Tag Archives: hacking

Telecoms, data center infrastructure infiltrated, Bloomberg stories say, mystery deepens despite denials

by Steve Blum

Taken at face value, a pair of articles on Bloomberg by Jordan Robertson and Michael Riley details how Chinese government intelligence agencies snuck tiny chips into computer servers used by Amazon and Apple, and by at least one major U.S. telecoms company. The devices – as small as the tip of a pencil – could be used to listen to communications going in and out, or to dive deeper into those systems.

If true, Bloomberg’s reporting means that the Chinese government, and possibly other intelligence agencies and criminal groups, have a backdoor that leads deep into U.S. telecoms and data processing infrastructure. It is flatly denied by some U.S. government security officials, by Apple and Amazon, and, according to a story by Jason Koebler, Joseph Cox, and Lorenzo Franceschi-Bicchierai on Motherboard, by most major U.S. telecoms companies…

Motherboard has reached out to 10 major US telecom providers, and the four biggest telecoms in the US have denied to Motherboard that they were attacked: In an email, T-Mobile denied being the one mentioned in the Bloomberg story. Sprint said in an email that the company does not use SuperMicro equipment, and an AT&T spokesperson said in an email that “these devices are not a part of our network, and we are not affected.” A Verizon spokesperson said: “Verizon’s network is not affected.”

A CenturyLink spokesperson also denied that the company is the subject of Bloomberg’s new story. A Cox Communications spokesperson said in an email: “The telecom company referenced in the story is NOT us.” Comcast also said it’s not the company in the Bloomberg story.

Charter Communications and Frontier Communications, two of California’s biggest telecoms companies, aren’t on the “not me” list, but that might be the result of a poor response by their press relations people or, less likely, because they weren’t contacted by Motherboard.

Although Bloomberg’s stories have been refuted by U.K. intelligence agencies, their U.S. counterparts have been silent, as is common practice. Which leaves the door open to uncomfortable speculation: they could have discovered the backdoors and be taking advantage of them too. And if they can, so can other national governments and criminal organisations. Unfortunately, U.S. government spy agencies put a higher priority on their own access to cracked systems than on defending public cyberspace.

Until this mystery is solved, we’ll have to cope with the possibility that our data centers and telecoms networks are hopelessly compromised.

FBI’s plea for encryption back doors based on false information

by Steve Blum

The Federal Bureau of Investigation gave the U.S. congress and the public bad information about the problems it has cracking encrypted phones during investigations, many times over several months. According to a story by Devlin Barrett in the Washington Post, FBI director Christopher Wray repeatedly, and falsely, claimed that agents were locked out of almost 7,800 smart phones and other devices, because of advanced encryption.

He began using the 7,800 figure last year, when he urged congress to give law enforcement back door access to encrypted devices and content…

Wray has repeated the claim about 7,800 locked phones, including in a March speech. Those remarks were echoed earlier [in May] by Attorney General Jeff Sessions.

“Last year, the FBI was unable to access investigation-related content on more than 7,700 devices — even though they had the legal authority to do so. Each of those devices was tied to a threat to the American people,” Sessions said.

Officials now admit none of those statements are true.

The real number, according to the story, is somewhere between 1,000 and 2,000. The FBI used three different databases to track phones, and “programming errors” led to the overcount.

The FBI is actually providing the best arguments against trusting government agencies – even if well intentioned – with secret keys to everyone’s encrypted content. In 2016, it warned about foreign governments “successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years”. Earlier this year, the FBI’s inspector general highlighted miscommunication within the agency over an ultimately successful attempt to crack an Apple iPhone owned by one of the shooters who murdered 14 people at a San Bernardino county employee party in 2015. The problem, according to multiple experts who reviewed the report, came down to the FBI just being lazy, raising the question “how much of the going dark debate is the FBI simply seeking easier ways to do investigations?”

Now, it turns out it can’t even keep a couple thousand records straight in its own databases.

FBI didn’t tell the whole truth about cracking encrypted iPhone

by Steve Blum

When a pair of shooters attacked an employee party at a San Bernardino County facility in 2015, killing 14 people before being shot by police themselves, one of the attackers left behind an encrypted iPhone that might or might not have had information relevant to the subsequent investigation.

Publicly, the Federal Bureau of Investigation’s solution was to force Apple to rewrite its iOS operating system so law enforcement could crack not only the San Bernardino phone, but any iPhone thereafter. Privately, though, the FBI was well on the way to finding a technical solution to the problem, according to a report from the bureau’s inspector general. The report concluded that FBI director James Comey didn’t lie to a U.S. congressional panel when he said his investigators were locked out of the phone, but he also didn’t tell the whole story, apparently because he didn’t know it himself.

According to Politico’s Morning Tech newsletter, the FBI’s priority doesn’t appear to have been unlocking one particular iPhone…

The IG report “raises the question of how seriously the FBI has really been thwarted when devices are locked — and how much of the going dark debate is the FBI simply seeking easier ways to do investigations,” said Susan Landau, a Tufts University computer science professor. “The inspector general is clearly concerned that the whole of the FBI is not committed to finding technical solutions that do not involve the weakening of encryption,” added Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

So far, both the courts and congress have held the line against the FBI and other police agencies that want a back door into any data that attracts their interest. Although law enforcement officials have legitimate needs, the idea that a back door can remain safe in their hands is ridiculous. Even the supposedly ultra-secure National Security Agency has let exploits slip into criminal hands. Anyone, good or evil, can walk in through a back door. One congressional study concluded that “any measure that weakens encryption works against the national interest”. Just so.

Quickest way to defeat cyber security is to not engage it

by Steve Blum

Newsflash! Bad software development practices cause bad results. That’s the gist of a press release issued by Appthority, an IT security company specialising in the mobile enterprise sector.

What Appthority found isn’t a particular revelation. Developers will often hard code their own login credentials into apps while writing and debugging early versions, just to keep things simple. If they forget to remove that data before moving into beta testing and launch phases, it’s there for the taking. And exploiting.

And that’s what Appthority claims it found in hundreds of mobile applications, including “an app for secure communication for a federal law enforcement agency”.

The core problem is developer laziness. It’s tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later. Except later never comes. With apps often the work of a single person or a small team, quality control checks are sparse – a problem not confined to small shops, by the way. Right now, it’s up to the stores – Apple and Android, primarily – to do the final QC work. They’re effectively the last line of defence and I’d bet they’re taking a look at how they can better target this particular problem.

One measure they should consider is disbarring repeat offenders from their developer programs. It’s easy to make a mistake out of ignorance, but failing to learn from the experience is pure stupidity.

As far as high security applications go, it’s up to the end user to confirm that an app meets spec. A lack of IT talent and, even more importantly, work ethic is an increasingly worrisome problem at the federal level, at least judging by the most recent GAO report.

Appthority says that it notified the companies most involved, but there are still 170 affected apps “which are live in the official app stores today”. It didn’t release a list of the apps, though, so there’s no way of knowing whether any are sitting on your phone now.
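The kind of pre-release check that would catch the shortcut described above, as an added example (not Appthority’s scanner or any project’s code): it flags string literals assigned to credential-looking variable names, plus long high-entropy literals that look like tokens, and skips obvious placeholders. The sample source module is constructed.

```python
"""Pre-release check for credentials left in app source: the debugging
shortcut the post describes. Added example, not Appthority's scanner or any
project's code; SAMPLE_SOURCE is constructed and the patterns are heuristics
(secrets built at runtime or split across lines will be missed).
"""
import math
import re

# Assignments whose name suggests a credential: DEBUG_PASSWORD = "...",
# api_key: '...', session_token = "..." (case-insensitive).
SECRET_NAMES = re.compile(
    r"""(?ix)
    \b\w*(?:passw(?:or)?d|passphrase|secret|api[_-]?key|token)\w*
    \s*[:=]\s*["']([^"']{6,})["']"""
)
# Any quoted literal long enough to be a key; judged by entropy below.
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
# Obvious placeholders that are fine to ship.
PLACEHOLDERS = ("changeme", "example", "xxxx", "your_", "<", ">")


def shannon_entropy(s):
    """Bits per character; random tokens score well above prose or names."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_source(text, entropy_threshold=3.5):
    """Return [(line_no, kind, value)] for each suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        named = set()
        for m in SECRET_NAMES.finditer(line):
            value = m.group(1)
            if not is_placeholder(value):
                findings.append((line_no, "named-secret", value))
                named.add(value)
        for m in STRING_LITERAL.finditer(line):
            value = m.group(1)
            if value in named or is_placeholder(value):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high-entropy", value))
    return findings


# Constructed leftover from a debug build; line 4 is a harmless placeholder.
SAMPLE_SOURCE = """\
# constructed sample of a debug build's config module
API_BASE = "https://api.example.invalid/v1"
DEBUG_PASSWORD = "hunter2-dev-login"
api_key = "CHANGEME"
session_token = "q9Zk2mV7xT4bL0pW8sR1nC5jH3yF6dE2"
LOG_LEVEL = "debug"
AUTH_HEADER = "Bearer " + "Vn3Xq8LmZ2kT7pR4wB9sY1cH6jD5gF0a"
"""
```

Run as a CI gate on the beta branch; a non-empty result from scan_source fails the build so the cleanup the post says “never comes” is forced before launch.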

Federal agencies ignore cyber security while breaches continue

by Steve Blum

Cyber security at federal agencies continues to be so bad that the Government Accountability Office is throwing up its hands and saying we’ve already told you what needs to be done, so just do it…

While federal agencies are working to carry out their [Federal Information Security Modernization Act]-assigned responsibilities, they continue to experience information security program deficiencies and security control weaknesses in all areas including access, configuration management, and segregation of duties. In addition, the inspectors general evaluations of the information security program and practices at their agencies determined that most agencies did not have effective information security program functions. We are not making new recommendations to address these weaknesses because we and the inspectors general have previously made hundreds of recommendations. Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise.

The report is a good primer on cyber security threats and best practices. It includes some telling examples. The Internal Revenue Service’s website allowed access to private data, using personally identifiable information about taxpayers that’s available elsewhere. In another breach, thousands of treasury department documents walked out the door with a former employee…

Concurrent with a new policy that restricted employees’ use of removable media devices to prevent users from downloading information onto the devices without approval and review, the agency began reviewing employee downloads to removable media devices. During the review, it identified a significant change in download patterns for a former employee in the weeks before the employee’s separation from the agency. The former employee had downloaded approximately 28,000 files that may have contained controlled unclassified information onto two encrypted external thumb-drive devices. As of October 2016, the agency had been unable to recover the devices storing the files.

The next time a federal agency demands a back door into private sector platforms or encryption systems, this report accompanied by a simple no should be all the answer that’s required.
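The review the GAO excerpt describes, spotting a “significant change in download patterns” for one user, reduces to comparing each user’s weekly removable-media copies against that user’s own history. This added example (not from the GAO report or any agency’s tooling) does that over a constructed audit log, one line per copy-to-removable event:

```python
"""Flag a surge in copies to removable media, per user, against that user's
own history. Added example, not from the GAO report or any agency's tooling;
SAMPLE_LOG is constructed (one line per copy-to-removable event).
"""
from collections import defaultdict
from datetime import date
import re
import statistics

LOG_LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
    r"action=copy_to_removable files=(?P<files>\d+)$"
)


def parse_log(lines):
    """Yield (user, iso_week, files) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        y, mo, d = (int(x) for x in m.group("day").split("-"))
        yield m.group("user"), date(y, mo, d).isocalendar()[1], int(m.group("files"))


def weekly_totals(lines):
    """{user: {iso_week: files copied that week}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for user, week, files in parse_log(lines):
        totals[user][week] += files
    return totals


def flag_surges(lines, min_history=3, factor=5.0, min_files=1000):
    """Return {user: [(week, files, baseline)]} for weeks that stand out.
    baseline is the median of the user's earlier weeks; a week is flagged only
    when it exceeds both factor * baseline and min_files, so 2 -> 12 files is
    ignored while 12 -> 12,000 is not."""
    alerts = defaultdict(list)
    for user, per_week in weekly_totals(lines).items():
        history = []
        for week in sorted(per_week):
            files = per_week[week]
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if files >= min_files and files > factor * max(baseline, 1):
                    alerts[user].append((week, files, baseline))
            history.append(files)
    return dict(alerts)


# Constructed audit log: one quiet user, one whose final week spikes.
SAMPLE_LOG = """\
2016-09-05 user=jdoe action=copy_to_removable files=14
2016-09-07 user=asmith action=copy_to_removable files=3
2016-09-12 user=jdoe action=copy_to_removable files=9
2016-09-14 user=asmith action=copy_to_removable files=5
2016-09-19 user=jdoe action=copy_to_removable files=17
2016-09-21 user=asmith action=copy_to_removable files=2
2016-09-26 user=jdoe action=copy_to_removable files=11
2016-09-28 user=asmith action=copy_to_removable files=4
2016-10-03 user=jdoe action=copy_to_removable files=12600
2016-10-06 user=jdoe action=copy_to_removable files=15400
malformed line that the parser skips
"""
```

The point of the per-user baseline is that the alert fires while the employee is still on the payroll, which is when the devices can still be recovered.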

NSA shares blame with criminals for massive ransomware attack

by Steve Blum

Cybercriminals successfully penetrated more than 200,000 computer systems in 150 countries in a continuing attack that began late last week. The initial assault was unwittingly blocked by a security blogger who triggered an off switch while trying to figure out what was going on. But that didn’t help systems that were already infected – it can still spread from computer to computer within a network – and a new version, without the kill switch, is reported to be already out and running wild.

The ransomware encrypts data on infected networks, and demands a bitcoin payment of $300 to free it up.

It did not have to happen. The ransomware exploited a flaw in Microsoft’s Windows operating system that was 1. known to the U.S. National Security Agency and 2. leaked into the public domain earlier this year. It gives the lie to the claims of the NSA, FBI and other national security and law enforcement agencies that they can be trusted to safeguard and wisely use software and encryption backdoors, as the Washington Post’s Brian Fung explains…

The NSA leak in April showed that even those vulnerabilities thought to be under control by responsible state actors can find themselves on the black market. The story of Wanna Decryptor, ultimately, is the story of nearly all weapons technology: Eventually, it will get out. And it will fall into the wrong hands.

“These attacks show that we can no longer say that vulnerabilities will only be used by the ‘good guys,’ ” said Simon Crosby, the co-founder of Bromium, a California-based computer security firm. Crosby likened the unauthorized leak of the NSA’s hacking tools to “giving nuclear weapons to common criminals.”

The NSA’s conduct was irresponsible. When it discovered the Windows exploit, it should have notified Microsoft so that the vulnerability could be fixed immediately. Instead, it kept a backdoor open to millions upon millions of computers and networks, that would have eventually been found and used by criminals, even if it hadn’t managed its own security so incompetently.

Wikileaks’ CIA dump plugs massive Cisco security hole

by Steve Blum

If you look into the core of the Internet or just in a typical corporate or institutional data center, you’ll see rack after rack loaded with switches, routers and other gear made by Cisco. A vulnerability in even one of their products can leave a lot of networks and data open to attack. So you might come to the conclusion that spotting that kind of flaw and fixing it as quickly as possible is a matter of national security.

You’d be wrong.

It turns out that more than three hundred Cisco devices can be breached via a cracking technique used by the Central Intelligence Agency and revealed in a massive document dump by Wikileaks. Company researchers have concluded that

  • Malware exists that seems to target different types and families of Cisco devices, including multiple router and switch families.
  • The malware, once installed on a Cisco device, seems to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever being executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.
  • The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself.
  • It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.

There’s a quick way to block it – disable telnet, an ancient and insecure communications protocol – but a permanent fix has yet to be released.
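Checking that the quick fix above has actually been applied across a fleet means reading the vty stanzas of each running config. This added example (not Cisco tooling or anything from the leaked documents) does that for IOS-style config text; the weak and hardened configs it runs against are constructed.

```python
"""Audit an IOS-style running config for vty lines that still accept telnet,
the quick mitigation the post describes. Added example, not Cisco tooling or
anything from the leaked documents; both configs below are constructed.
"""
import re

LINE_VTY = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def vty_stanzas(config_text):
    """Return {(first, last): [indented commands]} for each `line vty` block."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = LINE_VTY.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def audit_telnet(config_text):
    """Return [(first, last, reason)] for vty ranges that need attention.
    The last `transport input` in a stanza wins, as on the device. A stanza
    without one is reported too: the default depends on the IOS release and
    platform, so it cannot be assumed to exclude telnet."""
    findings = []
    for (first, last), body in vty_stanzas(config_text).items():
        transports = [c.split()[2:] for c in body if c.startswith("transport input ")]
        if not transports:
            findings.append((first, last, "transport input not set"))
        elif {"telnet", "all"} & set(transports[-1]):
            findings.append((first, last, "transport input permits telnet"))
    return findings


# Constructed: vty 0-4 still allows telnet, vty 5-15 never says what it allows.
WEAK_CONFIG = """\
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
!
"""

# Constructed: SSH only on the lines that are used, nothing on the rest.
HARDENED_CONFIG = """\
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input none
!
"""
```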

Generally, there are two ways the CIA could have obtained this exploit: either it was developed internally or it was purchased on the black market. If the former, it could have been duplicated by anyone with sufficient skill. If the latter, it means the CIA knew that broad swathes of the world’s IT infrastructure were exposed to anyone with deep enough pockets. In either case, its first duty should have been to plug the hole, and not sit on it until its own firewall was breached.

Wikileaks shows there’s no such thing as a top secret hack

by Steve Blum


The Central Intelligence Agency’s guide to cracking is getting bad reviews from the tech community. Published earlier this week on Wikileaks, the thousands of files of internal documentation maintained by the CIA’s engineering development group are mostly openly available cook books and mundane advice on how not to get caught.

A story by Sean Gallagher at Ars Technica steps through some of it and concludes it amounts to an outdated “Malware 101” textbook…

It’s not clear how closely tool developers at the CIA followed the tradecraft advice in the leaked document—in part because they realized how dated some of the advice was. Back in 2013, two users of the system said so in the comments area: “A lot of the basic tradecraft suggestions on that page seem flawed,” wrote one. Another followed, “Honestly, that stuff is probably already dated…”

Four years later, some of the recommendations have become even more stale. That’s largely because of the advances made in malware detection and security tools, including those built into many operating systems. But it’s also because the tradecraft used by everyday malware authors without the benefit of state sponsorship has surpassed these sorts of tradecraft suggestions.

One of the takeaways from the Wikileaks dump should come as no surprise: the CIA is an avid collector of zero day exploits, which are bugs in applications, operating systems and hardware that the rightful owners don’t know about yet. But plenty of others will. Apparently, the CIA buys at least some of these backdoors from the grey and black marketeers that openly sell them. Even a flaw discovered by the CIA’s team isn’t exactly a secret – it’s there for the taking by anyone else with the necessary, and far from rare, skills.

Spying is the CIA’s job. But the reason for doing it is to protect the U.S. Feeding the market for malware and hoarding it instead of fixing it makes us all less secure.

A known cyber threat is no threat to those who know it

by Steve Blum


Vermont municipal electric utility employees read the cyber security alert jointly published by the FBI and the federal homeland security department, and did what it suggested: check their computers for the specific type of malware detailed in the report. According to a press release from the City of Burlington’s Electric Department…

U.S. utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks. We acted quickly to scan all computers in our system for the malware signature. We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding.

There are three important takeaways here. First, don’t trust the first thing you hear about such events from general news outlets. The Washington Post broke the story and made it sound like the nation’s electric grid was about to come crashing down around us. Not so. It was a single, properly isolated, if perhaps improperly used, laptop. Nothing to see here. Move along.

Second, when malware or bugs are reported running around loose, check to see if your system has been compromised. No one is going to do it for you.

Third, and most importantly, this kind of information has to be released quickly and fully by law enforcement and security agencies as soon as they discover it. They can’t wait until it turns into an international controversy, as Russia’s cracking of Democratic Party computers did. Or until they themselves have no more use for the exploit. And they certainly can’t continue to demand that technology companies deliberately weaken products in order to make their lives easier and, in doing so, our lives less secure.

The only way to fight clandestine cyber attacks – state sponsored or not, good guys or bad – is to expose the attackers and their weapons to the full light of day.

FBI wants network administrators to tighten security, up to a point

by Steve Blum

Crackers working for the Russian government broke into the computer system of “a U.S. political party” during the last election cycle. That’s the unsurprising top line conclusion of a joint report issued by the federal homeland security department and the FBI. Two separate teams working for Russian intelligence agencies phished more than a thousand party functionaries and eventually gained access to administrator level privileges on the target system.

Beneath that top line, though, lurks a fascinating, and ironic, description of how state-sanctioned crackers can penetrate workaday IT networks maintained by corporations and government agencies, and what can be done to stop them.

It’s worth reading, although number one on the report’s top-seven list of good security practices seems like a no-brainer: keep your software up to date…

Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.

The irony lies in the fact that the FBI and other law enforcement and national security agencies not only routinely exploit such software vulnerabilities instead of quickly and publicly squashing such bugs, but also want technology companies to build back doors and weaken encryption to make that job easier.

You can’t have it both ways, as a recent congressional report pointed out (albeit with much handwringing over the need to try). Either the FBI and its fellow travellers are working 24/7 to plug security holes for everyone, or they’re playing on the same team as the Russian, Chinese and other state sponsored cyber spies who are routinely, and correctly, accused of subverting democratic processes and stomping out personal liberty at every opportunity.