Internet threat news

The drama, some might say circus, keeps unfolding around the Russian spying on the US election. What is remarkable is that President-elect Trump is at odds with the security apparatus he will soon inherit. He is saying he does not agree that the Russian government did the hacking. The US intelligence agencies say they have proof they did. Trump is also at odds with members of his own Republican Party. And the former head of the CIA under Bill Clinton, who had become a security advisor to Trump, quit, saying that he was not even invited to meetings where this subject was discussed.

The NSA says they have definitive proof of where the spying came from. Last week we wrote about the technical analysis the NSA provided on our website here. But what is less clear is whether this spying was directed by top Russian officials or President Putin himself.

Obama has already seen and Trump will see this week classified information that the NSA will not show the public. That information, it is said, reveals two items. First, Russians sent communications back to their country celebrating Trump’s win.  Second, they say they have proof that Russian officials provided the stolen documents to Wikileaks, a charge Julian Assange denies. They even know their names.  It is not clear what proof those documents contain that could show that President Putin or the people around him directed the spying.

The Department of Homeland Security and FBI Have released technical details of the hacking of the Democrat Party and Clinton Campaign that they first described in this document in October. As President Obama promised, the government has released proof that this hacking came from Russian intelligence agencies. Now he has punished them by expelling 35 spies and putting banking and travel sanctions on certain Russians. Americans have a unique ability to effectively punish people around the world that way, since most international commerce uses American dollars and some part of the US banking infrastructure.

Obama also promised that any technical analysis would not reveal all the details of how they uncovered what the Russians did, saying that would give away secret techniques. Instead the document includes a list of malware, exploit kits, viruses, domains, techniques, and IP addresses used by the Russians. The document also gives advice how system administrators can help secure their network against these attacks.

It seems hackers also go after people who are supposed to be educated about the dangers of phishing: tech professionals.

Last week I updated the DNS records for my personal email domain. So I was easily tricked when a few hours later I got this email that looks very much like it came from Google support. Luckily this was a harmless ad rotator and not malware. Or it could be that this switched to an ad rotator when it queried my browser and OS and found no match for whatever attack they had planned.

In what one could characterize as the worst banking hacker attack this year - and the only one to have ever caused a bank to shut down its site - Tesco Bank shut off online banking for all of its accounts after 40,000 of them were attacked. Hackers stole £2.5 million from 9,000 accounts. The bank stopped all online activity, but the site is back up now. The bank has not said specifically what steps they have taken to harden their site.

An employee who spoke to the media says the problem most likely could be blamed on Tesco grocery. Tesco also operates an online and brick and mortar grocery business. The employee said the bank’s employees are carefully vetted and its security is good. But the bank’s system is connected to the grocery system which has unpatched servers and poor security in general, the employee said.

It could be that the banking regulator shut down the online bank. The regulator issued a statement scolding the bank for lax security. Now the bank faces fines that could run into the millions of pounds.

The The New York Times, under the scary headline “Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say,” reported that Kryptowire security researchers reported that a Chinese firm Shanghai Adups Technology Co. Ltd has planted software on hundreds of thousands of Android devices and is siphoning off phone data. It did this at the request of an unnamed Chinese manufacturer, they said.

The NYT wrote, “Security contractors recently discovered pre installed software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.”

This is the worrying part: “... this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior …”

This news was broadcast on November 15. So far the US Department of Homeland Security has said it will post a bulletin, but it has not yet. Regarding Europe, it seems that this spyware might have been only intended for the Chinese market but ended up on BLU phones sold in the USA through Amazon and Best Buy by mistake. There is no news so far of this spyware being on phones in Europe or anywhere else besides China and the USA.

SHA-1 (Secure Hashing Algorithm 1) is an encryption algorithm used to encrypt traffic to and from SSL/HTTPS websites. It has some known security weaknesses. So it is being phased out and replaced with SHA-2 and SHA-3. Certificate authorities will quit issuing SHA-1 certificates in January 2017. Microsoft, Google, and Mozilla web browsers will quit supporting those then. That is all good, but the problem is 35% of websites still use these older certificates says research firm Venafi. Web browsers tell you exactly how strong the encryption in a website is when you go there by color coding the address bar. Green is good. Red is bad.

Lock means the site is safely encrypted and you can feel safe entering data there. Info means the site does not use encryption at all or in all places. And the red warning means the SSL certificate is expired, the site has been flagged by the Safe Browsing organization, or there is what Google calls “a weak security setup,” meaning SHA-1.

Should you panic? Is the internet going to stop working on January 2017? Doubtful.

First of all, the security weakness of SHA-1 is probably exaggerated where you consider practical details.

What are some of the new security features in Windows 2016?

Windows 2016 is the soon-to-be released version of Windows server software. The Server version of Windows is the software designed to power business, engineering, and other applications. It is not for desktop users. Prior to Windows 2016 there was Windows 2012 and Windows 2008. So it looks like Microsoft releases a new version about every 4 years.

Changes to Windows 2016 this time can be said to be incremental rather than wholesale. The basic architecture is the same.

One addition to Windows is containers. These have gained a wide following with Linux servers. A container lets a user download and start running application software in just a few minutes or seconds as opposed to hours, days, or weeks to install that by hand. It is like a virtual machine, but it is much smaller since it is not a full operating system.

Nano Server
The Nano Server is something in between the container and hypervisor.

Now you can install Windows as a Nano server. This is a small operating system that lacks, for example, a graphical interface. A Nano server would be used to run databases and other applications on the cloud. The idea is if it is small then there are less components to attack. For example there are less security updates to install. It is the minimum OS needed to run applications. The Nano server is stripped of many Windows features, thus making it suitable for doing just one task.

