Internet threat news

The newspapers have finally reported what thinking people have already figured out for themselves. What we have been told for decades about setting password policies is based on illogical thinking.

The Fallacy of the Complicated Password
If you have set up Active Directory, LDAP, or any application with its own user store then you probably have seen that you can write password rules. Typically those rules require that passwords have a certain number of uppercase letters, numbers, and non-alphabet letters .  They also require a certain length.  Some even require that the password contain no words from the dictionary.

The result is instead of having passwords like “password123” or “name_of_pet.” They have something like “$%Lxxhh3.”

But that is only difficult for a human being to remember. Punctuation symbols and odd characters are not complicated for a computer.

Ransomware is based on the idea that the victim cannot decrypt their encrypted files with a key because it would be impossible to guess the value of the key. The hacker who has encrypted a file like this will sell the victim this key.

So you could say that they have held their file hostage and are demanding ransom, which is why they call it ransomware.

Ransomware Cryptography Explained
It might seem counterintuitive that the output of an encrypted file is text even if the input is not. That is because the bits in the file are what is encrypted, and bits are just numbers.

Hackers this week stole 800,000 user tokens from Epic Games. Much of that was Facebook data.  

When you go to a website that lets you login with your Google or Facebook credentials, that site exchanges data with Google or Facebook. Those social media sites issues some kind of token, which you can think of as a session ticket. That is what lets you log in.

Obviously that data exchange point is a good spot for hackers to lurk as those tokens can be used to spoof user credentials. In other words, they can pretend to be that user if they have those session tickets.

This is not usually a concern with, for example, SSL web session tokens. That is because those are set to timeout. Also because of the certificate chain-of-authority, those cannot be used by a third party. This is because the hacker cannot fake being a valid person at the end of the chain.

In what is a truly embarrassing event for America’s signal intelligence service, hackers got their hands on a massive set of hacking tools belonging to of the NSA. The hacking group, called the Shadow Brokers, put part of this online for free to show that it was genuine. Now they are selling the rest.

These files are the kind of industrial-strength hacking tools that espionage firms would have sold to the NSA, those that the NSA bought on the black market, and those that the NSA might have developed themselves and with contractors.

Cisco Firewall Exposed
The set of tools include rather common tools for everything from sniffing TCP traffic to far more advanced tools that exploit zero-day defects. To recall, “zero-day defect” means software vulnerabilities that the software or hardware vendor does not yet know about. So they can be exploited by hackers.

If computers get hacked because of weaknesses in the operating system then why not remove the operating system to make them more secure?

That’s the simple principle behind ChromeOS, the open source operating system sponsored by Google.

There is only one program on ChromeOS: that is the Chrome browser. Everything else, like the ssh plugin, is a browser extension that you can get from the Chrome marketplace here. (You can see which extensions you have in Chrome by typing chrome://extensions/.)

Naked ChromeOS
Of course ChromeOS is an operating system too, since the Chrome browser cannot run by itself. There needs to be some software in place to respond when the power is turned on and to interact with the screen and storage and where someone plugs in a USB device.

There have been some high profile incidents of cell phone hacking some years ago. For example, the former Speaker of the House of Congress in the USA Newt Gingrich was hacked when an older married couple used a simple radio scanner to listen in on his calls.  But you do not hear about such hacking much anymore, even though the GSM cellular standard still has the known weakness in its encryption algorithm.

Hacking the speaker was made easier because the American cell phone technology is a mix of technologies. That market is different from the rest of the world. There are three cell phone standards there: CDMA, GSM, and IDEN. The USA is where cellular technology was invented—at AT&T Bell Laboratories, which made so many important inventions, like UNIX, C, C++, the laser, microwaves, and the transmitter—so it makes sense that there would have been more than one standard vying to become the dominant standard.

The US has levelled the charge that the Russian government has hacked into the headquarters of the Democrat Party in the USA. They say the Russian goal was to steal political campaign data and give it to presidential candidate Donald Trump to help him against Hillary Clinton.

The assertion is that Russia wanted to help the campaign of Donald Trump. This might be because Donald Trump and Russian president Putin have both said flattering things about each other. Or it might be because the Russians have calculated that Trump is who they want as the American president for reasons having to do with global politics. Whatever their goal, this action certainly has worked in Trump’s favor.

Whoever stole the emails gave them to WikiLeaks where they are now online where anyone can search them. WikiLeaks founder Julian Assange said that Russia was not involved. Obviously it would have been Assange who would have negotiated handing this data over from whoever took it. So he should know or perhaps could know.

