Internet threat news

This week Microsoft was given a firm slap across the backside by the European Union for vacuuming up personal data with Windows 10 and showing ads on that platform. The company has 3 months to change their software to stop recording user data.

But one wonders why the EU singled out Microsoft when Google and Facebook have built entire businesses around doing that.

The Internet Advertising Business
Google and Facebook record user data in order to pitch targeted advertising. But Google and Facebook do not sell their data to other companies. They use it for themselves. Twitter allows companies to access general trends, but not specific user data. And some companies can access certain Facebook APIs, with permission from Facebook.

Most other websites, especially media ones like newspapers, sell private data. So do ecommerce companies. So do cell phone companies and even brick and mortar retailers. And companies called data brokers make selling private data their entire business.

WhatsApp, like Facebook, uses OpenSignal opensource to encrypt messages. It encrypts all chat messages and does not need to be turned on.

Here we explain how that works. And we explain how it might be possible to compromise that security by copying a phone’s private key, although reasoning through that it does not seem likely.

WhatsApp Encryption
WhatsApp uses three keys to encrypt messages as they explain in their technical specs.

They say they do not keep a copy of the private keys on their servers. WhatsApp generates the private key on your phone and leaves it there. But they store the public keys on their server.  There is no risk in that, as giving away your public keys is how encryption has always worked.

To understand what that means, imagine you are chatting with someone, say, Fred. You send Fred your public key when you start to chat with him. He uses that key to encrypt messages that only you can read with your private key. Since WhatsApp does not have your private key, they could not read those.

Facebook has rolled out encrypted chat now, shortly after WhatsApp having done the same. They call it Secret Conversations (SC). It is based on the opensource Signal protocol developed by Open Whisper Systems (OWS).

OWS has their own encrypted chat app too, called Signal. It has some notable differences with the Facebook one, a major one being that Signal supports multiple people chatting all at the same time while SC only allows two. When you read below you will see that is a technical limitation imposed by FB. SC also does not allow for encrypted audio, but images sent over SC will be encrypted. Here we take a look at SC and at the Signal protocol.

Bart Ransomware is a new ransomware reported in the media only a few days ago. Proofpoint wrote a detailed technical analysis of it here.

Like other ransomware, this sets the wallpaper to show the ransom message, then directs the user where they can pay the ransom to obtain the passcode to their files. It does not lock the computer screen.
This ransom, at $2,000, is a lot higher than others we have seen.
The name of the ransomware “Bart Doh!” might give a clue as to who wrote it, or at least how old they are.

A couple of years ago thieves descended in large numbers on Chile to replace debit card readers in ATM machines with their own recording device to vacuum up stolen data. This type of crime is called skimming.

They also installed tiny cameras in the ATMs to record the pin as users typed those in.

That crime has fallen off there as banks have incorporated some hardening tactics. After bank hardening in one area, criminals then moved onto other markets where such protections were found to be weak. Such crime is still found, even in developed countries, but it is much less common than before.

Thieves also have another target: POS terminals.

This writer has been saying for years that security products do not work 100% of the time. So there is the need to use several different approaches to cybersecurity.

Even if intrusion detection tools worked 99.99% of the time then all it would take is 9,999 tries for the probability of someone penetrating your defense to equal certainty, i.e. 1 or 100%.

So given that security does not stop hackers, what good does it do to defend against those using the traditional approach of deploying perimeter defenses? It depends on who you ask.  Due diligence requires that you do that. But logic would suggest that you do something else too.

The New York Times says business has come to that conclusion as well. They write, “Most security start-ups seeking funding today have resigned themselves to the inevitability of a breach and are focused more on identifying an attack as it plays out and praying that they can respond before the perpetrator makes off with something important.”

Lots of people who follow cybersecurity news know that hackers stole data on 83 million customers at JP Morgan in 2014. But in a development that does not happen enough, now the hackers have been caught.

Lots of criminal hackers operate from places like Russian and Romanian where they are pretty much beyond the reach of American and Western European law enforcement. But the two hackers who were arrested in the JP Morgan heist are from Israel, a close ally of the USA and other Western nations.

Now the hackers find themselves before a judge in New York City. A US citizen who worked who worked with them is still at large say some press reports. Yet the Wall Street Journal said he was arrested in Russia. He should hope that Russia does not extradite him to the USA as he and his co-conspirators could face up to 20 years in prison.

There is a new exploit that has been found to attack the previously known security weakness in the Android Stagefright multimedia library. The exploit lets a hacker take over an Android device. Here we explain how it works, what versions of Android it affects, and when you can expect it to be fixed on your phone or tablet. It turns out getting the update on your phone can take a long time.

StageFright MPEG Buffer Overflow
The Israeli security firm NorthBit, wrote a new exploit of the Stagefright security weakness. The actual weakness was discovered last year. They named their hack the Metaphor exploit. Here is a video showing it attacking a phone.

In a paper by Hana Be’er of Northbit, the author writes that attacking Stagefright was “... a feat previously considered incredibly difficult to reliably perform.” Sounds like he is bragging.  

The weakness affects Android version 2.2-4.0 and 5.0-5.1

It’s too bad most people don’t use Ubuntu. While your mom would not understand it, maybe your sister would. Because Windows has too many security vulnerabilities. It also has more viruses, because it has more users, so it is a bigger target. Yet the weakest part of any system, Windows or not, remains people. People is how this exploit we describe here works.

