Internet threat news

Oscar winning documentary filmmaker Laura Poitras has a new film. It’s about Julian Assange, the WikiLeaks founder. She was at the Cannes Film Festival previewing it this week.   

In case you do not know who Laura Poitras is, she is the documentary film maker who Edward Snowden first contacted when he was seeking a journalist to publish NSA secrets in 2013. Laura later was overshadowed by The Guardian newspaper reporter Glenn Greenwald who Snowden contacted after her. Greenwald, who initially ignored Edward Snowden, became more famous, no doubt because he works for that large newspaper and got a large audience for his articles. But both served equal roles in getting Snowden’s work published.  

Greenwald and Poitras flew to Hong Kong to meet Snowden. The rest is history, with which you are no doubt well aware.

Laura’s film about Edward Snowden is called “Citizenfour.” It is a minute-by-minute account of that meeting in Hong Kong and the successful effort by the journalists to get Snowden’s documents published and keep Snowden by being whisked away from the Americans and hauled off the jail. Although Snowden as a former CIA and NSA employee had more knowledge about how to avoid that than they did.

Hackers have for the second time stolen money from banks using the SWIFT payment system. Now we have some technical details about the first attack.

Usually when hacking news breaks the technical details are not given to the public. Often law enforcement tells the victim to keep those secret. Yet the security community operates in the opposite direction, believing by publishing the details of hacking that other people can protect against those methods. So we explain that here.

SWIFT
SWIFT is the decades old payment system that banks use to write transfer money to each other. It is several orders of magnitude larger than something for consumer use like PayPal. SWIFT is what companies use to move hundreds of millions of dollars around and governments use to make bond payments.  

In February hackers convinced the New York Federal Reserve Bank to wire $81 million to a bank in Bangladesh. The Feb was curious about that transaction so they contacted the bank who initiated the transaction to verify that. Hackers made it look like the bank gave its approval.

The Fed is part of the US government and not a private bank. The dominate the US federal financial system and is some regards the financial system for the whole world. So that they were tricked says a lot.

The US Military has their own cybersecurity organization. It’s called the US Cyber Command. There is one for the Navy, Army, and Air Force.  Their main goal is to protect military communications but they also have attack capabilities. They say they use the same techniques as other hackers to go after targets: phishing, denial of service, and malware. Here we look at one agency, The US Army Cyber Command.

Overlapping Agencies Jockeying for Position
The US Army Cyber Command says their mission is:

“United States Army Cyber Command and Second Army directs and conducts integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries.”

Well, someone who is familiar with how the United States government works and does not work would have doubts about their capabilities. How effective can the US Cyber Command be compared to the NSA, whose capabilities are well known? Both even operate out of the same building outside Washington, but the NSA is a much larger organization and attracts better talent.

You might not know this, but the US Military created much of the encryption technology that we use today, including TOR, the cloaking software used by Edward Snowden and others. They also created SSL and the RSA algorithm. The US Military even invented the internet, in 1969. It was called ARPANET then. And they had a hand in funding everything from the laser to UNIX.

This does not mean that programmers working for the military wrote all of these programs and made all of these devices. Instead the American Department of Defense awarded contracts to mathematicians, companies, and cryotograpers who developed all of this, except Navy programmers wrote TOR.

DES
The Data Encryption Standard was created in 1975 when the NSA solicited proposals for how to protect government data. The NSA is part of the Department of Defense. IBM responded with a proposal. The NSA published their algorithm and put it out for public comment. The best mathematical minds and cryptographers tried to find its weaknesses. A series of back and forth comments led to several revisions so that today we have the AES standard, yet DES remains in use. AES256, for example, is used in all kinds of encryption, like disk drive encryption.

It is a cliché to say it, but you have to think like a criminal in order to defeat a criminal.

Some businesses and organization, from Samsung, to Google, to even the US Military, have come to the rational conclusion that if that you cannot defeat your enemies outright you can buy them off. So that is what they do.

When a hacker, hobbyist, or security researcher finds a security weakness they can either tell the software or hardware producer, out of the goodness of their heart or in exchange for some recognition, or they can keep this secret to themselves and seek to profit from that.

