Internet threat news

Last week we wrote about a massive DDoS attack on DYN.com that cut off access to Netflix, Amazon, and many other sites for users in large parts of the USA. Now we know that this was caused by IoT devices.

IoT (The Internet of Things) is a technology that is rolling out quickly. What this does is connect everything from smart home appliances to industrial machinery and even physical inventory to the cloud. The idea is to both monitor offices, homes, buildings, traffic, manufacturing, medical patients, and agriculture, but also control those devices.

IoT has taken off in recent years because of the plunging cost of technology and the growth of companies that have made it easier to connect many of these devices to their clouds. Companies exist to let manufacturers and other companies control hundreds or thousands of IoT devices from the cloud. Home IoT systems for the most part operate without a cloud central-control mechanism.

An IoT device is usually some kind of sensor, like humidity or motion, plus a computing card and controller. These computing cards are, for example, Raspberry Pi or Intel Edison computing cards that for the most part run some version of Linux. The cards are not much larger than a wallet.

Someone, no one is quite sure who, yet, has managed to take Twitter, SoundCloud, Spotify, Shopify, and other sites offline using a DDoS (distributed denial of service) attack this week. The outage affected much of the USA and parts of Europe.

These sites are all customers of Dyn.com. They are a company that operates a massive DNS system around the world that lets companies failover from one set of servers to another and provides redundancy. It also serves as a content distribution network (CDN) to reduce latency by locating data closer to users by locating that around the world.

The US government is responding to this attack by questioning whether this is a criminal DDoS attack, as Brian Krebs and others have speculated, or a state cyberattack. Congressmen on Capitol Hill have raised questions about that and the White House has gotten involved.

This comes on the heels of allegations, and apparently proof as well, that the Russian government has been hacking into the computer systems at Hillary Clinton’s presidential campaign and the Democratic Party headquarters. Pundits on TV, in the news, and the Clinton campaign say Russian President Putin’s goal is to embarrass Secretary Clinton, thus favoring Donald Trump.

An activist in the Middle East in August of this year noticed odd text messages coming to his phone. It turns out that those were instructions coming from the command and control center for Pegasus Spyware telling the Spyware what actions to take.

The activist alerted Citizen Lab who contacted the Lookout security firm. What they found was spyware. Lookout wrote this technical analysis giving details of how the spyware works.

State-level Hackers for Hire
NSO Group is an Israeli firm that wrote Pegasus. It affects iOS up to version 9.3.5. Pegasus lets whoever is using it bypass iOS security and gain access to virtually all data on the phone including audio, video, contacts, GPS location, passwords, Wi-Fi router password, text messages, and messages and email from from Gmail, Facebook, Skype, WhatsApp, and other programs.

NSA employee Harold T. Martin III has been taken to jail for allegedly stealing documents, files, and maybe devices from the NSA intelligence agency. While there has been some speculation that he might have been the source who leaked a vast amount of NSA tools on the internet recently, including the NSA’s best hacking tools, current reports say he might have just been collecting this information with no particular intention of selling it. So he might have just been curious and a collector of such things.

That Mr Martin worked for Booz Allen Hamilton brings new scrutiny to that government contractor, because Edward Snowden worked there too.

So let’s take a look at Booz Allen Hamilton (BAH) and the government contracting business in Washington and you will get an understanding of why the NSA, FBI, and Pentagon probably do not operate as efficiently as shown in the movies.

Recently the American government issued guidelines for driverless vehicles. This creates national standards so that car manufacturers do not have to figure out how to follow 50 different laws in 50 different states. Analysts have said these rules seek to make this market grow without imposing a heavy regulatory burden. Many of the details are left up to the manufacturers to design and implement.

Google has long been operating self-driving cars. Uber has self-driving taxis operating in Pittsburgh, Pennsylvania.  And Tesla has self-driving electric cars. All of these let the driver take control when needed. Ford announced it is building Fusion Hybrid driverless vehicles that do not even have a steering wheel. So there will be no way that passengers can take control of the vehicle.

The fear is that a hacker can take control of a car and drive it into a wall.

Cambridge University researcher Sergei Skorobogatov demonstrated that he can brute force attack the passcode screen lock feature on the iPhone 5c. He did this by physically opening up the iPhone and then making a copy of the memory chip which he then connected to the phone using wires. Then he said you could enter every 4 digit passcode from 0001 to 1111 manually until you unlocked the phone. He did not actually do that as it would take 20 hours. Instead he proved it would work. The goal was to use copies of the memory chip, because if the security feature is enabled the iPhone erases the memory after 6 failed attempts.

The paper he wrote explaining the process is here. And a YouTube video of him demonstrating the procedure is here.

The FBI wanted to try this type of attack against iPhone owned the San Bernardino terrorists. The FBI director said, “It did not work.” Then they paid a security firm $1.3 million for their secret technique.

You might have noticed that so many security updates pushed out to Windows include updates to Adobe Flash.

