IEEE Cipher --- Items from security-related news (E161)
Summary:
One of the many ransomware groups operating today is called "Clop". They
have a double-threat attack that exfiltrates files and then encrypts them
locally. An organization that can overcome the encryption problem with
backups will still be subjected to extortion if any of the files
contained sensitive information, such as names and social security
numbers or passport data. The University of California Merced, University of
Maryland, University of Miami, University of Colorado, and Shell seem to
have endured the disclosures rather than pay the extortion demands.
Summary:
Accellion published the patches needed to protect its legacy file transfer
app from exploitation by ransomware actors. They emphasize that only a couple
of dozen customers suffered significant consequences from the exploit.
The four steps in the compromise of the application were:
Summary:
This is a description from FireEye of the early results from their
investigation of the compromise of the Accellion file transfer app.
The core of the exploit involved installing a "web shell" that could
run arbitrary commands locally. The shell had not been seen before,
and the method of delivery was obscure.
"... the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk."
Summary:
One of the users of Accellion's FTA app was an airplane manufacturer,
Bombardier. Although they carefully separated their network to isolate
their operational resources from more outward-facing applications,
like FTA, they were still subjected to exposure of their internal
designs by the exploit. FTA is a web-based file sharing app that
handles arbitrarily large files, and one might assume that they
needed FTA to share information with engineering design partners.
As the saying goes, "Trust but encrypt!".
Summary:
This isn't exactly news, but it is significant. Back in 2019, Facebook
realized that its trusted partners had the ability to exfiltrate users'
personal data, and a giant trove of it turned up online
("Hundreds of millions of phone numbers once tied to Facebook accounts posted online"). The data has since been usefully indexed and reposted, providing
hackers with a more powerful tool for identity theft. Only about 1% of the
US population is exposed in this database. Access to the information was
being offered for bargain basement prices.
Summary:
Facebook seems unconcerned about the recent posted database of users'
personal information, dismissing the information as "old". It was
current in 2019, and few people are likely to have changed all their
identifying information in the past two years, but the company does not
think that they are subject to past settlements requiring notifications
to users in the event of a privacy breach. The US FTC and Ireland's Data
Protection Commission are both seeking answers from the company.
Summary:
Applus+ Technologies in Wisconsin seems like an innocuous player in the
database game. However, when they were hit by ransomware, vehicle
emissions testing companies across the US faced a week without income.
Apparently the companies lost the ability to upload the testing results
to the DMV sites. Owners who needed to get the test results to the DMV
immediately were told to get 30-day temporary permits.
Summary:
Federal Reserve Chairman Jerome Powell says that he fears a breakdown
in liquidity if an attack should blockade money transfers for banks
or payment processors. That could cause as much damage as any human-caused
swings in investment. Powell also said that if the US gets involved
in crypto currency, it will be "done right".
Summary:
Some hundreds of privately owned US computer servers got an unrequested
upgrade from the FBI. Although Microsoft published the critical patches
quite a while ago, not all companies took the trouble to apply them.
Because the vulnerability could be used to attack other systems, the FBI
took the extraordinary step of applying the patches by first exploiting
the vulnerability and then closing it from within.
Summary:
Perhaps you'd never heard of Colonial Pipeline before it shut down for
a week. It's an important piece of infrastructure:
"Colonial transports 2.5 million barrels per day of gasoline, and other
fuels through 5,500 miles (8,850 km) of pipelines linking refiners on
the Gulf Coast to the eastern and southern United States. It also
serves some of the country's largest airports, including Atlanta's
Hartsfield Jackson Airport, the world's busiest by passenger traffic."
When it was crippled by a ransomware attack, it shut down delivery,
turning off that 2.5 million barrels per day and causing panic buying
in the eastern US.
"... investigators are looking at a group dubbed "DarkSide," known
for deploying ransomware and extorting victims while avoiding targets
in post-Soviet states."
Summary:
Back in March, after the SolarWinds exploits, Biden drafted an order
that was touted as requiring more cooperation from software vendors
when their US government customers were affected by exploits (Reuters,
March 25: https://www.reuters.com/technology/exclusive-software-vendors-would-have-disclose-breaches-us-government-users-2021-03-25/).
The Colonial pipeline fiasco
apparently spurred Biden to sign the draft, which also creates an
organization to review major security failures. Furthermore, it
mandates two-factor authentication and encryption for not just
communication, but also stored data.
More rules will be drawn up and enforced through government software acquisition contracts.
Summary:
This article is an overview of the scope of serious ransomware attacks against
computer systems in the US. It notes that Colonial Pipeline's vulnerability
stemmed from the need to protect the health of workers by letting them work
remotely. The company allegedly paid $5M in ransom in order to bring back
operations.
The large number of attacks means that a lot of money is changing hands and sophisticated versions of ransomware are being promulgated widely. There are even tech support hotlines for attackers to consult. This has gone from a food truck movement to a major industry.
Summary:
The website used by the ransomware group that struck Colonial Pipeline
went offline after posting the message "A couple of hours ago, we lost
access to the public part of our infrastructure," including its blog
and payment server. Security experts were divided as to whether or
not law enforcement had taken down the website or if it was an
"exit scam" by the hackers.
Summary:
This research paper about some serious flaws in the WiFi protocol has
raised a great deal of discomfort. Although it was known that there
was some hand-waving in the WiFi specifications when it came to handling
fragmented packets, no one had looked at the problem seriously until now.
There is a hodge-podge of implementation variations, some of them quite
insecure. The paper will be presented at USENIX Security in August, but
Summary:
I think that most people with even a small amount of cryptography
knowledge realized that the US government was collecting at least
some intelligence information from intercepts of communication that
was encrypted with insecure ciphers. However, the idea that the
cryptography implementations were being sold surreptitiously by the
US government to unsuspecting users through a Swiss company seemed
far-fetched. The reality of it was that the company Crypto AG, based
in Switzerland, was doing just that because it was actually owned by
the US CIA and German BND intelligence service. This came to light
last year, and the Swiss were not amused.
Bern's investigation into the matter revealed that a small number of people in the Swiss intelligence service chose to approve the operation and keep it a secret unto themselves. The secret "escaped political control." Changes to government rules are being enacted to prevent future escapades.