Internet threat news

A couple of years ago thieves descended in large numbers on Chile to replace debit card readers in ATM machines with their own recording device to vacuum up stolen data. This type of crime is called skimming.

They also installed tiny cameras in the ATMs to record the pin as users typed those in.

That crime has fallen off there as banks have incorporated some hardening tactics. After bank hardening in one area, criminals then moved onto other markets where such protections were found to be weak. Such crime is still found, even in developed countries, but it is much less common than before.

Thieves also have another target: POS terminals.

This writer has been saying for years that security products do not work 100% of the time. So there is the need to use several different approaches to cybersecurity.

Even if intrusion detection tools worked 99.99% of the time then all it would take is 9,999 tries for the probability of someone penetrating your defense to equal certainty, i.e. 1 or 100%.

So given that security does not stop hackers, what good does it do to defend against those using the traditional approach of deploying perimeter defenses? It depends on who you ask.  Due diligence requires that you do that. But logic would suggest that you do something else too.

The New York Times says business has come to that conclusion as well. They write, “Most security start-ups seeking funding today have resigned themselves to the inevitability of a breach and are focused more on identifying an attack as it plays out and praying that they can respond before the perpetrator makes off with something important.”

Lots of people who follow cybersecurity news know that hackers stole data on 83 million customers at JP Morgan in 2014. But in a development that does not happen enough, now the hackers have been caught.

Lots of criminal hackers operate from places like Russian and Romanian where they are pretty much beyond the reach of American and Western European law enforcement. But the two hackers who were arrested in the JP Morgan heist are from Israel, a close ally of the USA and other Western nations.

Now the hackers find themselves before a judge in New York City. A US citizen who worked who worked with them is still at large say some press reports. Yet the Wall Street Journal said he was arrested in Russia. He should hope that Russia does not extradite him to the USA as he and his co-conspirators could face up to 20 years in prison.

There is a new exploit that has been found to attack the previously known security weakness in the Android Stagefright multimedia library. The exploit lets a hacker take over an Android device. Here we explain how it works, what versions of Android it affects, and when you can expect it to be fixed on your phone or tablet. It turns out getting the update on your phone can take a long time.

StageFright MPEG Buffer Overflow
The Israeli security firm NorthBit, wrote a new exploit of the Stagefright security weakness. The actual weakness was discovered last year. They named their hack the Metaphor exploit. Here is a video showing it attacking a phone.

In a paper by Hana Be’er of Northbit, the author writes that attacking Stagefright was “... a feat previously considered incredibly difficult to reliably perform.” Sounds like he is bragging.  

The weakness affects Android version 2.2-4.0 and 5.0-5.1

It’s too bad most people don’t use Ubuntu. While your mom would not understand it, maybe your sister would. Because Windows has too many security vulnerabilities. It also has more viruses, because it has more users, so it is a bigger target. Yet the weakest part of any system, Windows or not, remains people. People is how this exploit we describe here works.

Hackers Exploit Fear
Hackers have found a new way to prey on people. It’s mainly delivered via phishing attacks. And like most phishing attacks it’s based on fear, greed, lust, curiosity, and people’s lack of understanding of how computers really work.

Hackers have been planting malware that prompts people to call fake technical support sites. It does this by, for example, popping up fake messages that say their version of Windows is expired, such as 'Windows Activation Pro scam' or 'Your Software Copy is expired scam'. Different versions of this lock the screen too.

Oscar winning documentary filmmaker Laura Poitras has a new film. It’s about Julian Assange, the WikiLeaks founder. She was at the Cannes Film Festival previewing it this week.   

In case you do not know who Laura Poitras is, she is the documentary film maker who Edward Snowden first contacted when he was seeking a journalist to publish NSA secrets in 2013. Laura later was overshadowed by The Guardian newspaper reporter Glenn Greenwald who Snowden contacted after her. Greenwald, who initially ignored Edward Snowden, became more famous, no doubt because he works for that large newspaper and got a large audience for his articles. But both served equal roles in getting Snowden’s work published.  

Greenwald and Poitras flew to Hong Kong to meet Snowden. The rest is history, with which you are no doubt well aware.

Laura’s film about Edward Snowden is called “Citizenfour.” It is a minute-by-minute account of that meeting in Hong Kong and the successful effort by the journalists to get Snowden’s documents published and keep Snowden by being whisked away from the Americans and hauled off the jail. Although Snowden as a former CIA and NSA employee had more knowledge about how to avoid that than they did.

Hackers have for the second time stolen money from banks using the SWIFT payment system. Now we have some technical details about the first attack.

Usually when hacking news breaks the technical details are not given to the public. Often law enforcement tells the victim to keep those secret. Yet the security community operates in the opposite direction, believing by publishing the details of hacking that other people can protect against those methods. So we explain that here.

SWIFT
SWIFT is the decades old payment system that banks use to write transfer money to each other. It is several orders of magnitude larger than something for consumer use like PayPal. SWIFT is what companies use to move hundreds of millions of dollars around and governments use to make bond payments.  

In February hackers convinced the New York Federal Reserve Bank to wire $81 million to a bank in Bangladesh. The Feb was curious about that transaction so they contacted the bank who initiated the transaction to verify that. Hackers made it look like the bank gave its approval.

The Fed is part of the US government and not a private bank. The dominate the US federal financial system and is some regards the financial system for the whole world. So that they were tricked says a lot.

The US Military has their own cybersecurity organization. It’s called the US Cyber Command. There is one for the Navy, Army, and Air Force.  Their main goal is to protect military communications but they also have attack capabilities. They say they use the same techniques as other hackers to go after targets: phishing, denial of service, and malware. Here we look at one agency, The US Army Cyber Command.

