Blog: December 2018 Archives

China's APT10

Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks.

I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept.

EDITED TO ADD (1/5): Another article on the same subject.

Posted on December 31, 2018 at 5:57 AM52 Comments

Friday Squid Blogging: Squid-Focused Menus in Croatia

This is almost over:

From 1 December 2018 -- 6 January 2019, Days of Adriatic squid will take place at restaurants all over north-west Istria. Restaurants will be offering affordable full-course menus based on Adriatic squid, combined with quality local olive oil and fine wines.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 28, 2018 at 4:04 PM107 Comments

Click Here to Kill Everybody Available as an Audiobook

Click Here to Kill Everybody is finally available on Audible.com. I have ten download codes. Not having anything better to do with them, here they are:

  1. HADQSSFC98WCQ
  2. LDLMC6AJLBDJY
  3. YWSY8CXYMQNJ6
  4. JWM7SGNUXX7DB
  5. UPKAJ6MHB2LEF
  6. M85YN36UR926H
  7. 9ULE4NFAH2SLF
  8. GU7A79GSDCXAT
  9. 9K8Q4RX6DKL84
  10. M92GB246XY7JN

Congratulations to the first ten people to try to use them.

EDITED TO ADD (12/30): All the codes are long gone.

Posted on December 28, 2018 at 12:11 PM6 Comments

Massive Ad Fraud Scheme Relied on BGP Hijacking

This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol:

Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves­ -- who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers' fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that's where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

Lots of details in the article.

An aphorism I often use in my talks is "expertise flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacking tools." This is an example of that. BGP hacking -- known as "traffic shaping" inside the NSA -- has long been a tool of national intelligence agencies. Now it is being used by cybercriminals.

EDITED TO ADD (1/2): Classified NSA presentation on "network shaping." I don't know if there is a difference inside the NSA between the two terms.

Posted on December 28, 2018 at 6:43 AM20 Comments

Human Rights by Design

Good essay: "Advancing Human-Rights-By-Design In The Dual-Use Technology Industry," by Jonathon Penney, Sarah McKune, Lex Gill, and Ronald J. Deibert:

But businesses can do far more than these basic measures. They could adopt a "human-rights-by-design" principle whereby they commit to designing tools, technologies, and services to respect human rights by default, rather than permit abuse or exploitation as part of their business model. The "privacy-by-design" concept has gained currency today thanks in part to the European Union General Data Protection Regulation (GDPR), which requires it. The overarching principle is that companies must design products and services with the default assumption that they protect privacy, data, and information of data subjects. A similar human-rights-by-design paradigm, for example, would prevent filtering companies from designing their technology with features that enable large-scale, indiscriminate, or inherently disproportionate censorship capabilities­ -- like the Netsweeper feature that allows an ISP to block entire country top level domains (TLDs). DPI devices and systems could be configured to protect against the ability of operators to inject spyware in network traffic or redirect users to malicious code rather than facilitate it. And algorithms incorporated into the design of communications and storage platforms could account for human rights considerations in addition to business objectives. Companies could also join multi-stakeholder efforts like the Global Network Initiative (GNI), through which technology companies (including Google, Microsoft, and Yahoo) have taken the first step toward principles like transparency, privacy, and freedom of expression, as well as to self-reporting requirements and independent compliance assessments.

Posted on December 26, 2018 at 6:27 AM54 Comments

Glitter Bomb against Package Thieves

Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that's what might have happened. At least some of the video was faked, which puts the whole thing into question.

That's okay, though. Santa is faked, too. Happy whatever you're celebrating.

Posted on December 25, 2018 at 6:13 AM36 Comments

MD5 and SHA-1 Still Used in 2018

Last week, the Scientific Working Group on Digital Evidence published a draft document -- "SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics" -- where it accepts the use of MD5 and SHA-1 in digital forensics applications:

While SWGDE promotes the adoption of SHA2 and SHA3 by vendors and practitioners, the MD5 and SHA1 algorithms remain acceptable for integrity verification and file identification applications in digital forensics. Because of known limitations of the MD5 and SHA1 algorithms, only SHA2 and SHA3 are appropriate for digital signatures and other security applications.

This is technically correct: the current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it's really bad form to accept these algorithms for any purpose. I'm sure the group is dealing with legacy applications, but I would like it to really push those application vendors to update their hash functions.

