Internet threat news

It is a cliché to say it, but you have to think like a criminal in order to defeat a criminal.

Some businesses and organization, from Samsung, to Google, to even the US Military, have come to the rational conclusion that if that you cannot defeat your enemies outright you can buy them off. So that is what they do.

When a hacker, hobbyist, or security researcher finds a security weakness they can either tell the software or hardware producer, out of the goodness of their heart or in exchange for some recognition, or they can keep this secret to themselves and seek to profit from that.

There are several ways to profit. One is to turn to the criminal element and use it for crime. The other is to sell the exploit to companies who gather up and resell those to crooks, governments, and corporations alike. Another is to turn to the bounty bug programs run by the software companies whose bugs they are trying to track down and repair.

Zerodium and other Private Brokers
One bug collector is Zerodium. It is unclear whether Zerodium, who sells flaws to governments and corporations, works for the good guys or the bad guys. Their standing offer is $1 million to anyone who can crack the iPhone. Their motto is “The premium acquisition program for zero-day exploits and advanced cybersecurity research."

Italy is not a country one usually thinks of when they think of hackers or even IT in general. With its perennially slow growing economy and focus on traditional businesses, like wine and sport cars, there are not a lot of startup tech companies there as compared to other places. Nor are there many startup criminal hacker enterprises either, such as one finds in nearby Romania. But Italy is home to one of the most important professional hacking companies used by governments, known simply as Hacking Team. They call their product Galileo.

The company makes no secret of who their target customers are. They headline their website with with “The Hacking Suite for Governmental Interception,” underlining that with, “We believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

Usually espionage firms keep a low profile. But The Hacking Team was shoved into the public limelight by one highly embarrassing data leak. In 2015, a hacker stole internal emails and their valuable source code and put it on bittorrent sites.

An article in The New York Times in March of 2016 explained that one of the 2015 Paris Terror Attackers was shown two things when he first met up with his ISIS handlers: how to fire an assault rifle and how to use TrueCrypt encryption software. The terrorist recruit was given a USB drive with TrueCrypt installed. He was instructed to download encrypted messages from a shared cloud drive in Turkey and then use TrueCrypt to decrypt those and use it again to upload replies. The terrorist understood those instructions since he was a computer technician.

The newspaper speculated that terrorist was told not to use email as that would make it easier for spies to track the terrorist group’s physical location by giving away the IP addresses of any emails they might intercept, which are listed clearly in the email headers.

As you probably have already heard, the FBI sued Apple because Apple refused its demand to unlock an iPhone 5C belonging to the San Bernardino terrorists. But what is new and shocking is that Apple withdrew its suit because they figured out how to unlock the phone themselves.  

In the past law enforcement and intelligence agencies around the world routinely sent captured phones to Apple and Google’s headquarters where the phones were unlocked. At that time Apple and Google kept a serial number that was shipped with the phone. This number together with the passcode created by the user created an unbreakable encrypted value. Calculate that and you could unlock a locked phone perhaps by plugging in a cable. But then Apple changed the iPhone, as did Google, where they no longer kept a copy of that value. They did that because customers and privacy activists demanded that after the Edward Snowden leaks. Then the manufacturers said they could not assist the police and spies anymore as it was technically impossible because they had got rid of that back door.

There are two items on the internet that you need to see if you follow security. First there is this film on Youtube that gives the history of Linux. And then there is story in The Washington Post that explains that some people are concerned that the people who maintain the Linux kernel are not fixing security problems there. The procedure to fix bugs in the Linux kernel is so slow that the newspaper calls it “evolutionary.”

To understand the controversy, and to decide for yourself whether there are security problems with Linux, you have to look at the history of how it was developed and who maintains it now.

There are two people behind the Linux operating system: Richard Stallman and Linus Torvalds.

What Richard Stallman did was start the project to write the GNU operating system, which we now call Linux. He is annoyed that people do not call it by its correct name, GNU/Linux.  But he is happy to have reached his overall goal, which to write something and give it away for free.   

Richard Stallman started the GNU organization with the idea that no one should have to pay for Microsoft Windows or any version of UNIX, like Solaris. (AT&T invented UNIX but did not give it away or turn it into a commercial product.) Now lots of software is distributed under what is called the GNU license, meaning it is free if when you change that you are willing to give those changes away for free as well so they can be added back into the product.