There are several ways to profit. One is to turn to the criminal element and use it for crime. The other is to sell the exploit to companies who gather up and resell those to crooks, governments, and corporations alike. Another is to turn to the bounty bug programs run by the software companies whose bugs they are trying to track down and repair.

Zerodium and other Private Brokers
One bug collector is Zerodium. It is unclear whether Zerodium, who sells flaws to governments and corporations, works for the good guys or the bad guys. Their standing offer is $1 million to anyone who can crack the iPhone. Their motto is “The premium acquisition program for zero-day exploits and advanced cybersecurity research."

Italy is not a country one usually thinks of when they think of hackers or even IT in general. With its perennially slow growing economy and focus on traditional businesses, like wine and sport cars, there are not a lot of startup tech companies there as compared to other places. Nor are there many startup criminal hacker enterprises either, such as one finds in nearby Romania. But Italy is home to one of the most important professional hacking companies used by governments, known simply as Hacking Team. They call their product Galileo.

The company makes no secret of who their target customers are. They headline their website with with “The Hacking Suite for Governmental Interception,” underlining that with, “We believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

Usually espionage firms keep a low profile. But The Hacking Team was shoved into the public limelight by one highly embarrassing data leak. In 2015, a hacker stole internal emails and their valuable source code and put it on bittorrent sites.

An article in The New York Times in March of 2016 explained that one of the 2015 Paris Terror Attackers was shown two things when he first met up with his ISIS handlers: how to fire an assault rifle and how to use TrueCrypt encryption software. The terrorist recruit was given a USB drive with TrueCrypt installed. He was instructed to download encrypted messages from a shared cloud drive in Turkey and then use TrueCrypt to decrypt those and use it again to upload replies. The terrorist understood those instructions since he was a computer technician.

The newspaper speculated that terrorist was told not to use email as that would make it easier for spies to track the terrorist group’s physical location by giving away the IP addresses of any emails they might intercept, which are listed clearly in the email headers.

As you probably have already heard, the FBI sued Apple because Apple refused its demand to unlock an iPhone 5C belonging to the San Bernardino terrorists. But what is new and shocking is that Apple withdrew its suit because they figured out how to unlock the phone themselves.  

In the past law enforcement and intelligence agencies around the world routinely sent captured phones to Apple and Google’s headquarters where the phones were unlocked. At that time Apple and Google kept a serial number that was shipped with the phone. This number together with the passcode created by the user created an unbreakable encrypted value. Calculate that and you could unlock a locked phone perhaps by plugging in a cable. But then Apple changed the iPhone, as did Google, where they no longer kept a copy of that value. They did that because customers and privacy activists demanded that after the Edward Snowden leaks. Then the manufacturers said they could not assist the police and spies anymore as it was technically impossible because they had got rid of that back door.

There are two items on the internet that you need to see if you follow security. First there is this film on Youtube that gives the history of Linux. And then there is story in The Washington Post that explains that some people are concerned that the people who maintain the Linux kernel are not fixing security problems there. The procedure to fix bugs in the Linux kernel is so slow that the newspaper calls it “evolutionary.”

To understand the controversy, and to decide for yourself whether there are security problems with Linux, you have to look at the history of how it was developed and who maintains it now.

There are two people behind the Linux operating system: Richard Stallman and Linus Torvalds.

What Richard Stallman did was start the project to write the GNU operating system, which we now call Linux. He is annoyed that people do not call it by its correct name, GNU/Linux.  But he is happy to have reached his overall goal, which to write something and give it away for free.   

Richard Stallman started the GNU organization with the idea that no one should have to pay for Microsoft Windows or any version of UNIX, like Solaris. (AT&T invented UNIX but did not give it away or turn it into a commercial product.) Now lots of software is distributed under what is called the GNU license, meaning it is free if when you change that you are willing to give those changes away for free as well so they can be added back into the product.

Ransomware is malware that encrypt data files that can only be decrypted when the data file owner pays a ransom. The only recovery method is to go to a backup. Guessing the password to unlock the file is for all practical purposes impossible because of the nature of cryptography. Regarding defenses the only good defense is to make lots of backups and to train users not to click on phishing emails. Antivirus software might help, but certainly will not work in all cases.

