Archive for the Commentary Category

Middle Eastern Arline Appears To Troll US Government On Twitter

Posted in Commentary with tags on March 24, 2017 by itnerd

I’m not sure that this is such a good idea given the current political climate. But Royal Jordanian Airlines is using Twitter to take a unique spin on the electronics ban. First they gave flyers the info that they needed to know:

Then they took an “interesting” look at what to do when you don’t have your laptop or tablet on a very long flight:

Some of this is humor, but number 12 could be seen as a bit of a dig at the electronics ban that may not go over too well with those in Washington. But it underscores the fact that some people, including yours truly and possibly this airline, have wondered about the logic of this ban. After all, are you any safer if a laptop with a bomb in it is in a cargo hold versus a cabin? Plus there’s the fact the optics of this are not that good as this electronic ban only targets airlines from Muslim majority countries. So perhaps Royal Jordanian Airlines has decided that because of all of that, they are going to use to express their displeasure in a way that has some degree of plausible deniability to it. Whatever the logic behind this, if they are trolling the US Government, it is kind of funny.

Advertisements

Turkish Crime Family iCloud Data Provided To ZDNet Proven To Be Valid

Posted in Commentary with tags on March 24, 2017 by itnerd

It may be a bit too early to blow of the so called Turkish Crime Family and their threat to cause digital harm to millions of iCloud users. I say that because ZDNet posted a story saying that it had received a set of 54 account credentials from the hacker group for “verification” and subsequently reported that all of the accounts were valid, based on a check using Apple’s online password reset function. What’s interesting is that ZDNet also contact each account holder via iMessage to confirm their password, and found that many of the accounts are no longer registered with Apple’s messaging platform. However, of those that could be contacted, 10 people who were all based in the U.K. confirmed that the passwords were accurate, and they have changed them as a result.

Now these passwords could have been acquired in a number of ways. For example, Yahoo gets hacked and because people tend to use the same password for everything, the rest of their digital lives is under threat. It doesn’t prove that the so called Turkish Crime Family have pwned Apple at all. Which would be consistent with what Apple said yesterday. Also, it is entirely possible that this is all that they have. I say that because of this:

A person representing the group, who is allegedly no longer a member, told me that the data is “handled in groups”, but would not explain how or why. The hackers refused to hand over a US-based sample of accounts

My $0.02 worth? There is a strong likelihood that this is bogus. If someone had some sort of epic exploit on a company like Apple, they’d be asking for way more than $75,000 and they would have provided far more proof that Apple had been pwned. That isn’t the case here. But it doesn’t mean that you shouldn’t take precautions. You should look at your iCloud account in terms of how secure it is. Consider using a strong password that is distinct from other passwords that you have and enabling two factor authentication to ensure that you are as secure as possible. After all, you should do everything possible to avoid getting pwned by this group or any other group of hackers.

Guest Post: Eight cyber-threats legacy tools are missing

Posted in Commentary with tags on March 24, 2017 by itnerd

By: David Masson, Canada Country Manager, Darktrace

Some of the most sophisticated cyber-attacks have a common trait – they go unnoticed for weeks, months, or even years until they have caused irreparable monetary and reputational damage. More often than not, the evidence of infiltration was present – but perimeter defenses proved insufficient in detecting them until it was too late.

To give a sense of the kinds of threats that legacy tools miss, I’ve compiled a list of real-world incidents that our AI-powered technology caught but went undetected by a traditional security system. There are a near-infinite number of ways that modern attackers can compromise a network, but here are eight of the more glaring vulnerabilities we’ve detected:

