Internet threat news

The The New York Times, under the scary headline “Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say,” reported that Kryptowire security researchers reported that a Chinese firm Shanghai Adups Technology Co. Ltd has planted software on hundreds of thousands of Android devices and is siphoning off phone data. It did this at the request of an unnamed Chinese manufacturer, they said.

The NYT wrote, “Security contractors recently discovered pre installed software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.”

This is the worrying part: “... this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior …”

This news was broadcast on November 15. So far the US Department of Homeland Security has said it will post a bulletin, but it has not yet. Regarding Europe, it seems that this spyware might have been only intended for the Chinese market but ended up on BLU phones sold in the USA through Amazon and Best Buy by mistake. There is no news so far of this spyware being on phones in Europe or anywhere else besides China and the USA.

SHA-1 (Secure Hashing Algorithm 1) is an encryption algorithm used to encrypt traffic to and from SSL/HTTPS websites. It has some known security weaknesses. So it is being phased out and replaced with SHA-2 and SHA-3. Certificate authorities will quit issuing SHA-1 certificates in January 2017. Microsoft, Google, and Mozilla web browsers will quit supporting those then. That is all good, but the problem is 35% of websites still use these older certificates says research firm Venafi. Web browsers tell you exactly how strong the encryption in a website is when you go there by color coding the address bar. Green is good. Red is bad.

Lock means the site is safely encrypted and you can feel safe entering data there. Info means the site does not use encryption at all or in all places. And the red warning means the SSL certificate is expired, the site has been flagged by the Safe Browsing organization, or there is what Google calls “a weak security setup,” meaning SHA-1.

Should you panic? Is the internet going to stop working on January 2017? Doubtful.

First of all, the security weakness of SHA-1 is probably exaggerated where you consider practical details.

What are some of the new security features in Windows 2016?

Windows 2016 is the soon-to-be released version of Windows server software. The Server version of Windows is the software designed to power business, engineering, and other applications. It is not for desktop users. Prior to Windows 2016 there was Windows 2012 and Windows 2008. So it looks like Microsoft releases a new version about every 4 years.

Changes to Windows 2016 this time can be said to be incremental rather than wholesale. The basic architecture is the same.

One addition to Windows is containers. These have gained a wide following with Linux servers. A container lets a user download and start running application software in just a few minutes or seconds as opposed to hours, days, or weeks to install that by hand. It is like a virtual machine, but it is much smaller since it is not a full operating system.

Nano Server
The Nano Server is something in between the container and hypervisor.

Now you can install Windows as a Nano server. This is a small operating system that lacks, for example, a graphical interface. A Nano server would be used to run databases and other applications on the cloud. The idea is if it is small then there are less components to attack. For example there are less security updates to install. It is the minimum OS needed to run applications. The Nano server is stripped of many Windows features, thus making it suitable for doing just one task.

Some software companies invite security researchers to look for weaknesses in their software and then pay they for finding those. That is called a Bounty Bug program. Microsoft is one company that does that. Google has a bounty program for Android. Apple is late to the game, only launching its program this year. But they pay the highest bounty, up to $200,000 for zero day vulnerabilities. Many smaller companies offer bounty bug programs too.

Not only does Microsoft pay a reward for finding bugs in Windows—some of them are sizeable—they feature the researcher’s name in their bulletins and invite some of them to come to the Researcher Appreciation Party in Las Vegas.

Researchers have to be at least 14 years old and cannot come from countries against which the USA has sanctions. And they agree not to publish their exploit code.   

Microsoft discusses weaknesses and their fixes in their Microsoft Security Bulletins.

But Microsoft says researchers can write about the bug as well as show the exploit code, but only once the vulnerability is fixed. They say, “Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed. And they say “This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.”

Last week we wrote about a massive DDoS attack on DYN.com that cut off access to Netflix, Amazon, and many other sites for users in large parts of the USA. Now we know that this was caused by IoT devices.

IoT (The Internet of Things) is a technology that is rolling out quickly. What this does is connect everything from smart home appliances to industrial machinery and even physical inventory to the cloud. The idea is to both monitor offices, homes, buildings, traffic, manufacturing, medical patients, and agriculture, but also control those devices.

IoT has taken off in recent years because of the plunging cost of technology and the growth of companies that have made it easier to connect many of these devices to their clouds. Companies exist to let manufacturers and other companies control hundreds or thousands of IoT devices from the cloud. Home IoT systems for the most part operate without a cloud central-control mechanism.

An IoT device is usually some kind of sensor, like humidity or motion, plus a computing card and controller. These computing cards are, for example, Raspberry Pi or Intel Edison computing cards that for the most part run some version of Linux. The cards are not much larger than a wallet.

Someone, no one is quite sure who, yet, has managed to take Twitter, SoundCloud, Spotify, Shopify, and other sites offline using a DDoS (distributed denial of service) attack this week. The outage affected much of the USA and parts of Europe.

These sites are all customers of Dyn.com. They are a company that operates a massive DNS system around the world that lets companies failover from one set of servers to another and provides redundancy. It also serves as a content distribution network (CDN) to reduce latency by locating data closer to users by locating that around the world.

The US government is responding to this attack by questioning whether this is a criminal DDoS attack, as Brian Krebs and others have speculated, or a state cyberattack. Congressmen on Capitol Hill have raised questions about that and the White House has gotten involved.