This week Microsoft was given a firm slap across the backside by the European Union for vacuuming up personal data with Windows 10 and showing ads on that platform. The company has 3 months to change their software to stop recording user data.

But one wonders why the EU singled out Microsoft when Google and Facebook have built entire businesses around doing that.

The Internet Advertising Business
Google and Facebook record user data in order to pitch targeted advertising. But Google and Facebook do not sell their data to other companies. They use it for themselves. Twitter allows companies to access general trends, but not specific user data. And some companies can access certain Facebook APIs, with permission from Facebook.

Most other websites, especially media ones like newspapers, sell private data. So do ecommerce companies. So do cell phone companies and even brick and mortar retailers. And companies called data brokers make selling private data their entire business.

WhatsApp, like Facebook, uses OpenSignal opensource to encrypt messages. It encrypts all chat messages and does not need to be turned on.

Here we explain how that works. And we explain how it might be possible to compromise that security by copying a phone’s private key, although reasoning through that it does not seem likely.

WhatsApp Encryption
WhatsApp uses three keys to encrypt messages as they explain in their technical specs.

They say they do not keep a copy of the private keys on their servers. WhatsApp generates the private key on your phone and leaves it there. But they store the public keys on their server.  There is no risk in that, as giving away your public keys is how encryption has always worked.

To understand what that means, imagine you are chatting with someone, say, Fred. You send Fred your public key when you start to chat with him. He uses that key to encrypt messages that only you can read with your private key. Since WhatsApp does not have your private key, they could not read those.

Facebook has rolled out encrypted chat now, shortly after WhatsApp having done the same. They call it Secret Conversations (SC). It is based on the opensource Signal protocol developed by Open Whisper Systems (OWS).

OWS has their own encrypted chat app too, called Signal. It has some notable differences with the Facebook one, a major one being that Signal supports multiple people chatting all at the same time while SC only allows two. When you read below you will see that is a technical limitation imposed by FB. SC also does not allow for encrypted audio, but images sent over SC will be encrypted. Here we take a look at SC and at the Signal protocol.

Bart Ransomware is a new ransomware reported in the media only a few days ago. Proofpoint wrote a detailed technical analysis of it here.

Like other ransomware, this sets the wallpaper to show the ransom message, then directs the user where they can pay the ransom to obtain the passcode to their files. It does not lock the computer screen.
This ransom, at $2,000, is a lot higher than others we have seen.
The name of the ransomware “Bart Doh!” might give a clue as to who wrote it, or at least how old they are.

A couple of years ago thieves descended in large numbers on Chile to replace debit card readers in ATM machines with their own recording device to vacuum up stolen data. This type of crime is called skimming.

They also installed tiny cameras in the ATMs to record the pin as users typed those in.

That crime has fallen off there as banks have incorporated some hardening tactics. After bank hardening in one area, criminals then moved onto other markets where such protections were found to be weak. Such crime is still found, even in developed countries, but it is much less common than before.

Thieves also have another target: POS terminals.

This writer has been saying for years that security products do not work 100% of the time. So there is the need to use several different approaches to cybersecurity.

Even if intrusion detection tools worked 99.99% of the time then all it would take is 9,999 tries for the probability of someone penetrating your defense to equal certainty, i.e. 1 or 100%.

So given that security does not stop hackers, what good does it do to defend against those using the traditional approach of deploying perimeter defenses? It depends on who you ask.  Due diligence requires that you do that. But logic would suggest that you do something else too.

The New York Times says business has come to that conclusion as well. They write, “Most security start-ups seeking funding today have resigned themselves to the inevitability of a breach and are focused more on identifying an attack as it plays out and praying that they can respond before the perpetrator makes off with something important.”

Lots of people who follow cybersecurity news know that hackers stole data on 83 million customers at JP Morgan in 2014. But in a development that does not happen enough, now the hackers have been caught.

Lots of criminal hackers operate from places like Russian and Romanian where they are pretty much beyond the reach of American and Western European law enforcement. But the two hackers who were arrested in the JP Morgan heist are from Israel, a close ally of the USA and other Western nations.

Now the hackers find themselves before a judge in New York City. A US citizen who worked who worked with them is still at large say some press reports. Yet the Wall Street Journal said he was arrested in Russia. He should hope that Russia does not extradite him to the USA as he and his co-conspirators could face up to 20 years in prison.