Internet threat news

Ransomware is malware that encrypt data files that can only be decrypted when the data file owner pays a ransom. The only recovery method is to go to a backup. Guessing the password to unlock the file is for all practical purposes impossible because of the nature of cryptography. Regarding defenses the only good defense is to make lots of backups and to train users not to click on phishing emails. Antivirus software might help, but certainly will not work in all cases.

The way that ransomware works (for example TeslaCrypt, CryptoWall, Locky, Crypt0L0cker and Cerber) is it scans the user’s drive and encrypts each files using an encryption key that only the hacker knows. It also sets up some kind of communication channel so that is can alert the hacker that it has found a victim. It also adds software code to the encrypted file that causes a screen to pop up when a user opens it. This screen both tells the user that their data is locked and provides a screen where the user can enter the code to unlock it and where to go to pay the ransom.

If you were a Martian and landed on earth, somewhere in the USA, you would think there is some kind of war going on over there as there is violence and violent protests. There are Black Lives Matter protests because of police shooting black people. Armed men have taken over federal lands out west to protest restrictions on their ability to graze cattle where they want.  And then there are Donald Trump’s political rallies where violence has broken out too.

It does not matter to us what your politics are. We don’t care what you think about Donald Trump. What we do here is report the news and the new this week is that the hacker group Anonymous has targeted Donald Trump. You can see their declaration of war here on YouTube.

As IoT (The Internet of Things) grows, obviously security risks associated with that are going to grow too.  Let’s take a look at some of the wireless protocols that IoT use and see which of them might have security weaknesses. IoT applications transfer data from sensors to the IoT cloud application where that data can can be analyzed and processed. In some applications the IoT app sends instructions in the other way, back down to the IoT device, so that it can send instructions to the machine to which they are attached or do maintenance items like download and install software updates on the IoT computer card. Examples of this are industrial monitoring, vehicle fleet maintenance, and home automation. For example, a fleet monitoring system can monitor a truck’s brake temperature to alert the operator when it is time to replace brakes. As an other example, sensors can monitor a diesel generator for vibration. An increase in vibration would indicate an increased load on the motor thus indicating some kind of maintenance is need on whatever the engine is attached to. If the engine temperature rises too quickly, the IoT application can shutdown the machine directly. If an IoT device is close to an electrical source and thus cabling it can use an ethernet network for communications. But if it is attached to door or window or out in a field, far away from any facility, then it needs some type of wireless communication.

You can hire hackers; you can hire DDOS services too. Why you would want to hire a DDOS service? It is difficult to say as only the criminal mind or otherwise deranged person would know why they would want to inflict damage for sport. Except some hacking is political in nature, in which case the motive is obvious, or even cyberwar such as the ISIS army and its enemies. Some DDOS service providers charge $38 for their botnet rental services. A botnet is a network of thousands of hacked computers. The weak spot here is the vast majority of internet users are ordinary people who do not know that they have been hacked and are unwitting accomplices in this. The reason someone would need to use a third party to launch this type of attack is you need as an attack from one or only a few IP addresses would be easy to shut down by the victim. Incapsula’s “2015 DDoS Threat Landscape” report tells us that that some attacks can last weeks or months. One Idaho kid shut down his school system’s computers for weeks and caused all the kids who took an aptitude test to lose their scores.

There is much reporting in the news this week about the American government’s court order to force Apple to decrypt iPhone 5 belonging to the San Bernardino Islamic terrorists. The journalists report that Apple says that the iPhone is impossible to crack because Apple does not know the encryption key and that entering an incorrect passcode 11 times will cause the phone to wipe the data. But the journalists do not go into any detail why the device cannot be decrypted. So we do that here. In sum, the iPhone cannot be decrypted because iOS generates a random number used as the cryptographic key when the machine is first turned on and after it has been manufactured and the housing close up. Apple does not back the key up to iTunes of the Apple cloud. So Apple does not know that. So, what the FBI wants is that Apple writes and compiles a modified version of iOS onto the device to allow the FBI to brute force attack the code to unlock the phone without erasing the data.  But if you read the technical details, that would seem to be impossible as any tampering with the device, such a replacing the operating system with another or even removing the storage, would erase the encryption keys on the device thus defeating the ability to read the encrypted memory. (A smartphone like the iPhone has no magnetic storage. It’s all solid state storage also called flash storage. So you can think of the whole device as have no storage. It is all memory.)

