Can You Really Trust a Site with the Green Padlock in the Address Bar?

The green padlock that appears on some sites simply means that the site you are connected to is the site it claims to be and not one that has been spoofed to look like the real thing. It also means that traffic to and from the site is encrypted.


Here is a good explanation video made by certificate authority, GlobalSign, for those who want more details on what goes into making a site secure.

So, does this mean it is safe to enter personal or credit card information on these sites? Well, that’s where the problems begin.

The green padlock means that only those people in control of the site can decrypt and read your credit card details. That’s nice. But the real question to ask is: who is allowed to get such a green padlock for their site? The answer: anyone.

But what about the cost? Surely, if someone has to pay a lot of money for these certificates, they will not be so ready to buy one for their site. That’s true, and some certificates are expensive. But before I get into the cost versus safety debate, I need to briefly explain what those who give out these certificates, the certificate authorities, do.

Certificate authorities vouch for how trustworthy a site is. They verify a domain, and this verification comes in a number of levels. The more levels of verification, the higher the price the site owner must pay for the SSL, or verification, certificate. These price differences are often reflected in the site’s address bar. Low-level certification may simply change the http to https, often with a gray padlock, while more verification will turn the address bar or padlock green. I should note that there is no rule that the padlock will turn green with more validation, though most certificate authorities are trying to make this a standard. The green padlock generally means the site has something called EV certification; EV means extended validation. It is also not true that all browsers will give you the green padlock, though that, too, is a standard that is being established. You have to pay more for an EV SSL certificate because the certificate authority has to do more work to certify the site.

So, certificates are granted by certificate authorities, but who is qualified to be a certificate authority? Well, sadly, almost anyone. So am I saying that you may be lured to a site that seems to be secure but really isn’t? Yes, that can and does happen, and certificate authorities know it. Since they realize that criminals can run sites that use the https and padlock to steal information, certificate authorities have tried to take actions to prevent this. The best certificate authorities thoroughly check the websites that want one of their certificates. They may do more frequent malware scans of the sites that use their certificates. If a site has malware on it, they will notify the site managers and revoke the certificate until the site manager fixes the malware problem. If a certificate authority does a good job in vetting websites, those who make operating systems and browsers (like Microsoft and Mozilla) will list it among trusted certificate authorities and will not warn users about websites that use its certificates for validation. Here is a list of trusted certificate authorities that is included with the Firefox browser, for example. To become a member of Mozilla’s trusted certificate authority community, a certificate authority has to meet certain standards. Most of the time, you will see the certificate authority’s name after the padlock, and clicking on this will give you more information about the certificate it issued.

Let’s say I have a retail website that I want to certify so that my customers will trust me with their personal information. To get any degree of certification, all certificate authorities must at least be convinced that I own a particular domain. I will usually have to pay a fee to be certified. That fee varies, but can be as much as $1,200 a year and, perhaps, more. Often, the price is less and a few sites, such as Let’s Encrypt, will certify me for free. Yes, that’s correct. If I set up a free, or at least low-priced, valid website, I can get a free SSL certificate for it, and most people will assume it is safe. I will have a padlock and I will have an https address. But there is one problem. The certification information will not be in green. This will mean that I have only attained the lowest level of certification and that communication with my site is encrypted, which, most of the time, is better than nothing. If only I could get a free green padlock with its accompanying certification.

Although some sites claim to give free EV SSL certificates, they usually come at a price. Some sites hide this price under some term like ‘general verification fee’, which still means you have to pay something even though it might not be for the EV SSL itself. However, there is now intense competition in the EV SSL market as everyone who wants to set up a retail site wants the trust implied in the green padlock. This being the case, I have seen prices as low as $46, and my guess is that even a poor hacker could afford this fee if he/she wants to make some easy money.

Hackers, however, don’t usually care to go to these extremes. They usually just want someone to go to a site that appears connected to a trusted site like Amazon. Most people seeing the https or gray padlock will look no further. I investigated this angle by using the Censys search engine with Let’s Encrypt and found that they certified over 500 sites with ‘amazon’ in the name. Now, some of these, like amazon-fish.com, seem to be legitimate. This site lists fish in the Amazon River. Other sites that Let’s Encrypt certified, like amazon-cloud-computing.com, led me to a Chinese site. It is not clear what this site does, however, it has recently received a sharp increase in visitors almost entirely from the US (see graph below), which is somewhat suspicious.

(graph: visitor traffic to amazon-cloud-computing.com)

Many of these amazon-labeled sites have mysteriously disappeared, leading one to believe that they were used in phishing campaigns. Some pseudo-Amazon sites, which I will not name, have clearly been set up to steal personal information using Let’s Encrypt to establish their validity. In fact, Let’s Encrypt has been connected to a serious malvertising attack which installed the Angler Exploit Kit when victims visited Let’s Encrypt-certified sites. This exploit installed a banking Trojan on the victim’s machine.
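The Censys search above is the manual version of a check a defender can automate: watch newly issued certificates for a brand name sitting inside a domain the brand does not own. The following Python script is an added example, not code from the original post or from Censys or Let’s Encrypt. The certificate-log records, the brand allowlist and the keyword list are all constructed for the example; a real deployment would feed it Certificate Transparency entries and use the Public Suffix List instead of the naive “last two labels” rule.

```python
import re
from dataclasses import dataclass, field

# Constructed records in the shape of Certificate Transparency log entries:
# (issuer, certificate subject name). Not real log data.
SAMPLE_CT_RECORDS = [
    ("Let's Encrypt", "amazon-fish.com"),
    ("Let's Encrypt", "amazon-cloud-computing.com"),
    ("Let's Encrypt", "amazon-account-verify.net"),
    ("Let's Encrypt", "secure-amazon-login.xyz"),
    ("Let's Encrypt", "blog.example.org"),
    ("Example CA", "amazon.com"),
]

# Brand -> registrable domains the brand is known to own (constructed allowlist).
BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}}

# Words that commonly accompany a brand name in credential-harvesting hostnames.
CREDENTIAL_TOKENS = {"login", "signin", "account", "verify", "secure", "update", "billing"}


@dataclass
class Finding:
    name: str
    issuer: str
    brand: str
    score: int
    reasons: list = field(default_factory=list)


def split_name(name):
    """Return (dns labels, tokens split on '-', '_' and '.') for a hostname."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    tokens = [t for t in re.split(r"[-_.]", name) if t]
    return labels, tokens


def registrable_domain(labels):
    # Naive: the last two labels. A production tool would consult the Public Suffix List.
    return ".".join(labels[-2:])


def assess(issuer, name):
    """Return a Finding if the name carries a brand it is not known to own, else None."""
    labels, tokens = split_name(name)
    reg = registrable_domain(labels)
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue  # the brand's own domain; nothing to flag for this brand
        if not any(brand in t for t in tokens):
            continue  # brand string absent, including embedded forms like 'amazonn'
        reasons = [f"'{brand}' appears in a domain the brand is not known to own"]
        score = 1
        hits = sorted(CREDENTIAL_TOKENS.intersection(tokens))
        if hits:
            score += len(hits)
            reasons.append("credential-themed tokens: " + ", ".join(hits))
        return Finding(name, issuer, brand, score, reasons)
    return None


def flag_lookalikes(records):
    """Rank every record that looks like a brand lookalike, highest score first."""
    findings = [f for f in (assess(i, n) for i, n in records) if f is not None]
    return sorted(findings, key=lambda f: (-f.score, f.name))


if __name__ == "__main__":
    for f in flag_lookalikes(SAMPLE_CT_RECORDS):
        print(f"{f.score}  {f.name:30} issued by {f.issuer}: {'; '.join(f.reasons)}")
```

The score only orders the review queue; amazon-fish.com is flagged at the lowest score precisely because, as the post says, a brand word alone proves nothing and the issuer proves even less. The point of the check is that the padlock and the issuer name are not inputs at all: the hostname is.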

Trust is not quantifiable. Certificate authorities do their best to give trust, but there is never any guarantee. A comprehensive study undertaken by the Department of Computer Science at Stony Brook University came to the sobering conclusion that “a moderately motivated attacker can discover high-risk vulnerabilities in most certified websites, in less than one working day”. They give an example of such an exploit based on the security scanning protocol of the certificate authority. “We witnessed that the scanning requests of seal providers were always originating from the same IP range, often a block that is registered to the seal provider. It would thus be straightforward for an attacker to only expose his malware in case a request does not originate from an IP address related to a seal-provider. This way, an attacker could easily compromise a seal-utilizing website, while the website owner would remain under the impression the website was still secure as a consequence of the daily or weekly successful seal scans.” This is but one technique that the investigators discovered.

In short, trust on the internet is under siege and it is reflected in the percentage of people who worry about identity theft, credit card compromise, and banking fraud. This can be seen in a recent US Government report.

(chart from the US Government report on internet trust)

Such low trust levels will certainly not be helped by the recent discovery of flaws in Symantec’s SSL system, a system that was considered among the best on the market. The severity of the problem was signaled when Google announced it may take Symantec off its trusted certificate list. So it is that the preponderance of evidence leads to the conclusion that phishing scams and major industrial and governmental compromises are likely to be perpetrated through the manipulation of SSL certificates and, especially, the green padlock.

Hacker Corruption of Data May be the Next Major Attack Vector

“It’s not just even the loss of data. Increasingly, we are worried about the corruption of data. Think about the harm someone could do by an intrusion at a blood bank and changing blood types, an intrusion at a financial institution and changing just a few digits in the holdings of an institution.”

FBI Director James Comey, March 2017

“Weaponized data is the next threat vector challenging all of us in cybersecurity.”

Chris Young, speaking on corruption of data at the 2017 RSA conference

Yes, it should be obvious that serious problems could result if hackers gain control of a database and then alter it to suit their needs. For example, at the same RSA conference mentioned above, TrapX Security showed how medical devices were infected with malware. The company set up fake medical devices, such as MRI and CT scanners, on hospital networks to see if they would be attacked. They were. TrapX subsequently found malware on multiple devices “including an x-ray printer, an oncology unit’s MRI scanner, a surgical center’s blood gas analyzer and a health care provider’s PACS-picture archiving and communication system”. These devices could be used as a way to enter a hospital’s network and steal medical records. Such records could be sold on the deep web for a healthy profit. But they could also be used to get drugs, medical equipment, or healthcare. There is enough data in a medical record to completely take over someone’s identity and use it to apply for credit cards and other services. Stolen credit card information will only last until the owner of the card learns about it. Medical record information lasts forever. This is why hackers can sell one medical record for $50 but the data for one credit card can only bring in 25 cents.

But it’s not only money that’s the problem. These compromised medical machines can be manipulated to give inaccurate or deadly results. It’s unlikely that these hackers want to kill people, but they could do so or do so inadvertently. That being the case, such compromised medical devices could be held for ransom, which would be another way for hackers to monetize these attacks.

And it’s not just medical data that can be corrupted. Hackers can corrupt GPS data to perform a number of nefarious actions. At the lowest level, hackers learned how to spoof GPS data to play Pokemon Go and pretend they were in exotic places when they were not. At the highest level, GPS manipulation can bring down a country’s power grid. This is because power grids depend on GPS signals to synchronize power output within a grid. Spoofing the data could cause sections of the grid to burn out which, in turn, could bring down large sections of the grid. Such spoofing has already been done by North Korea. “North Korea jammed GPS signals in South Korea numerous times for periods that lasted between 4 and 16 days, disrupting GPS receivers in many cell towers in addition to over one thousand aircraft and hundreds of ships.”

There are devices that can produce false GPS signals which can trick GPS-dependent machinery into doing things that they normally would not do. Imagine what could happen to self-driving, GPS-dependent cars if these signals could be altered.


Then there are the hacks that could alter financial data to make monetary gains. A number of trading companies have been hacked and the data they held was either stolen or manipulated to make millions of dollars on stock markets around the globe. At Fast Track Holdings in Hong Kong, for example, “somebody hacked into its brokerage account on the afternoon of September 23 (2016) using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.”

In December of last year, it was reported that “Chinese traders hacked into the computer systems of U.S. law firms that handle mergers, then used the data for insider trading that generated more than $4 million.” Online brokers are constantly targeted. Sometimes, like in the attack on Scottrade which compromised 4.6 million users, they succeed.

Other forms of data corruption attacks have met with frequent success, such as those involving students hacking into school computers to change grades and alter schedules. In an attack at Kennesaw State University, the hacker managed to change his and some other students’ grades but failed to disable or alter the automatic messaging that informed the professor of the change, which led to the attacker’s arrest. The sad truth is that it is no longer unusual to see schools reporting such grade-changing hacking. Moreover, you can find hackers online who advertise that they can change the grades of students in any school or university. What we don’t know is how many hacks have succeeded and have not been noticed. I have yet to see anyone hacking a university to give themselves a fake degree, but this is not necessary as fake degrees from every Ivy League college are available for purchase in the deep web.

There is a demand in the deep web community for hackers who can break into police databases and change criminal records. This has reportedly been done in at least one instance. In this case, a hacker supposedly broke into police records related to the Orlando terrorist attack and attempted to change evidence to influence the investigation. “The FBI has detected some strange activity on the transcript. A hacker has been tracked from a Muslim region of Indonesia. He has tried to edit and remove all major key points.” Whether this really happened or not is difficult to confirm; however, the possibility of such data altering hacks is valid.

Other motives for altering data can involve companies or countries trying to undermine each other to gain a competitive edge. Altering production parameters could result in a company producing a defective product, for example. The Stuxnet malware altered the operating parameters of Iran’s centrifuges and destroyed them by making them spin out of control.

Intercepting and altering news feeds can create chaos and undermine journalistic credibility. It could get to the point where there is a general loss of confidence in anything we hear reported. Fake news has caused the stock market to plunge before and will probably do so again. If those making the fake news knew that it would cause such a reaction, they could profit from it.

Comey’s quote cited at the beginning of this post should be taken seriously because, in the past, Comey has often hinted at things that he already knows. In other words, data manipulation by hackers is already going on. The problem is that it is much harder to detect than something like theft. Expect to hear stories about such hacks making the news in the near future.
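The two points worth carrying away from this post are the Kennesaw case, where the attack was caught only because a change notification the attacker could not suppress fired, and the closing observation that altered data is much harder to detect than stolen data. A tamper-evident ledger addresses both: the detection does not depend on the attacker forgetting to disable an alert. The Python below is an added example written for this page, not code from any of the institutions mentioned. It seals each record with an HMAC that also covers the previous entry’s tag, so that editing a field, deleting a row, or reordering rows breaks verification; the key and the sample grade records are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives outside the database
# (HSM or KMS) so that an intruder who controls the database cannot re-seal records.
SEAL_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample rows, in the spirit of the grade-change case above.
SAMPLE_RECORDS = [
    {"student_id": 1001, "course": "CS101", "grade": "C"},
    {"student_id": 1002, "course": "CS101", "grade": "B"},
    {"student_id": 1003, "course": "CS101", "grade": "A"},
]

GENESIS = b"\x00" * 32  # chain anchor for the first entry


def canonical(record):
    """Serialize a record deterministically so equal records always hash alike."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key=SEAL_KEY):
    """Build a ledger where each entry's tag covers the record and the previous tag."""
    ledger, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        ledger.append({"record": copy.deepcopy(rec), "tag": tag.hex()})
        prev = tag
    return ledger


def verify_ledger(ledger, key=SEAL_KEY):
    """Return the indices whose record, position or predecessor no longer match the stored tag."""
    bad, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        expected = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            bad.append(i)
        prev = bytes.fromhex(entry["tag"])  # chain on the stored tag, not the recomputed one
    return bad


def altered_copy(ledger, index, field, value):
    """Simulate an intruder editing one field directly in the stored data."""
    tampered = copy.deepcopy(ledger)
    tampered[index]["record"][field] = value
    return tampered


def deleted_copy(ledger, index):
    """Simulate an intruder deleting one stored entry."""
    tampered = copy.deepcopy(ledger)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    ledger = seal_records(SAMPLE_RECORDS)
    print("clean ledger:", verify_ledger(ledger))                                  # []
    print("grade changed:", verify_ledger(altered_copy(ledger, 0, "grade", "A")))  # [0]
    print("row deleted:", verify_ledger(deleted_copy(ledger, 1)))                  # [1]
```

Chaining on the stored tag rather than the recomputed one keeps the report precise: a single edited row shows up as exactly that index, while a deletion shows up at the row that followed it, because its stored tag was computed over a predecessor that is now gone. The scheme only holds if the key is unreachable from the compromised database; with the key, an intruder simply re-seals.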


Trump May Have Been ‘WireTapped’ Through His Samsung Smartphone

And I’m not the only one who’s made this observation. One of the members of the hacking group, Anonymous, made the following comment on Trump’s smartphone of choice, the Samsung Galaxy S3.

(screenshot of the Anonymous member’s comment)

Whatever you may think about members of Anonymous, the statement is fundamentally correct. However, if you don’t trust anything coming from a member of Anonymous, cybersecurity expert, Bruce Schneier, remarked that, “His (Trump’s) off-the-shelf Android could potentially become a room bug without his knowledge and an attacker could certainly hijack his apps.”


The Samsung Galaxy 3

Trump’s smartphone could easily be infected by a RAT; a Remote Access Trojan. This type of malware allows an attacker to take complete control of a device from a remote location using internet connectivity. The attacker can turn on the microphone, the camera, and the GPS. With the built in keylogger, they can gather all of the victim’s usernames and passwords. They can, then, take over the victim’s email accounts and send any message they wish to any contacts. In short, they can pretend to be the user. How hard is it to get one of these programs? Not hard at all. Some are offered for free and come with complete instructions. In fact, you can watch Youtube videos on how to install and use them.

The problem is getting the victim to install the malware on their device. If I were going to attack Trump’s smartphone, I would not do so directly. I would try to compromise one of his family members or a trusted friend. Then, I could send a message from their compromised email or some app with an attachment for him to open. It could even be a valid attachment like a picture from some event that both of them had attended. Clicking on the attachment would install the malware. If it was good malware, especially a zero-day exploit, it would not be easily detectable. Trump would assume all was well because the phone would continue to operate as usual. However, he would continually be giving information to those controlling his device. Cybersecurity experts know that he continued to use the Samsung phone to send tweets until early this month. What we don’t know is if the phone had been upgraded to make it more secure. In late January, President Trump gave Fox’s Sean Hannity a tour of the Oval Office and showed him his desk which seemed to have a smartphone on it.


If we assume that Trump’s Samsung phone was hacked, the next question should be, who would hack it? Here, we are not short of suspects. Almost any nation-state would be interested in learning what the President of the United States was up to. If a nation-state hacked Trump’s phone, it wouldn’t be with off-the-shelf malware. It would probably be with a zero-day exploit that would remain well hidden. Although Russia is the cyber-attack darling of the moment, it is highly unlikely that they would gather and then leak any sensitive information. And it’s the leaking that’s important here. Someone or some entity was hacking and then leaking the information to the New York Times, the Washington Post, and the Associated Press.

If we eliminate nation-states as the source of the leaks, we are left with those actors who would benefit from shining a negative light on the executive branch. The fact that the leaks were given to members of the media associated with anti-Trump leanings points towards those who share these leanings. As Louis Clark, executive director of the Government Accountability Project, pointed out, these leaks seem to be made with the sole purpose of harming the president and his reputation. “There has been an extraordinary amount of leaking from this administration in just the first month.”

Trump initially blamed the intelligence community for some of the leaks. “It was disgraceful, disgraceful that the intelligence agencies allowed [out] any information that turned out to be so false and fake.” It is no secret that a hostile environment existed between the Trump administration and the intelligence community, but would they, or someone within it leak information? If this was the case, or if Trump was under investigation by some branch of the intelligence community, those responsible for securing Trump’s smartphone may not have pushed to have him stop using it. After all, it would be giving away one of the best sources for information. If Trump or his administration was being investigated for ties with Russia, for example, it is unlikely that the intelligence community would impede such an investigation by removing Trump’s smartphone from the loop. However, leaking information to the press would be counterproductive and would undermine their secrecy. Such leaks could only come from a rogue employee who had some political axe to grind.

The recent announcement from House Intelligence Chairman Rep. Devin Nunes disclosed that the intelligence community had incidentally collected information on Trump and the Trump administration while pursuing other investigations. Nunes was particularly upset in finding that members of the Trump administration and possibly Trump himself had been ‘unmasked’. Their identity was not protected even though the information was gathered incidentally. But it is no longer true that this need be the case if one of 16 government intelligence agencies is investigating someone within the administration. New rules were quietly signed off on by then Attorney General, Loretta Lynch, just before leaving office that allow such unmasking to occur. According to the New York Times, agencies can now “ask the N.S.A. for access to specific surveillance feeds, making the case that they contain information relevant and useful to their missions.” In other words, if Trump, or members of his administration, are being investigated by the FBI, that agency can request any intelligence gathered on them by the NSA, even if it has been incidentally gathered. The original document (PROCEDURES FOR THE AVAILABILITY OR DISSEMINATION OF RAW SIGNALS INTELLIGENCE INFORMATION BY THE NATIONAL SECURITY AGENCY UNDER SECTION 2.3 OF EXECUTIVE ORDER 12333) can be viewed here.

So was Trump’s Samsung smartphone hacked and, if so, was it the source for many of the leaks? I think the real revelation would be if his smartphone was not hacked. As for the leaks, the ability of 16 intelligence agencies to share data would expose that data to more individuals, some of whom may want to discredit the Trump administration and who are willing to risk leaking this information to do so. In fact, the new legislation makes it easier to leak documents because, with so many people having access to the classified information, the risk of being caught is reduced. In short, we can not only expect such leaks to continue, we should expect the number of leaks to increase.


Are You Being Spied On?

So, Wikileaks releases its CIA documents and the one thing that everyone loses their minds over is learning that their TVs can be used as eavesdropping devices. Really? Where have you all been for the last 5 years? This isn’t even news. Check out an article I wrote on spying devices some years back, When Appliances Attack, and you’ll see what I mean.

Our main concern should be whether or not we, the average citizen, should worry about the government spying on us. These leaks demonstrated the vast array of tools that the CIA has to spy on everyone. Can they install malware that will turn your TV or other connected devices into eavesdropping devices or worse? Yes, they can, but, according to the law, they cannot do so without a court order based on probable cause. That said, law enforcement could, in the course of their investigations, stumble across one of your devices. Yes, they could gather data from that device by accident, but it would not, in this case, be admissible in court.

It didn’t help the surge in paranoia when FBI director, James Comey, was widely quoted as saying, “There is no such thing as absolute privacy in America; there is no place outside of judicial reach.” And “Even our communications with our spouses, with our clergy members, with our attorneys are not absolutely private in America.” Furthermore, he claimed that “Even our memories are not absolutely private in America.”

All of this has been quoted out of context to make it appear as if the government has some supreme right to spy on anyone it has a whim to spy on. In fact, what Comey was saying was that the right to privacy disappears for those who participate in criminal behavior. Thus, “absolute privacy”, privacy for all, no matter what, does not exist. You may make the argument that the concept of probable cause can be stretched too far, but, legally, the government cannot spy on you without good reason.

But what about spying done by those outside of law enforcement? What are the chances that these bad actors are spying on you? Well, that depends largely on your profile and how you define ‘spying’. If you appear to have something that would pique the interest of certain parties, you will decidedly increase your risk. What are these factors? According to one source, if you

have an important, responsible, or secretive job,

have to attend confidential interviews or meetings,

are a scientist/politician/journalist/attorney/judge/police officer/local government official,

have a jealous partner or spouse who believes you are having an affair,

are getting divorced,

are a suspected activist,

are interested in conspiracies and frequent certain websites,

have a neighbor who hates you,

were arrested for, but never convicted of, a terrorist-related crime,

have a friend, neighbor, or relative who is under suspicion,

have recently made a substantial insurance claim,

are very wealthy,

are a celebrity, or

are the victim of a stalker

your chances of being spied on increase.

Yeah, there are a lot of good reasons to be paranoid and, for the most part, you can assume you are being spied on. Why? Because if you use Google, Facebook, Yahoo, or many other websites, you have given them the right to spy on you. Didn’t you read the privacy statement when you checked the ‘Accept’ box? Sure, few people do. Basically, you’ve given these sites the freedom to build a profile of you by watching you while you browse the internet and do other online activities. Yes, both Google and Yahoo can legally read your emails because you told them they could. They are trying to ‘enhance your online browsing experience’ by targeting you with ads that you will, hopefully, find more interesting. They learned what you are interested in by reading your email. But what if you joked about being a terrorist? Hmm, that’s when problems could begin. The government can always compel these companies to hand over your emails. They can also read your emails without you ever knowing about it. You can stop some of this spying by adjusting your privacy settings on Google and Yahoo, but you’ll never be completely free.


Smartphones are perfectly made to spy on you. They have GPS information, cameras, and microphones. With the proper spyware, (which can be downloaded for free) all of these can be turned on remotely by those who are interested in your behavior. They can film you, listen to you and your calls, and see where you are and where you’ve been. They can harvest your passwords, take over your email, and send messages to all of your contacts. In short, they can pretend to be you.


How do you know if your phone has been compromised? Well, if the spies use good malware, you may never know. However, if your battery appears to be running low faster than it used to, it may be an indication that your phone is doing something that you haven’t given it permission to do. If you’re not sure, you can download an app that will give you a record of your battery activity.

Sometimes spyware will turn your phone on without you being anywhere near it. Be suspicious if you see this happening. Snowden supposedly put his phone in a microwave oven or refrigerator to stop it from being accessed by unwanted agents or sending out radio signals. He has since designed a special case to prevent such behavior. Of course, the best prevention is to take out the phone’s batteries when the phone is not in use.

If you hear a strange background noise or clicking sounds while you’re speaking on your phone, your call might be being monitored. And, of course, look at your monthly phone bill to see if anything unusual has been going on. Also, keep in mind that the NSA can listen to any call you make to a location or receive from a location outside of the US.

Chances are your TV is not being used as a spying device. Yes, it can be hacked into to listen to you or, for those sets with built-in cameras, watch you. The current CIA leak focused on malware called Weeping Angel, which targets certain Samsung smart TVs. The malware can make it appear as if your TV is turned off when, in fact, it is not. It is secretly listening to you. This malware specifically targets Samsung TVs from 2012 (UNES8000F, E8000GF plasma, and UNES7550F) and 2013 (UNF8000 series, F8500 plasma, UNF7500 series, and UNF7000 series). You can tell if your TV has been compromised by looking behind it and seeing if a blue LED is on while the TV is supposed to be off. Unless you are a particularly high-profile target, I wouldn’t worry much about this. It is far more likely that your smart TV could become part of a botnet rather than an eavesdropping device, though I’m not sure this will necessarily give you much more psychological comfort.

Just remember that anything that is connected to the internet has the potential to be compromised. Your refrigerator won’t be watching what you eat because it doesn’t, at least for now, have a camera. It can, however, read your Gmail. What? How is that possible? Well, it’s not possible for all refrigerators, but one developed by Samsung linked the device to a user’s Gmail Calendar so as to put this information on the refrigerator’s display. In so doing, it compromised the user’s Gmail account. Using a man-in-the-middle technique, hackers were able to lurk in the calendar and capture the owner’s username and password, thus, gaining full control of the user’s account. This is a somewhat unique attack method which has probably never been used to any great extent. Most compromised connected refrigerators are used to send non-edible spam. Just remember that what is true of refrigerators is true for all your connected devices. But, as the old saying goes, if you can’t trust your refrigerator, what can you trust?
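The refrigerator case above is a man-in-the-middle against a connected device’s client software, and a client is only exposed to that if it accepts whatever certificate the other end presents. The Python below is an added example for this page, not a description of the Samsung firmware (whose code is not on this page): it puts a client TLS configuration that accepts any certificate beside one that verifies the chain, checks the hostname and refuses old protocol versions, and adds an audit function that flags the weak settings. Both contexts are built with Python’s standard `ssl` module and no network connection is made.

```python
import ssl


def insecure_client_context():
    """The weak setting: accept any certificate, so a man-in-the-middle is never noticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """The corrected setting: verify the chain, match the hostname, refuse TLS below 1.2.

    cafile is optional; None means the platform's default trust store. A device that
    only ever talks to one service could instead pin that service's CA here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses a client context would expose to an on-path attacker."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        issues.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS versions below 1.2 are accepted")
    return issues


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the part worth keeping: a device vendor can run it over every context its firmware builds, and a reviewer can run it over a third-party library’s context before trusting it with credentials. Disabling hostname checking alone is enough to let a valid certificate for any other name pass, which is why both checks are listed separately.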


Snapchat: The Best App for Those Having an Affair or Hiding Bad Behavior… Or Is It?

I have never seen an app so overrated as Snapchat. I have no idea why it is valued at $24 billion. My only guess is that there is either too much extra money floating around or that speculation has become dangerously optimistic.

The key selling point to Snapchat is its disappearing messages and photos. It’s meant to keep your communications secret. But Snapchat is to secrecy as Twitter is to informative discussion. In principle, both are possible. In practice, both fail at their goals.

Because it supposedly leaves no evidence, Snapchat is the first choice for those engaged in bad behavior, like having an affair. Why Snapchat and not Facebook? Let’s look at a few statistics. 41% of people caught having affairs say that they were caught because of what they posted on Facebook, and 66% of divorce lawyers claimed they used evidence from Facebook to advance their cases. The fear of getting caught is the main reason people give for not having affairs. 75% of men and 60% of women said that they would have an affair if they knew they wouldn’t get caught. You might wonder why these people simply don’t ratchet up their Facebook privacy settings. Well, maybe they don’t know how to. You can’t rule out ignorance when it comes to cyber security. However, even if they do lock down their Facebook page to just friends, it doesn’t stop the dedicated investigator from using a fake profile to get befriended by the targeted individual. So wouldn’t it be better just to use an app that includes the service of automatically making messages disappear? It is no wonder, then, that those involved in bad behavior, especially behavior that they expect to engage in over an extended period of time, choose Snapchat to stay safe from prying eyes. In fact, a site known as “The Affair Handbook (Learn how to cheat without getting caught!)” points out some “clever ways” you can use Snapchat with “your affair partner”. It’s at the point where simply seeing Snapchat on your partner’s smartphone should make you suspicious. Parents should also be concerned about their children in the same way.

This being the case, users of the app need to be assured that it does what it says it will do: keep their communications secret. There must be no way for disappearing messages to suddenly reappear. Well, in most cases and for most people, Snapchat will do the job. However, for those dedicated to saving chats and photos, there are ways to circumvent the disappearing message feature. For example, the person who receives your secret chat could take a screenshot of your photo or message. This is handy if, for example, you receive a photo of something you’d like to save, like a recipe or bus schedule. However, if the receiver does choose to take a screenshot of what was sent to them, the sender will be notified that this action has taken place. It’s too late to take the photo back, but the sender would probably be wary of sending any compromising photos in the future.

But there are other, more devious, ways to save chats and messages that do not inform the sender of what is really happening. At the most basic level, the person could just take a regular photo of the phone screen. It’s a bit primitive and probably not so easy to do, but it is effective. A phone, tablet, or camera could be used to take a continuous video of the Snapchat screen during a session and then this video could be saved thereafter.

There are apps and workarounds that do much the same thing but within the phone itself. Many of these apps have been sued by Snapchat and taken off the Google Play and Apple app stores. Still, they continue to pop up. Often, they are the same apps but with different names. Some apps are not specifically designed to capture Snapchat sessions but can be programmed to do just that. There are various screen capture apps that are said to work in capturing Snapchat sessions. However, even though some of these apps continue to be offered on Google Play, they have had to change their modus operandi. In the past, Apowersoft Android Recorder could be used to save Snapchat sessions. However, the app now notifies Snapchat message senders that it is being used. It is not clear if another screen recorder, AZ Screen Recorder, is still working with Snapchat, but it used to. The point here is that there will always be apps popping up that will compromise Snapchat’s secrecy, at least until they are blocked.

There are also some workarounds which take advantage of the Snapchat app itself. Some, such as the airplane mode hack, still seem to be working. This basically turns off connectivity to the Snapchat session, which leaves the photo/message/video screen locked and available for saving. If the app and phone are subsequently turned off and, then, connectivity is restored, the sender will not be notified that their information has been saved. You can see a video on this workaround here.

But you may not even need a workaround. According to some comments on Google Play, sometimes the messages won’t automatically delete.

“They do not delete any texts or pics or videos you send in the chats. Even with the clear conversation nothing gets deleted. My cousin hasn’t saved any texts either. Nothing deletes.”

And at other times the screen freezes on its own, even without using the airplane mode.

“I hate this app. The video chat sucks; make it a good quality chat. I can’t look at the screen for more than 5 seconds without it freezing, 6 seconds if I’m lucky, but PLZ fix it.”


Snapchat is not without its rivals, some of which are more reliable in keeping your conversations secret. A number of them even offer more features. In other words, Snapchat, as a messaging app, may now be having its temporary moment in the sun. Even its arch-rival, Instagram, has reasserted itself. In fact, one assessment shows that Instagram has gained the advantage.

[Image: snap instagram]

Instagram now offers a delete-after-24-hours feature and, recently, WhatsApp has offered the same. Apparently, that’s been a big hit. “Facebook Live and Instagram Stories have been a runaway hit and the Instagram feature, in particular, has stolen a large chunk of Snapchat’s user base. A similar feature on WhatsApp — which, with a user base of over a billion, dwarfs both Instagram and Snapchat in number of daily users — will probably spell doom for the company that came up with the idea in the first place.” According to one report, “there’s been an average decline in Snapchat Stories views of 20 to 30 percent from August until mid-January”. It now looks like Snapchat is using the IPO to shore up the company until some better idea comes along.

[Image: views per snap]

It may be that Snapchat can solve its problems or come up with something more innovative. The teenagers I’ve talked to, who use Snapchat as a regular messenger and not simply to hide their behavior, say that the interface is easier to use than the other social apps. They like the disappearing message/photo feature because they don’t have to worry about cleaning up storage space later on. They were not aware of the new disappearing message feature in WhatsApp and Instagram, however.

Snapchat does include a cash transfer feature called Snapcash, which the company may be banking on. Some have expressed alarm at a cash transfer feature being included in a messaging app that is most popular with children and teens. Others claim that the app’s lack of good security practices leaves it vulnerable to hacking, similar to the hack that occurred in 2014.

At the beginning of this post I said that, “I have never seen an app so overrated as Snapchat”, and I’ll stand by that conclusion no matter how much of a darling the stock may be at the beginning of its IPO offering.


Ukraine Braces for an All-Out Cyber Attack on its Infrastructure

Nir Giller, co-founder and CTO of the cybersecurity firm CyberX, suspects that Russia is behind new malware that has been found lying in wait in key infrastructure, banks, media, and scientific research sites throughout Ukraine. However, a member of CyberX contacted me and indicated that they have no direct evidence that this is true.

The main purpose of this new malware, dubbed BugDrop, is reconnaissance. It is designed to turn on the microphones of specifically targeted devices so as to let the operators listen in on sensitive conversations. The conversations are saved as sound files and then surreptitiously uploaded to Dropbox. Although eavesdropping seems to be its main purpose, the malware is also capable of scanning computers and devices for documents and passwords, and of grabbing screenshots. Since there is no way for the malware to determine which conversations are valuable and which are not, it appears to require a large network of humans who can analyze the immense amount of uploaded data coming in from numerous sources. This requirement for human support, with the expense that this would incur, plus the sophistication of the malware, indicate that it must have been developed and deployed by a nation-state.

The real sophistication in this malware is in the methods it uses to remain undetected. Here are some of the ways CyberX discovered BugDrop uses to remain hidden.

[Image: CyberX’s list of the methods BugDrop uses to remain hidden]

In addition, the malware encrypted the file in which all of the stolen data was stored, so, if found, it could not be identified.

Keep in mind that much malware only needs to infect one device, such as a smartphone, to spread throughout a network. Unsurprisingly, the initial infection begins with a well-designed phishing email which includes an appropriately named Microsoft Office document as an attachment. However, when the victim tries to open the document, they receive what appears to be a legitimate message which looks like this.

[Image: the fake Microsoft Office message asking the victim to enable macros]

The message is in Russian, but translates as, “The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of the document”. If the victim subsequently enables macros, as suggested, the malware is released.
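As an added, defender-side illustration of this infection path (not code from CyberX or from this post): a small Python check that inspects an OOXML attachment for an embedded VBA project and flags a macro hidden behind a non-macro extension. The zip entry names are the real OOXML locations for VBA projects; the sample documents are constructed inline, and the check assumes OOXML input only.

```python
import io
import zipfile

# Zip entry names under which OOXML files keep an embedded VBA project.
MACRO_ENTRIES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions whose format is allowed to carry macros at all.
MACRO_ENABLED_EXTS = ("docm", "dotm", "xlsm", "xltm", "pptm", "potm")


def find_macro_entries(doc_bytes: bytes) -> list:
    """Return the VBA project entries present in an OOXML (zip) document.

    Assumption: OOXML only. Legacy OLE binaries (.doc/.xls) are not zips,
    so they fall through as [] here and need an OLE parser instead.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [e for e in MACRO_ENTRIES if e in names]


def assess_attachment(filename: str, doc_bytes: bytes) -> dict:
    """Classify an Office attachment by whether it carries a VBA project."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    macros = find_macro_entries(doc_bytes)
    if not macros:
        return {"verdict": "allow", "reason": "no VBA project found"}
    if ext not in MACRO_ENABLED_EXTS:
        # A .docx/.xlsx carrying VBA is malformed or disguised: treat as hostile.
        return {"verdict": "block", "reason": f"VBA in .{ext} file: {macros}"}
    return {"verdict": "quarantine", "reason": f"macro-enabled document: {macros}"}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus filler stands in for the VBA blob.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample_docx(False)),
                      ("invoice.docx", build_sample_docx(True)),
                      ("budget.docm", build_sample_docx(True))):
        print(name, assess_attachment(name, doc))
```

On real mail flow this check complements, rather than replaces, a policy that blocks macros in documents arriving from the internet.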

It may not seem as if this malware is very threatening. After all, the malware developers only seem to have a network of reconnaissance devices. No harm seems to have been done. However, it is well-known that reconnaissance is the first stage of a more serious attack, such as the attack that took down part of the Ukrainian power grid in December 2015. In other words, the attackers have a far more sinister goal in mind and, given the extent of the surveillance, whatever the attack will be, it is sure to be highly organized, precisely targeted, and extensive. It is probably being planned as you read this. With that, let me introduce BlackEnergy and Telebots.

It is quite clear that if an all-out cyber attack occurs, it will probably be based on the malware that brought down part of the Ukrainian power grid in 2015, BlackEnergy 3. BlackEnergy has been around for a while, but its newer models come with Stuxnet-like capabilities, as they can target any computer-dependent industrial controls that, for example, are necessary for the proper operation of most machinery. Although the latest malware found in the infrastructure has been named Telebots, ESET, the cybersecurity firm that discovered it, believes it to be just another upgrade of BlackEnergy.

Similar to the attack vector outlined above, the Telebots group uses spear-phishing email with a fake Microsoft Excel document as the malware-releasing attachment. The malware can compromise other computers not connected to the internet by employing a tunneling tool. The attackers can also, when they are finished with their attack, employ KillDisk, which is basically a hard drive erasing tool. It can be set to begin its destruction at a particular date or to target particular files. Look at it this way. If you wanted to disrupt a network, you would first steal all the important data that you could; then, you could make the computers operating that network, or machinery connected to it, unusable.

To begin the attack, the reconnaissance performed with BugDrop would be analyzed to discover the weak points in the target country’s infrastructure. The subsequent attack would simultaneously bring down those weak points in a specified manner, the purpose of which would be to spread chaos. Needless to say, since many institutions and businesses are interconnected and, thus, dependent on one another, the attackers would not have to infect all aspects of the country’s infrastructure with malware to bring the entire nation to the point of complete collapse, but the developers probably already know this.

The assault on the Ukrainian power grid in 2015 can be considered a test, a proof of concept. The fact that that test succeeded led to phase two: a comprehensive reconnaissance program. The final assault, phase three, will likely use an even more sophisticated malware which can be installed by initiating an upgrade of pre-existing malware already residing in the infrastructure. It is important to note that the Telebots malware contains an automatic malware updater. In my opinion, the chaos resulting from a full scale cyber attack would most likely be coordinated with phase four, the final, physical, military assault. Under these conditions, the ensuing battle would be overwhelmingly one-sided.

But Ukraine will not give up without a fight. They have some of the best hackers of all shades, and some of them have probably used BlackEnergy as a template to develop infrastructure-destroying malware of their own. In other words, a serious infrastructure attack on Ukraine will probably trigger a counterattack against Russia. Did the Russian trial cyber attack in 2015 trigger a counterattack? It’s possible. According to one source, Russia suffered a 50% increase in cyber attacks on power companies in 2016, with 350 total attempts. The US government is also getting nervous. They are also preparing for an infrastructure attack, and, in anticipation of it, they have invested $4 million in the Chess Master Project aimed at protecting critical infrastructure. Tests of Ukraine’s response capabilities may continue to ramp up to the point at which Russia may feel enough confidence to launch a more serious attack. If an attack occurs, other nations may be wittingly or unwittingly drawn into it. This is why the situation must be closely monitored. I will update this post if more information becomes available.