Ransomware is malware that encrypt data files that can only be decrypted when the data file owner pays a ransom. The only recovery method is to go to a backup. Guessing the password to unlock the file is for all practical purposes impossible because of the nature of cryptography. Regarding defenses the only good defense is to make lots of backups and to train users not to click on phishing emails. Antivirus software might help, but certainly will not work in all cases.

The way that ransomware works (for example TeslaCrypt, CryptoWall, Locky, Crypt0L0cker and Cerber) is it scans the user’s drive and encrypts each files using an encryption key that only the hacker knows. It also sets up some kind of communication channel so that is can alert the hacker that it has found a victim. It also adds software code to the encrypted file that causes a screen to pop up when a user opens it. This screen both tells the user that their data is locked and provides a screen where the user can enter the code to unlock it and where to go to pay the ransom.

If you were a Martian and landed on earth, somewhere in the USA, you would think there is some kind of war going on over there as there is violence and violent protests. There are Black Lives Matter protests because of police shooting black people. Armed men have taken over federal lands out west to protest restrictions on their ability to graze cattle where they want.  And then there are Donald Trump’s political rallies where violence has broken out too.

It does not matter to us what your politics are. We don’t care what you think about Donald Trump. What we do here is report the news and the new this week is that the hacker group Anonymous has targeted Donald Trump. You can see their declaration of war here on YouTube.

As IoT (The Internet of Things) grows, obviously security risks associated with that are going to grow too.  Let’s take a look at some of the wireless protocols that IoT use and see which of them might have security weaknesses. IoT applications transfer data from sensors to the IoT cloud application where that data can can be analyzed and processed. In some applications the IoT app sends instructions in the other way, back down to the IoT device, so that it can send instructions to the machine to which they are attached or do maintenance items like download and install software updates on the IoT computer card. Examples of this are industrial monitoring, vehicle fleet maintenance, and home automation. For example, a fleet monitoring system can monitor a truck’s brake temperature to alert the operator when it is time to replace brakes. As an other example, sensors can monitor a diesel generator for vibration. An increase in vibration would indicate an increased load on the motor thus indicating some kind of maintenance is need on whatever the engine is attached to. If the engine temperature rises too quickly, the IoT application can shutdown the machine directly. If an IoT device is close to an electrical source and thus cabling it can use an ethernet network for communications. But if it is attached to door or window or out in a field, far away from any facility, then it needs some type of wireless communication.

You can hire hackers; you can hire DDOS services too. Why you would want to hire a DDOS service? It is difficult to say as only the criminal mind or otherwise deranged person would know why they would want to inflict damage for sport. Except some hacking is political in nature, in which case the motive is obvious, or even cyberwar such as the ISIS army and its enemies. Some DDOS service providers charge $38 for their botnet rental services. A botnet is a network of thousands of hacked computers. The weak spot here is the vast majority of internet users are ordinary people who do not know that they have been hacked and are unwitting accomplices in this. The reason someone would need to use a third party to launch this type of attack is you need as an attack from one or only a few IP addresses would be easy to shut down by the victim. Incapsula’s “2015 DDoS Threat Landscape” report tells us that that some attacks can last weeks or months. One Idaho kid shut down his school system’s computers for weeks and caused all the kids who took an aptitude test to lose their scores.

There is much reporting in the news this week about the American government’s court order to force Apple to decrypt iPhone 5 belonging to the San Bernardino Islamic terrorists. The journalists report that Apple says that the iPhone is impossible to crack because Apple does not know the encryption key and that entering an incorrect passcode 11 times will cause the phone to wipe the data. But the journalists do not go into any detail why the device cannot be decrypted. So we do that here. In sum, the iPhone cannot be decrypted because iOS generates a random number used as the cryptographic key when the machine is first turned on and after it has been manufactured and the housing close up. Apple does not back the key up to iTunes of the Apple cloud. So Apple does not know that. So, what the FBI wants is that Apple writes and compiles a modified version of iOS onto the device to allow the FBI to brute force attack the code to unlock the phone without erasing the data.  But if you read the technical details, that would seem to be impossible as any tampering with the device, such a replacing the operating system with another or even removing the storage, would erase the encryption keys on the device thus defeating the ability to read the encrypted memory. (A smartphone like the iPhone has no magnetic storage. It’s all solid state storage also called flash storage. So you can think of the whole device as have no storage. It is all memory.)