Overlapping Agencies Jockeying for Position
The US Army Cyber Command says their mission is:

“United States Army Cyber Command and Second Army directs and conducts integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries.”

Well, someone who is familiar with how the United States government works and does not work would have doubts about their capabilities. How effective can the US Cyber Command be compared to the NSA, whose capabilities are well known? Both even operate out of the same building outside Washington, but the NSA is a much larger organization and attracts better talent.

You might not know this, but the US Military created much of the encryption technology that we use today, including TOR, the cloaking software used by Edward Snowden and others. They also created SSL and the RSA algorithm. The US Military even invented the internet, in 1969. It was called ARPANET then. And they had a hand in funding everything from the laser to UNIX.

This does not mean that programmers working for the military wrote all of these programs and made all of these devices. Instead the American Department of Defense awarded contracts to mathematicians, companies, and cryotograpers who developed all of this, except Navy programmers wrote TOR.

DES
The Data Encryption Standard was created in 1975 when the NSA solicited proposals for how to protect government data. The NSA is part of the Department of Defense. IBM responded with a proposal. The NSA published their algorithm and put it out for public comment. The best mathematical minds and cryptographers tried to find its weaknesses. A series of back and forth comments led to several revisions so that today we have the AES standard, yet DES remains in use. AES256, for example, is used in all kinds of encryption, like disk drive encryption.

It is a cliché to say it, but you have to think like a criminal in order to defeat a criminal.

Some businesses and organization, from Samsung, to Google, to even the US Military, have come to the rational conclusion that if that you cannot defeat your enemies outright you can buy them off. So that is what they do.

When a hacker, hobbyist, or security researcher finds a security weakness they can either tell the software or hardware producer, out of the goodness of their heart or in exchange for some recognition, or they can keep this secret to themselves and seek to profit from that.

There are several ways to profit. One is to turn to the criminal element and use it for crime. The other is to sell the exploit to companies who gather up and resell those to crooks, governments, and corporations alike. Another is to turn to the bounty bug programs run by the software companies whose bugs they are trying to track down and repair.

Zerodium and other Private Brokers
One bug collector is Zerodium. It is unclear whether Zerodium, who sells flaws to governments and corporations, works for the good guys or the bad guys. Their standing offer is $1 million to anyone who can crack the iPhone. Their motto is “The premium acquisition program for zero-day exploits and advanced cybersecurity research."

Italy is not a country one usually thinks of when they think of hackers or even IT in general. With its perennially slow growing economy and focus on traditional businesses, like wine and sport cars, there are not a lot of startup tech companies there as compared to other places. Nor are there many startup criminal hacker enterprises either, such as one finds in nearby Romania. But Italy is home to one of the most important professional hacking companies used by governments, known simply as Hacking Team. They call their product Galileo.

The company makes no secret of who their target customers are. They headline their website with with “The Hacking Suite for Governmental Interception,” underlining that with, “We believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

Usually espionage firms keep a low profile. But The Hacking Team was shoved into the public limelight by one highly embarrassing data leak. In 2015, a hacker stole internal emails and their valuable source code and put it on bittorrent sites.

An article in The New York Times in March of 2016 explained that one of the 2015 Paris Terror Attackers was shown two things when he first met up with his ISIS handlers: how to fire an assault rifle and how to use TrueCrypt encryption software. The terrorist recruit was given a USB drive with TrueCrypt installed. He was instructed to download encrypted messages from a shared cloud drive in Turkey and then use TrueCrypt to decrypt those and use it again to upload replies. The terrorist understood those instructions since he was a computer technician.

The newspaper speculated that terrorist was told not to use email as that would make it easier for spies to track the terrorist group’s physical location by giving away the IP addresses of any emails they might intercept, which are listed clearly in the email headers.

As you probably have already heard, the FBI sued Apple because Apple refused its demand to unlock an iPhone 5C belonging to the San Bernardino terrorists. But what is new and shocking is that Apple withdrew its suit because they figured out how to unlock the phone themselves.  

In the past law enforcement and intelligence agencies around the world routinely sent captured phones to Apple and Google’s headquarters where the phones were unlocked. At that time Apple and Google kept a serial number that was shipped with the phone. This number together with the passcode created by the user created an unbreakable encrypted value. Calculate that and you could unlock a locked phone perhaps by plugging in a cable. But then Apple changed the iPhone, as did Google, where they no longer kept a copy of that value. They did that because customers and privacy activists demanded that after the Edward Snowden leaks. Then the manufacturers said they could not assist the police and spies anymore as it was technically impossible because they had got rid of that back door.

There are two items on the internet that you need to see if you follow security. First there is this film on Youtube that gives the history of Linux. And then there is story in The Washington Post that explains that some people are concerned that the people who maintain the Linux kernel are not fixing security problems there. The procedure to fix bugs in the Linux kernel is so slow that the newspaper calls it “evolutionary.”

To understand the controversy, and to decide for yourself whether there are security problems with Linux, you have to look at the history of how it was developed and who maintains it now.

There are two people behind the Linux operating system: Richard Stallman and Linus Torvalds.

What Richard Stallman did was start the project to write the GNU operating system, which we now call Linux. He is annoyed that people do not call it by its correct name, GNU/Linux.  But he is happy to have reached his overall goal, which to write something and give it away for free.   

Richard Stallman started the GNU organization with the idea that no one should have to pay for Microsoft Windows or any version of UNIX, like Solaris. (AT&T invented UNIX but did not give it away or turn it into a commercial product.) Now lots of software is distributed under what is called the GNU license, meaning it is free if when you change that you are willing to give those changes away for free as well so they can be added back into the product.