China May Be Behind North Korean Missile Failures

At first glance, this may seem to be a counter-intuitive viewpoint. After all, China is one of North Korea’s only two friends in the world. The other, Iran, is too geographically separated to give more than psychological support. But things have changed. Last year China agreed to strong U.N. sanctions against North Korea after North Korea conducted its fourth nuclear test. At that time, it was thought that the Chinese were worried that its own economy may be targeted with sanctions by the U.S. if it continued in its reticence to put pressure on North Korea. China also agreed to the sanctions under the condition that the U.S. not install missile defense systems in South Korea.

 Experts agree that China did not seriously enforce these sanctions. China needs North Korea and North Korea knows it. In fact, North Korea feels that China needs them more than they need China. Why else would Kim Jong-un assassinate the main contact between North Korea and China, his uncle, Jang Song-thaek? It was a message not lost on the Chinese leadership.

 North Korea knows that China needs them to serve as a buffer between it and South Korea and, by extension, the U.S. China also doesn’t want a North Korean collapse because of the economic strain Korean refugees would place on their economy. If China could choose its dream scenario, it would be for some sort of regime change to one that would be far less confrontational.

The U.S. has ramped up pressure on China to control North Korea and has gone so far as to install a THAAD missile defense system in South Korea, knowing all along that this would irk China and, perhaps, motivate them to do more to control Pyongyang. Interestingly, this occurred just before The Chinese president was due to meet with President Trump.  We do not know what was agreed upon in the meeting President Trump had with Chinese president Xi, but, from all indications, something positive seemed to come of it as Trump has repeatedly claimed he was happy with the meeting. China has apparently agreed to ramp up economic pressure on North Korea, probably with the promise of not being designated as a currency manipulator. According to some sources, Trump may have threatened China with sanctions on both its banking sector and companies supporting North Korea’s missile and nuclear technology.

 It has been known for some time that China has shipped missile technology to North Korea in violation of sanctions. Some of this technology originated in Europe but was sold on to North Korea through Chinese companies which were often fronts for North Korean owners. A U.N. security council report from February, 2017, details the degree to which Chinese companies are complicit in violating sanctions. It’s an impressive list. Last year, the Security Council imposed sanctions on the North Korea-Ryonha Machinery Joint Venture Corporation, based in China, which produces parts used in the North Korea’s missiles and uranium enrichment centrifuges.

 Also last year, while the North Korean government was celebrating the launch of its Kwangmyongsong-4 satellite, South Korea was celebrating the collection of parts from the rocket that launched it. The U.N. report, mentioned above, said the find demonstrated “the continuing critical importance of high-end, foreign-sourced components” in North Korean missile construction. Though the missile itself was found to have been built in North Korea, many of its components were from a variety of countries around the world.

 One of North Korea’s greatest acquisitions in this regard was that of Computer Numerical Control (CNC) machinery which could be used in the construction of both missile and nuclear components. These computer controlled machines are used for the high precision work so necessary in this field.

 cnc

 According to the U.N. report, Kim got these machines from China.

 “The Panel noted that a Chinese company had exported several computer numerically controlled machine tools to the country, and investigated the possible involvement of Ryonha Machinery Corporation. According to the company’s website, a Democratic People’s Republic of Korea company ordered computer numerically controlled machines and visited its workshop to inspect computer numerically controlled machine tools before purchasing them.”

 So excited was Kim to get these machines that he had a song composed to glorify them. If you didn’t think North Korea was strange before, what can you say about a regime that has songs written to glorify a machine? For your listening pleasure, here is that song.

 

 

As far as I know, it received no Grammy nominations. But if they ever have a category of ‘Best Song about a Machine’…

The media is currently filled with stories about the U.S. being behind North Korea’s rather high rate of missile failures (52% in 2016). They point to the possibility of a Stuxnet-like attack or an attack that corrupts technical components via the supply chain. The problem of a Stuxnet attack is that it would require the use of an insider, and not just one insider, but insiders at every missile launch site. The problem with infecting the supply chain is the lack of technical components that originate in the U.S. This would mean that other countries and companies would either have to agree to letting the U.S. mess with its products or the U.S. would have to ‘arrange’ for sensitive components to be ‘stolen’ or shipped to cooperating middlemen countries and then marketed to North Korea. Both vectors are problematic.

 The following chart shows the specifics on North Korean’s missile launches for last year.

nkorea missles

Note that failures occurred at five separate sites. Except for Kusong, all of the sites also had successful launches. In addition, failures occurred in a variety of ways. If something cyber was behind the failures, it was doing a hit or miss job.

 China is not upset by the number of failures, but they are upset about North Korea destabilizing the region in its pursuit of deployable nuclear weapons. They would, in fact, be happy to see North Korea’s missile program fail. To that end, China is in the unique position to contribute to this failure. If China was selling CNC technology to North Korea with its accompanying software, they could also throw in some malware that could mess with these machines. They could design them to malfunction and damage the product. Since such components must be designed within extremely precise parameters, it would be no problem, with effective malware,  to alter these parameters just enough to make the final product undependable under real world conditions. What’s more, the malware could mask these changes in the parameters to make it appear to the human controllers monitoring these machines that nothing at all was wrong. The problem would be in the unpredictability of the outcome. That is, the parts may be made outside of specification guidelines but may or may not malfunction, and, if they did, the type of malfunction may not be predictable.

 It is well known that the Chinese government can force any company to build backdoors into its products. But doing so with companies which serve as fronts for North Korean owners or who even deal with North Korea is not so easy. In such a case, the North Koreans would know that this was happening and would be able to neutralize the attempt. It would be far better to insert malware after the product left the factory, either through supply chain intervention or remotely, after the device had been installed in North Korea. As far as the remote insertion of malware is concerned, it should be noted that all internet traffic going to North Korea goes through China.