Posted on December 24, 2018 at 6:25 AM22 Comments

Friday Squid Blogging: Illegal North Korean Squid Fishing

North Korea is engaged in even more illegal squid fishing than previously.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 21, 2018 at 4:14 PM96 Comments

Drone Denial-of-Service Attack against Gatwick Airport

Someone is flying a drone over Gatwick Airport in order to disrupt service:

Chris Woodroofe, Gatwick's chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen.

He told BBC News: "There are 110,000 passengers due to fly today, and the vast majority of those will see cancellations and disruption. We have had within the last hour another drone sighting so at this stage we are not open and I cannot tell you what time we will open.

"It was on the airport, seen by the police and corroborated. So having seen that drone that close to the runway it was unsafe to reopen."

The economics of this kind of thing isn't in our favor. A drone is cheap. Closing an airport for a day is very expensive.

I don't think we're going to solve this by jammers, or GPS-enabled drones that won't fly over restricted areas. I've seen some technologies that will safely disable drones in flight, but I'm not optimistic about those in the near term. The best defense is probably punitive penalties for anyone doing something like this -- enough to discourage others.

There are a lot of similar security situations, in which the cost to attack is vastly cheaper than 1) the damage caused by the attack, and 2) the cost to defend. I have long believed that this sort of thing represents an existential threat to our society.

EDITED TO ADD (12/23): The airport has deployed some anti-drone technology and reopened.

EDITED TO ADD (1/2): Maybe there was never a drone.

Posted on December 21, 2018 at 6:24 AM119 Comments

Fraudulent Tactics on Amazon Marketplace

Fascinating article about the many ways Amazon Marketplace sellers sabotage each other and defraud customers. The opening example: framing a seller for false advertising by buying fake five-star reviews for their products.

Defacement: Sellers armed with the accounts of Amazon distributors (sometimes legitimately, sometimes through the black market) can make all manner of changes to a rival's listings, from changing images to altering text to reclassifying a product into an irrelevant category, like "sex toys."

Phony fires: Sellers will buy their rival's product, light it on fire, and post a picture to the reviews, claiming it exploded. Amazon is quick to suspend sellers for safety claims.

[...]

Over the following days, Harris came to realize that someone had been targeting him for almost a year, preparing an intricate trap. While he had trademarked his watch and registered his brand, Dead End Survival, with Amazon, Harris hadn't trademarked the name of his Amazon seller account, SharpSurvival. So the interloper did just that, submitting to the patent office as evidence that he owned the goods a photo taken from Harris' Amazon listings, including one of Harris' own hands lighting a fire using the clasp of his survival watch. The hijacker then took that trademark to Amazon and registered it, giving him the power to kick Harris off his own listings and commandeer his name.

[...]

There are more subtle methods of sabotage as well. Sellers will sometimes buy Google ads for their competitors for unrelated products -- say, a dog food ad linking to a shampoo listing -- so that Amazon's algorithm sees the rate of clicks converting to sales drop and automatically demotes their product.

What's also interesting is how Amazon is basically its own government -- with its own rules that its suppliers have no choice but to follow. And, of course, increasingly there is no option but to sell your stuff on Amazon.

Posted on December 20, 2018 at 6:21 AM38 Comments

Congressional Report on the 2017 Equifax Data Breach

The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this.

Here is my testimony before before the House Subcommittee on Digital Commerce and Consumer Protection last November.

Posted on December 19, 2018 at 6:00 AM20 Comments

Teaching Cybersecurity Policy

Peter Swire proposes a a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer.

Posted on December 18, 2018 at 6:31 AM18 Comments

New Shamoon Variant

A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem.

Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no idea if this new variant is also Iranian in origin, or if it is someone else entirely using the old Iranian code base.

Posted on December 17, 2018 at 6:30 AM9 Comments

Real-Time Attacks Against Two-Factor Authentication

Attackers are targeting two-factor authentication systems:

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets' accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.

This isn't new. I wrote about this exact attack in 2005 and 2009.

Posted on December 14, 2018 at 10:02 AM40 Comments

Friday Squid Blogging: More Problems with the Squid Emoji

Piling on from last week's post, the squid emoji's siphon is in the wrong place.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 13, 2018 at 4:23 PM111 Comments

Marriott Hack Reported as Chinese State-Sponsored

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still uncomfirmed, but interesting if it is true.