Mark Twain used to write for the 150 year old The Atlantic magazine. So did lots of other well-known writers. Now the staid old publication has written some cybersecurity news. The Atlantic is known, or was known, for publishing what is called the long-form-narrative article. That means long articles written for people who actually like to read. These are typically 2,000 to 30,000 words long. Now everyone wants all their news in a Tweet and few people read long articles. I met The Atlantic publisher John Sullivan at an event a few years ago where he talked about the future of his magazine, which was and is losing money, as do most publications these days. Someone in the audience said he was one of those Tweeter-type readers who said there was no future in the long form narrative. Mr Sullivan agreed and said that he was going to focus less on the magazine in the future and more on the web site. I challenged both Mr Sullivan and the audience member on that and was very much surprised when Mr Sullivan backed away from his position. I reminded him that the people still do read the long form narrative and cited the famous cases of long form narratives of John Hersey’s “Hiroshima” and Truman Capote’s “In Cold Blood” that made a lasting impact on our culture. I felt pretty good having made this rich, genteel aristocrat recant what he just said.

The EU and USA have reached an agreement on rules that the US government and US business must follow when “requesting or handling the data” of EU citizens. The agreement is agreed in principle while the regulations have yet to be written. The old agreement, called Safe Harbor, was ruled unconstitutional last year by the European Court of Justice. The new agreement is called the Privacy Shield. The new law gives the U.S. Department of Commerce and American Federal Trade Commission the responsibility to make sure that American companies comply with European privacy laws. Obviously the American agencies are going to be more effective than Europeans ones at bringing sanctions against American companies since the regulators and regulated are in the same country. As for what to do when the US government does not follow the rules, of course no one can punish them for doing that. The understanding is that will simply not continue with indiscriminate spying as hey have in the past. They will obtain a warrant and otherwise following the rules set down in both countries when the target is a European person. In addition, the agreement says that Europeans will be given “redress” for violations. That means the EU citizens whose privacy has been violated can appeal to the FTC or Department of Commerce who can levy fines against the offending business. “Violating privacy” here means not following the rules, which are not all written down yet. The outline simply says, “U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”

What is missing in the news coverage of major security hacks is how they work. This is because most newspaper readers and writers are not programmers. But a journalist should be able to explain such things in an easy-to-understand manner so that the ordinary person can understand how high-profile hacking works. We will do that here for one example, and then explain how researchers earned a prize for fixing that. Interestingly the security bug, which was in Google Chrome and Firefox, was found by a different group of researchers who also won a prize for finding that. Typecasting for an actor in Hollywood is the worst thing that can happen. If you saw “Get Shorty” then you know that Danny DeVito said in the film “I almost got typecast.” in reference to a movie in which he played.

That would have turned him into someone like Jeff Goldblum who played a nerdy genius in Jurassic Park  and Independence Day and has been playing a nerdy genius ever since. Once you get typecast like that you would find it hard or impossible to play a role that calls for a different personality thus limiting your career. But typecasting in programming languages means converting an object from one type to another.  For example, a ball can be a volleyball or a tennis ball. So a programmer can create a volleyball and then upcast it to a ball, like this.

FireEye has bought the cyberintelligence firm iSight for $200 million. They had previously bought the cybersecurity research and forensics firm Mandiant to built up their offering. The Wall Street Journal says one reason for the iSight acquisition is to try to prop up its sagging stock price which has slumped 76% this year in light of slowing sales. A cyberintelligence firm is much different that a traditional cybersecurity firm. What they do is use former law enforcement and intelligence agents to tap into their vast network of sources and public and private data feeds to uncovered current and future threats. They even employee hackers, plus they are hackers themselves. Police who have worked for Interpol, the FBI, GCHQ, NSA, or retired CIA officers and military presumably have access to databases of information and contacts inside the intelligence and law enforcement communities that would be useful for flushing out security threats. They would also know which hackers have even been caught and can be coerced or have come over to the the white hat hacking community to work for the good guys. What else do they do?

Brian Krebs is where we turn our attention today. This former Washington Post investigative reporter is not very technical, but he is plugged into cybercriminal news and is usually one of the first to uncover data breaches like the Target retailer attack that companies try to keep secret. This week he reports the fascinating news that criminal gangs in Russia have outsourced translation and extortion services to call centers. Ransomware, for example, attacks people all over the world who speak hundreds of languages.  Russians cannot negotiate payment for all of that in Arabic, Turkish, German, etc.  So they have hired call centers to help shake down their victims. One normally thinks of overseas call centers as providing PC support for harried customers or explaining to someone how to use her new 50 inch LED TV. But companies like CallMeBaby extort hacking victims by charging $10 and more to negotiate the terms or unlocking their locked data files.