 The problem with most malware is that it will eventually be discovered and this would certainly not improve relations between China and North Korea. There is, however, a type of malware that can remain hidden, survive updates, and can persist even if the hard drive is reformatted. This is a rare type of malware that can flash or rewrite the firmware. Think of firmware as a program on a chip that tells the hard drive it’s a hard drive. Otherwise, how would it know how to act when someone tries to install an operating system? The problem is that almost no one has the capability to do such a hack. Kaspersky has, however, found one group capable of this so-called god-like power. This group has found a way to rewrite the firmware to make it deliver malware to the computer/device it operates. Kaspersky has termed this malware, “indestructible”. As Kaspersky notes, “this is very high profile engineering which requires months of development and millions in investment.” And what is the group that has such power? Kaspersky has identified it as the Equation Group. It is, apparently, a group that works with the United States National Security Agency or NSA.

 I doubt whether the Chinese have developed such sophisticated malware. If they had, they most likely would have used it, instead of traditional malware, in their attempts to subvert the THAAD missile defense system in South Korea.  But would they agree to work with U.S. intelligence on a cyberattack that would attain the mutual goal of undermining North Korea’s missile program? It’s not that far-fetched of an idea and one that would certainly be more effective than many of the so-called ‘left-of-launch’ techniques currently being discussed. Since all internet traffic is routed through China, remotely triggering a firmware overwrite is not out of the question. To be frank, if the U.S. and China haven’t considered this option, they should.

 Of course, such an agreement would have to be kept under wraps with the appropriate diversionary tactics: China will bristle at any semblance of U.S. aggression in an attempt to appear friendly towards North Korea. After all, they can’t tip their hand and have the already paranoid Kim looking at them with suspicion. North Korea has already castigated China on its improving relations with the U.S. Hu Xingdou, a political analyst at Beijing Institute of Technology, claimed that “there are already cracks” in the relationship but it was better for both parties “to maintain peace on the surface.”

 It’s really a win-win situation for both the U.S. and China. China gets stability in Asia, better trade deals, and not being condemned for hurting the North Korean people which is what is more likely to happen if they stop buying North Korean coal. The U.S. gets a neutralized North Korea. The only person to be hurt by such an arrangement is…

 crying kim

  

 

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

The Growth of Parallel Universes in the Trump Russian-Connection Debate: A Cybersecurity Perspective

If you watch your news on CNN, the headline story will inevitably swirl around the purported connection between the Trump administration and the Russian government. It doesn’t matter what the story is, eventually, it will spin in this direction. If, on the other hand, you watch the same story on Fox, you will be told there is no connection and the story does not deserve any appreciable coverage. The gap separating the pro and anti-Trump camps, as reflected in the media, has become an abyss. In fact, it is as if each side is existing in its own, non-intersecting, parallel universe. One side simply cannot see, or cannot accept, the viewpoint of the other. This widening gap has been found in a recent Gallup Poll.  (Note: The same poll found that most Americans (64%) believe the media favors Democrats.)

gallup poll media

Oddly, this bias in the media has not negatively impacted viewership. In fact, just the opposite seems to be happening as all main media outlets have shown a sharp increase in ratings.

media ratings

It may, in fact, be the case that viewers on both sides of the political spectrum prefer biased news over objective, truth-based news. In other words, media seems to be playing a divisive roll in the American social fabric because that’s what people are seeking. It is an enabling relationship which pushes both camps to be more and more extreme. The media know what their viewers want and will, in some cases, go to unethical lengths to give it to them. The fear is that if they don’t enable their viewers in their addiction to news that supports their views, they may lose them. In no case is this seen more clearly than in coverage of Trump’s possible connections to Russia.

In an attempt to moderate this increasing divergence, I would like to look at this issue from a cybersecurity perspective, which I hope may be somewhat more objective. Of course, I’m realistic enough to know that whatever I write will change few opinions and probably antagonize everyone in the process.

The reason a cybersecurity perspective is justified is simply because this is, at root, a cybersecurity issue. Remember that the current media parallelism has its roots in the DNC hack announced back in June, 2016. The actual attack occurred much earlier as the FBI had contacted the DNC back in September of 2015 to inform them that they thought that their network may have been infiltrated, possibly by Russian hackers. The DNC only confirmed the truth of this in late April, 2016. In May, 2016, the DNC contacted cybersecurity firm, Crowdstrike, and they soon discovered that the network had, indeed, been compromised. It was at that time that Crowdstrike claimed that the DNC had been penetrated by two separate Russian hacking groups known as Fancy Bear and Cozy Bear. Crowdstrike reached this conclusion based on the digital fingerprints the attackers left during the hack. Crowdstrike had seen these actors before and, therefore, the company was familiar with their modus operandi. The bad news was that these attackers appeared to have been on the DNC network for almost a year, as Motherboard reported the Crowdstrike claim that the DNC was likely penetrated in the summer of 2015.

But let’s step back for a moment. If this hack began in mid 2015, it was at a time when few people took candidate Trump seriously. In fact, right-leaning Breitbart news posted an article by Ben Shapiro in October titled, “Is Trump a Serious Candidate”. Shapiro reached no clear conclusion but pointed to a Gallop poll released in July which showed that most people didn’t take him seriously. Here is that poll.

gallup trump candidate

True, by September, Trump had gained more traction, but not much. New York Times columnist, Joe Nocera, wrote, “I wonder, in fact, whether even now Trump is a serious candidate, or whether this is all a giant publicity ploy…I don’t think he’ll ever put himself at the mercy of actual voters in a primary. To do so is to risk losing. And everyone will know it. He’ll be out before Iowa. You read it here first.”

Oops.

So the big question is: Why would the Russians be interested in promoting Trump when he had no apparent road to victory at the time they first hacked the DNC? Clearly, promoting Trump was not their initial motive. More likely, assuming the hackers were really connected to the Russian government, is that they wanted to disrupt the Clinton campaign or the U.S. election in general. They may have changed their focus as Trump rose to the top of the candidate heap, but they clearly did not have Trump in mind when they started their hack.

It should be noted here that the FBI never had access to the DNC servers so they basically took Crowdstrike’s word on the specific groups involved in the hack. The reason why the FBI were so quick to take Crowdstrike’s word for this was because of what Russia had done in previous elections. This is why they initially jumped to the Russian conclusion when they warned the DNC in September, 2015. Crowdstrike only claimed a medium confidence level in ascribing the attack to Russia, but there was little doubt in the FBI’s mind.