Reuters:

Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company's private probe into the attack.

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing's espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood's computer networks since 2014, said one of the sources.

I used to have opinions about whether these attributions are true or not. These days, I tend to wait and see.

Posted on December 13, 2018 at 6:37 AM21 Comments

New Australian Backdoor Law

Last week, Australia passed a law giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it's really bad.

Note: Many people e-mailed me to ask why I haven't blogged this yet. One, I was busy with other things. And two, there's nothing I can say that I haven't said many times before.

If there are more good links or commentary, please post them in the comments.

EDITED TO ADD (12/13): The Australian government response is kind of embarrassing.

Posted on December 12, 2018 at 9:18 AM88 Comments

2018 Annual Report from AI Now

The research group AI Now just published its annual report. It's an excellent summary of today's AI security challenges, as well as a policy agenda to address them.

This is related, and also worth reading.

Posted on December 10, 2018 at 9:27 AM29 Comments

Friday Squid Blogging: Problems with the Squid Emoji

The Monterey Bay Aquarium has some problems with the squid emoji.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 7, 2018 at 4:00 PM76 Comments

Back Issues of the NSA's Cryptolog

Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course.

What's new is a nice user interface for the issues, noting highlights and levels of redaction.

Posted on December 7, 2018 at 12:06 PM5 Comments

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization's building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals' abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.

Posted on December 7, 2018 at 10:50 AM12 Comments

Your Personal Data is Already Stolen

In an excellent blog post, Brian Krebs makes clear something I have been saying for a while:

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes ­ even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold ­ usually through no fault of your own. And if you're an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

[...]

Once you've owned both of these realities, you realize that expecting another company to safeguard your security is a fool's errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne'er-do-wells from abusing access to said data.

His advice is good.

Posted on December 6, 2018 at 7:33 AM46 Comments

Bad Consumer Security Advice

There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice:

1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack into a VPN.

I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice? I think twice about accessing my online bank account from a pubic Wi-Fi network, and I do use a VPN regularly. But I can't imagine offering this as advice to the general public.

2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today! Go to www.SSA.gov.

This is actually good advice. Brian Krebs calls it planting a flag, and it's basically claiming your own identity before some fraudster does it for you. But why limit it to the Social Security Administration? Do it for the IRS and the USPS. And while you're at it, do it for your mobile phone provider and your Internet service provider.

3. Add multifactor verifications to ALL online accounts offering this additional layer of protection, including mobile and cable accounts. (Note: Have the codes sent to your email, as SIM card "swapping" is becoming a huge, and thus far unstoppable, security problem.)

Yes. Two-factor authentication is important, and I use it on some of my more important online accounts. But I don't have it installed on everything. And I'm not sure why having the codes sent to your e-mail helps defend against SIM-card swapping; I'm sure you get your e-mail on your phone like everyone else. (Here's some better advice about that.)

4. Create hard-to-crack 12-character passwords. NOT your mother's maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a "pass-phrase" as your answer to account security questions ­ such as "Youllneverguessmybrotherinlawsmiddlename."

I'm a big fan of random impossible-to-remember passwords, and nonsense answers to secret questions. It would be great if she suggested a password manager to remember them all.

5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.

Yes to the first part. No, no no -- a thousand times no -- to the second.

6. To prevent "new account fraud" (i.e., someone trying to open an account using your date of birth and Social Security number), place a security freeze on all three national credit bureaus (Equifax, Experian and TransUnion). There is no charge for this service.

I am a fan of security freezes.

7. Never plug your devices (mobile phone, tablet and/or laptop) into an electrical outlet in an airport. Doing so will make you more susceptible to being hacked. Instead, travel with an external battery charger to keep your devices charged.

Seriously? Yes, I've read the articles about hacked charging stations, but I wouldn't think twice about using a wall jack at an airport. If you're really worried, buy a USB condom.

Posted on December 4, 2018 at 6:28 AM82 Comments

The DoJ's Secret Legal Arguments to Break Cryptography

Earlier this year, the US Department of Justice made a series of legal arguments as to why Facebook should be forced to help the government wiretap Facebook Messenger. Those arguments are still sealed. The ACLU is suing to make them public.

Posted on December 3, 2018 at 6:37 AM68 Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.