitious monitoring software. -ed ]

9/06/2016   Get Creds from LOCKED computer

TL;DR USB Ethernet + DHCP + Responder == Creds & 39-second YouTube video

How it works: plug a USB Ethernet adapter (a small Linux board such as a USB Armory or LAN Turtle) into a locked machine. Plug and play installs it with nobody logged in, the adapter's DHCP server hands the machine an address and points name resolution and proxy discovery (WPAD) at itself, the machine's background traffic tries to authenticate over the new interface, and Responder running on the adapter captures the NTLM challenge/response for the logged-in user's credentials. That capture can then be cracked offline. Mubix reports the hack works on Win98 SE, Win2000 SP4, WinXP SP3, Win7 SP1, Win10 (Enterprise and Home), and OS X El Capitan / Mavericks. More at Room362

[ Passwords? We don’t need no steenkin passwords! First time I’ve ever seen an author put up the briefest summary at the top using the too long; didn’t read tag. -ed ]

9/08/2016 Update:  Protecting Creds in LOCKED computer

Recommended pro-active action from RICIS: once the system administrator has finished setting up the machine, lock down the USB hardware configuration so that no new devices can be installed. On Windows that is the Device Installation Restrictions policy set (Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions): prevent installation of devices not described by other policy settings and allow only the device IDs already in use, so devices already installed keep working while a newly plugged-in USB Ethernet adapter does not. Since the attack also relies on the locked machine answering name lookups and proxy discovery over the new interface, disabling LLMNR, NetBIOS name resolution and WPAD auto-detection removes the traffic Responder feeds on. Start here.

9/08/2016  Taking/posting pictures? Mind the background!

Sometimes great humor can be found in the inadvertent capture of background elements. Back in February a picture was posted of an engineer with a SCADA diagram for the plant in the background, a great boost for hackers. This time it was all the credentials needed to access a political web site, posted to Twitter and sent to thousands of followers. They have since been changed.

9/08/2016  There are rules for police behavior, right?

UK police were found to have broken the rules on snooping on journalists and their sources. Not many cases, and only one was considered "reckless" and drew action. More at Motherboard / Vice.

9/08/2016  NSA/NRO call RAF base home?

The US National Security Agency (NSA) has a base in the United Kingdom for gathering communications from around the world. Not surprising: there have been such electronic listening stations all over for a long time. This one is huge, over 540 acres, and is called Menwith Hill Station (MHS), in North Yorkshire. The public label calls it a Royal Air Force (RAF) facility that provides "rapid radio relay and conduct communications research." There is no public reference to intelligence, yet US NSA and National Reconnaissance Office (NRO) staff make up the majority of the over 2,000 people stationed there.

So what goes on there? Simply put, there are ears pointing up, antennae inside large protective domes, to gather satellite communications. Others monitor cell and WiFi communications at, or near, the ground. Yes, the US is listening in on the UK's populace. There are at least 28 domes of various sizes. Details, including links to many of the source documents, at The Intercept and an overview at Engadget.

9/08/2016  Password Strength Meters need a tune-up

We all should know that "123456" is a pretty weak password. It is on the list (near the top) of the 10,000 most common passwords. Any password you pick should not be on that list ... anywhere. Why? Because people trying to crack passwords start with that list, all of it, plus the entire dictionary, plus the common decorations (capitalize the first letter, append a year, swap letters for look-alike digits and symbols). So is "iloveyou!" a good password? No. It is on the list at #8,778. So, do password strength meters in common use tell you that? Ah, not so much. See Naked Security / Sophos.

[ We stopped using passwords in favor of passphrases. We find YankeeDoodleDandy1776 easy to remember, is long, with mixed case and numbers. ThisBankHasMyMoney$AllOfIt! is a little harder to remember but also a little stronger. We’re not supposed to show you profane passwords, but if you use them, don’t use just a single one. String them together in a phrase you can remember like this one “T101:Chill_Out_Dickwad” -ed ]
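As an added example for the password-meter item above (written for this page, not taken from the Sophos article or any product), the check a meter should make: look the candidate up on the common-password list directly, then again after undoing the decorations a cracker's rule set tries first. The list here is a constructed dozen-entry excerpt; a real deployment loads the whole 10,000-entry list plus a dictionary from a file.

```python
import re

# Constructed excerpt standing in for the 10,000-most-common list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "iloveyou", "letmein", "football",
    "monkey", "dragon", "welcome", "admin", "sunshine", "princess",
}

# Look-alike substitutions that cracking rule sets undo as a matter of course.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def normalize(password: str) -> str:
    """Reduce a password to the word a rule-based cracker would start from:
    lowercase, strip leading/trailing digits and symbols, undo leet
    substitutions, strip again."""
    base = _EDGE_JUNK.sub("", password.lower())
    base = base.translate(LEET)
    return _EDGE_JUNK.sub("", base)


def check_password(password: str, min_len: int = 12) -> list:
    """Return the reasons to reject the password; an empty list means acceptable."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if password.isdigit():
        reasons.append("digits only")
    if len(set(password)) <= 3:
        reasons.append("uses three or fewer distinct characters")
    lowered = password.lower()
    base = normalize(password)
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    elif base in COMMON_PASSWORDS:
        reasons.append(f"common password '{base}' dressed up with digits, symbols or substitutions")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "iloveyou!", "P@ssw0rd1", "Glacier-Teapot-Cadence-41"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The point of normalize() is that "P@ssw0rd1" and "password2016" are the same guess to a cracker as "password": a meter that only counts character classes rates them highly, a meter that looks them up after normalizing rejects them.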

9/08/2016  Government Bombed!

Not with explosives, alcohol or recreational chemicals, but with email subscription requests. So many that email systems were slowed and many person-hours were consumed simply deleting them. How did it happen? Well-run list processing requires a confirmation step: a new address gets one message with a confirmation link and is added only if the link is followed, so a forged sign-up produces a single email rather than a subscription. These lists didn't confirm, so anyone could sign the targets up to thousands of lists at once, and taxpayers took a hit to the wallet. More at Krebs On Security.
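How a confirmation step stops a subscription bomb, as an added example (written here, not taken from Krebs or from any list manager): a sign-up only records a pending request and mails a signed, expiring token to the address; the subscription exists only once that token comes back. The secret and the in-memory tables are constructed placeholders for a real secret store and database.

```python
import hashlib
import hmac
import time

# Constructed server secret; in production load it from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 48 * 3600          # confirmation links die after 48 hours

pending = {}                   # email -> list name, awaiting confirmation
subscribed = set()             # (email, list name) pairs actually on a list


def _sign(email: str, list_name: str, issued: int) -> str:
    msg = f"{email}|{list_name}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(email: str, list_name: str, now=None) -> str:
    """Step 1: record the request and return the token that would be mailed
    to the address. Nothing is subscribed yet, so a forged request costs the
    real owner exactly one confirmation mail, not a flood of list traffic."""
    issued = int(now if now is not None else time.time())
    pending[email] = list_name
    return f"{email}|{list_name}|{issued}|{_sign(email, list_name, issued)}"


def confirm_subscription(token: str, now=None) -> bool:
    """Step 2: only a valid, unexpired, still-pending token from the mailed
    link activates the subscription."""
    try:
        email, list_name, issued_s, sig = token.rsplit("|", 3)
        issued = int(issued_s)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(email, list_name, issued)):
        return False                       # forged or altered token
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL:
        return False                       # stale link
    if pending.get(email) != list_name:
        return False                       # nothing requested, or already used
    del pending[email]
    subscribed.add((email, list_name))
    return True


if __name__ == "__main__":
    token = request_subscription("someone@example.gov", "newsletter")
    print("mail this link token to the address:", token)
    print("confirmed:", confirm_subscription(token))          # True
    print("replayed:", confirm_subscription(token))           # False, already used
```

Because the token is bound to the address, the list and an issue time under an HMAC, an attacker who can submit sign-up forms cannot mint confirmations, and the worst a bombing run can do is deliver one short message per list to the victim.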

9/08/2016  Tweets from suspended accounts – Zombies?

If you tweet something nasty, Twitter will suspend or even deactivate your account. Someone figured out how to reactivate suspended accounts en masse, which points to a security problem and the potential for zombie tweets. More at Naked Security / Sophos

9/08/2016  Just a reminder: Hacking traffic signs is a crime

Can be very funny, but also create confusion and accidents. Here is an Instagram video about a new zombie threat and remember, the Daleks are coming. More, including some cautionary words for the vandals, at Naked Security / Sophos.

[ My personal favorite is “Some a-hole got creamed while talking on cell phone” -ed ]

9/10/2016  Nation’s Largest Identity Thief is …

Would you believe Wells Fargo Bank? With almost two million accounts opened for real people without their permission, it may be the largest known identity thief. The largest of all might not be known yet.

9/10/2016 Update  Jail Time for Nation’s Largest Identity Thief

None. Wells Fargo is not going to jail over the institutional lack of controls that allowed the massive identity theft. Why? Because Wells Fargo settled with its regulators: apologize, pay a fine ($185 million), and admit no misconduct.

[ According to Citizens United decision corporations are people. So why didn’t the corporation get some jail time? -ed ]

9/10/2016  Nuke Monitoring Site Knocked Off Line

The website that monitors North Korean nuclear tests was knocked off line by a DDoS attack. So, who benefits from this? More at Wired

9/14/2016  McAfee Threat Report for September 2016

Some sour tidbits: companies with 5,000 or more employees report on average between 31 and 50 data loss incidents per day. The malware zoo (the collection of known malware and variants) exceeds 600 million samples, 7 million of them ransomware. More, including 10 slides with graphs, at eWeek. Searching Forbes data for 2016 to date finds 158 privately held companies with 5,000 or more employees. At the reported rate that is between 4,898 and 7,900 data loss incidents per day, and that is just for the private companies.

9/15/2016  Microsoft patches TWO YEAR OLD zero-day flaw

Microsoft issued security updates as it has monthly for some time. Seven "critical" security flaws were addressed. One allowed a crook to take remote control of a Win10 system just by getting the victim to visit a web site. The two year old flaw is CVE-2016-3351, an information disclosure bug in Internet Explorer and Edge that malvertising campaigns used to fingerprint victims before serving exploits. Researchers reported the vulnerability had been observed in the wild since January 2014, but Microsoft didn't address it until "larger" voices reiterated the warning. The recent research supports the idea that the crooks are not dummies: they exploit non-critical bugs that live longer than the ones in the headlines. See Data Breach Today.

9/18/2016  Left Hand – Right Hand and you’re paying for both

When a single organization performs two opposed functions we often describe it as the left hand not knowing what the right hand is doing. In this case the right hand may have been clueless, but the left hand probably knew very well, and did it anyway.

The right hand is the United States – Computer Emergency Readiness Team (US-CERT). They strive for a safer, stronger Internet by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world. Earlier this month they issued an alert informing people and companies that major vulnerabilities had been found in core networking equipment yet had been there for years. So who is the “sophisticated hacker” exploiting those weaknesses?

The left hand is the National Security Agency (NSA), which appears to be connected to the Equation Group. The Shadow Brokers, another hacking group, dumped some Equation Group exploits on line. Those included PIXPOCKET, targeting Cisco PIX (Private Internet eXchange) firewalls; support for those ended years ago, but equipment lives longer than that. EGREGIOUSBLUNDER targets Fortinet devices, ESCALATEPLOWMAN WatchGuard, and ELIGIBLEBOMBSHELL Topsec Technology devices. Lastly, EXTRABACON (CVE-2016-6366, a buffer overflow in the SNMP service) hacks any Cisco Adaptive Security Appliance (ASA) up to the latest release at the time of the dump. More at Data Breach Today.

[ So, instead of protecting us, a part of the US government denied information essential to our security and explored it for their own purposes? Aside from breach of trust, is there another word to describe that activity? Clearly these exploits, especially ExtraBacon, are not Kosher -ed ]

9/19/2016  Dial 9-1-1 and get nothing?

With 6,000 compromised cell phones the emergency response system for a city, or a region the size of half a state, could be subjected to a denial of service attack, making it impossible for those needing help to get it. 200,000 compromised phones could cripple service for the majority of the population.

Who figured this out? The Ben-Gurion University of the Negev Cyber-Security Research Center (15 page PDF), and it was confirmed by the director of government affairs for the National Emergency Number Association. How hard is it to get that many compromised phones? A year ago over 600,000 Chinese smartphones were infected with malware and used in a DDoS attack. This vulnerability isn't a programming flaw, it is a design consideration: carriers are required to connect 911 calls from any handset, even one without a valid SIM, so the flood cannot simply be filtered by blocking the calling phones. See Washington Times.

9/22/2016  Smart House? Maybe not.

Marcus wanted a smart home. He went full bore, spending thousands on smart light bulbs, smart thermostats and more based on Apple HomeKit, which uses a proprietary communications protocol "more secure" than the X10 standard. The last purchase? A smart lock that recognizes your mobile phone and unlocks the door for you. It also unlocked the door for his neighbor, who shouted "Hey Siri, unlock the front door" loud enough for Marcus' phone inside to hear him. Yep, apparently Siri can unlock the front door too. Apple's response? Ignore our advertising, use a PIN. More at Naked Security / Sophos.

[ Remember: There are Inherent Dangers on the Internet Of Things -ed ]

9/23/2016   How were NSA hacking tools exposed?

There are many theories, including penetration of the NSA itself at Fort Meade, Maryland or a Snowden-class leaker. Occam's Razor: the simplest explanation tends to be the right one. About three years ago an NSA employee (or contractor) left the tools on a remote computer where Russian hackers found them. That person acknowledged the error "shortly afterward". The possibility still exists that the person made the "error" deliberately.

The NSA did not inform any of the companies whose products were targets of those tools because it did not detect the tools being used and did "not feel obligated to immediately warn the U.S. manufacturers". The judgment was that the benefit of continuing to use the tools outweighed the risk of keeping the flaws secret. More at Reuters.

[ For almost three years the best tools our government had were in the hands of crooks. By not telling the companies about the exposure We The People who are supposed to be protected by our government were not. That they could not detect the tools being used does not mean that they were not used. The judgment runs in the face of our Constitution, right in beginning, the Preamble, where it says provide for the common defense. -ed ]

9/24/2016  Street crime with tech twist

It used to be that a victim would be mugged and the cash and charge cards taken. Then crooks took their victims to ATMs to make withdrawals. Now crooks carry a portable card reader and run transactions on the stolen cards right at the crime scene. More at Krebs On Security

9/24/2016  What does it take to crash 911?

Not much. 6,000 compromised smartphones can take a state's 911 service off line. The Hacker News

9/25/2016  Is your sex toy tattling on you?

These devices report when you use them, for how long, at what intensities, and a whole bunch of other parameters you might not want to become public. Did you opt in for that? Ah ... maybe not. Naked Security / Sophos

9/25/2016  Win10 flaw allows faster cracking

A Windows 10 security flaw allows passwords to be cracked 2,500 times faster than before. IBT

 
 

In addition to the sources cited above, the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended, as is the Identity Theft Resource Center (ITRC).

Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.