In June, 2016, Guccifer 2 appeared online with the announcement that he had given the hacked DNC documents to Wikileaks. Remember that the initial winner in this release was Bernie Sanders, as it appeared he was correct in assuming that the DNC was trying to back-burner him. Also keep in mind that Russian TV, RT, was, if anything, championing the Sanders and not the Trump campaign when this occurred. Later, when Trump praised Putin’s leadership ability and questioned NATO, RT and the Kremlin showed him more interest.

Guccifer 2 claimed to be working independently and ridiculed Crowdstrike for trying to pin the hack on Russia. Although I believe Guccifer 2 is Russian, based on metadata, release times, and linguistic analysis, I, or no one, can link him directly to the Russian government. He may even be trying to pretend to be Russian by giving out false clues. That’s the way things are in cyberland. Others claim that Guccifer 2 was a disgruntled DNC employee. The reason for these diverse conclusions stems from the fact that any hack is difficult to conclusively pin to a particular perpetrator. As cybersecurity expert Brian Krebs notes, “I can’t say for certain if the Russian government was involved in directing or at least supporting attacks on U.S. political parties.” Only those who perpetrated the hack can confirm it. Along these lines, a member of the hacktivist group, Anonymous, who goes by the name, Commander X, claimed, in March, that Guccifer 2 was actually a group of hackers not connected to the Russian government. According to him, the Guccifer 2 group teamed with other hacker groups to undermine the U.S. election for the sole purpose of causing confusion. He wrote that “this band included the Guccifer Crew, Anonymous Russia, WikiLeaks, and a handful of western Information Activists who chose to fly no flag for this action.” He claimed that the only election disruption that the Russian government sponsored was that based on using trolls and false news.

Crowdstrike and other cybersecurity firms claim they found evidence in the malware code and other places that led them to suspect Russian operants behind the hack. Other experts believe that Russian hackers are too good to leave any evidence of their origins. They claim that good hackers always try to leave indicators that point to other attackers in other countries. Krebs disagrees with this assessment claiming that the arrogance of the Russian hackers may have led them to be unconcerned as to whether they were uncovered or not. Why? Because the Russian government will protect hackers from extradition if push comes to shove. However, this arrogance may only be true for unaffiliated hackers. The individual Russian hacker may not care if they get caught, but it is unlikely that the Russian government would want to be caught meddling in the U.S. election. In other words, if careless mistakes were made which led investigators to a Russian source, it is unlikely that these hackers worked for the Russian government. Of course, this is not conclusive evidence. Russian government hackers could still make mistakes, but they would not be obvious, easily spotted mistakes.

Julian Assange has always claimed that the hacker who gave him the DNC emails was not connected to the Russian government but did not and could not rule out the possibility that the emails were ‘laundered’ through a third party. A Reuter’s article, posted in January, sites an anonymous source within the intelligence community who stated that this was, in fact, what occurred.

For argument’s sake, let’s just assume that Russia did participate in the hack on the DNC and that they released these documents to Wikileaks. It’s still a big leap from here to saying that Trump colluded with the Russian government to win the election. In fact, in recent weeks, the evidence has been piling up against this line of reasoning. Here is some of it.

March 6- Former Director of National Intelligence James Clapper told ABC : “There was no evidence whatsoever, at the time, of collusion between the Trump campaign and the Russians.”

March 16- Former Acting CIA chief Michael Morell told NBC News: “On the question of the Trump campaign conspiring with the Russians here, there is smoke but there is no fire, at all…There’s no little campfire, there’s no little candle, there’s no spark. And there’s a lot of people looking for it.”

March 23- Crowdstrike’s attempt to increase its confidence rating in Russian participation in the DNC hack from medium to high fails. (note: I contacted Crowdstrike to see if they would like to comment on their current position concerning the DNC hack but, as of this writing, I have received no reply.)

April – BuzzFeed News, after interviewing 6 members of the Senate Intelligence Committee who are investigating Russian interference in the election, concluded,  “there’s a tangible frustration over what one official called ‘wildly inflated’ expectations surrounding the panel’s fledgling investigation… I don’t think the conclusions are going to meet people’s expectations.”

Let me make it perfectly clear. If undisputed proof was found linking President Trump to colluding with the Russian government in order to either gain an advantage in the 2016 election or to receive some financial benefits, I would be the first to call for impeachment. The facts, however, at least for the moment, are clearly heading in the opposite direction. But here is the problem. It is not only the majority of democrats that have gotten on the Russian connection bus but most of the mainstream media as well. They have ignored all the signs warning them of danger in order to achieve their goal of delegitimizing and ending the Trump presidency. It is the same Quixotic hope they displayed when they used celebrities to try to get electoral college delegates to change their votes. Driven by what is, no doubt for them, higher ideals, they have reached the point where they are balanced on the edge of an ideological cliff. They have simply failed to ask the question: What happens if we are wrong?  If the truth comes down on the opposite side, how much credibility will they be able to salvage? In short, they have put it all on the line for this quest.

msm bus

Fox News, the only right-leaning mainstream media outlet, can often be accused of spinning any confusing tweet from President Trump to make it look more rational than it actually is. If Donald Trump tweeted that an alien spacecraft with little green men had landed in his garden, Fox would tell you not to take the tweet literally. They would claim he was speaking metaphorically about the ever-present danger of illegal aliens. CNN, on the other hand, would warn viewers not to take the tweet seriously because it was only made to distract people from the true issue; the Trump connection to Russia. If you don’t believe this line of reasoning, watch how MSNBC’s Lawrence O’Donnell suggests that Putin orchestrated the Syrian gas attack to distract from the investigation into Trump’s connections with Russia. In short, that Trump approved of gassing babies as a way to escape scrutiny. I’m not the only one who sees this as going over the edge. Many left-leaning, MSNBC-watching Americans felt the same. But take a look to see what you think.

