Internet threat news

As IoT (The Internet of Things) grows, obviously security risks associated with that are going to grow too.  Let’s take a look at some of the wireless protocols that IoT use and see which of them might have security weaknesses. IoT applications transfer data from sensors to the IoT cloud application where that data can can be analyzed and processed. In some applications the IoT app sends instructions in the other way, back down to the IoT device, so that it can send instructions to the machine to which they are attached or do maintenance items like download and install software updates on the IoT computer card. Examples of this are industrial monitoring, vehicle fleet maintenance, and home automation. For example, a fleet monitoring system can monitor a truck’s brake temperature to alert the operator when it is time to replace brakes. As an other example, sensors can monitor a diesel generator for vibration. An increase in vibration would indicate an increased load on the motor thus indicating some kind of maintenance is need on whatever the engine is attached to. If the engine temperature rises too quickly, the IoT application can shutdown the machine directly. If an IoT device is close to an electrical source and thus cabling it can use an ethernet network for communications. But if it is attached to door or window or out in a field, far away from any facility, then it needs some type of wireless communication.

You can hire hackers; you can hire DDOS services too. Why you would want to hire a DDOS service? It is difficult to say as only the criminal mind or otherwise deranged person would know why they would want to inflict damage for sport. Except some hacking is political in nature, in which case the motive is obvious, or even cyberwar such as the ISIS army and its enemies. Some DDOS service providers charge $38 for their botnet rental services. A botnet is a network of thousands of hacked computers. The weak spot here is the vast majority of internet users are ordinary people who do not know that they have been hacked and are unwitting accomplices in this. The reason someone would need to use a third party to launch this type of attack is you need as an attack from one or only a few IP addresses would be easy to shut down by the victim. Incapsula’s “2015 DDoS Threat Landscape” report tells us that that some attacks can last weeks or months. One Idaho kid shut down his school system’s computers for weeks and caused all the kids who took an aptitude test to lose their scores.

There is much reporting in the news this week about the American government’s court order to force Apple to decrypt iPhone 5 belonging to the San Bernardino Islamic terrorists. The journalists report that Apple says that the iPhone is impossible to crack because Apple does not know the encryption key and that entering an incorrect passcode 11 times will cause the phone to wipe the data. But the journalists do not go into any detail why the device cannot be decrypted. So we do that here. In sum, the iPhone cannot be decrypted because iOS generates a random number used as the cryptographic key when the machine is first turned on and after it has been manufactured and the housing close up. Apple does not back the key up to iTunes of the Apple cloud. So Apple does not know that. So, what the FBI wants is that Apple writes and compiles a modified version of iOS onto the device to allow the FBI to brute force attack the code to unlock the phone without erasing the data.  But if you read the technical details, that would seem to be impossible as any tampering with the device, such a replacing the operating system with another or even removing the storage, would erase the encryption keys on the device thus defeating the ability to read the encrypted memory. (A smartphone like the iPhone has no magnetic storage. It’s all solid state storage also called flash storage. So you can think of the whole device as have no storage. It is all memory.)

Mark Twain used to write for the 150 year old The Atlantic magazine. So did lots of other well-known writers. Now the staid old publication has written some cybersecurity news. The Atlantic is known, or was known, for publishing what is called the long-form-narrative article. That means long articles written for people who actually like to read. These are typically 2,000 to 30,000 words long. Now everyone wants all their news in a Tweet and few people read long articles. I met The Atlantic publisher John Sullivan at an event a few years ago where he talked about the future of his magazine, which was and is losing money, as do most publications these days. Someone in the audience said he was one of those Tweeter-type readers who said there was no future in the long form narrative. Mr Sullivan agreed and said that he was going to focus less on the magazine in the future and more on the web site. I challenged both Mr Sullivan and the audience member on that and was very much surprised when Mr Sullivan backed away from his position. I reminded him that the people still do read the long form narrative and cited the famous cases of long form narratives of John Hersey’s “Hiroshima” and Truman Capote’s “In Cold Blood” that made a lasting impact on our culture. I felt pretty good having made this rich, genteel aristocrat recant what he just said.

