The Recent Increase in Email-based Blackmail and Extortion Scams

If you get an email that threatens to expose you to colleagues, contacts, or law enforcement agencies, don’t get overly concerned; unless, of course, you’re a criminal. These kinds of emails have been around for a while, but have recently been on the increase and, in some cases, they are using an upgraded attack methodology.

The Porn Site Scam

This scam seems to be spreading at a serious rate. Although it has been widespread in Australia and the Middle East, it has only recently been showing up in the U.S. It seems that the criminal behind it is exploiting a large database of email addresses. The basic scam is that he says he has proof (possibly photographic/video proof gleaned from your web cam) that the victim has recently visited a porn site he has compromised. Unless the victim pays in Bitcoins, he will send this proof to all of his/her contacts.

The email gets through filters by using actual (probably compromised) email addresses. Here is the header (victim’s address changed) from the most recent attacks as outlined in Dynamoo Blog.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com

Other subject headers have been: “You not first, you not last”, “I would not want you to be very upset”, and “All in your hands”. There are probably more.

Most of these begin with permutations of the following sentences: “I do not want to judge anyone”, “I do not want to judge you”, “I do not presume to judge anyone”, and, most recently, “I sincerely anticipate that I will not hurt ur feelings.” They all end with something like the following: “You can complain to cops for a help, but they wont search out me” or “I do not think that cops can find me”. You are then given a Bitcoin address and told that you have a limited amount of time to pay around $300.
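The indicators described above can be checked mechanically, which matters because the mail is signed by a real domain and so passes sender-based filtering. The following Python sketch is an added example, not code from this post or from Dynamoo Blog: the function names are hypothetical, and the message body, the Bitcoin address and the benign message are constructed for illustration (only the header values and quoted phrases come from the text above).

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Subject lines and body sentences quoted in the article, lower-cased.
SUBJECT_PHRASES = (
    "maybe this will change your life",
    "you not first, you not last",
    "i would not want you to be very upset",
    "all in your hands",
)
BODY_PHRASES = (
    "i do not want to judge anyone",
    "i do not want to judge you",
    "i do not presume to judge anyone",
    "i sincerely anticipate that i will not hurt ur feelings",
    "they wont search out me",
    "i do not think that cops can find me",
)

# Shape of a legacy Base58 Bitcoin address (assumption: the article does not
# show the addresses used, so only the general format is matched).
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def normalise(text):
    """Lower-case, straighten apostrophes and collapse whitespace for matching."""
    return re.sub(r"\s+", " ", text.replace("\u2019", "'")).casefold()


def mixed_script_tokens(text):
    """Return words that mix Latin and Cyrillic letters (homoglyph substitution)."""
    hits = []
    for token in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in token if ch.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            hits.append(token)
    return hits


def analyse(raw_message):
    """Score one single-part text message against the indicators in the article."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if not isinstance(body, str):      # multipart mail is out of scope here
        body = ""
    recipient = parseaddr(msg.get("To", ""))[1].casefold()
    subject_n, body_n = normalise(subject), normalise(body)
    findings = {
        "mixed_script_subject": mixed_script_tokens(subject),
        "recipient_in_subject": bool(recipient) and recipient in subject_n,
        "subject_phrases": [p for p in SUBJECT_PHRASES if p in subject_n],
        "body_phrases": [p for p in BODY_PHRASES if p in body_n],
        "btc_addresses": BTC_RE.findall(body),
    }
    findings["score"] = sum(1 for value in findings.values() if value)
    return findings


# Header values from the article in RFC 5322 form; the Cyrillic letters in
# "Ticket" are written as escapes so the homoglyphs are visible in the source.
SAMPLE_SCAM = "\n".join([
    "From: Hannah Taylor <bill@adulthehappytimes.com>",
    "Reply-To: bill@adulthehappytimes.com",
    "To: contact@victimdomail.tld",
    "Subject: \u2713 Ti\u0441\u043a\u0435t ID: DMS-883-97867 "
    "[contact@victimdomail.tld] 31/10/2017 03:35:54 "
    "Maybe this will change your life",
    "",
    # Constructed body built from the sentences quoted in the article.
    "I do not want to judge anyone, but I have something to show you.",
    "Send $300 to 1ExampLeConstructedAddressXXXXXXXX within the time limit.",
    "You can complain to cops for a help, but they wont search out me.",
])

# Constructed benign message for comparison.
SAMPLE_BENIGN = "\n".join([
    "From: IT Helpdesk <helpdesk@victimdomail.tld>",
    "To: contact@victimdomail.tld",
    "Subject: Ticket ID: DMS-100-20001 password reset completed",
    "",
    "Your password reset request has been completed.",
])

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(raw))
```

A mail gateway rule would normally require two or more indicators before quarantining, since any single one (a ticket-style subject, for example) also occurs in legitimate mail.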

Dynamoo traced the domain address to Russia and someone named Alexey Pokachalov. He discounted that this owner was the actual scammer because “you wouldn’t post real contact details on the WHOIS and then solicit anonymous payments through BitCoin”. True, but maybe the attacker was not as sophisticated as he thinks.

I traced the name through a number of Russian forums where the same gmail address was used. The poster used the nickname ‘legzzi’. Of course, the hacker may have used the nickname of the original owner to post on sites the owner already belonged to. But that doesn’t really matter. Only the topic of the posts would matter, especially the most recent posts. For those who may want to pursue this further, here are the contact details he is using.

[Image: blackmail]

He uses the name, legzzi, on forums and on one of these he complains, or so it seems, that he was unable to use card numbers that he bought, probably on the black market. It seems he wants to buy or sell things that he may have bought from legitimate markets with Bitcoins. In one post, he complains that Russian customs stopped his order.

[Image: scammer warned]

In another post, it seems he has run into trouble with the Russian government and is asking for advice on how to avoid prosecution. He frequently asks for help in manipulating databases, leading one to believe that he has gotten his hands on a database with email addresses and wants to learn how to use it to send out spam emails.

A new wrinkle on this scam is that these blackmail emails have been showing up in corporate email inboxes. Maybe the hacker believes the threat of being exposed to work colleagues and management will make people pay up. But don’t bother. In short, this looks like a scam run by a low level, technologically inept Russian hacker who simply wants to make a few bucks or Bitcoins. The bottom line is that you can simply delete these emails without worrying.

DDoS Extortion

A distributed denial of service attack (DDoS) uses botnets to overpower a site’s server and effectively knock it offline. As I noted in a recent post, such attacks can be quite costly. Here, however, I’m referring to fake DDoS attacks that try to extort money from companies. Usually, someone in a company gets an email like this.

[Image: ddos scam]

It is very difficult to tell if the threat is real or not. With the price of prevention relatively low (around $700 in the scam above), as compared to what the cost of a real DDoS attack would be ($2.5 million average), the attackers hope the companies will just pay up rather than take the risk.

In July, the FBI warned of such attacks that hide behind the names of successful DDoS hacking groups such as Anonymous and Lizard Squad. Recently, these scammers have appeared again posing as Armada Collective or Phantom Squad, as seen in the above email. Both groups have successfully launched DDoS attacks against companies in the past. Other names the fake attacks use are New World Hackers, LulzSec, and Fancy Bear.

There are a couple of ways that a company can determine whether this is a scam or not. First of all, the ransom demand is too low. Renting or buying a botnet large enough to bring down a major company for a destructive length of time costs a lot of money. This being the case, the attackers will not be settling for hundreds or even thousands of dollars.

Secondly, check with scam services, the Better Business Bureau, or simply type in an unusual sentence from the email on Google to see if others are being scammed in the same way. True operators behind a DDoS attack don’t have the resources to attack many companies at the same time. Usually, they can only organize a botnet to affect one company at a time. Attack warnings on numerous companies are generally the result of spamming attacks that hope to pick up some easy money from nervous companies.

If the above mentioned signposts are found, simply wait until the deadline (usually 24 hours) has passed. Most companies that have been threatened by these attacks and haven’t paid the ransom found that nothing happened. The attackers just went away.

Of course, it’s normal to be upset by such emails. Some companies have paid the ransom demanded which, of course, will inspire the criminals to keep going. Actual DDoS threats will sometimes do a demo takedown to prove their strength. This could also be a more elaborate scam as botnets are priced according to how long the attackers want the attack to continue. In such cases, it’s up to individual companies to determine whether they want to take the risk of ignoring the ransom demand or not. Just remember that these attackers can’t afford to continue these attacks forever.

The Plagiarized Essay Scam

“Pay $1500 or be exposed for using essay website to cheat”.

This somewhat elaborate scam is targeted at all the students who aren’t reading this post. However, because of its somewhat more intricate attack vector, it is worth looking at in some detail. Similar scams could eventually evolve that use this same template.

Most schools realize that plagiarism is a problem and, despite the warnings, they understand that students will continue to buy essays from essay writing services or copy material from online sites. This scam, which was exposed by a student at Curtin University in Australia, may be the beginning of a scam that could easily make its way around the globe.

It began with a student visiting an online forum for help with writing an essay. It was akin to offering yourself up as a victim. The student received advice from one forum member and was even sent a sample essay. Then the trap closed. The forum member who helped him now wanted “tutoring fees”. The student refused to pay, as there had been no previous talk of payment.

Probably because the student had given the scammer his email address to receive the sample essay or possibly from information on the forum, the scammer was able to send numerous demands from different email addresses demanding $1500 for not telling the university that he had plagiarized an essay.

As it turned out, however, the student never used the essay he was sent because he felt it was unethical to do so. When he continued to refuse to pay, the scammer sent a fake email that pretended to be from the school’s vice chancellor. This email outlined the plagiarism case against the student. One wonders what the student would have done had he actually used the essay or if this angle had already worked on others.

This scam is a little more involved than most and takes a little more work for the scammer. However, the victims come to him on these essay forum help sites and all the scammer needs is their email address to begin the scam. The essay the scammer sends is probably one that they realize will be detected by plagiarism detecting software. They will then need to find the name of some authority at the school the person attends. They may have found this information on their social media sites, which they could have tracked down through their name or email address. Often, the victims are foreign students who may worry that their plagiarism will not only get them in trouble with their professors, but may get them kicked out of the country. Foreign students would be more likely to pay, especially if they used the sample essay. Therefore, if you are a foreign student and receive such emails, report them to the person that the attacker is pretending to be. And, don’t plagiarize.

I should note here that some paid essay writing sites are absolute frauds. This includes essaydom.com which has received 23 out of 23 one-star reviews for writing essays that appear to be cut and pasted together or written by uneducated nonnative speakers, most of whom, it is believed, live in Pakistan.

Students are not the only victims of targeted scams. There are a number of scams that target specific groups. One particularly sinister extortion email targets only Spanish speakers with threats to kill family members unless they pay a few hundred dollars. These emails are sent with pictures of family members that have been taken from the victim’s Facebook page.

Most scams are obvious and can just be ignored. Often the poor English gives them away. Many are filtered into the spam folder by your email provider, but, occasionally, some get through. If you are not sure if the email is legitimate or not, paste a unique sentence from the email into Google search and see if it leads you to similar scams. You can also check some scam information sites like Scambusters.org (though I can’t seem to get their search engine to work for me). However, if you really feel like someone is trying to extort money from you for whatever reason, it’s time to contact law enforcement.


Reaper Madness: The Enigmatic and Potentially Deadly Reaper Botnet

We don’t know where or when, but someday the Reaper will come for us all. I mean the Reaper botnet, of course. It is potentially the most dangerous botnet ever created and one of the most inept. It is a botnet that, at times, seems to be put together by a government committee and, at others, by innovative creators. But, because it contains elements that, if correctly used, can do great damage, we need to take it seriously.

Why do people want to create botnets anyway? No, it’s not always to bring down the internet. In fact, botnets often have more personal uses, like revenge on a hated employer or an ex-partner. Simply put, a botnet is a group of computers organized by attacker(s) to launch a coordinated attack. The attacker can control these computers remotely and make them do a number of things. They can be organized to send spam, send malware-infected spam, or participate in a DDoS (Distributed Denial of Service) attack. A DDoS attack uses a large number of computers in a botnet to access and overwhelm a site’s servers, effectively shutting the site down. Though somewhat simple in principle, such an attack can be very costly to an internet-dependent site that is knocked offline. The average cost for a business brought down by a DDoS attack is $2.5 million. The Mirai botnet cost businesses at least $121 million. Insurer Lloyds of London, in a report on cyber attacks, estimated that extreme attacks on cloud services would cost between $15 billion and $120 billion. Attacks that take down major portions of the internet could produce even higher financial losses.

Here’s a financial breakdown by DDoS protection firm Neustar. Keep in mind that the totals are hourly.

[Image: neustar]

What most people don’t realize is that you can download software that will help you build your own botnet. You can also buy, rent, or even get free, some of the largest botnets available, like the Mirai botnet that brought down major portions of the internet. Some people buy botnets for their personal use but others build them in order to sell them to others. For a good way to visualize how fast botnets can grow, take a look at this website.

So where does this leave the Reaper botnet? We don’t know. All we’ve been able to discover is that someone has been trying to build an extensive botnet that has some characteristics not seen in other botnets. Whereas the Mirai botnet was formed by enslaving internet-connected devices that hadn’t had their default passwords changed, Reaper uses known exploits for targeted devices connected to the internet like routers and cameras. It uses known vulnerabilities that users have not yet patched. Through these, it takes control of the devices and uses them to transmit the malware to enslave other vulnerable devices, thus building the botnet.

Researchers were at first alarmed when security firm, Check Point, reported that a million devices may have been infected by Reaper. This is alarming because the notorious Mirai only used about 400,000 bots. Mirai only took over the devices while the device was online. A computer reboot removed the attacker. Reaper, however, seems to be more persistent and maintains control of the devices it infects unless the victim takes more serious actions, such as restoring factory settings to a router. However, if the attacker changes the username and password, even a reset can’t recover some devices. So far, from what I’ve been able to discover, Reaper hasn’t progressed this far. One of the firms that first discovered Reaper, Netlab 360, now estimates that only 28,000 devices are part of the botnet. Yet, lest you think a sigh of relief is appropriate here, it also said that as many as 2 million devices may be waiting in a queue to be processed for the botnet.

So what’s happening? This is where the amateurish nature of the botnet builders comes to the forefront. It seems to use a narrow range of IPs as its command and control (C2) centers. In other words, security software can easily block any attacks by simply blocking the IP address. So, when I entered the Reaper IP address on my computer, Malwarebytes blocked me from going to it.

[Image: malwarebytes]

On the other hand, the Reaper botnet hasn’t been activated yet, so it may be that the developers are in the “practice” phase; ironing out any bugs until the right moment. In other words, the amateur aspects of this botnet could suddenly disappear just before activation. If anything near the one million member botnet is activated, that’s when the trouble begins.

Some think this botnet may never be activated, or that it will be activated only after it is believed to be perfected. Maybe it is being designed to be sold to a wealthy buyer, like a nation state. Maybe a nation state is in the process of constructing it. That is certainly something to consider seriously. Such a powerful botnet in the hands of a rogue state could cause apocalyptic damage. I am not saying this lightly. Security firm F5 Labs made the following statement on the potential size of the Reaper botnet, “We have data that suggests it could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.” They arrived at this number in the following manner. (CVE stands for Common Vulnerabilities and Exposures.)

[Image: f5 diag]

How serious this botnet could be will depend on how it is deployed. Sure, even if it is used as a simple DDoS attack on key internet nodes, it could cause havoc. But there are other vectors it could use. In June, the Department of Homeland Security warned that North Korea was setting up a botnet that targeted infrastructure. It is not clear how such an attack would work, but some speculate that a large botnet suddenly powering up all connected devices in a small area could stress the power grid to such an extent that it actually collapsed. Others claim that Russia is positioning itself to take out the power grids in several Baltic countries. Russia is not targeting the power stations directly with DDoS attacks, but the networked gateways that are used by power companies to control the grid.

Since Reaper has the ability to distribute malware, it could easily be armed with ransomware which it could distribute to vulnerable devices. Ransomware that encrypted key infrastructure components would work even better than a DDoS as it could disable them for a longer period of time. This actually happened when a ransomware attack took down the San Francisco metro system by shutting down all ticket machines (encrypting the hardware) until a ransom was paid. Hospitals are another frequent target of such attacks.

All we can do for now is to wait for the Reaper to appear. No one really knows the form it will take but it seems hard to believe that, after all the work put into it, it will turn out to be nothing more than an apparition.


Can Kaspersky Antivirus Be Trusted? The Case For and Against

This story is complex. That’s why, in this post, I will attempt to make it as simple as possible, but it will still be complex. The goal here is not to delineate the technical details of the specific malware involved. Instead, this will be the story behind the malware and its use. The aim will be to determine the extent, if any, of Kaspersky’s implication in hacking the NSA. I will stay as close to the facts as possible and let them speak for themselves.

This story, as is true of so many cybersecurity stories involving nation-states, begins with the development of the Stuxnet malware. This malware set new standards by, among other things, attacking physical machinery that was not connected to the internet. It specifically changed the operating parameters on Iran’s nuclear centrifuges, making them spin out of control until they destroyed themselves.

The important point of this story is that this malware was jointly developed by the U.S. and Israel. This meant that both countries had control over this malware if they needed to modify it for future uses. Unfortunately, those attacked by malware often end up with an understanding of the code behind it. Stuxnet was no exception. As the documentary about Stuxnet, Zero Days, claims, “ironically, the secret formula for writing the code for the virus software fell into the hands of Russia and Iran – the country against which it was developed.” Thus, by at least 2013, four countries controlled the code for this powerful malware.

In 2014, Israel used a Stuxnet variant, named Duqu 2.0, to spy on the ongoing nuclear talks between the P5+1 nations (the U.S., U.K., France, China, Russia, and Germany) and Iran. Oddly, Israel was not invited to participate even though they had the most to lose. After all, Iran had previously vowed to wipe Israel off the face of the earth. The Duqu 2.0 spyware was used to infiltrate three luxury hotels that were sponsoring the talks. Once installed, the malware took control of the hotels’ networks and was able to obtain information on any device connected to it. They could also listen in on conversations and the actual negotiations themselves. The malware was so good at hiding that it was only discovered by Kaspersky in mid-2015 or, coincidentally (?) at approximately the same time that the nuclear deal was reached with Iran.

In fact, Kaspersky wouldn’t have known about the P5+1 attacks at all had they not been attacked by the Duqu 2.0 malware themselves. Costin Raiu, director of the global research and analysis team at Kaspersky, said the attackers first targeted a Kaspersky employee in an office in the Asia-Pacific region, likely through an email that contained an attachment in which the virus was hidden. By opening the attachment, the employee inadvertently allowed the virus to infect his computer and, subsequently, the entire Kaspersky network.

But why would Israel make such an effort to target an antivirus firm like Kaspersky? Apparently, Israel wanted information on what Kaspersky had named, The Equation Group. Kaspersky had been targeting the actions of this hacking group for some time and, although they did not state it directly, it became common knowledge in the cyber espionage community that the Equation Group was, in fact, the U.S. National Security Agency (NSA).

The Equation Group had been targeting Iran and other Middle East countries. The information from such attacks would be of especial interest to Israel. Learning how these attacks took place and getting access to these NSA tools could be very useful. At the time, US-Israeli relations were at an all time low, and the Israeli government couldn’t depend on getting updated information on Iran from U.S. intelligence. Such information was crucial to Israel because the U.S. and the other P5+1 partners were on the verge of signing a nuclear agreement with Iran. So, why not hack into a firm that probably had this information and possibly some NSA hacking tools as well: Kaspersky?

The U.S., however, was spying on Israel and learned that, somehow, Israel had managed to get key documents concerning the upcoming Iran agreement. Alarmed by this finding, they warned Benjamin Netanyahu not to give details of the Iran agreement when he spoke to Congress in March of 2015. Netanyahu only partially complied. He did not give details but said, “This is a bad deal — a very bad deal. We’re better off without it.”

Meanwhile, Kaspersky was beginning to learn that someone, probably Israel, had hacked into their network. Interestingly, Israel’s Duqu 2.0 malware targeted Kaspersky’s antivirus programs and used them to infiltrate any network using them. In other words, the notion of using antivirus software as an information gathering agent was first used in 2014. This is the same vector that Kaspersky is accused of using against one of the employees of the NSA in 2015. (This particular attack, according to the Wall Street Journal story, was only identified in the spring of 2016.)

Probably realizing that they would be discovered by Kaspersky (or had already gotten everything they needed), Israel contacted the U.S. and informed them that, while they were within the Kaspersky network, they found evidence of Russian operatives lurking there. They claimed that the Russian government was using Kaspersky software, such as its antivirus software, to gather information on U.S. intelligence. Was this a ruse? Was Israel the actual agent behind these attacks and were they trying to shift the focus to Kaspersky and Russia? This is still an open question. In any event, when the U.S. intelligence community learned about this, they set up honeypots to lure in any attacks that used Kaspersky software. These were probably set up before Kaspersky realized it had been attacked by Israel’s Duqu 2.0.

In the most recent defense of itself, Kaspersky claims, in a re-analysis of events at the time of the purported attack, that the last Kaspersky antivirus scan that found NSA-related malware/software on the NSA employee’s computer occurred in November of 2014. They claimed that they deleted the file when they realized it was part of the NSA’s software collection. They claim that no other files from the NSA have been collected since, inadvertently or not. They do claim, however, that they began discovering those aforementioned honeypots after February, 2015. Did they suspect that these honeypots were set up to catch them? They claim these honeypots were “loaded with various Equation-related samples” that they did not take.

That last claim seems unlikely considering the interest that Kaspersky had always had in the Equation Group. This is exemplified by the publication of Kaspersky’s report on the Equation Group in February, 2015. Knowing the group’s products as well as they did, it is possible that Kaspersky did recognize the honeypot files as fakes and ignored them. More likely, though, considering subsequent events, was that the NSA found that Kaspersky was, indeed, interested in these files and actually took some of them. Otherwise, why would they begin spreading the word that Kaspersky was not to be trusted? The subsequent finding of the victimized NSA employee one year later and the connection of the theft of NSA files from his computer to Kaspersky software simply sealed the deal in the minds of those in the NSA.

Throughout 2016, the U.S. intelligence community stepped up its focus on Russian meddling in the U.S. election. It is quite possible that Kaspersky, a Russian-based company, got caught up in this fervor and attracted more suspicion than it normally would have. In any event, by February of this year (2017), Kaspersky had become a real suspect. The U.S. intelligence community began publicly expressing serious doubts about Kaspersky software, according to secret documents prepared by the Department of Homeland Security (DHS). The release of information about this document began an avalanche of bad news that eventually buried Kaspersky.

In early May, the U.S. intelligence community told a Congressional committee that they were considering banning all Kaspersky software in use on government networks. Company founder, Eugene Kaspersky, countered with an offer to appear in person before the committee to answer any questions. His argument at the time was, “I’m very sorry these gentlemen can’t use the best software on the market because of political reasons.” In other words, he blamed the current anti-Russian sentiment for his company’s demise.

[Image: Eugene Kaspersky]

In June, the FBI interviewed a dozen Kaspersky employees in the U.S. In July, Bloomberg reported it had obtained emails proving that Kaspersky was working closer with the Russian government than they let on. So, with the walls closing in, Eugene Kaspersky made a surprising offer. He would share the company’s source code with U.S. intelligence agencies. “Anything I can do to prove that we don’t behave maliciously I will do it,” he said. In addition, in late July, Kaspersky began giving away free versions of its antivirus software.

But it was too little, too late and, on September 13, the ax fell. The Department of Homeland Security ordered all federal executive branch agencies using Kaspersky software (approximately 22) to stop using Kaspersky products. They gave these agencies 90 days to remove the software. Although Kaspersky tried to downplay the importance of this decision, it was, in fact, a serious, perhaps even mortal, blow.

Kaspersky’s Defense Scenarios

“Ask yourself one thing: If these recent allegations are true, where’s the evidence? If there was any evidence that we’ve been knowingly involved in cyber-espionage, we’d be toast! No ifs or buts – it’d be game over.” Eugene Kaspersky

As I see it, there are three main scenarios that can explain the Kaspersky demise.

Scenario 1: Israel never found Russian operatives in the Kaspersky network. They used this as a screen to use Kaspersky’s antivirus software to gather information on the NSA themselves. After all, according to the Kaspersky report on Duqu 2.0, the malware specifically sought out Kaspersky’s antivirus in order to exploit it. Israel told the NSA that Russia was in the Kaspersky network to take the spotlight off themselves. Since the U.S. intelligence agencies were already looking for Russian meddling, they readily accepted Israel’s information. Kaspersky was collateral damage.

For Kaspersky, the bad part of this scenario is that they failed to discover what Israel was up to for over a year. This does not help their reputation as a cybersecurity firm.

Scenario 2: The Russian government infiltrated Kaspersky’s network and gained access to any Equation Group files it had stored. It also made use of Kaspersky’s products to steal information from U.S. intelligence agencies. Kaspersky had no knowledge of this.

Again, this does not make Kaspersky look good. It would mean that two attackers had gained access to their network without them knowing it. In their most recent defense, Kaspersky said it found no other network intrusions after they found Duqu 2.0. However, this could mean that the Russian government, possibly realizing they had been discovered by Israel, activated a kill switch which removed every trace of its attack from Kaspersky’s network.

Scenario 3: Kaspersky worked with the Russian government to infiltrate the NSA network and steal files and programs. A case could be made that the Russian government could threaten to close down Kaspersky if it didn’t comply with its demands.

Clearly, this would be the worst case scenario for Kaspersky. However, it wouldn’t make sense that the Russian government would continue to steal files from honeypots even after Kaspersky had discovered the files in these honeypots were fake. If they were working together, Kaspersky would have warned the Russian government to avoid touching these fake files. Yet, as I mentioned above, it seems the honeypots identified Kaspersky as a threat.

It may be too late for Kaspersky to salvage anything from this situation even if they are not complicit. Sure, many people will take advantage of their free antivirus and some loyal customers will stick with them. But 60% of the company’s sales come from the U.S. and Western Europe and these are certain to fall. Rebranding is not and should not be an option as the company has made numerous contributions to the cybersecurity community that should not be forgotten. However, something drastic needs to be done if Kaspersky is to repair its reputation. It may even mean having to relocate their headquarters outside of Russia.

Giving up the source code to its products to prove that there are no hidden backdoors will not convince anyone who doesn’t trust Kaspersky. After all, Kaspersky may have removed the backdoors before they released the code. The cold truth, whether it is fair or not, is that Kaspersky will have to give up the idea of getting back on U.S. government networks at any time in the near future. The negative atmosphere surrounding Kaspersky will make individual users balk at installing their products even if they are not a political target. So, can you trust Kaspersky? That’s something each person, each company, and each government will have to decide for themselves.


Hacker Confessions: What do they think of themselves? What are their favorite targets?

At the recent Black Hat Conference, security firm, Bitglass, surveyed over 100 black hat and white hat hackers to learn what motivated them and what they looked for when attacking a network. Irrespective of their current hat color affiliation, 81% claimed that they had worked in corporate IT at some time in their careers. Here are some of the findings.

The Morality of Hacking

To many, perhaps most, individuals, stealing is wrong, no matter what excuses are made to justify it. Most hackers steal. They either steal money or information. That’s just part of the game. The exception to this would be hackers who hack for political reasons. However, according to the survey, money is the main motivation for most hackers.

[Image: hacker motivation]

How do they feel about that? 48% feel that hacking is either neutral or always good. Only 3.9% believe that hacking is always bad. It is not clear from the statistics if certain types of hacking are considered better than others on the morality scale.

What vulnerabilities are the easiest to exploit?

 Actually, the question was along the lines of which security tool was least effective. The study found that hackers thought that password protection of documents was the least effective security tool. The top 5 least secure tools (most easily circumvented) were agreed upon by over 80% of these hackers. Here is that list.

[Image: hackers security tools]

It’s somewhat surprising that face recognition made the list as it is a relatively new tool. However, in early September, Samsung facial recognition was reportedly hacked with Facebook photos. In defense, Samsung did include a disclaimer for their facial recognition software, saying that “your phone could be unlocked by someone or something that looks like your image. Face recognition is less secure than Pattern, PIN, or Password.” Something that looks like your image? Would it be fooled by holding up an artichoke? Yeah, this seems pretty insecure to me.

MDM stands for ‘mobile device management’. It is a term that describes the policies corporate or institutional IT departments implement to protect the network from mobile devices connected to it. Apparently, hackers find such policies easy to circumvent, which should be bad news to these enterprises. Access controls may be physical or digital and their purpose is to limit who can use what resources. Hackers often circumvent these by infiltrating a connected endpoint (smartphone) and enabling administrative rights.

What is the best way to infiltrate a network?

To many in the cybersecurity business, the answer to this question will come as no surprise. Almost 60% of hackers admit that phishing is the best way into a network. Phishing exploits the human component which has always been found to be the weakest point in any network. Appealing to the basic human emotions of greed, romance, sex, or fear can induce an emotional human to open an email that a logical human would never open. (See my post on Phishing with Naked Women and Romantic Lures.) A recent survey of executives, IT managers, and other cybersecurity experts found that 74% of them agree that employees were the most likely source for a criminal attack. The only thing preventing phishing from being much more deadly than it is is the notable lack of social skills possessed by most hackers. It’s their own social ineptness that often exposes them as hackers.

Malware came in second among hackers as a way to infiltrate a system, but this is somewhat misleading as most malware is introduced through an initial phishing attack. However, other methods of exploiting malware exist, such as bundling it with a trusted app and putting it on Google Play Store.

Since these first two methods of infiltration account for over 85% of all infiltration techniques, IT departments should focus primarily on them rather than more obscure vectors.

What network blind spots are the easiest to exploit?

 All corporate or institutional networks do their best to plug all possible holes, but, invariably, they will always overlook a few until they are successfully hacked. It is why some enterprises pay for the ‘privilege’ of being hacked by a competent hacker in what is known as ‘pentesting’.

So, the list basically sums up what vulnerabilities a hacker looks for before beginning an attack. Respondents could choose more than one category. Here is the chart.

[Image: hacker blindspots]

Notice the concentration on endpoints, such as smartphones. Almost every hacker (97.6%) looked for blind spots/vulnerabilities involving endpoints that were either poorly managed or poorly protected. Clearly, IT teams have to find better ways to secure this weak point.

There is a good reason why some enterprises don’t have their software instantly updated. In fact, the larger the enterprise, the more difficult it is for it to keep its systems updated. Software or system updates usually aren’t implemented until they’ve been tested. This is because some updates may cause unpredictable behavior when installed on a network. But this testing takes time. It is during this testing period that a network is vulnerable to attack. Hackers know this and will often attack corporations as soon as they analyze the updates, hoping to get malware installed before the security hole is closed. Updates take place to repair security flaws. The explanation that accompanies updates details these flaws, meaning that hackers are given a known attack vector. Although not as effective as a zero-day attack, in which an unknown security flaw is used to attack a network, these so-called one-day attacks are successful more often than one might think.

Note also that data in the cloud is considered a blind spot. Many firms have the mistaken belief that their troubles are over when they store data in the cloud. It is basically passing the security buck to those who manage the cloud service. Hackers, apparently, aren’t convinced that the cloud is so safe.

The one overriding conclusion that can be drawn from these statistics is that IT departments have their work cut out for them. Any solution that can lower the burden on corporations or institutions in managing endpoints will be welcomed. Some newer solutions have appeared which allow endpoint users to be careless without this behavior affecting the network, but most enterprises keep trying to implement tired, time-worn, and frequently compromised policies and, in such an environment, we can all expect to hear about hackers breaching more and larger networks. Government networks, it appears, will be the most vulnerable if the statistics given above are true. Their sheer size, outdated operating systems, and slow response to updates leave them in a continuous state of vulnerability. In short, fearing neither moral nor physical consequences and possessing predictable access to porous networks, hackers will continue to practice their increasingly complex skills and keep IT teams perpetually on the back foot.


Whew! At Least Hackers Didn’t Get My Yahoo Password… Or Did They?

When Yahoo admitted that the 2013 breach of their site exposed the personal information of all 3 billion users of its email service, many people in the cybersecurity community were probably not surprised. Yahoo has been periodically updating the extent of the breach ever since it occurred, and, if it weren’t for Verizon, which recently took over the company, we may have never known the full extent of the breach. Verizon deserves some credit for trying to start over with a clean slate, though it may take them a while to shake off the Yahoo legacy.

Many users, however, probably took solace in the information that their passwords were not stolen. There was probably a huge sigh of relief followed by the usual ‘it’s-only-some-personal-information-so-what’ defense. I have written elsewhere about the short-sightedness of such a defense. A criminal possessing your personal information could subject you to, at the very least, spamming attacks which, of themselves, could be used to compromise your device and network. At the highest level, you could lose your identity and the contents of your bank account.

Besides, it is not precisely true that passwords were not stolen in this breach. That’s actually a semantic construct. Passwords, in their pure, readable form, are stored on very few sites. Most passwords are ‘hashed’ before they are stored. An algorithm is applied to your password to transform it into a unique string of characters. It is this hashed string that is stored, not your password. When you sign into your account, the password you signed in with is again hashed and compared with the stored hashed password. If the two match with your username, you are allowed to proceed. A person who has only your hashed password cannot perform a reverse operation on it to get the original unhashed password. Sounds pretty good, right?

Yahoo claims that it stored passwords using the MD5 algorithm. Is this good or bad? It is better than the worst hashing algorithm but far from the best. When hackers get a hashed password, they can simply guess at the password it was based on. That’s why simple or often used passwords are easily guessed. Here is an example.

The MD5 hash of the password, ‘password’, is:

5f4dcc3b5aa765d61d8327deb882cf99

How do I know? Easy. I just go to this website, type in the password I want hashed, and get the hash created by the MD5 algorithm. Thus, I can use this information to search a list of hashed passwords to see how many accounts are using the password, ‘password’. You can imagine that hackers have already created lists of the most common passwords based on pre-computed hashes. These are referred to as “rainbow tables”.

So, if I take the hashed password I created above, I should be able to find it in a rainbow table. To test this out, I went to this site and typed in the hash. It returned this result,

[Image: hashed password]

Apparently, the hash was correctly decoded.

Yahoo admitted that it was using MD5 hashing when it was hacked in 2013 but claimed that it soon after changed to bcrypt hashing, which is much more secure. However, if users have not changed their passwords since the original hack, it is possible that hackers already have access to their accounts. More disconcerting is the fact that experts think that between 800 and 900 million passwords could have been decoded within weeks of the breach and before bcrypt was implemented. In short, if you haven’t changed your password since the initial breach, you are still in danger. And remember, if you use the same password, or simple variations on it, on other accounts, those accounts, too, are in danger.

It is also important to note that, although bcrypt is much more secure, it is not foolproof. It adds a random string of code (salt) for each user’s password, which makes a rainbow table impossible to construct as each user has a different code even if the password they use is the same. Bcrypt’s secret is to use time against a hacker. They put in an encryption loop which would slow down a hacker trying to decrypt a large number of hashed passwords.

A bcrypt generator for the password, ‘password’ will give this much more complex result.

$2a$06$ULkSAs1GAVnw5cbySepKo.ouITCgQGYWfN10YPKEpd8gXtQT6hDOS

I can see if the hash matches the password by going to this site. If I compare a known or guessed password to a bcrypt hash, I get this result.

[Image: bcrypt]

Sadly, this would only give me the password for one user, not for every user who uses the same password. However, if a hacker hacked a site and only found a database of bcrypt hashes, they could use this information to see if a password that they already know for a user (username) on one account is being used on another account. (Keep in mind that credit card information is also hashed on most sites, but that’s a different discussion.)
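The contrast between the unsalted MD5 lookup and the salted, deliberately slow hash described above, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (an assumption made so the code runs without extra packages); the user names, password list, record format and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: four accounts, two of which share a password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
    "dave": "qwerty",
}
# Constructed stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

ITERATIONS = 50_000  # work factor for the slow hash (assumed value)


def md5_hex(password):
    """Unsalted MD5, the storage scheme the post attributes to Yahoo in 2013."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_lookup(stored, candidates):
    """Hash each candidate once, then resolve every account that matches."""
    table = {md5_hex(c): c for c in candidates}
    return {user: table[h] for user, h in stored.items() if h in table}


def shared_records(stored):
    """Groups of users whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, record in stored.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def slow_salted_hash(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus an iterated hash (PBKDF2 here, not bcrypt)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    md5_store = {u: md5_hex(p) for u, p in USERS.items()}
    salted_store = {u: slow_salted_hash(p) for u, p in USERS.items()}
    print("MD5 accounts resolved by one table:",
          precomputed_lookup(md5_store, COMMON_PASSWORDS))
    print("MD5 identical records:", shared_records(md5_store))
    print("Salted identical records:", shared_records(salted_store))
    print("Login check still works:", verify("password", salted_store["alice"]))
```

With unsalted MD5, one pass over the table resolves every account that uses a listed password, and identical stored values reveal who shares a password. With the salted scheme, each record has to be tested on its own at the full iteration cost.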

The other disconcerting news concerning the Yahoo hack is their admitting that “in some cases, encrypted or unencrypted security questions and answers” were compromised. It is easy to see that anyone obtaining the answers to your security questions could reset your password and take control of your account. Even if they didn’t have the answers directly, they may be able to use the personal information they stole to compromise your account.

So, should you be breathing that sigh of relief that your Yahoo password was not stolen? I would suggest you go to the Have I Been Pwned? website and type in your Yahoo email address. If your name shows up as having been pwned and you haven’t changed your password since 2014, change it. Make it 16 characters long (as in a phrase that’s easy for you to remember) and you don’t need to worry much. In fact, even if your account doesn’t appear as having been hacked and you use a shorter password, change your password for your own peace of mind.


Recent DHS and FDIC Hacks Indicate the Need for More Innovative Security Solutions

The bigger the organization, the slower it adapts to changes and challenges, and no organization is bigger than the U.S. government. So, when I hear news of the DHS or FDIC being hacked through careless or vindictive employees or that the White House’s Chief of Staff, John Kelly, had his smartphone compromised for months before it was discovered, I am no longer surprised.

The DHS was purportedly compromised when hackers used Kaspersky antivirus to steal top secret documents from an employee’s home computer; a computer he should not have been working on with such documents. We have no information on whether or not this computer was an endpoint on the DHS network, but if it was, then the DHS network could easily have been penetrated.

Kelly’s smartphone was compromised last December, which could go a long way towards explaining why leaks were emanating from the White House. It is highly likely that, if Kelly’s phone was accessed, it could have been turned on to record meetings, take photos, read emails, and listen in on phone calls, among other things.

[Image: Kelly phone]

According to one source, “It’s not known which brand and model of phone is involved, but Kelly is seen using an iPhone in a number of photos, including the AP shot by Susan Walsh above.” There is a mistaken belief that iPhones are safe from attacks that employ remote access trojans (malware that can take full remote control of a device), but there is a good reason why the government prefers Android phones. Well, actually, there is only one good reason. Apple denied the U.S. government access to the details of its operating system while Android (Google) agreed to work with them. Nonetheless, both systems have been hacked and continue to offer bad agents portals through which government networks can be penetrated.

Adding to the bad news for government agencies is a new report from the Office of Inspector General that the FDIC had been hacked 54 times between 2015 and 2017 and the personal information of over 113,000 individuals was stolen. This information included “names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks”. What’s worse is that it took the FDIC an average of 9 months to inform those affected, if they were informed at all. According to a report on the incident by ZDNET, “at least seven of the incidents occurred when outgoing FDIC employees left the agency with downloaded files of personally identifiable information, including Social Security numbers and loan and banking information of US citizens.” Ugh.

There seems to be a common weak point underpinning all of these attacks; rogue or careless employees. Some were knowingly or unknowingly undermining instituted security policies while others were intentionally leveraging their insider position for personal or political gain. Some have yet to be discovered but, without a doubt, they are out there.

Worse yet is that even those who should know better have been hacked. You would think that the heads of major government agencies would be more wary of being attacked than others, since they hold the keys to the most sensitive information, but this simply does not seem to be true. Kelly is not alone in his careless or cybersecurity-naïve behavior. Other major government leaders to be hacked include:

Director of National Intelligence James Clapper
CIA Director John Brennan
Homeland Security Secretary Jeh Johnson
Former Secretaries of State Colin Powell and Hillary Clinton.
and let’s not forget all of the members of the DNC.

What this means is that government agencies will always be trapped between two unavoidable facts. First, there will always be rogue employees no matter what regulations are put in place. Some are wittingly malicious, like the leaker, Reality Winner, and some are unwitting victims, like John Kelly. The second unavoidable fact is that all personal devices, all agency endpoints can be hacked by skilled hackers. IT teams are then faced with a seemingly unresolvable dilemma; a dilemma that must understandably make many IT staffers want to give in to despair and hopelessness.

The problem is that, no matter what the breach, government agencies respond with the same counter strategies which normally amount to more regulations on employee behavior, more device management, and more layers of software security. These will all work for a while, but they are all destined to fail over time. However, there is another way to look at this problem which may hold a solution.

Let’s make a wild, yet valid, assumption. Let’s just assume that employees will not follow all regulations to the letter. Let us also assume that all devices will be hacked. In fact, let’s not even worry about this at all. Just let employees be imperfect and hackers be, well…hackers. But let’s put one caveat into the mix. Suppose we design a device’s architecture in such a way that it has two separate operating systems that cannot directly communicate with each other. That’s right; two separate operating systems on the same device. This could be accomplished through hardware separation, not through pseudo-separation as can be found in numerous varieties of sandboxes, since these strategies are really software solutions that share the same hardware architecture. It is no secret that sandbox mechanisms have been successfully hacked.

In true hardware separation, employees can do whatever they want on one side of a device but, if they want to work on sensitive material that may be connected to a government or corporate network, they must work on the other side of the same device. Here is such a technology as developed by InZero Systems. Notice that each side has its own kernel. In other words, it is true hardware separation.

[Image: workplay phone]

Since malware is software, it must use available software resources on a device to begin an attack. If the hardware barrier is well-constructed, the malware will not be able to make the breach into the other operating system on the device. In fact, it may not even be able to detect that the device has another operating system. Here is what could happen if the normal user side of such a device was attacked. (Of course, most users would want to use good security on the open side of the device, but attacks can always happen.)

[Image: workplay system]

The extent to which the work side of the device is exposed to attack depends on what network policies are instituted. The work side could be completely shut down with no internet access or it could be allowed to access trusted sites. The WorkPlay Technology shown above includes a hardware-connected virtual machine on the work side which prevents even the most sophisticated malware from communicating with its C&C servers, as always occurs in a remotely controlled attack.

The responses to breaches on government agencies have always followed a predictable pattern. Maybe it’s time for the government to seek solutions that are more unconventional, less predictable, and more up-to-date. After all, what have they got to lose that they haven’t already lost?


NFL Controversy Threatens Sponsors and Teams with Fake News and Cyber Attacks

The red line has been drawn. There seems to be no middle ground in the NFL-Anthem controversy. And where there is controversy, there is Twitter. And where there is Twitter, there are trolls, hackers, and fake news generators.

The Washington Post has already echoed comments by Sen. James Lankford (R-Okla.) claiming that Russian trolls are “hash-tagging out ‘take a knee’ and also hash-tagging out ‘Boycott NFL’ ”. Lankford is a member of the Intelligence Committee so his remarks can’t be casually set aside. He’s right in asserting that Russian trolls like to ramp up controversy in the U.S. to either detract from other issues or simply to muddy the political waters and make the U.S. look bad. However, he is wrong in asserting that all such sites are Russian-based. In fact, #BoycotNFL seems legitimate. There are numerous Twitter accounts being formed in support of both sides in this debate, but, as of this writing, the anti-NFL sites have an overwhelming edge. Are some of these accounts fake? Probably, and it is probably in the range of 20-30%, if not more, but that still gives these anti-protest sites a decisive edge.

The official NFL Twitter account is, for the most part, acting like it’s just business as usual. The only exception being an anemic tweet on the Cowboys-Cardinals game, stating that the two teams, “shared a moment of unity on the field.” The tweet received far more criticism than support. Even tweets asking fans to vote for the “Air Player of the Week” received responses like, “Does it matter anymore?”

So, in this time of controversy, the fake news squad is bound to step in. Monetizing controversy is what fake news is all about. Fake news actors depend on clicks to get paid. They don’t really care if the news is fake or not as long as they get people clicking on it. They thrive on controversy, so be careful of what news you click on. It may not be real, although it can often be designed to look like it is.

For example, a recent news story claimed that Budweiser had cancelled its advertising support for the NFL. The story was not true. However, when I visited the @budweiser site on Twitter, here is what I found.

[Image: bud twit]

Seems suspicious to me, even though it is a verified account (note the blue check). Has the account been hacked? Well, either it has or Anheuser-Busch has made a novice marketing mistake by not claiming the @budweiser account for their own. The reason I believe it was purposely taken over can be seen in the link it gives to “budwesierUSA”. There is an official site called budweiserUSA but there is no such site as the one they list. This seems like a clear attempt to try to legitimize a fake site. But why?

It’s possible that I stumbled upon this site before it could do what it is designed to do; tweet fake news. That said, a link to this fake site has already appeared in a recent Anheuser-Busch retweet.

[Image: anheuser ad]

Checking the archives for this site shows that all references to it now point to the new fake site. This means that it was, at one time, a legitimate site associated with Budweiser. All tweets from this account, however, have been deleted. It is, therefore, ready to be deployed for nefarious purposes.
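The “budwesierUSA” link discussed above differs from the official “budweiserUSA” by a single swap of two adjacent letters, which is easy to miss by eye. One way a brand-monitoring check could flag such lookalikes, as an added example that is not part of the original post: it computes an edit distance that counts an adjacent transposition as one change (optimal string alignment). The function names, the distance threshold and every handle other than the two quoted in the post are constructed for illustration.

```python
def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and an adjacent
    transposition each cost 1 (optimal string alignment variant)."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(
                prev[j] + 1,         # delete from a
                cur[j - 1] + 1,      # insert into a
                prev[j - 1] + cost,  # substitute or match
            )
            # Adjacent swap, e.g. "is" written as "si".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def lookalikes(handle, protected, max_distance=2):
    """Return (official_handle, distance) pairs that `handle` nearly matches.

    An exact match (distance 0) is the official handle itself and is not
    reported. Comparison ignores case and a leading '@'.
    """
    candidate = handle.lstrip("@").lower()
    hits = []
    for official in protected:
        distance = osa_distance(candidate, official.lstrip("@").lower())
        if 0 < distance <= max_distance:
            hits.append((official, distance))
    return hits


if __name__ == "__main__":
    protected = ["budweiserUSA"]  # official handle named in the post
    # First two handles appear in the post; the rest are constructed.
    observed = ["@budwesierUSA", "@budweiserUSA", "@budweiserUSA_", "@nflfan2017"]
    for handle in observed:
        print(handle, lookalikes(handle, protected))
```

A plain Levenshtein distance would score the swapped pair as two edits, so counting transpositions separately lets the threshold stay tight without missing this kind of typo-style imitation.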

Have you seen the following news flash?

[Image: goodell resigns]

Probably not, because I just made it up. I did have some help from a website called Break Your Own News, which gives you an easy template to work with. Not only that, you can distribute your news immediately as links to Facebook and Twitter are conveniently placed below your creation. Actually, there are many sites that will help in the dissemination of false news. I can almost guarantee fake news will proliferate. For example, did Michael Bennett of the Seahawks really burn the American flag as has been reported on some sites?

[Image: bennett flag]

Actually, no. The picture was constructed from a picture of Michael Bennett doing a post game victory dance. Yeah, I’m not sure which one is more embarrassing.

[Image: bennett dance]

It will also be just a matter of time before sponsors feel the brunt of this wrath in the form of hacks that will likely take the form of DDoS attacks. In other words, official NFL sponsor sites will be knocked offline by having their servers overwhelmed by requests. This could be very costly for these firms. It will take a while for hackers to organize such attacks, but they are looming. I say this because I have never seen such a tirade of abuse hitting these sponsors. (Note: Just after writing the above, the following story surfaced. “Anheuser Busch’s consumer help line temporarily went down Friday afternoon. A company representative says there was a high volume of calls from a social media campaign.”… Didn’t I tell you?)

But does it matter in the long run? Most sponsors are either keeping silent or voicing platitudes that try to put them into some middle-of-the-road position. Unfortunately, in this controversy, there really is no middle-of-the-road position. Most are hoping that the storm will blow over, as it usually does. One writer on market investing sweeps aside these initial protests. “Pro football is our nation’s most popular sport. I’m supposed to believe that Americans will tune out altogether and boycott NFL sponsors? Yeah, right!” This attitude seems to be flying in the face of recent polls like the one below from Yahoo Finance.

[Image: yahoo poll]

I suspect the investment writer is only partially correct in his assessment of the climate surrounding this controversy. Fans may or may not continue to view games, but they are more likely to view them on TV. Some will not forget the protests and may make an effort to stop supporting NFL sponsors. Others will do so only temporarily. But these protests are likely to flare up again the next time an incident occurs that hints at an unjustified police action against a member of a minority group. If the time between such cycles decreases, sponsors could, indeed, be hurt by repeated boycotts, hacks, and fake news. It looks like tough times ahead for the NFL and its sponsors.