This is what happens when you look at events through the tinted lens of an assumption. If you accept a conspiracy theory as fact, you will pick and choose only those aspects of a story that supports this ‘fact’. I have followed some of the discussions that members of the left have been having on this topic in various forums and I have to congratulate them on the depth to which they’ve investigated this issue. However, their conclusions can be summed up by posts like the following.

“You don’t just assemble the “greatest minds” and find out literally the ten people closest to you, with the closest ties to your organization, have deep-rooted Russian contacts. The balance of probability of that happening by accident are astronomical. You add in Trump’s own ties (Russian money launderers operating out of his pent house, buying his real estate for more than double its value, his refusal to speak badly of Putin, his request for Russia to hack Clinton’s emails on live TV), and you have a scenario where it is, quite literally probabilistically impossible for him to not have been in illegal collusion with the Russian government.”

Actually, in today’s business or political world, it is not unusual for people in administrative positions to have ties with Russia. The odds of this happening are within the parameters of normal probability and are by no means ‘astronomical’. I would have to ask the poster of the above comment to explain what they meant by ‘deep-rooted’ and to name the ten people with these ties. To support their position, the poster notes other conspiracy theories. The Russians-funneling-money-to-Trump theory has been debunked by the rumor checking site, Snopes, as “mostly false”.

snopes

I realize that those who believe in collusion will focus on the word, “mostly”. That determination was arrived at because Trump said he probably sold some condos to Russians at sometime or other, thus, he would have received some money from Russians. I should note here that many on the right consider Snopes as having a liberal bias.

It is not only the left that is guilty of twisting facts. There are just as many, if not more, bizarre conspiracy theories on the right. Fox News has recently suspended commentator Andrew Napolitano for propagating a false story about then President Obama asking British intelligence to investigate Donald Trump.

As both universes continue to fly away from each other at an ever-increasing rate of speed, we can expect more false news to be treated as news and more real news to be spun into biased news, and this might be precisely what viewers want. To stop the situation from spinning out of control, to bridge the gap, truth must triumph over opinion. There’s a word for that. It’s called, journalism.

 

 

Posted in Uncategorized | Tagged , , , | Leave a comment

Watch Out for Last Minute IRS Scams that will Target You Even After You’ve Filed

Every once in a while, you should look in your spam folder. For whatever reason, I sometimes find valid, non-spam emails there. Most of the spam is obvious. Amazon keeps wanting to give me free gift certificates, Russian women are dying to meet me, and I can become wealthy working from home. However, if I see a message that reads, “Important Information from the IRS”, I have trouble just ignoring it. What if it really is important information? So the criminals have gotten me to step 1 of their attack. Take the email seriously and open it. A good subject line is the key to the attack. If the email manages to bypass the spam filter and get into my inbox, so much the better.

Upon opening the email, I may get something that looks like this.

irs phish

This is where part 2 of the scam kicks in; getting you to believe the message is real. Well, it has the right logo. It may, in fact, be a copy of a real IRS message. There is even a warning that looks real. Then there’s the appeal to the reader’s greed. Don’t we all hope that one day the IRS will find that they owe us money for a change? Maybe this is that moment!

Everything is good except for the link. Depending on what the attacker wants, clicking on the link could do just about anything. At best, you could be led to a site with a form that collects your personal data. At worst, it could install ransomware on your device and make you pay to get your files back. Some of the fake emails don’t have links. They will have a document for you to open and fill out so that you can get your refund. Opening the document will install the malware. Just a note of caution here. If you go so far as being fooled into opening a Word document file, you are not compromised unless you allow macros. The fake document may even give you instructions on doing this because the document will appear as gibberish. In order to read it, you are told to allow macros. At this point, it depends on how much you want the fake refund. By default, Word disables macros. If you are not sure of your settings, you can check them in your tools/options/security menus or trust center/macro settings.

Remember also that attachments can be given valid looking names and links can be called anything that seems to match the contents of the message. Don’t believe them on face value. Check the link in the email by hovering the cursor over it and looking at the real link in the lower left hand corner of the screen.

Another attack vector has been through tax preparers, such as TurboTax. TurboTax has been hacked in the past and attackers may know who uses it. They can, therefore, send you an email like the following.

turbo fake

Again, it looks good. Don’t believe the ‘From’ address because that may be hidden. Hold your cursor over that to see if the sender is who they say they are. Check the link in the same way. If you are a TurboTax customer, you could easily be fooled into clicking on the link and either filling out a fake form or having malware installed on your device.

The latest scam that the IRS is warning about is the Form W-2 scam, which is, apparently, spinning out of control. According to IRS Commissioner, John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’

So how does it work? A legitimate looking email is sent to someone in a firm or organization’s payroll or human resource department. The email appears to come from top management. It may look like this. It will often look informal.

w2 fake

Here is another variation on the same idea. I would normally mask the sender but Sjouwerman actually gave this scam email to cyber security expert, Brian Krebs, so that he could get the word out.

irs ceo

You can understand why the person receiving this would probably comply with the request. The only thing that stopped the scam from working was that the receiver of the request asked Sjouwerman, in person, if he had sent the request. How many of your employees would have done something similar? Had the person sent the information to the return address, the attackers would have had the personal information on all the company’s employees that is included on a W-2 form, which includes their Social Security Numbers.

According to the IRS, these are the common phrases used in these W-2 phishing emails.

“Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).

I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

There are a number of variations on this scam. The IRS has reported that some of these requests are coupled with a request for a wire transfer of money. Apparently, the hackers feel that if they’ve made it this far, they might as well try to get some money thrown into the deal.

One major, and quite effective, variation targets organizations that rely on paperless W-2 forms. The scam targets major U.S. universities at this time, but there is certainly no reason why companies or organizations using wireless W-2 forms could not be targeted in the same way. Here is the actual email which fooled staff at the University of California at Berkeley. Notice that the “From” field has an email address rather than a name to give it some look of legitimacy. The other address is that of a school teacher in Georgia. These names don’t matter. The criminals want the reader to click on the link. The “Click Here” link is revealed by the cursor hover and leads to a site that will compromise the individual fooled into going there.

