IEEE Cipher --- Items from security-related news (E138)

News Bits

NewsBits, IEEE Cipher E138, E138.Jun-2017

  • 9 Minutes and Hacked
    Identity thieves used stolen data 9 minutes after it was posted online
    CNN Money
    By Selena Larson
    May 26, 2017

    In a controlled study by the FTC, cyberthieves were able to utilize personal data shared online very quickly after it was posted and noticed by a Twitter bot. In another test, it took 10 times as long. Nonetheless, the mean time to exploit is significantly longer than organizational response times. Significantly, two-factor authentication was a full deterrent to account access.

  • Hack of the Month Club
    The hacking group that leaked NSA secrets claims it has data on foreign nuclear programs
    The Washington Post
    By Brian Fung
    May 16, 2017

    A group that released information and software from NSA digital hacking tools has threatened to release some kind of data about nuclear or missile programs in China, Iran, North Korea, and Russia. They indicated that this and further information might be disseminated through a subscription service.

    More Windows 10 vulnerability exploits might be in the works. The hacker group seems to be searching for a way to capitalize on its expertise in digital weaponry acquisition.

  • Ooh La La, Russkies Try Hacking the French Election
    Emmanuel Macron's campaign hacked on eve of French election
    The Guardian
    By Kim Willsher and Jon Henley
    May 12, 2017

    Although Emmanuel Macron prevailed in the French presidential election, his campaign was subjected to an 11th-hour disinformation/hacking attack by a group that Trend Micro identified as probably being part of the Russian KGB.

    A large number of documents from Macron's campaign computers were anonymously posted online just before the election. The volume was huge, but an initial assessment indicated that the documents were a mix of mundane campaign files and bogus inflammatory messages.

  • NSA and the Great Ransomware Attack
    Ransom reportedly demanded in cyberattack on England's health-care system
    The Washington Post
    By Craig Timberg, Griff Witte and Ellen Nakashima
    May 12, 2017

    The WannaCry crypto ransomware attack hit the British National Healthcare System and other businesses around the world. The software was based on part of a digital arsenal developed by NSA and disclosed by a group called Shadow Brokers. Although Microsoft immediately released a patch to disable the core vulnerability exploited by the ransomware, older computers and many others remained unpatched and unprotected.

    Although the attack spread around the world, the perpetrators may not have profited proportionately. Backups of files and restoration procedures may have saved some victims, and others may have abandoned their data.

    Related Stories:
    NSA Bean Spill
    Hackers have just dumped a treasure trove of NSA data. Here's what it means
    The Washington Post
    By Henry Farrell
    Apr 15, 2017

    The first announcement that the NSA cyber hacking tools had been released to a public website was troubling for multiple reasons. Technology companies were dismayed that the vulnerabilities had not been made available to the software providers in the first place; this practice, called "equities", depends on trust between technology providers and the government. However, subsequent statements from Microsoft showed that they had issued patches for Windows systems a month before the disclosure. Whether they were warned by the hackers or by the government remains unknown.

    Another troubling aspect concerned extracting information from the international banking communications network, SWIFT. That undermined trust in the agreement between the EU and the US that information would be shared under formal safeguards.

    The hacking software may be viewed by European courts as evidence that the US cannot be trusted to uphold European privacy rules, and that makes it difficult for US technology services to operate in Europe.

    No, It Wasn't a Zero Day
    Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers
    Ars Technica
    By Dan Goodin

    Although the NSA hacking tools revealed vulnerabilities in the Microsoft Windows operating system, they were not "zero day" exploits. For unexplained reasons, Microsoft issued patches a month before the tools became public knowledge. Nonetheless, not all Windows systems were patched.

    NSA Knows Windows Hacks, and You Should, Too
    NSA considered harmful to Windows users
    The Washington Post
    By Hayley Tsukayama
    Apr 20, 2017

    A hacking group released the source for many of NSA's own hacking tools, and it included a serious zero day vulnerability for Windows users. Microsoft issued a patch, but older systems (like the 7.4 per cent of the cyberworld that runs XP) have no protection.

  • Inadequate controls
    N.S.A. Halts Collection of Americans' Emails About Foreign Targets
    The New York Times
    Apr 28, 2017

    On April 28 NSA issued a statement saying that it had ended a long-standing, warrantless surveillance practice. Its communications surveillance program had been collecting messages that mentioned the email addresses of foreign targets even when the sender and recipient were US citizens who never communicated with the target.

    NSA had revealed this to the FISA courts previously and said that its technology could not be tuned to prevent the collection of these messages. The practice became public knowledge with the disclosure of the Snowden papers. NSA says it has corrected the problem. The result is that Americans can now mention foreign email addresses without turning the surveillance apparatus onto themselves.

    On the other hand, if foreign targets mention Americans, then the Americans can be subject to warrantless surveillance.

  • The Fitbit Fink
    Cops use murdered woman's Fitbit to charge her husband
    By Amanda Watts
    Apr 27, 2017

    In another novel use of the Internet of Things, police in Connecticut used data from a murdered woman's Fitbit as evidence to contradict her husband's account of an attack and to bring charges against him. The husband claimed that his wife walked only a short distance in the time before the attack, but her Fitbit registered 10 times as many steps.

    In a separate case in Ohio, a man's alibi was undermined by his pacemaker data. He is facing charges of aggravated arson and insurance fraud.

  • Police Slow to Grok Cybercrime
    Local police don't go after most cybercriminals. We need better training
    The Washington Post
    By Nick Selby
    Apr 21, 2017

    A Texas police detective who is also an Internet cybercrime author makes the case that local police need more training in Internet crime in order to provide effective protection for citizens. "The FBI can't do it all," he notes.

    Selby would like local police to have the tools to go after the scams that hurt the ordinary person --- identity theft, credit card fraud, etc. Although the amount of loss may be small, the victim faces hours of lost time and thousands in attorney's fees in the wake of the crime. The local police don't have the ability to build a case against the cybercriminal, even when they know the perpetrator.

  • All Your Sirens Are Belong ...
    Someone hacked every tornado siren in Dallas. It was loud
    The Washington Post
    By Avi Selk
    Apr 9, 2017

    Over a million people in Dallas were subjected to 90 minutes of city sirens due to a hack carried out within the city. Officials determined that someone with physical access to the siren hub caused the cacophony.

  • CIA Has Cisco Switches at its Mercy
    A simple command allows the CIA to commandeer 318 models of Cisco switches
    Ars Technica
    By Dan Goodin
    Mar 20, 2017

    Cisco has been around since the Internet was in knee pants, and so has the telnet protocol. When WikiLeaks revealed that the CIA has ways to take control of Cisco switches, it turned out the source of the vulnerability was Cisco's modifications to this venerable communication service. Telnet carries the control commands for configuring network services on the switches.

    Cisco has no workaround for the problem other than disabling telnet or setting strict access controls that prevent unauthorized devices from completing telnet connections.

    WikiLeaks came under criticism for not giving Cisco a chance to respond before releasing the information about the existence of a vulnerability.