Stagefright is an Android vulnerability that some have called the worst Android security problem ever.  A hacker can use this to gain root access to an Android device simply by calling a phone and sending it a specially constructed MP4 media file in an MMS (multimedia message).  MMS messages are processed by WhatsApp, Google Hangouts, or the ordinary Android messenger app. The exploit works by causing an error in the media player which a hacker can use to gain access to memory. This bug impacts Android versions between 2.2 and 5.1.  There are patches available. Plus users can turn off the automatic downloading of videos in those apps.  But not all Android devices are patched yet even though the bug was discovered some months ago in 2015.  This is because patches are pushed out at different schedules by the phone manufacturers and cellular carriers.

France, the country, and Anonymous, the hacktivists, have declared war on ISIS.  President Obama has reluctantly done the same: in his Oval Office address on December 7th, the 74th anniversary of the Japanese attack on Pearl Harbor, Obama used the word “war” for the first time in reference to current events. Of course, Anonymous does not have any aircraft carriers like France, but they are adept at hacking, so could be quite useful in helping cutting off ISIS’s access to the internet and countering some of their propaganda.  Mainly they do this by outing ISIS accounts on social media and hacking their email. That Anonymous, the virtual group, has joined with the USA, France, UK, and Germany, who have actual armies, is something new. Anonymous is usually on the side of anarchists and others who oppose government.  But in a startling piece of largely underreported news, The Independent and other media reported that an Anonymous sect stopped terror attacks in New York and Tunisia by uncovering and reporting those plans to the authorities.

One of the more common types of malware to threaten PC users over the last several years has been ransomware. Covered extensively on this blog, ransomware is malicious code that secretly encrypts the files and folders of an infected computer using state-of-the-art encryption techniques. Once encryption of all files and folders has been completed, the victim is presented with a message that demands a ransom (typically paid in Bitcoin) be paid to receive the key required to unlock these files. In some of the most extreme ransomware variants, there was absolutely no way to retrieve these files without paying the ransom and often, victims were “punished” for not paying up right away because the amount of ransom due in exchange for the decryption key would increase after a set period of time had elapsed. While these types of malware are still a serious threat to PC users around the world, most antivirus software programs have become adept at detecting and blocking the installation of these programs before any damage can be done. As is usually the case when one malware variant is neutralized, hackers have recently devised a new way to leverage the power of ransomware: targeting websites. Rather than hold a single PC for ransom, hackers have created a way to hold the files, pages, and images of a website for ransom – essentially making that website inaccessible until the ransom is paid. The latest threat, originally discovered by the Russian security firm Dr. Web, has been dubbed Linux.Encoder.1. This malware variant specifically targets websites that are powered by the Linux operating system (a common platform used by websites around the world). Popular Web hosting platforms based on Linux include Apache and Nginx and both of these platforms are vulnerable to infection by Linux.Encoder.1. This malware variant is especially dangerous because it is almost impossible to detect using standard antivirus tools.

MySQL database servers, which millions of organizations worldwide rely on for backend database services, could soon be leveraged in massive DDoS attacks because of a dangerous malware variant known as Chikdos. Chikdos was first discovered by Polish cybersecurity experts over two years ago. Chikdos, an extremely dangerous Trojan originally developed to target the Linux operating system, is typically installed through an SSH dictionary attack. By downloading and executing a simple .bot file upon logging into a compromised server, Chikdos is installed primarily as a means to launch DDoS attacks using DNS amplification. Although the original version of Chikdos specifically targeted Linux systems, a more recent version has also been discovered that is capable of infecting the Windows operating system as well. MySQL database servers can be run on either the Linux or the Windows platform. This makes Chikdos especially dangerous as it is capable of affecting practically every MySQL server connected to the Internet (either directly or through an intermediary machine that has already been compromised). When originally analyzed by security researchers, it was determined that Chikdos was created solely for the purpose of launching DDoS attacks against a variety of Web targets. Although DNS amplification is the malware’s attack vector of choice, there are three other attacks possible after a Chikdos infection has occurred. For those unfamiliar with the term, a DNS amplification attack spawns from a request containing 256 random or previously defined queries to the backend database is transmitted to a DNS server.