Some software companies invite security researchers to look for weaknesses in their software and then pay they for finding those. That is called a Bounty Bug program. Microsoft is one company that does that. Google has a bounty program for Android. Apple is late to the game, only launching its program this year. But they pay the highest bounty, up to $200,000 for zero day vulnerabilities. Many smaller companies offer bounty bug programs too.

Not only does Microsoft pay a reward for finding bugs in Windows—some of them are sizeable—they feature the researcher’s name in their bulletins and invite some of them to come to the Researcher Appreciation Party in Las Vegas.

Researchers have to be at least 14 years old and cannot come from countries against which the USA has sanctions. And they agree not to publish their exploit code.   

Microsoft discusses weaknesses and their fixes in their Microsoft Security Bulletins.

But Microsoft says researchers can write about the bug as well as show the exploit code, but only once the vulnerability is fixed. They say, “Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed. And they say “This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.”

Last week we wrote about a massive DDoS attack on DYN.com that cut off access to Netflix, Amazon, and many other sites for users in large parts of the USA. Now we know that this was caused by IoT devices.

IoT (The Internet of Things) is a technology that is rolling out quickly. What this does is connect everything from smart home appliances to industrial machinery and even physical inventory to the cloud. The idea is to both monitor offices, homes, buildings, traffic, manufacturing, medical patients, and agriculture, but also control those devices.

IoT has taken off in recent years because of the plunging cost of technology and the growth of companies that have made it easier to connect many of these devices to their clouds. Companies exist to let manufacturers and other companies control hundreds or thousands of IoT devices from the cloud. Home IoT systems for the most part operate without a cloud central-control mechanism.

An IoT device is usually some kind of sensor, like humidity or motion, plus a computing card and controller. These computing cards are, for example, Raspberry Pi or Intel Edison computing cards that for the most part run some version of Linux. The cards are not much larger than a wallet.

Someone, no one is quite sure who, yet, has managed to take Twitter, SoundCloud, Spotify, Shopify, and other sites offline using a DDoS (distributed denial of service) attack this week. The outage affected much of the USA and parts of Europe.

These sites are all customers of Dyn.com. They are a company that operates a massive DNS system around the world that lets companies failover from one set of servers to another and provides redundancy. It also serves as a content distribution network (CDN) to reduce latency by locating data closer to users by locating that around the world.

The US government is responding to this attack by questioning whether this is a criminal DDoS attack, as Brian Krebs and others have speculated, or a state cyberattack. Congressmen on Capitol Hill have raised questions about that and the White House has gotten involved.

This comes on the heels of allegations, and apparently proof as well, that the Russian government has been hacking into the computer systems at Hillary Clinton’s presidential campaign and the Democratic Party headquarters. Pundits on TV, in the news, and the Clinton campaign say Russian President Putin’s goal is to embarrass Secretary Clinton, thus favoring Donald Trump.

An activist in the Middle East in August of this year noticed odd text messages coming to his phone. It turns out that those were instructions coming from the command and control center for Pegasus Spyware telling the Spyware what actions to take.

The activist alerted Citizen Lab who contacted the Lookout security firm. What they found was spyware. Lookout wrote this technical analysis giving details of how the spyware works.

State-level Hackers for Hire
NSO Group is an Israeli firm that wrote Pegasus. It affects iOS up to version 9.3.5. Pegasus lets whoever is using it bypass iOS security and gain access to virtually all data on the phone including audio, video, contacts, GPS location, passwords, Wi-Fi router password, text messages, and messages and email from from Gmail, Facebook, Skype, WhatsApp, and other programs.

NSA employee Harold T. Martin III has been taken to jail for allegedly stealing documents, files, and maybe devices from the NSA intelligence agency. While there has been some speculation that he might have been the source who leaked a vast amount of NSA tools on the internet recently, including the NSA’s best hacking tools, current reports say he might have just been collecting this information with no particular intention of selling it. So he might have just been curious and a collector of such things.

That Mr Martin worked for Booz Allen Hamilton brings new scrutiny to that government contractor, because Edward Snowden worked there too.

So let’s take a look at Booz Allen Hamilton (BAH) and the government contracting business in Washington and you will get an understanding of why the NSA, FBI, and Pentagon probably do not operate as efficiently as shown in the movies.

Recently the American government issued guidelines for driverless vehicles. This creates national standards so that car manufacturers do not have to figure out how to follow 50 different laws in 50 different states. Analysts have said these rules seek to make this market grow without imposing a heavy regulatory burden. Many of the details are left up to the manufacturers to design and implement.

Google has long been operating self-driving cars. Uber has self-driving taxis operating in Pittsburgh, Pennsylvania.  And Tesla has self-driving electric cars. All of these let the driver take control when needed. Ford announced it is building Fusion Hybrid driverless vehicles that do not even have a steering wheel. So there will be no way that passengers can take control of the vehicle.

The fear is that a hacker can take control of a car and drive it into a wall.

Cambridge University researcher Sergei Skorobogatov demonstrated that he can brute force attack the passcode screen lock feature on the iPhone 5c. He did this by physically opening up the iPhone and then making a copy of the memory chip which he then connected to the phone using wires. Then he said you could enter every 4 digit passcode from 0001 to 1111 manually until you unlocked the phone. He did not actually do that as it would take 20 hours. Instead he proved it would work. The goal was to use copies of the memory chip, because if the security feature is enabled the iPhone erases the memory after 6 failed attempts.

The paper he wrote explaining the process is here. And a YouTube video of him demonstrating the procedure is here.

The FBI wanted to try this type of attack against iPhone owned the San Bernardino terrorists. The FBI director said, “It did not work.” Then they paid a security firm $1.3 million for their secret technique.