Adobe Flash is a security risk that will not go away. Steve Jobs famously fought this web video player, because he did not want the Safari browser dependent on a third-party product. He even wrote an essay in 2010, that you can read here, explaining why Flash would never run on iOS or Mac OS. (Although Adobe wrote instructions for how to enable it there, since otherwise lots of media content would not work.)

Jobs and others pushed for an upgrade to the HTML standard to HTML5 to support video without Flash. That took some years to roll out. HTML5 supports the <VIDEO> and <AUDIO> HTML tags. That causes a browser to play a video or audio using its own native ability to do that. But many websites still use <EMBED> and <OBJECT> HTML which launches the Adobe Flash or Adobe Shockwave plugins.

The newspapers have finally reported what thinking people have already figured out for themselves. What we have been told for decades about setting password policies is based on illogical thinking.

The Fallacy of the Complicated Password
If you have set up Active Directory, LDAP, or any application with its own user store then you probably have seen that you can write password rules. Typically those rules require that passwords have a certain number of uppercase letters, numbers, and non-alphabet letters .  They also require a certain length.  Some even require that the password contain no words from the dictionary.

The result is instead of having passwords like “password123” or “name_of_pet.” They have something like “$%Lxxhh3.”

But that is only difficult for a human being to remember. Punctuation symbols and odd characters are not complicated for a computer.

Ransomware is based on the idea that the victim cannot decrypt their encrypted files with a key because it would be impossible to guess the value of the key. The hacker who has encrypted a file like this will sell the victim this key.

So you could say that they have held their file hostage and are demanding ransom, which is why they call it ransomware.

Ransomware Cryptography Explained
It might seem counterintuitive that the output of an encrypted file is text even if the input is not. That is because the bits in the file are what is encrypted, and bits are just numbers.

Hackers this week stole 800,000 user tokens from Epic Games. Much of that was Facebook data.  

When you go to a website that lets you login with your Google or Facebook credentials, that site exchanges data with Google or Facebook. Those social media sites issues some kind of token, which you can think of as a session ticket. That is what lets you log in.

Obviously that data exchange point is a good spot for hackers to lurk as those tokens can be used to spoof user credentials. In other words, they can pretend to be that user if they have those session tickets.

This is not usually a concern with, for example, SSL web session tokens. That is because those are set to timeout. Also because of the certificate chain-of-authority, those cannot be used by a third party. This is because the hacker cannot fake being a valid person at the end of the chain.

In what is a truly embarrassing event for America’s signal intelligence service, hackers got their hands on a massive set of hacking tools belonging to of the NSA. The hacking group, called the Shadow Brokers, put part of this online for free to show that it was genuine. Now they are selling the rest.

These files are the kind of industrial-strength hacking tools that espionage firms would have sold to the NSA, those that the NSA bought on the black market, and those that the NSA might have developed themselves and with contractors.

Cisco Firewall Exposed
The set of tools include rather common tools for everything from sniffing TCP traffic to far more advanced tools that exploit zero-day defects. To recall, “zero-day defect” means software vulnerabilities that the software or hardware vendor does not yet know about. So they can be exploited by hackers.

If computers get hacked because of weaknesses in the operating system then why not remove the operating system to make them more secure?

That’s the simple principle behind ChromeOS, the open source operating system sponsored by Google.

There is only one program on ChromeOS: that is the Chrome browser. Everything else, like the ssh plugin, is a browser extension that you can get from the Chrome marketplace here. (You can see which extensions you have in Chrome by typing chrome://extensions/.)

Naked ChromeOS
Of course ChromeOS is an operating system too, since the Chrome browser cannot run by itself. There needs to be some software in place to respond when the power is turned on and to interact with the screen and storage and where someone plugs in a USB device.

There have been some high profile incidents of cell phone hacking some years ago. For example, the former Speaker of the House of Congress in the USA Newt Gingrich was hacked when an older married couple used a simple radio scanner to listen in on his calls.  But you do not hear about such hacking much anymore, even though the GSM cellular standard still has the known weakness in its encryption algorithm.

Hacking the speaker was made easier because the American cell phone technology is a mix of technologies. That market is different from the rest of the world. There are three cell phone standards there: CDMA, GSM, and IDEN. The USA is where cellular technology was invented—at AT&T Bell Laboratories, which made so many important inventions, like UNIX, C, C++, the laser, microwaves, and the transmitter—so it makes sense that there would have been more than one standard vying to become the dominant standard.

The US has levelled the charge that the Russian government has hacked into the headquarters of the Democrat Party in the USA. They say the Russian goal was to steal political campaign data and give it to presidential candidate Donald Trump to help him against Hillary Clinton.

The assertion is that Russia wanted to help the campaign of Donald Trump. This might be because Donald Trump and Russian president Putin have both said flattering things about each other. Or it might be because the Russians have calculated that Trump is who they want as the American president for reasons having to do with global politics. Whatever their goal, this action certainly has worked in Trump’s favor.

Whoever stole the emails gave them to WikiLeaks where they are now online where anyone can search them. WikiLeaks founder Julian Assange said that Russia was not involved. Obviously it would have been Assange who would have negotiated handing this data over from whoever took it. So he should know or perhaps could know.