Original Message:

From: ESSW2@berkeley.edu (link sends e-mail) <huatom@clarke.k12.ga.us (link sends e-mail)> Date: January 6, 2016 at 5:53:32 AM PST To: undisclosed-recipients:;

Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE‏‎

Dear: Account Owner,

Our records indicate that you are enrolled in the University of California paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.

Your W2 is ready for viewing under Employee Self Service. Logon at the following link:

Click Here to Logon

If you have trouble logging in to Employee Self Service at the link above, please contact your Payroll Department for support.

If you would like to un-enroll in the Paperless W2 Program, please logon to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.

And it doesn’t end there. Recently, the IRS warned that tax preparers may be targeted by clients asking that their refund address be changed. The phishing email may include personal details of a real, but compromised, client. The criminal usually wants the refund sent to a prepaid debit card account.

This is the time of year when most taxpayers are preparing their forms and sending them off to the IRS. They may not be surprised by communications seeming to come from the IRS. They are, therefore, more susceptible to scams. Last year, there was a 400% increase in scams at the end of the tax season and that is expected to occur again this year. It’s good to keep in mind the warning from the IRS.

“REMEMBER: The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

You’ve been warned. But if you fall for the following scam, you deserve no pity.

irs simple

Posted in Uncategorized | Tagged , , | Leave a comment

Can You Really Trust a Site with the Green Padlock in the Address Bar?

 The green padlock that appears on safe sites simply means that the site you are connected to is the true site and not one that has been spoofed to look like the real thing. It also means that traffic to and from the site is encrypted.

 green padlock

 

Here is a good explanation video made by certificate authority, GlobalSign, for those who want more details on what goes into making a site secure.

 

 

So, does this mean it is safe to enter personal or credit card information on these sites? Well, that’s where the problems begin.

 The green padlock means that only those people in control of the site can decrypt and read your credit card details. That’s nice. But the real question to ask is: Who is allowed to get such a green padlock for their site? The answer: Anyone.

 But what about the cost? Surely, if someone has to pay a lot of money for these certificates, they will not be so ready to buy one for their site. That’s true. And some certificates are expensive. But before I get into the cost versus safety debate, I need to briefly explain what those who give out these certificates, the certificate authorities, do.

Certificate authorities insure how trustworthy a site is. They verify a domain. This verification has a number of levels. The more levels of verification, the higher the price the user must pay for the SSL, or verification certificate. These price differences are often reflected in the site’s address bar. Low level certification may simply change the http to https, often with a gray padlock, while more verification will change the address bar or padlock green. I should note that there is no law that the padlock will change green with more validation, though most certificate authorities are trying to make this a standard. The green padlock generally means it has something called EV certification. EV means extended validation.  It is also not true that all browsers will give you the green padlock, though that, too, is a standard that is being established. You have to pay more for an EV SSL certificate because the certificate authority has to do more work to certify the site.

 So, certificates are granted by certificate authorities but who is qualified to be a certificate authority? Well, sadly, almost anyone. So am I saying that you may be lured to a site that seems to be secure but really isn’t? Yes, that can and does happen and certificate authorities know it. Since they do realize that criminals can run sites that can use the https and padlock to steal information, certificate authorities have tried to take actions to prevent this. The best certificate authorities thoroughly check those websites who want one of their certificates. They may do more frequent malware scans of the sites that use their certificates. If the site has malware on it, they will notify the site managers and remove the certificate until the site manager fixes the malware problem. If a certificate authority does a good job in vetting websites, those who manufacture operating systems and browsers (like Microsoft and Mozilla) will list them among trusted certificate authorities and will not warn users about websites that use their certificates for validation. Here is a list of trusted certificate authorities that is included with the FireFox browser, for example. To become a member of Mozilla’s trusted certificate authority community, a certificate authority will have to meet certain standards. Most of the time, you will see the certificate authority’s name after the padlock and clicking on this will give you more information about the certificate it issued.

 Let’s say I have a retail website that I want to certify so that my customers will trust me with their personal information. To get any degree of certification, all certificate authorities must at least be convinced that I own a particular domain. I will usually have to pay a fee to be certified. That fee varies, but can be as much as $1,200 a year and, perhaps, more. Often, the price is less and a few sites, such as Let’s Encrypt, will certify me for free. Yes, that’s correct. If I set up a free, or at least low-priced, valid website, I can get a free SSL certificate for it, and most people will assume it is safe. I will have a padlock and I will have an https address. But there is one problem. The certification information will not be in green. This will mean that I have only attained the lowest level of certification and that communication with my site is encrypted, which, most of the time, is better than nothing. If only I could get a free green padlock with its accompanying certification.

 Although some sites claim to give free EV SSL certificates, they usually come at a price. Some sites hide this price under some term like ‘general verification fee’, which still means you have to pay something even though it might not be for the EV SSL itself. However, there is now intense competition in the EV SSL market as everyone who wants to set up a retail site wants the trust implied in the green padlock. This being the case, I have seen prices as low as $46, and my guess is that even a poor hacker could afford this fee if he/she wants to make some easy money.

Hackers, however, don’t usually care to go to these extremes. They usually just want someone to go to a site that appears connected to a trusted site like Amazon. Most people seeing the https or gray padlock will look no further. I investigated this angle by using the Censys search engine with Let’s Encrypt and found that they certified over 500 sites with ‘amazon’ in the name. Now, some of these, like amazon-fish.com, seem to be legitimate. This site lists fish in the Amazon River. Other sites that Let’s Encrypt certified, like amazon-cloud-computing.com, led me to a Chinese site. It is not clear what this site does, however, it has recently received a sharp increase in visitors almost entirely from the US (see graph below), which is somewhat suspicious.

 amazon graph

 Many of these amazon-labeled sites have mysteriously disappeared, leading one to believe that they were used in phishing campaigns. Some pseudo-Amazon sites, which I will not name, have clearly been set up to steal personal information using Let’s Encrypt to establish their validity. In fact, Let’s Encrypt has been connected to a serious malvertising attack which installed the Angler Exploit Kit when victims visited Let’s Encrypt-certified sites. This exploit installed a banking Trojan on the victim’s machine.