The EU and USA have reached an agreement on rules that the US government and US business must follow when “requesting or handling the data” of EU citizens. The agreement is agreed in principle while the regulations have yet to be written. The old agreement, called Safe Harbor, was ruled unconstitutional last year by the European Court of Justice. The new agreement is called the Privacy Shield. The new law gives the U.S. Department of Commerce and American Federal Trade Commission the responsibility to make sure that American companies comply with European privacy laws. Obviously the American agencies are going to be more effective than Europeans ones at bringing sanctions against American companies since the regulators and regulated are in the same country. As for what to do when the US government does not follow the rules, of course no one can punish them for doing that. The understanding is that will simply not continue with indiscriminate spying as hey have in the past. They will obtain a warrant and otherwise following the rules set down in both countries when the target is a European person. In addition, the agreement says that Europeans will be given “redress” for violations. That means the EU citizens whose privacy has been violated can appeal to the FTC or Department of Commerce who can levy fines against the offending business. “Violating privacy” here means not following the rules, which are not all written down yet. The outline simply says, “U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”

What is missing in the news coverage of major security hacks is how they work. This is because most newspaper readers and writers are not programmers. But a journalist should be able to explain such things in an easy-to-understand manner so that the ordinary person can understand how high-profile hacking works. We will do that here for one example, and then explain how researchers earned a prize for fixing that. Interestingly the security bug, which was in Google Chrome and Firefox, was found by a different group of researchers who also won a prize for finding that. Typecasting for an actor in Hollywood is the worst thing that can happen. If you saw “Get Shorty” then you know that Danny DeVito said in the film “I almost got typecast.” in reference to a movie in which he played.

That would have turned him into someone like Jeff Goldblum who played a nerdy genius in Jurassic Park  and Independence Day and has been playing a nerdy genius ever since. Once you get typecast like that you would find it hard or impossible to play a role that calls for a different personality thus limiting your career. But typecasting in programming languages means converting an object from one type to another.  For example, a ball can be a volleyball or a tennis ball. So a programmer can create a volleyball and then upcast it to a ball, like this.

FireEye has bought the cyberintelligence firm iSight for $200 million. They had previously bought the cybersecurity research and forensics firm Mandiant to built up their offering. The Wall Street Journal says one reason for the iSight acquisition is to try to prop up its sagging stock price which has slumped 76% this year in light of slowing sales. A cyberintelligence firm is much different that a traditional cybersecurity firm. What they do is use former law enforcement and intelligence agents to tap into their vast network of sources and public and private data feeds to uncovered current and future threats. They even employee hackers, plus they are hackers themselves. Police who have worked for Interpol, the FBI, GCHQ, NSA, or retired CIA officers and military presumably have access to databases of information and contacts inside the intelligence and law enforcement communities that would be useful for flushing out security threats. They would also know which hackers have even been caught and can be coerced or have come over to the the white hat hacking community to work for the good guys. What else do they do?

Brian Krebs is where we turn our attention today. This former Washington Post investigative reporter is not very technical, but he is plugged into cybercriminal news and is usually one of the first to uncover data breaches like the Target retailer attack that companies try to keep secret. This week he reports the fascinating news that criminal gangs in Russia have outsourced translation and extortion services to call centers. Ransomware, for example, attacks people all over the world who speak hundreds of languages.  Russians cannot negotiate payment for all of that in Arabic, Turkish, German, etc.  So they have hired call centers to help shake down their victims. One normally thinks of overseas call centers as providing PC support for harried customers or explaining to someone how to use her new 50 inch LED TV. But companies like CallMeBaby extort hacking victims by charging $10 and more to negotiate the terms or unlocking their locked data files.

Stagefright is an Android vulnerability that some have called the worst Android security problem ever.  A hacker can use this to gain root access to an Android device simply by calling a phone and sending it a specially constructed MP4 media file in an MMS (multimedia message).  MMS messages are processed by WhatsApp, Google Hangouts, or the ordinary Android messenger app. The exploit works by causing an error in the media player which a hacker can use to gain access to memory. This bug impacts Android versions between 2.2 and 5.1.  There are patches available. Plus users can turn off the automatic downloading of videos in those apps.  But not all Android devices are patched yet even though the bug was discovered some months ago in 2015.  This is because patches are pushed out at different schedules by the phone manufacturers and cellular carriers.

France, the country, and Anonymous, the hacktivists, have declared war on ISIS.  President Obama has reluctantly done the same: in his Oval Office address on December 7th, the 74th anniversary of the Japanese attack on Pearl Harbor, Obama used the word “war” for the first time in reference to current events. Of course, Anonymous does not have any aircraft carriers like France, but they are adept at hacking, so could be quite useful in helping cutting off ISIS’s access to the internet and countering some of their propaganda.  Mainly they do this by outing ISIS accounts on social media and hacking their email. That Anonymous, the virtual group, has joined with the USA, France, UK, and Germany, who have actual armies, is something new. Anonymous is usually on the side of anarchists and others who oppose government.  But in a startling piece of largely underreported news, The Independent and other media reported that an Anonymous sect stopped terror attacks in New York and Tunisia by uncovering and reporting those plans to the authorities.