This comes on the heels of allegations, and apparently proof as well, that the Russian government has been hacking into the computer systems at Hillary Clinton’s presidential campaign and the Democratic Party headquarters. Pundits on TV, in the news, and the Clinton campaign say Russian President Putin’s goal is to embarrass Secretary Clinton, thus favoring Donald Trump.

An activist in the Middle East in August of this year noticed odd text messages coming to his phone. It turns out that those were instructions coming from the command and control center for Pegasus Spyware telling the Spyware what actions to take.

The activist alerted Citizen Lab who contacted the Lookout security firm. What they found was spyware. Lookout wrote this technical analysis giving details of how the spyware works.

State-level Hackers for Hire
NSO Group is an Israeli firm that wrote Pegasus. It affects iOS up to version 9.3.5. Pegasus lets whoever is using it bypass iOS security and gain access to virtually all data on the phone including audio, video, contacts, GPS location, passwords, Wi-Fi router password, text messages, and messages and email from from Gmail, Facebook, Skype, WhatsApp, and other programs.

NSA employee Harold T. Martin III has been taken to jail for allegedly stealing documents, files, and maybe devices from the NSA intelligence agency. While there has been some speculation that he might have been the source who leaked a vast amount of NSA tools on the internet recently, including the NSA’s best hacking tools, current reports say he might have just been collecting this information with no particular intention of selling it. So he might have just been curious and a collector of such things.

That Mr Martin worked for Booz Allen Hamilton brings new scrutiny to that government contractor, because Edward Snowden worked there too.

So let’s take a look at Booz Allen Hamilton (BAH) and the government contracting business in Washington and you will get an understanding of why the NSA, FBI, and Pentagon probably do not operate as efficiently as shown in the movies.

Recently the American government issued guidelines for driverless vehicles. This creates national standards so that car manufacturers do not have to figure out how to follow 50 different laws in 50 different states. Analysts have said these rules seek to make this market grow without imposing a heavy regulatory burden. Many of the details are left up to the manufacturers to design and implement.

Google has long been operating self-driving cars. Uber has self-driving taxis operating in Pittsburgh, Pennsylvania.  And Tesla has self-driving electric cars. All of these let the driver take control when needed. Ford announced it is building Fusion Hybrid driverless vehicles that do not even have a steering wheel. So there will be no way that passengers can take control of the vehicle.

The fear is that a hacker can take control of a car and drive it into a wall.

Cambridge University researcher Sergei Skorobogatov demonstrated that he can brute force attack the passcode screen lock feature on the iPhone 5c. He did this by physically opening up the iPhone and then making a copy of the memory chip which he then connected to the phone using wires. Then he said you could enter every 4 digit passcode from 0001 to 1111 manually until you unlocked the phone. He did not actually do that as it would take 20 hours. Instead he proved it would work. The goal was to use copies of the memory chip, because if the security feature is enabled the iPhone erases the memory after 6 failed attempts.

The paper he wrote explaining the process is here. And a YouTube video of him demonstrating the procedure is here.

The FBI wanted to try this type of attack against iPhone owned the San Bernardino terrorists. The FBI director said, “It did not work.” Then they paid a security firm $1.3 million for their secret technique.

You might have noticed that so many security updates pushed out to Windows include updates to Adobe Flash.

Adobe Flash is a security risk that will not go away. Steve Jobs famously fought this web video player, because he did not want the Safari browser dependent on a third-party product. He even wrote an essay in 2010, that you can read here, explaining why Flash would never run on iOS or Mac OS. (Although Adobe wrote instructions for how to enable it there, since otherwise lots of media content would not work.)

Jobs and others pushed for an upgrade to the HTML standard to HTML5 to support video without Flash. That took some years to roll out. HTML5 supports the

The newspapers have finally reported what thinking people have already figured out for themselves. What we have been told for decades about setting password policies is based on illogical thinking.

The Fallacy of the Complicated Password
If you have set up Active Directory, LDAP, or any application with its own user store then you probably have seen that you can write password rules. Typically those rules require that passwords have a certain number of uppercase letters, numbers, and non-alphabet letters .  They also require a certain length.  Some even require that the password contain no words from the dictionary.

The result is instead of having passwords like “password123” or “name_of_pet.” They have something like “$%Lxxhh3.”

But that is only difficult for a human being to remember. Punctuation symbols and odd characters are not complicated for a computer.

Ransomware is based on the idea that the victim cannot decrypt their encrypted files with a key because it would be impossible to guess the value of the key. The hacker who has encrypted a file like this will sell the victim this key.

So you could say that they have held their file hostage and are demanding ransom, which is why they call it ransomware.

Ransomware Cryptography Explained
It might seem counterintuitive that the output of an encrypted file is text even if the input is not. That is because the bits in the file are what is encrypted, and bits are just numbers.

Hackers this week stole 800,000 user tokens from Epic Games. Much of that was Facebook data.  

When you go to a website that lets you login with your Google or Facebook credentials, that site exchanges data with Google or Facebook. Those social media sites issues some kind of token, which you can think of as a session ticket. That is what lets you log in.

Obviously that data exchange point is a good spot for hackers to lurk as those tokens can be used to spoof user credentials. In other words, they can pretend to be that user if they have those session tickets.

This is not usually a concern with, for example, SSL web session tokens. That is because those are set to timeout. Also because of the certificate chain-of-authority, those cannot be used by a third party. This is because the hacker cannot fake being a valid person at the end of the chain.