Trust is not quantifiable. Certificate authorities do their best to give trust, but there is never any guarantee. A comprehensive study undertaken by the Department of Computer Science at Stony Brook University came to the sobering conclusion that “a moderately motivated attacker can discover high-risk vulnerabilities in most certified websites, in less than one working day”. They give an example of such an exploit based on the security scanning protocol of the certificate authority. “We witnessed that the scanning requests of seal providers were always originating from the same IP range, often a block that is registered to the seal provider. It would thus be straightforward for an attacker to only expose his malware in case a request does not originate from an IP address related to a seal-provider. This way, an attacker could easily compromise a seal-utilizing website, while the website owner would remain under the impression the website was still secure as a consequence of the daily or weekly successful seal scans.” This is but one technique that the investigators discovered.

 In short, trust on the internet is under siege and it is reflected in the percentage of people who worry about identity theft, credit card compromise, and banking fraud. This can be seen in a recent US Government report.

internet trust

 Such low trust levels will certainly not be aided by the recent discovery of flaws in Symantec’s SSL system: a system that was considered among the best on the market. The severity of the problem was signaled when Google announced it may take Symantec off of its trusted certificate list. So it is that the preponderance of evidence leads to the conclusion that phishing scams and major industrial and governmental compromises are likely to be perpetrated through the manipulation of SSL certificates and , especially, the green padlock.

Posted in Uncategorized | Tagged , , , | Leave a comment

Hacker Corruption of Data May be the Next Major Attack Vector

“It’s not just even the loss of data. Increasingly, we are worried about the corruption of data. Think about the harm someone could do by an intrusion at a blood bank and changing blood types, an intrusion at a financial institution and changing just a few digits in the holdings of an institution.”

FBI Director, James Comey, March, 2017

 “Weaponized data is the next threat vector challenging all of us in cybersecurity.”

Chris Young, speaking on corruption of data at 2017 RSA conference

 Yes, it should be obvious that serious problems could result if hackers gain control of a database and then alter it to suit their needs. For example, at the same RSA conference mentioned above, TrapX Security showed how medical devices were infected with malware. The company set up fake medical devices, such as MRI and CT scanners, on hospital networks to see if they would be attacked. They were. TrapX subsequently found malware on multiple devices “including an x-ray printer, an oncology unit’s MRI scanner, a surgical center’s blood gas analyzer and a health care provider’s PACS-picture archiving and communication system”. These devices could be used as a way to enter a hospital’s network and steal medical records. Such records could be sold on the deep web for a healthy profit. But they could also be used to get drugs, medical equipment, or healthcare. There is enough data in a medical record to completely take over someone’s identity and use it to apply for credit cards and other services. Stolen credit card information will only last until the owner of the card learns about it. Medical record information lasts forever. This is why hackers can sell one medical record for $50 but the data for one credit card can only bring in 25 cents.

But it’s not only money that’s the problem. These compromised medical machines can be manipulated to give inaccurate or deadly results. It’s unlikely that these hackers want to kill people, but they could do so or do so inadvertently. That being the case, such compromised medical devices could be held for ransom, which would be another way for hackers to monetize these attacks.

And it’s not just medical data that can be corrupted. Hackers can corrupt GPS data to perform a number of nefarious actions. At the lowest level, hackers learned how to spoof GPS data to play Pokemon Go and pretend they were in exotic places when they were not. At the highest level, GPS manipulation can bring down a country’s power grid. This is because power grids depend on GPS signals to synchronize power output within a grid. Spoofing the data could cause sections of the grid to burn out which, in turn, could bring down large sections of the grid. Such spoofing has already been done by North Korea. “North Korea jammed GPS signals in South Korea numerous times for periods that lasted between 4 and 16 days, disrupting GPS receivers in many cell towers in addition to over one thousand aircraft and hundreds of ships.”

There are devices that can produce false GPS signals which can trick GPS-dependent machinery into doing things that they normally would not do. Imagine what could happen to self-driving, GPS-dependent cars if these signals could be altered.

gps sim

Then there are the hacks that could alter financial data to make monetary gains. A number of trading companies have been hacked and the data they held was either stolen or manipulated to make millions of dollars on stock markets around the globe. At Fast Track Holdings in Hong Kong, for example, “somebody hacked into its brokerage account on the afternoon of September 23 (2016) using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.”

In December of last year, it was reported that “Chinese traders hacked into the computer systems of U.S. law firms that handle mergers, then used the data for insider trading that generated more than $4 million.” Online brokers are constantly targeted. Sometimes, like in the attack on Scottrade which compromised 4.6 million users, they succeed.

Other forms of data corruption attacks have met with frequent success, such as those involving  students hacking into school computers to change grades and alter schedules. In an attack at Kennesaw State University, the hacker managed to change his and some other students’ grades but failed to disable or alter the automatic messaging that informed the professor of the change, which led to the attacker’s arrest. The sad truth is that it is no longer unusual to see schools reporting such grade-changing hacking. Moreover, you can find hackers online who advertise that they can change the grades of students in any school or university. What we don’t know is how many hacks have succeeded and have not been noticed. I have yet to see anyone hacking a university to give themselves a fake degree, but this is not necessary as fake degrees from every Ivy League college are available for purchase in the deep web.

There is a demand in the deep web community for hackers who can break into police databases and change criminal records. This has reportedly been done in at least one instance. In this case, a hacker supposedly broke into police records related to the Orlando terrorist attack and attempted to change evidence to influence the investigation. “The FBI has detected some strange activity on the transcript.  A hacker has been tracked from a Muslim region of Indonesia. He has tried to edit and remove all major key points.” Whether this really happened or not is difficult to confirm; however, the possibility of such data altering hacks is valid.

Other motives for altering data can involve companies or countries trying to undermine each other to gain a competitive edge. Altering production parameters could result in a company producing a defective product, for example. The Stuxnet malware altered the operating parameters of Iran’s centrifuges and destroyed them by making them spin out of control.