Mark Twain used to write for the 150 year old The Atlantic magazine. So did lots of other well-known writers. Now the staid old publication has written some cybersecurity news. The Atlantic is known, or was known, for publishing what is called the long-form-narrative article. That means long articles written for people who actually like to read. These are typically 2,000 to 30,000 words long. Now everyone wants all their news in a Tweet and few people read long articles. I met The Atlantic publisher John Sullivan at an event a few years ago where he talked about the future of his magazine, which was and is losing money, as do most publications these days. Someone in the audience said he was one of those Tweeter-type readers who said there was no future in the long form narrative. Mr Sullivan agreed and said that he was going to focus less on the magazine in the future and more on the web site. I challenged both Mr Sullivan and the audience member on that and was very much surprised when Mr Sullivan backed away from his position. I reminded him that the people still do read the long form narrative and cited the famous cases of long form narratives of John Hersey’s “Hiroshima” and Truman Capote’s “In Cold Blood” that made a lasting impact on our culture. I felt pretty good having made this rich, genteel aristocrat recant what he just said.

The EU and USA have reached an agreement on rules that the US government and US business must follow when “requesting or handling the data” of EU citizens. The agreement is agreed in principle while the regulations have yet to be written. The old agreement, called Safe Harbor, was ruled unconstitutional last year by the European Court of Justice. The new agreement is called the Privacy Shield. The new law gives the U.S. Department of Commerce and American Federal Trade Commission the responsibility to make sure that American companies comply with European privacy laws. Obviously the American agencies are going to be more effective than Europeans ones at bringing sanctions against American companies since the regulators and regulated are in the same country. As for what to do when the US government does not follow the rules, of course no one can punish them for doing that. The understanding is that will simply not continue with indiscriminate spying as hey have in the past. They will obtain a warrant and otherwise following the rules set down in both countries when the target is a European person. In addition, the agreement says that Europeans will be given “redress” for violations. That means the EU citizens whose privacy has been violated can appeal to the FTC or Department of Commerce who can levy fines against the offending business. “Violating privacy” here means not following the rules, which are not all written down yet. The outline simply says, “U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”

What is missing in the news coverage of major security hacks is how they work. This is because most newspaper readers and writers are not programmers. But a journalist should be able to explain such things in an easy-to-understand manner so that the ordinary person can understand how high-profile hacking works. We will do that here for one example, and then explain how researchers earned a prize for fixing that. Interestingly the security bug, which was in Google Chrome and Firefox, was found by a different group of researchers who also won a prize for finding that. Typecasting for an actor in Hollywood is the worst thing that can happen. If you saw “Get Shorty” then you know that Danny DeVito said in the film “I almost got typecast.” in reference to a movie in which he played.

That would have turned him into someone like Jeff Goldblum who played a nerdy genius in Jurassic Park  and Independence Day and has been playing a nerdy genius ever since. Once you get typecast like that you would find it hard or impossible to play a role that calls for a different personality thus limiting your career. But typecasting in programming languages means converting an object from one type to another.  For example, a ball can be a volleyball or a tennis ball. So a programmer can create a volleyball and then upcast it to a ball, like this.

FireEye has bought the cyberintelligence firm iSight for $200 million. They had previously bought the cybersecurity research and forensics firm Mandiant to built up their offering. The Wall Street Journal says one reason for the iSight acquisition is to try to prop up its sagging stock price which has slumped 76% this year in light of slowing sales. A cyberintelligence firm is much different that a traditional cybersecurity firm. What they do is use former law enforcement and intelligence agents to tap into their vast network of sources and public and private data feeds to uncovered current and future threats. They even employee hackers, plus they are hackers themselves. Police who have worked for Interpol, the FBI, GCHQ, NSA, or retired CIA officers and military presumably have access to databases of information and contacts inside the intelligence and law enforcement communities that would be useful for flushing out security threats. They would also know which hackers have even been caught and can be coerced or have come over to the the white hat hacking community to work for the good guys. What else do they do?