Hackers Exploit Fear
Hackers have found a new way to prey on people. It’s mainly delivered via phishing attacks. And like most phishing attacks it’s based on fear, greed, lust, curiosity, and people’s lack of understanding of how computers really work.

Hackers have been planting malware that prompts people to call fake technical support sites. It does this by, for example, popping up fake messages that say their version of Windows is expired, such as 'Windows Activation Pro scam' or 'Your Software Copy is expired scam'. Different versions of this lock the screen too.

Oscar winning documentary filmmaker Laura Poitras has a new film. It’s about Julian Assange, the WikiLeaks founder. She was at the Cannes Film Festival previewing it this week.   

In case you do not know who Laura Poitras is, she is the documentary film maker who Edward Snowden first contacted when he was seeking a journalist to publish NSA secrets in 2013. Laura later was overshadowed by The Guardian newspaper reporter Glenn Greenwald who Snowden contacted after her. Greenwald, who initially ignored Edward Snowden, became more famous, no doubt because he works for that large newspaper and got a large audience for his articles. But both served equal roles in getting Snowden’s work published.  

Greenwald and Poitras flew to Hong Kong to meet Snowden. The rest is history, with which you are no doubt well aware.

Laura’s film about Edward Snowden is called “Citizenfour.” It is a minute-by-minute account of that meeting in Hong Kong and the successful effort by the journalists to get Snowden’s documents published and keep Snowden by being whisked away from the Americans and hauled off the jail. Although Snowden as a former CIA and NSA employee had more knowledge about how to avoid that than they did.

Hackers have for the second time stolen money from banks using the SWIFT payment system. Now we have some technical details about the first attack.

Usually when hacking news breaks the technical details are not given to the public. Often law enforcement tells the victim to keep those secret. Yet the security community operates in the opposite direction, believing by publishing the details of hacking that other people can protect against those methods. So we explain that here.

SWIFT
SWIFT is the decades old payment system that banks use to write transfer money to each other. It is several orders of magnitude larger than something for consumer use like PayPal. SWIFT is what companies use to move hundreds of millions of dollars around and governments use to make bond payments.  

In February hackers convinced the New York Federal Reserve Bank to wire $81 million to a bank in Bangladesh. The Feb was curious about that transaction so they contacted the bank who initiated the transaction to verify that. Hackers made it look like the bank gave its approval.

The Fed is part of the US government and not a private bank. The dominate the US federal financial system and is some regards the financial system for the whole world. So that they were tricked says a lot.

The US Military has their own cybersecurity organization. It’s called the US Cyber Command. There is one for the Navy, Army, and Air Force.  Their main goal is to protect military communications but they also have attack capabilities. They say they use the same techniques as other hackers to go after targets: phishing, denial of service, and malware. Here we look at one agency, The US Army Cyber Command.

Overlapping Agencies Jockeying for Position
The US Army Cyber Command says their mission is:

“United States Army Cyber Command and Second Army directs and conducts integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries.”

Well, someone who is familiar with how the United States government works and does not work would have doubts about their capabilities. How effective can the US Cyber Command be compared to the NSA, whose capabilities are well known? Both even operate out of the same building outside Washington, but the NSA is a much larger organization and attracts better talent.

You might not know this, but the US Military created much of the encryption technology that we use today, including TOR, the cloaking software used by Edward Snowden and others. They also created SSL and the RSA algorithm. The US Military even invented the internet, in 1969. It was called ARPANET then. And they had a hand in funding everything from the laser to UNIX.

This does not mean that programmers working for the military wrote all of these programs and made all of these devices. Instead the American Department of Defense awarded contracts to mathematicians, companies, and cryotograpers who developed all of this, except Navy programmers wrote TOR.

DES
The Data Encryption Standard was created in 1975 when the NSA solicited proposals for how to protect government data. The NSA is part of the Department of Defense. IBM responded with a proposal. The NSA published their algorithm and put it out for public comment. The best mathematical minds and cryptographers tried to find its weaknesses. A series of back and forth comments led to several revisions so that today we have the AES standard, yet DES remains in use. AES256, for example, is used in all kinds of encryption, like disk drive encryption.

It is a cliché to say it, but you have to think like a criminal in order to defeat a criminal.

Some businesses and organization, from Samsung, to Google, to even the US Military, have come to the rational conclusion that if that you cannot defeat your enemies outright you can buy them off. So that is what they do.

When a hacker, hobbyist, or security researcher finds a security weakness they can either tell the software or hardware producer, out of the goodness of their heart or in exchange for some recognition, or they can keep this secret to themselves and seek to profit from that.

There are several ways to profit. One is to turn to the criminal element and use it for crime. The other is to sell the exploit to companies who gather up and resell those to crooks, governments, and corporations alike. Another is to turn to the bounty bug programs run by the software companies whose bugs they are trying to track down and repair.

Zerodium and other Private Brokers
One bug collector is Zerodium. It is unclear whether Zerodium, who sells flaws to governments and corporations, works for the good guys or the bad guys. Their standing offer is $1 million to anyone who can crack the iPhone. Their motto is “The premium acquisition program for zero-day exploits and advanced cybersecurity research."