The way that ransomware works (for example TeslaCrypt, CryptoWall, Locky, Crypt0L0cker and Cerber) is it scans the user’s drive and encrypts each files using an encryption key that only the hacker knows. It also sets up some kind of communication channel so that is can alert the hacker that it has found a victim. It also adds software code to the encrypted file that causes a screen to pop up when a user opens it. This screen both tells the user that their data is locked and provides a screen where the user can enter the code to unlock it and where to go to pay the ransom.

If you were a Martian and landed on earth, somewhere in the USA, you would think there is some kind of war going on over there as there is violence and violent protests. There are Black Lives Matter protests because of police shooting black people. Armed men have taken over federal lands out west to protest restrictions on their ability to graze cattle where they want.  And then there are Donald Trump’s political rallies where violence has broken out too.

It does not matter to us what your politics are. We don’t care what you think about Donald Trump. What we do here is report the news and the new this week is that the hacker group Anonymous has targeted Donald Trump. You can see their declaration of war here on YouTube.

As IoT (The Internet of Things) grows, obviously security risks associated with that are going to grow too.  Let’s take a look at some of the wireless protocols that IoT use and see which of them might have security weaknesses. IoT applications transfer data from sensors to the IoT cloud application where that data can can be analyzed and processed. In some applications the IoT app sends instructions in the other way, back down to the IoT device, so that it can send instructions to the machine to which they are attached or do maintenance items like download and install software updates on the IoT computer card. Examples of this are industrial monitoring, vehicle fleet maintenance, and home automation. For example, a fleet monitoring system can monitor a truck’s brake temperature to alert the operator when it is time to replace brakes. As an other example, sensors can monitor a diesel generator for vibration. An increase in vibration would indicate an increased load on the motor thus indicating some kind of maintenance is need on whatever the engine is attached to. If the engine temperature rises too quickly, the IoT application can shutdown the machine directly. If an IoT device is close to an electrical source and thus cabling it can use an ethernet network for communications. But if it is attached to door or window or out in a field, far away from any facility, then it needs some type of wireless communication.

You can hire hackers; you can hire DDOS services too. Why you would want to hire a DDOS service? It is difficult to say as only the criminal mind or otherwise deranged person would know why they would want to inflict damage for sport. Except some hacking is political in nature, in which case the motive is obvious, or even cyberwar such as the ISIS army and its enemies. Some DDOS service providers charge $38 for their botnet rental services. A botnet is a network of thousands of hacked computers. The weak spot here is the vast majority of internet users are ordinary people who do not know that they have been hacked and are unwitting accomplices in this. The reason someone would need to use a third party to launch this type of attack is you need as an attack from one or only a few IP addresses would be easy to shut down by the victim. Incapsula’s “2015 DDoS Threat Landscape” report tells us that that some attacks can last weeks or months. One Idaho kid shut down his school system’s computers for weeks and caused all the kids who took an aptitude test to lose their scores.

There is much reporting in the news this week about the American government’s court order to force Apple to decrypt iPhone 5 belonging to the San Bernardino Islamic terrorists. The journalists report that Apple says that the iPhone is impossible to crack because Apple does not know the encryption key and that entering an incorrect passcode 11 times will cause the phone to wipe the data. But the journalists do not go into any detail why the device cannot be decrypted. So we do that here. In sum, the iPhone cannot be decrypted because iOS generates a random number used as the cryptographic key when the machine is first turned on and after it has been manufactured and the housing close up. Apple does not back the key up to iTunes of the Apple cloud. So Apple does not know that. So, what the FBI wants is that Apple writes and compiles a modified version of iOS onto the device to allow the FBI to brute force attack the code to unlock the phone without erasing the data.  But if you read the technical details, that would seem to be impossible as any tampering with the device, such a replacing the operating system with another or even removing the storage, would erase the encryption keys on the device thus defeating the ability to read the encrypted memory. (A smartphone like the iPhone has no magnetic storage. It’s all solid state storage also called flash storage. So you can think of the whole device as have no storage. It is all memory.)