One of the more common types of malware to threaten PC users over the last several years has been ransomware. Covered extensively on this blog, ransomware is malicious code that secretly encrypts the files and folders of an infected computer using state-of-the-art encryption techniques. Once encryption of all files and folders has been completed, the victim is presented with a message that demands a ransom (typically paid in Bitcoin) be paid to receive the key required to unlock these files. In some of the most extreme ransomware variants, there was absolutely no way to retrieve these files without paying the ransom and often, victims were “punished” for not paying up right away because the amount of ransom due in exchange for the decryption key would increase after a set period of time had elapsed. While these types of malware are still a serious threat to PC users around the world, most antivirus software programs have become adept at detecting and blocking the installation of these programs before any damage can be done. As is usually the case when one malware variant is neutralized, hackers have recently devised a new way to leverage the power of ransomware: targeting websites. Rather than hold a single PC for ransom, hackers have created a way to hold the files, pages, and images of a website for ransom – essentially making that website inaccessible until the ransom is paid. The latest threat, originally discovered by the Russian security firm Dr. Web, has been dubbed Linux.Encoder.1. This malware variant specifically targets websites that are powered by the Linux operating system (a common platform used by websites around the world). Popular Web hosting platforms based on Linux include Apache and Nginx and both of these platforms are vulnerable to infection by Linux.Encoder.1. This malware variant is especially dangerous because it is almost impossible to detect using standard antivirus tools.

MySQL database servers, which millions of organizations worldwide rely on for backend database services, could soon be leveraged in massive DDoS attacks because of a dangerous malware variant known as Chikdos. Chikdos was first discovered by Polish cybersecurity experts over two years ago. Chikdos, an extremely dangerous Trojan originally developed to target the Linux operating system, is typically installed through an SSH dictionary attack. By downloading and executing a simple .bot file upon logging into a compromised server, Chikdos is installed primarily as a means to launch DDoS attacks using DNS amplification. Although the original version of Chikdos specifically targeted Linux systems, a more recent version has also been discovered that is capable of infecting the Windows operating system as well. MySQL database servers can be run on either the Linux or the Windows platform. This makes Chikdos especially dangerous as it is capable of affecting practically every MySQL server connected to the Internet (either directly or through an intermediary machine that has already been compromised). When originally analyzed by security researchers, it was determined that Chikdos was created solely for the purpose of launching DDoS attacks against a variety of Web targets. Although DNS amplification is the malware’s attack vector of choice, there are three other attacks possible after a Chikdos infection has occurred. For those unfamiliar with the term, a DNS amplification attack spawns from a request containing 256 random or previously defined queries to the backend database is transmitted to a DNS server.

Over the last several years, malware has been evolving. From the ‘simple’ viruses of just a decade ago to the complex banking Trojan botnets of today - sometimes capable of stealing millions of dollars while evading modern detection methods - malware has become a constantly changing threat. Security researchers scramble to react to new threats while malicious actors work on ways to circumvent the latest security measures. This game never ends and new ways to infiltrate Windows systems appear all the time. Sometimes hackers fall back on old techniques (such as the use of infected macros to exploit vulnerabilities in the Microsoft Office suite). In other instances, hackers are forced to find entirely new methods of distribution and infection in an effort to avoid improved system security and increased consumer awareness about the dangers of malware. Although some of the most popular malware infection vectors right now include malvertising (distributing malware through legitimate advertising networks by embedding malicious code into digital ads) and spam campaigns relying on malicious attachments to spread malicious code, the program or service targeted by the malware changes all the time depending on the vulnerabilities present and the exact goal of the malware campaign. For instance, hackers have started focusing more attacks on Internet of Things (IoT) devices over the last several months. These gadgets (everything from automated thermostats to smart refrigerators) do not offer the same level of security as a PC but can unleash devastating attacks when harnessed by rogue software.

Over the last few years, malware creators have been moving away from traditional malware attacks that target the Windows OS; instead relying on malware specifically designed to infiltrate popular Web browsers. In most cases, the browsers are exploited via known vulnerabilities in common Web browser plugins including Adobe Flash Player, Microsoft Silverlight, and Java. Once a browser has been infected with malicious software, the cybercriminals behind these campaigns have almost limitless access to the PC and any future browsing sessions performed in the affected browser. In response to the increased threat presented by browser-specific malware, browser developers have had to change (radically in some cases) the way security within the browser application is handled. As hackers get better at hiding their malicious applications by using legitimate-sounding file names that have been carefully hidden in obscure directories, browser developers have discovered new ways to locate and quarantine infected code as quickly as possible. Active detection technology and providing a way for browser users to easily disable browser plugins that could put the PC at risk when not needed have made it increasingly difficult for cybercriminals to profit from these “traditional” browser-specific attack vectors. In response to the improved security of popular Web browsers, one group of hackers recently devised a new technique that specifically targets the Chrome Web browser.