Intercepting and altering news feeds can create chaos and undermine journalistic credibility. It could get to the point where there is a general loss of confidence in anything we hear reported. Fake news has caused the stock market to plunge before and will probably do so again. If those making the fake news knew that it would cause such a reaction, they could profit from it.

Comey’s quote cited at the beginning of this post should be taken seriously because, in the past,  Comey has often hinted at things that he already knows. In other words, data manipulation by hackers is already going on. The problem is that it is much harder to detect than something like theft. Expect to hear stories about such hacks making the news in the near future.

 

 

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

Trump May Have Been ‘WireTapped’ Through His Samsung Smartphone

And I’m not the only one who’s made this observation. One of the members of the hacking group, Anonymous, made the following comment on Trump’s smartphone of choice, the Samsung Galaxy S3.

anonymous

Whatever you may think about members of Anonymous, the statement is fundamentally correct. However, if you don’t trust anything coming from a member of Anonymous, cybersecurity expert, Bruce Schneier, remarked that, “His (Trump’s) off-the-shelf Android could potentially become a room bug without his knowledge and an attacker could certainly hijack his apps.”

samsung galaxy

The Samsung Galaxy 3

Trump’s smartphone could easily be infected by a RAT; a Remote Access Trojan. This type of malware allows an attacker to take complete control of a device from a remote location using internet connectivity. The attacker can turn on the microphone, the camera, and the GPS. With the built in keylogger, they can gather all of the victim’s usernames and passwords. They can, then, take over the victim’s email accounts and send any message they wish to any contacts. In short, they can pretend to be the user. How hard is it to get one of these programs? Not hard at all. Some are offered for free and come with complete instructions. In fact, you can watch Youtube videos on how to install and use them.

The problem is getting the victim to install the malware on their device. If I were going to attack Trump’s smartphone, I would not do so directly. I would try to compromise one of his family members or a trusted friend. Then, I could send a message from their compromised email or some app with an attachment for him to open. It could even be a valid attachment like a picture from some event that both of them had attended. Clicking on the attachment would install the malware. If it was good malware, especially a zero-day exploit, it would not be easily detectable. Trump would assume all was well because the phone would continue to operate as usual. However, he would continually be giving information to those controlling his device. Cybersecurity experts know that he continued to use the Samsung phone to send tweets until early this month. What we don’t know is if the phone had been upgraded to make it more secure. In late January, President Trump gave Fox’s Sean Hannity a tour of the Oval Office and showed him his desk which seemed to have a smartphone on it.

trump desk hannity

If we assume that Trump’s Samsung phone was hacked, the next question should be, who would hack it? Here, we are not short of suspects. Almost any nation-state would be interested in learning what the President of the United States was up to. If a nation-state hacked Trump’s phone, it wouldn’t be with off-the-shelf malware. It would probably be with a zero-day exploit that would remain well hidden. Although Russia is the cyber-attack darling of the moment, it is highly unlikely that they would gather and then leak any sensitive information. And it’s the leaking that’s important here. Someone or some entity was hacking and then leaking the information to the New York Times, the Washington Post, and the Associated Press.

If we eliminate nation-states as the source of the leaks, we are left with those actors who would benefit from shining a negative light on the executive branch. The fact that the leaks were given to members of the media associated with anti-Trump leanings points towards those who share these leanings. As Louis Clark, executive director of the Government Accountability Project, pointed out, these leaks seem to be made with the sole purpose of harming the president and his reputation. “There has been an extraordinary amount of leaking from this administration in just the first month.”

Trump initially blamed the intelligence community for some of the leaks. “It was disgraceful, disgraceful that the intelligence agencies allowed [out] any information that turned out to be so false and fake.” It is no secret that a hostile environment existed between the Trump administration and the intelligence community, but would they, or someone within it leak information? If this was the case, or if Trump was under investigation by some branch of the intelligence community, those responsible for securing Trump’s smartphone may not have pushed to have him stop using it. After all, it would be giving away one of the best sources for information. If Trump or his administration was being investigated for ties with Russia, for example, it is unlikely that the intelligence community would impede such an investigation by removing Trump’s smartphone from the loop. However, leaking information to the press would be counterproductive and would undermine their secrecy. Such leaks could only come from a rogue employee who had some political axe to grind.

The recent announcement from House Intelligence Chairman Rep. Devin Nunes disclosed that the intelligence community had incidentally collected information on Trump and the Trump administration while pursuing other investigations. Nunes was particularly upset in finding that members of the Trump administration and possibly Trump himself had been ‘unmasked’. Their identity was not protected even though the information was gathered incidentally. But it is no longer true that this need be the case if one of 16 government intelligence agencies is investigating someone within the administration. New legislation was quietly signed off on by then Attorney General, Loretta Lynch, just before leaving office that allows such unmasking to occur. According to the New York Times, agencies can now “ask the N.S.A. for access to specific surveillance feeds, making the case that they contain information relevant and useful to their missions.” In other words, if Trump, or members of his administration, are being investigated by the FBI, that agency can request any intelligence gathered on them by the NSA, even if it has been incidentally gathered. The original document (PROCEDURES FOR THE AVAILABILTY OR DISSEMINATION OF RAW SIGNALS INTELLIGENCE INFORMATION BY THE NATIONAL SECURITY AGENCY UNDER SECTION 2.3 OF EXECUTIVE ORDER 12333) can be viewed here.

So was Trump’s Samsung smartphone hacked and, if so, was it the source for many of the leaks? I think the real revelation would be if his smartphone was not hacked. As for the leaks, the ability of 16 intelligence agencies to share data would expose that data to more individuals, some of whom may want to discredit the Trump administration and who are willing to risk leaking this information to do so. In fact, the new legislation makes it easier to leak documents because, with so many people having access to the classified information, the risk of being caught is reduced. In short, we can not only expect such leaks to continue, we should expect the number of leaks to increase.

 

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

Are You Being Spied On?