  1. Insider threat: An employee with system administrator privileges decided to leave for a new job. His company had explicit restrictions on cloud usage, but as an administrator, the employee could change the rules about who could access the cloud and from where. The employee attempted to exfiltrate data from the cloud before departing, but because Darktrace provided complete visibility across the entire network infrastructure, including the cloud, the suspicious behavior was spotted. As a result, the company was able to better manage the employee’s departure.
  2. Ransomware: An attacker sent an email containing a fake invoice, supposedly coming from a trusted stationary supplier. An administrative assistant opened the attachment, and JavaScript within the document connected the computer to a server in Ukraine. Within minutes, the downloaded malware began to encrypt company files. Darktrace found the attack by identifying both the connection and download as major deviations from the user and device’s normal ‘pattern of life’, allowing the company to quarantine the infected device before damage could be done.
  3. Compromised video equipment: After a video conferencing unit started to behave strangely, it was determined that a remote attacker had compromised the camera and was sending data outside the network. The attacker moved laterally through the network and attempted to locate Point of Sale (PoS) devices, and they could have been exfiltrating sensitive audio and video. Darktrace detected the compromise after the device initiated a large upload to rare external IPs and began communicating with internal computers that it rarely connected to. Once this behavior was identified, the company immediately disconnected the camera.
  4. Penetration Testing Vulnerability: Darktrace detected a company device updating a penetration testing tool used for attacks on web services. This particular device had never used the pen testing software in the past. Over the next few days, several anomalous behaviors were detected inside the network, including two corporate devices that tried and failed to log in using administrative credentials and an SQL injection attack. The attacks were not associated with any known threat signatures, so they went unnoticed by legacy tools, but Darktrace identified the failed login attempts and the SQL injection attack as highly anomalous behavior for the network.
  5. Credential theft: A healthcare company became infected with a strain of malware built to steal user credentials. Once on the network, the malware spread by copying programs into sensitive folders on other devices and guessing login details. Every infected device was sending programs to sensitive folders on other devices at speeds faster than users could possibly have been acting. The devices were also trying to communicate with a suspicious third-party infrastructure. This particular malware used advanced stealth techniques that allowed it to avoid traditional network defenses, but Darktrace recognized the copied programs and the forced access of password managers as abnormal compared to normal network activity.
  6. Self-modifying malware: Many sophisticated attacks contain ‘active defense mechanisms’ that allow them to avoid detection by traditional cyber security monitoring. In this case, the attacker used the ‘Smoke Malware Loader’ tool, a password grabber that protects itself from detection by evolving its threat signature in real-time and generating fake, redundant traffic. By combining various anomalous factors, including the initial incoming file and beaconing to an external device, Darktrace built a detailed understanding of this highly evolved operation, and quickly determined it was threatening behavior.
  7. BitTorrent risks: Certain types of malware can break themselves up into pieces and attach to bits of torrented files, essentially distributing themselves amongst millions of data packets. In this example, a device contacted a BitTorrent network via SSH – a powerful administrative protocol which an attacker exploited to remotely control the infected device and use it as an entry point into the network. Without quick action, this infection could have developed into a serious security breach. Darktrace identified the BitTorrent behavior and the beaconing activity as highly unusual compared to normal network activity.
  8. Biometric scanner vulnerability: To restrict access to their machinery and industrial plants, a manufacturer had a biometric scanner connected to the corporate network. When Darktrace was installed, it flagged unusual Telnet connections to and from the biometric scanner. Once investigated, it was determined that an external party had compromised the scanner and had started to change its data. No signature existed for that threat type, so it would have gone unchecked by legacy controls. Darktrace’s AI defenses identified the breach in time to avoid a physical intrusion and potentially catastrophic damage.

 

 

 

 

Apple Comments On Latest Wikileaks Info Dump

Posted in Commentary with tags on March 24, 2017 by itnerd

Yesterday, Wikileaks did a second info dump which centered around exploits used by the CIA to get into OS X and the fact that the CIA got into the supply chain of iPhone shipments to slip their software onto them. Apple has since come out with a statement that is kind of interesting:

We have preliminarily assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.

We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.

Well….what is in this statement is what I was I was expecting Apple to say as when I read the documents in the dump, it seemed like this was stuff that Apple had already fixed. But one thing to keep in mind is that based on the way the statement is written, they are still looking at this. Thus you can expect that anything that they haven’t already addressed will be fixed very quickly. Another thing to point out is that Apple took the opportunity to take a shot at Wikileaks about their disclosure of the exploits themselves. That’s interesting. I will be interested to see how Wikileaks responds to that.

Wikileaks Does Another CIA Related Info Dump

Posted in Commentary on March 23, 2017 by itnerd

Today, Wikileaks has released “Dark Matter” which is the second information dump meant to highlight the hacking techniques of the CIA. This dump will be of particular interest to Mac users as the documents dumped today claim that the CIA has tools to break into MacBooks and will also survive OS reinstalls. Which implies that they’re firmware based:

Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake” are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

This sounds like an offshoot of the Thunderstrike 2 exploit from a couple of years ago. If so, it should have been patched in OS X 10.10.2. But we’ll have to wait for details to see if that’s true or not.

The other thing that that’s in this info dump is this tidbit that will be of interest to iPhone users:

Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

This sounds far fetched. Except that it isn’t. Upon reading this, I remembered an Ars Technica article that spoke about this exact scenario. In that case the intelligence agency was the NSA and they were loading software that sounds a lot like what’s being described here onto Cisco gear. Thus it makes what’s being described here plausible.

Expect Apple to come out with a statement on this shortly as this for sure will get their attention and generate a lot of questions that they’ll have to answer.

Guest Post: NordVPN Discusses A Swedish ISP Who Is Being Forced To Hand Over 5,300 IP Address Holders

Posted in Commentary with tags on March 23, 2017 by itnerd

Identities of people behind 5,300 IP addresses will be handed over to a known copyright troll, Patent and Market Court of Sweden has ruled. Their crime? Allegedly downloading and sharing movies, such as London Has Fallen, Criminal and September of Shiraz.

Thousands of households will be affected in this new development, where ISPs are forced by a court order to hand over personal identities of thousands of their subscribers.

Swedish ISP Telia will be the first ISP to give away subscriber names to a legal firm representing film producers, but other ISPs, such as Tele2 and Bredbansbolaget are also being targeted to reveal their user personal information.

In a similar development in Australia a couple of years ago, Dallas Buyers Club movie producers went to court demanding the names of thousands of Australians who supposedly downloaded the movie illegally. While the federal judge first ruled in favour of copyright holders, the ruling was later  overturned due to “excessive demands, unsupported by evidence.”

In Sweden last month, this fight led to the first significant victory for copyright holders, as the Court ruled: “There is probable cause of infringement of copyright in the films in that they were made unlawfully made available to the public via file sharing networks.”

“Online privacy is a very fragile thing,” says Marty P. Kamden, CMO of NordVPN (Virtual Private Network). “When your Internet provider can take your data and give it to court for criminal prosecution, you become identified as a potential criminal. From that moment on, you have no control over your private data, and you don’t know in whose hands it might end up.”

ISPs that give away their subscribers’ data are only one example in the growing trend of online privacy invasion. Governments also require ISPs to give away user data, people are being surveilled online by secret services and tracked by advertisers.

The problem with copyright issues is that they are often abused by copyright trolls, who threaten file sharers with lawsuits. Copyright holders happen to misuse the system and issue demands that are not based on law, for example, by utilizing a legal loophole and requiring settlement fees. For example, one of the most infamous cases of copyright trolling in the U.S. has recently ended when one of Prenda Law attorneys pleaded guilty to federal charges of fraud and money laundering. John Steele and his co-defendant Paul Hansmeier had defrauded Internet users of over $6 million by threatening them with copyright lawsuits.

How Can Internet Users Protect Their Privacy from Copyright Trolling?

If a person uses personal privacy protection tools, such as VPNs, they can no longer be identified as a specific person behind their IP address.

While NordVPN does not support illegal downloading and file sharing, it strongly believes in every person’s right to stay private online.

A VPN service links user ’s computer to a server in a country of their choice via encrypted tunnel – for example, a person can appear to be in the U.S., while they actually are in Sweden, and vice versa, simply by choosing a different VPN server location. NordVPN helps anonymize browsing the Internet with its modern security protocols and no logs policy.

Nest Cameras Vulnerable To Pwnage That Allows Thefts Of Homes

Posted in Commentary with tags on March 23, 2017 by itnerd

If you rely on a Google Nest camera to keep your home safe when you are out and about, you might want to read this story. The cameras have a vulnerability that involves using Bluetooth LE to crash the cameras for anywhere from 60 to 90 seconds. This is due to a problem firmware version 5.2.1. Security Researcher Jason Doyle spotted the problems last year and alerted Nest. However, nothing was done to fix the issue and so Doyle has decided to go public with a proof of concept on GitHub. Meaning that it is now possible for tech savvy thieves to pwn the cameras and then rob you. And if 60 to 90 seconds doesn’t sound like a lot, it is certainly enough time for a smash and grab job.

At the moment there is no fix for this. And there’s no real way to protect yourself. But there is apparently a firmware update on the way that will address this, which I hope comes very quickly before this becomes a real problem.