So, Wikileaks releases its CIA documents and the one thing that everyone loses their minds over is learning that their TVs can be used as eavesdropping devices. Really? Where have you all been for the last 5 years? This isn’t even news. Check out an article I wrote on spying devices some years back, When Appliances Attack, and you’ll see what I mean.

Our main concern should be whether or not we, the average citizen, should worry about the government spying on us. These leaks demonstrated the vast array of tools that the CIA has to spy on everyone. Can they install malware that will turn your TV or other connected devices into eavesdropping devices or worse? Yes, they can, but, according to the law, they cannot do so without a court order based on probable cause. That said,  law enforcement could, in the course of their investigations, stumble across one of your devices. Yes, they could gather data from that device by accident, but it would not, in this case, be admissible in court.

It didn’t help the surge in paranoia when  FBI director, James Comey, was widely quoted as saying, “There is no such thing as absolute privacy in America; there is no place outside of judicial reach.” And “Even our communications with our spouses, with our clergy members, with our attorneys are not absolutely private in America.”  Furthermore, he claimed that “Even our memories are not absolutely private in America.”

All of this has been quoted out of context to make it appear as if the government has some supreme right to spy on anyone it has a whim to spy on. In fact, what Comey was saying was that the right to privacy disappears for those who participate in criminal behavior. Thus, “absolute privacy”, privacy for all, no matter what, does not exist. You may make the argument that the concept of probable cause can be stretched too far, but, legally, the government cannot spy on you without good reason.

But what about spying done by those outside of law enforcement? What are the chances that these bad agents are spying on you? Well, that depends largely on your profile and how you define ‘spying’. If you appear to have something that would pique the interest of certain parties, you will decidedly increase your risk. What are these factors? According to one source, if you

have an important, responsible, or secretive job,

have to attend confidential interviews or meetings,

are a scientist/politician/journalist/attorney/judge/police officer/local government official,

have a jealous partner or spouse who believes you are having an affair,

are getting divorced,

are a suspected activist,

are interested in conspiracies and frequent certain websites,

have a neighbor who hates you,

were arrested for, but never convicted of, a terrorist-related crime,

have a friend, neighbor, or relative who is under suspicion,

have recently made a substantial insurance claim,

are very wealthy,

are a celebrity, or

are the victim of a stalker

your chances of being spied on increase.

Yeah, there are a lot of good reasons to be paranoid and, for the most part, you can assume you are being spied on. Why? Because if you use Google, Facebook, Yahoo, or many other websites, you have given them the right to spy on you. Didn’t you read the privacy statement when you checked the ‘Accept’ box? Sure, few people do. Basically, you’ve given these sites the freedom to build a profile of you by watching you while you browse the internet and do other online activities. Yes, both Google and Yahoo can legally read your emails because you told them they could. They are trying to ‘enhance your online browsing experience’ by targeting you with ads that you will, hopefully, find more interesting. They learned what you are interested in by reading your email. But what if you joked about being a terrorist? Hmm, that’s when problems could begin. The government can always compel these companies to hand over your emails. They can also read your emails without you ever knowing about it. You can stop some of this spying by adjusting your privacy settings on Google and Yahoo, but you’ll never be completely free.

google spy

Smartphones are perfectly made to spy on you. They have GPS information, cameras, and microphones. With the proper spyware, (which can be downloaded for free) all of these can be turned on remotely by those who are interested in your behavior. They can film you, listen to you and your calls, and see where you are and where you’ve been. They can harvest your passwords, take over your email, and send messages to all of your contacts. In short, they can pretend to be you.

android spy

How do you know if your phone has been compromised? Well, if the spies use good malware, you may never know. However, if your battery appears to be running low faster than it used to, it may be an indication that your phone is doing something that you haven’t given it permission to do. If you’re not sure, you can download an app that will give you a record of your battery activity.

Sometimes spyware will turn your phone on without you being anywhere near it. Be suspicious if you see this happening. Snowden supposedly put his phone in a microwave oven or refrigerator to stop it from being accessed by unwanted agents or sending out radio signals. He has since designed a special case to prevent such behavior. Of course, the best prevention is to take out the phone’s batteries when the phone is not in use.

If you hear a strange background noise or clicking sounds while you’re speaking on your phone, your call might be being monitored. And, of course, look at your monthly phone bill to see if anything unusual has been going on. Also, keep in mind that the NSA can listen to any call you make to a location or receive from a location outside of the US.

samsung

Chances are your TV is not being used as a spying device. Yes, it can be hacked into to listen to you or, for those sets with built in cameras, watch you. The current CIA leak focused on malware called, Weeping Angel, which targets certain Samsung smart TVs. The malware can make it appear as if your TV is turned off when, in fact, it is not. It is secretly listening to you. This malware specifically targets Samsung TVs from 2012 (UNES8000F, E8000GF plasma, and UNES7550F) and 2013 (UNF8000 series, F8500 plasma, UNF7500 series, and UNF7000 series). You can tell if your TV has been compromised by looking behind it and seeing if a blue LED is on while the TV is supposed to be off. Unless you are a particularly high profile target, I wouldn’t worry much about this. It is far more likely that your smart TV could become part of a botnet rather than an eavesdropping device, though I’m not sure this will necessarily give you much more psychological  comfort.

Just remember that anything that is connected to the internet has the potential to be compromised. Your refrigerator won’t be watching what you eat because it doesn’t, at least for now, have a camera. It can, however, read your Gmail. What? How is that possible? Well, it’s not possible for all refrigerators, but one developed by Samsung linked the device to a user’s Gmail Calendar so as to put this information on the refrigerator’s display. In so doing, it compromised the user’s Gmail account. Using a man-in-the-middle technique, hackers were able to lurk in the calendar and capture the owner’s username and password, thus, gaining full control of the user’s account. This is a somewhat unique attack method which has probably never been used to any great extent. Most compromised connected refrigerators are used to send non-edible spam. Just remember that what is true of refrigerators is true for all your connected devices. But, as the old saying goes, if you can’t trust your refrigerator, what can you trust?

 

 

Posted in Uncategorized | Tagged , , , | Leave a comment