Monthly Archives: February 2016

Hackers Are Holding an LA Hospital’s Computers Hostage


Ransomware attacks, in which hackers lock your computer or keyboard until you pay a ransom, are on the rise. The latest notable ransomware victim is Hollywood Presbyterian Medical Center in Los Angeles, whose computers have been offline for over a week. The computers will come back online, the hackers reportedly say, in exchange for $3.4 million, paid in bitcoin.

The Hack

The incident, first reported by a local NBC affiliate, affects the Los Angeles hospital’s computer systems, including those needed for lab work, pharmaceutical orders, and even the emergency room.

While the hospital’s spokesperson was unavailable to comment, HPMC president and CEO Allen Stefanek told KNBC that it was “clearly not a malicious attack; it was just a random attack.” It’s not clear what he means, though; a hospital in a wealthy neighborhood seems unlikely to be a random target, especially for such a large sum.

As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a “key” in exchange for the ransom money. The hospital has yet to officially detail the attack.



Who’s Affected

Stefanek told NBC4 that patient care hasn’t suffered, although some 911 patients have been sent to other nearby hospitals. Meanwhile, it appears to mostly add up to a headache for those in the HPMC system because hospital staff have had to write all documentation out by hand for the last week. Some patients, meanwhile, need to drive to more remote hospitals for medical tests that HPMC cannot offer without a functioning network.

The fallout appears limited to this one hospital, though, and even within its walls the impact seems annoying, but not crippling. HPMC says it’s working with the FBI, LAPD, and computer forensics experts to recover its systems.

How Bad Is It?

Given the range of things that could potentially go wrong at the intersection of hospitals and hackers, this isn’t so terrible. But in terms of the scale of the ransom, it’s about as bad as it gets. Symantec recently pegged the total amount of ransomware paid out in any given year at $5 million. This single incident asks for well over half that amount.

The bigger impact may not be clear until after the incident is resolved. If the hospital ends up paying out, it could inspire copycat attacks. If not, and the hackers are identified, it could act as a deterrent. Either way, for now it shows that no target is off limits for ransomware, nor is any sum.

The Windows 10 Security Settings You Need to Know

So you finally installed Windows 10 and joined the ranks of the other 67 million users. You open your browser to search for a place to grab lunch, and Bing already knows your location. You notice that all the banner ads are geared toward your secret knitting hobby. And when you open Cortana to ask what’s going on, she knows your name and the embarrassing nickname your mother calls you.

This may seem like a stretch, but you’d be surprised by the amount of personal information Windows 10 collects from its users—information including phone numbers, GPS location, credit card numbers, and even video and audio messages. Of course, Microsoft’s privacy statement outlines all the data that is collected, and you agreed to this when you downloaded Windows 10 and accepted the terms of service.

In this Age of the Unread Terms of Service Agreement, it’s important to, well, read the ToS. It’s too easy for our technologies to gather personal information without our realizing it. Microsoft is far from the only perpetrator, but since it just delivered us an exciting new operating system, it’s time to dig into those settings.

The Fine Print

In the privacy statement mentioned before, Microsoft goes through three ways it uses personal data: “(1) to operate our business and provide (including improving and personalizing) the services we offer, (2) to send communications, including promotional communications, and (3) to display advertising.” If you want to know more about what Microsoft is talking about, I highly encourage you to browse the privacy statement (seriously), but here’s the gist of it:

1. “To operate our business…”: Many of Microsoft’s applications require personal information in order to operate. For example, if you are using the Maps application, it will need your location to function properly. This instance makes sense, but not all applications are quite as direct with their usage of your information. Cortana also uses your location, and the only way to prevent this is to not use Cortana. Microsoft also collects data to understand why certain applications crash in order to improve them, but this also means tracking your usage of these applications. This means that if Microsoft Office crashes while you are using it, Microsoft will be able to see the Excel or Word documents that were open during the crash.

2. “To send communications…”: Microsoft gathers contact information to make sure it can reach you if any of its primary means of communication fail. Recall that Microsoft already disclosed in the privacy statement that it collects the phone number, email, and mailing address of its users. But Microsoft mainly disclosed that it uses this information to send promotions. Microsoft does this because it wants you as a loyal customer; to manage these communications, click here if you have a Microsoft account, or here if you do not. It is also important to mention that this information is shared with “Microsoft partners.”

3. “To display advertising”: It seems like standard internet procedure to track users in order to sell ads. Facebook does it, Google does it, and Microsoft does it. Microsoft generates revenue from ads, and by selling demographic information to third-party advertisers, Microsoft can make even more. This is called interest-based advertising, and Microsoft even gives you your own advertising ID to make things easier. You can opt out of interest-based ads by following this link. However, opting out does not prevent data collection, nor does it result in fewer ads.

Turning Off the Tracking

First things first: Head to your privacy settings. Hit Start, find Settings, then click Privacy. From the Privacy menu you can alter how your computer uses the information from your location, microphone, camera and so on. While in the Privacy menu, you’ll want to click Feedback & Diagnostics and change the Feedback Frequency to “never” and Diagnostic and Usage Data to “basic.” Doing this will help prevent Microsoft from gathering random information.

Guard Your Browser History

Edge sends your Internet browsing history to Microsoft in order to “help Cortana personalize your experience.” You can turn this off by clicking on the ellipsis button in the top right corner of Edge, then go to Settings > Advanced Settings > View Advanced Settings, and under Privacy and Services turn off “Have Cortana Assist Me in Microsoft Edge.” And while you’re in the Privacy and Services menu, make sure you turn off “use page prediction to speed up browsing, improve reading, and make my overall experience better” (which is an incredible title for a default setting).

Don’t Get Tricked Into Creating a Microsoft Account

Windows 10 also prompts you by default to create a Microsoft account, but you should probably skip this if you are concerned about your private information. Not creating an account will keep your activity and information local to your computer, while having an account will give Microsoft a link to tie all of the metadata it gathers back to your identity. Before creating a Microsoft account, be sure to read up on its privacy policy.

In order to delete or manage your Microsoft account go to Settings > Accounts > Your Account.

Exercise Cortana Caution

While Cortana may be one of the most exciting parts of Windows 10, she’s a bit intrusive. Microsoft prides itself on Cortana’s ability to learn about you and create a more personal experience, but in order to do this Cortana has to gather a lot information from you. This information includes anything from location, contacts, and even speech and handwriting data. Perhaps most significantly, all your interactions with Cortana are stored in the cloud.

All of this is part of Microsoft’s attempt to make Windows 10 more personalized, but if that sounds too creepy for you, you can adjust your settings by logging in here. From there you can clear the “interests” data that Cortana and Bing learned about you, as well as clear other Cortana data including “Speech, Inking and Typing” information.

Make sure to recheck your settings after each Microsoft update!

Password cracking attacks on Bitcoin wallets net $103,000

Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years’ worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as “brain wallets” because, the thinking went, Bitcoin funds were stored in users’ minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen, and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed plaintext passwords through a single hash iteration (in this case, the SHA256 function), a shortcoming that made it possible for attackers to crack large numbers of brain wallet passwords at once. Worse, a form of the insecurely hashed passwords is stored in the Bitcoin blockchain, providing all the material needed to compromise the accounts.

By contrast, Google, Facebook, and virtually all other security-conscious services protect passwords by storing them in cryptographic form that’s been passed through a hash function, typically tens of thousands of times or more, a process known as key stretching that greatly increases the time and resources required by crackers. The services also use cryptographic salt, a measure that requires each hash to be processed separately to prevent the kind of mass cracking Castellucci did. Security-conscious services also go to great lengths to keep password hashes confidential, a secrecy that’s not possible with Bitcoin because of the transparency provided by the blockchain.

Brain drain

According to a recently published research paper, the brain wallet vulnerability was known widely enough to have been regularly exploited by real attackers going after real accounts. Over a six-year span that ended last August, attackers used the cracking technique to drain 884 brain wallet accounts of 1,806 bitcoins. Based on the value of each coin at the time the theft took place, the value of the purloined coins was $103,000.

“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” the paper authors wrote. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”

The paper, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” is scheduled to be presented later this month at the Financial Cryptography and Data Security 2016 conference. Its publication comes about six months after Brainwallet.org, the most widely used Bitcoin-based brain wallet service, permanently ceased operations. The service voluntarily shut down following the Defcon presentation by Castellucci, who is one of the authors of the most recent paper.

To identify brain wallets and then crack them, the research team compiled 300 billion password candidates taken from more than 20 lists, including the Urban Dictionary, the English language Wikipedia, the seminal plaintext password leak from the RockYou gaming website, and other large online compromises. By collecting words and entire phrases from a wide body of sources, the researchers employed a technique Ars covered in 2013 that allowed them to crack words and phrases many people would have considered to be strong passwords. Cracked passphrases included “say hello to my little friend,” “yohohoandabottleofrum,” and “dudewheresmycar.”

The researchers ran each password candidate through the SHA256 function to derive a list of potential private keys for Bitcoin addresses used by brain wallets. They then used a cryptographic operation based on elliptic curves to find the public key corresponding to each potential private key. Since the Bitcoin blockchain contains the public key of every account wallet, it was easy to know when a password guess was used by a real Bitcoin user.
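The pipeline described above (one unsalted SHA256 pass over the passphrase, then a secp256k1 scalar multiplication to get the public key that the blockchain reveals), together with the salted, key-stretched alternative that the earlier paragraph credits to Google, Facebook and other services, as an added Python example that is not part of the Ars article or of the paper it covers. The curve arithmetic is a minimal textbook implementation written for this illustration; the set of “published” public keys, the passphrases and the candidate list are all constructed for the demo, and the PBKDF2 parameters are an assumption, not anything the article specifies.

```python
"""Added example: why an unsalted single SHA-256 pass is a weak way to turn a
passphrase into a Bitcoin private key, and how salt plus key stretching changes
the economics.  Toy secp256k1 arithmetic is inline; the "blockchain" below is a
constructed set of public keys, not real chain data."""
import hashlib
import os

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:                                  # doubling (curve has a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _scalar_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def pubkey_hex(priv: int) -> str:
    """Uncompressed public key (04 || x || y) as hex, the form early brain wallets used.
    Once a wallet spends, this value is visible to everyone in the blockchain."""
    x, y = _scalar_mul(priv, G)
    return "04" + x.to_bytes(32, "big").hex() + y.to_bytes(32, "big").hex()


def brainwallet_priv(passphrase: str) -> int:
    """The brain wallet derivation the article describes: one unsalted SHA-256 pass.
    Same passphrase -> same key, for everyone, forever; nothing per-user is mixed in."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


def stretched_priv(passphrase: str, salt: bytes, iterations: int = 100_000) -> int:
    """Contrast: salted, iterated derivation (PBKDF2-HMAC-SHA256; parameters are an
    assumption for the demo).  Reduced mod N so the result is a valid scalar."""
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return int.from_bytes(digest, "big") % N or 1


def find_weak_wallets(candidates, published_pubkeys):
    """Audit step: which candidate phrases map straight onto a published public key?
    This is the membership test the article says was easy against the blockchain."""
    hits = {}
    for phrase in candidates:
        pk = pubkey_hex(brainwallet_priv(phrase))
        if pk in published_pubkeys:
            hits[phrase] = pk
    return hits


# Constructed scenario: two wallets funded from passphrases plus one from a random key.
PUBLISHED = {
    pubkey_hex(brainwallet_priv("demo passphrase one")),
    pubkey_hex(brainwallet_priv("another demo phrase")),
    pubkey_hex(int.from_bytes(os.urandom(32), "big") % N or 1),
}
# Constructed wordlist; only one of the funded phrases is in it.
CANDIDATES = ["password", "demo passphrase one", "letmein", "qwerty123"]

if __name__ == "__main__":
    print("weak wallets found:", list(find_weak_wallets(CANDIDATES, PUBLISHED)))
    k1 = stretched_priv("demo passphrase one", b"salt-a")
    k2 = stretched_priv("demo passphrase one", b"salt-b")
    print("same phrase, different salts, same key?", k1 == k2)
```

The point of the contrast is in the function signatures. `brainwallet_priv` is a pure function of the passphrase, so one SHA256 table computed over a wordlist can be checked against every public key the chain has ever revealed. `stretched_priv` takes a per-wallet salt and an iteration count, so a guess has to be repeated for every wallet and each guess costs a full PBKDF2 run; that is the gap between a single hash iteration and the “tens of thousands of times or more” the article mentions. (A randomly generated key, as the third published entry shows, is never reachable by guessing phrases at all.)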

The paper reported that vulnerable accounts were often drained within minutes of going live, and in an interview, Castellucci said that some accounts were liquidated in seconds. Castellucci said he suspects the speed was the result of attackers who used large precomputed tables containing millions or billions of potential passwords. While many of the attackers who drained vulnerable accounts earned paltry sums for their work, the top four drainers netted a total of about $35,000 among them. Meanwhile, the drainer who emptied the most brain wallets—about 100 in all—made $3,219.

The thefts were often chronicled in online forums, where participants would report that their Bitcoin wallets had mysteriously been emptied. For a while, people assuming the role of a digital Robin Hood claimed to crack vulnerable wallets, drain them of their contents, and then wait for the victim to publicly complain of the theft on Reddit or various bitcoin forums. The Robin Hood and Little John hackers would then claim to return the funds once the victim proved control of the compromised private key.

While plenty of people publicly warned of the risks of brain wallets over the years, the vulnerability was often dismissed as theoretical. Brain wallets are now generally shunned by Bitcoin users, but Castellucci warned that an alternative cryptocurrency known as Ethereum can use a brain wallet scheme that’s every bit as weak as the Bitcoin one was. He is withholding details for now in the hope that Ethereum brain wallets will soon be abandoned.

Verizon Shutting Down Public Cloud, Gives Users One Month to Move Data

Verizon Communications, which several years ago had huge public cloud ambitions, is shutting down its public cloud service, which competes head to head with giants like Amazon Web Services and Microsoft Azure.

The company notified its cloud customers of the coming change Thursday, giving them one month to move their data or lose it forever. It has already removed any mention of public cloud compute services from its website.

The move appears to be a confirmation of what many in the industry have been predicting, especially since news started coming out of big telcos looking to offload massive data center portfolios they had amassed in recent years to go after the cloud services market. It has become almost impossible to compete with AWS, Azure, and to a lesser extent with Google Cloud Platform in the market for renting virtual compute power over the internet and charging by the hour.

In competing with each other, these giants have made the cost of using cloud VMs so low and built out global infrastructure so big that no one can really manage to keep up. HP made several attempts to become a public cloud provider but failed, and so did Dell. Notably, IBM is still in the market, gradually expanding its cloud data center capacity around the world.


Publicly, Verizon has been quiet about its plan to discontinue public cloud services, one of its spokespeople telling Fortune the closure affected a “cloud service that accepts credit card payments…” The world learned about it from a tweet by one of its cloud customers, who posted the entire notice, giving customers the deadline of April 12 to move their data elsewhere:


A Verizon spokeswoman did not respond to a request for comment from Data Center Knowledge in time for publication.

The company is offering its Virtual Private Cloud services as an alternative. These are dedicated, physically isolated cloud environments. They are usually a lot more expensive than public cloud services, where many customer VMs run on shared physical servers.

“Please take steps now to plan for migration to VPC or another alternative before the discontinuation date,” the notice read. “Verizon will retain no content or data remaining on these Cloud Spaces after that date and any content or data that you do not transfer prior to discontinuation will be irrecoverably deleted.”

Services being shut down are Public Cloud and Reserved Performance Cloud Spaces. Public cloud storage services will remain intact.

Kenneth White, the user who posted Verizon’s notice on Twitter, is a security researcher and co-founder of the Open Crypto Audit Project. In another tweet, he referred to Verizon’s “credit card payment” response to Fortune as spin:

One of the people who commented under White’s original tweet was involved in one of HP’s failed early efforts to build a public cloud business, saying those efforts stood little chance against AWS:

The commenter, Tim Pletcher, was a senior engineering manager at HP between 2011 and 2014, according to his LinkedIn profile.

Gartner analyst Lydia Leong, one of the top industry analysts covering cloud services, wrote in a tweet that although the technology behind Verizon’s public cloud was impressive, going from vision to successful product is a difficult road:

Another one bites the dust !!!!!


Laboratory and Online Malware Analysis

Your network has been compromised by a virus, worm, Trojan, botnet client or some other form of Malware. As the Systems or Network Administrator, you know Malware analysis is necessary because your system (or network) has been exposed. The goal is to figure out what the Malware has done so you can determine the damage caused by this activity. You also need to figure out the threat or vulnerability your company has been exposed to and determine whether there is a risk that information is leaving your enterprise.

Depending on the nature of your business (cybersecurity exists to facilitate the conduct of business), the Administrator investigates to determine whether there could be damage to individual users or consumers through the loss of credit card or personal information. The Administrator must also check whether there is damage to the company through the loss of intellectual property that the Malware has exfiltrated. An initial assessment of the loss or damage is made. Although Malware attacks have permeated every platform, the Windows environment remains the most popular platform to attack among Malware authors.

The Security minded Administrator will have a Virtual or traditional controlled (isolated) laboratory set up to examine Malware specimens. The Virtual lab allows the Administrator to run multiple clients or servers (and multiple operating systems) on a single computer system to examine how Malware specimens interact with other computer systems within a network. The Virtual lab also allows you to record the state of a system or network (before the Malware is introduced) by taking snapshots. This also allows the Administrator to return a system or network to its original state after the analysis is complete.

Networking in the Virtual environment allows the Administrator to observe the Malware exhibit its full potential in a controlled environment as the malicious program reveals its network interactions. When you employ this laboratory setup, you must use a large hard drive (to hold the virtual machines’ disk files on the physical system) and install as much RAM in the physical system as you can (memory is an important performance factor for virtualization tools). You will employ an inexpensive hub or switch where applicable.

Professional Malware writers have begun producing Malware that can detect whether it is being run in a virtualized environment. This makes it practical to also have physical machines available as laboratory systems. The Isolated Test Lab is a necessity for proper analysis and for developing the skills critical to an Administrator and Incident Response (IR) team responding to security incidents. The free tools that will aid the Administrator’s analysis in the lab are:

  1. Network monitoring: Wireshark – we can use this network sniffer to observe lab traffic for malicious communications.
  2. Process monitoring: Process Explorer (and Process Hacker) – we can replace Windows Task Manager and observe malicious processes.
  3. Change detection: Regshot – we can compare the system’s state (Registry and file system) before and after the infection.
  4. File system and registry monitoring: Process Monitor (with ProcDOT) – we can observe how local processes read, write, or delete registry entries and files. These tools can help you understand how Malware attempts to embed itself into the system upon infection.

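The before-and-after comparison that Regshot performs (item 3 above), as an added Python example that is not part of the article and not Regshot’s own code: one snapshot function for a file tree (path to SHA-256), one generic diff that also works on a registry-like key/value map, and two constructed scenarios so it runs offline. The directory contents, the simulated infection changes and the registry entries are all made up for the demo; the only real things are the path and key naming conventions.

```python
"""Added example (not from the article): the change-detection idea behind Regshot,
done as before/after snapshots of a file tree and of a registry-like map.
Everything the demo functions build is constructed sample data."""
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256.
    The hash is also what you would submit to a lookup service instead of the file."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Compare two key->value snapshots (file hashes or registry values)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo_filesystem():
    """Snapshot a constructed tree, apply constructed 'post-infection' changes,
    snapshot again and return the diff (dropped file, encrypted document,
    edited hosts file, deleted backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "Windows" / "System32" / "drivers" / "etc"
        etc.mkdir(parents=True)
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        user = root / "Users" / "analyst"
        user.mkdir(parents=True)
        (user / "report.docx").write_bytes(b"original document")
        (user / "backup.bak").write_bytes(b"backup copy")
        before = snapshot_tree(root)

        # Constructed changes standing in for what a sample might do in the lab.
        (user / "report.docx").write_bytes(b"encrypted blob")
        (user / "backup.bak").unlink()
        (root / "Windows" / "System32" / "updater.exe").write_bytes(b"dropped binary")
        (etc / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 update.example\n")
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


def demo_registry():
    """Same comparison on a constructed registry-like map; autostart (Run) entries
    and service start types are where persistence and tampering usually show up."""
    run = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    svc = r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start"
    before = {run + r"\OneDrive": r"C:\Users\analyst\OneDrive.exe", svc: "2"}
    after = dict(before)
    after[run + r"\Updater"] = r"C:\Windows\System32\updater.exe"   # new autostart
    after[svc] = "4"                                                 # service disabled
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for name, result in (("files", demo_filesystem()), ("registry", demo_registry())):
        print(name)
        for kind, keys in result.items():
            for key in keys:
                print(f"  {kind:8} {key}")
```

Run the snapshot once on the clean VM, detonate the sample, run it again, and the diff is the starting list for the file-system and registry side of the behavioural analysis; the SHA-256 values in the “added” set are what you would feed to a hash lookup rather than uploading the dropped file itself.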
An Administrator who has gained a sense of the key capabilities of the malicious executable may seek to discover details of the Malware’s characteristics through code analysis. There are disassemblers, debuggers and memory dumpers freely available that will assist with the process of reverse engineering the malicious executable.

Malware Behavioral Analysis

Behavioral analysis of the Malware specimen we have isolated allows an Administrator to figure out what the Malware has done and what it is capable of doing as it interacts with its environment. When we are subject to a Malware attack, we can see whether it maintains contact with an attacker, what actions it performs within an infected system and how it spreads. Analyzing the Malware in a controlled (isolated) environment can answer all of our IR questions and guide the IR team to the proper response.

In the case of zero-day infections, for which no antivirus signatures exist yet, the IR team has a virus loose on the system or the network performing tasks that are contrary to operations while the Administrators don’t really know what it is doing. The antivirus software has no up-to-date signature, so it does not remove the Malware. We must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape and infect the operations environment.

Online Malware Analysis Tools

There are many websites that can be of assistance in performing malware analysis. Because of the overwhelming amount of malware we are inundated with and the destructive nature of what it does, people have come to understand the value of malware analysis, and many sites will perform the analysis for you.

The first website we will mention is “Virus Total”. It is a community-driven website. It allows you to upload a file and have “Virus Total” perform the analysis. The site will analyze your upload and tell you whether it’s a piece of malware, identified by name or class, and give you some understanding of what that malware has done or what it can do, which gives the user a better understanding of what they are dealing with.

A second website I would like to mention is “Cuckoo”. It gives you the ability to perform an analysis from file properties and from a hash of the file. “Virus Total” looks at the characteristics of the file that has been uploaded. “Cuckoo” will actually run the software for you and capture what is going on in real time.

This is actually done in a very safe environment. It performs these actions through the use of virtual machines. “Cuckoo” automates the process with virtual machines running the executable malware so we can actually see what is going on in the machine or on the network. Basically, “Cuckoo” is a virtual sandbox that allows us to observe and analyze malware.

There are other websites that perform free automated behavioral analysis (malware analysis) on compiled Windows executables (that an Administrator may supply). The primary difference is each website employs a different analysis technology on the back end. The advantage for the Administrator (who is submitting the executable) is that it broadens the field of analysis on the executable. These tools include:

Anubis

BitBlaze

Comodo (Automated Analysis System)

EUREKA

Malwr

ThreatExpert

Conclusion

When we have software that is being used for malicious purposes, the Administrator needs to understand what is happening on the systems or network. The Administrator needs to know the damage this piece of executable software has introduced into the network so we can determine what contingency to undertake to correct the problem. The Administrator can also figure out what is needed to protect the network or recover from the malicious activity that has gone on with this Malware that was introduced into operations.


New Technology Could Help Predict When And Where Crimes Will Happen


NEW YORK (CBSNewYork)– Slashings. Rapes. Murders. Imagine what life would be like if the criminals could be stopped before they ever get started.

In the aftermath of a crime, investigators rush to connect the dots that can help crack the case.

But now, thanks to new technology, those dots are being connected before a crime is even committed.

“This is the next level,” George Spadoro, former mayor of Edison, New Jersey, told CBS2’s Maurice DuBois.

Spadoro says the technology is the future of law enforcement and that it could prevent anything from a subway slashing to a terror attack.

“When you have tight budgets, you need to be able to provide an increased level of protection for your citizens with less manpower,” Spadoro said.

Here’s how it works: Hitachi’s new visualization system gathers massive amounts of information from a wide range of unconnected sources. These sources include social media, transit maps, weather reports, crime statistics, camera feeds and more. It then interfaces all of those sources on one pane of glass.

Authorities can then activate the crime prediction software to look for patterns, patterns that can not only help identify criminals’ intent, but also when and where they’ll likely strike again within a two-block radius.

Mark Jules is the man behind the system.

“If you go back and look at hey, it’s a Saturday, it’s a certain time of day, it’s a certain temperature, this is where that’s happened… then you combine that with social media that can all start to predict when and where it’s going to happen,” Jules told CBS2.

New York Waterway is the first organization in the area to incorporate parts of the Hitachi system, allowing both the ferry company and law enforcement to monitor its boats in real time.

“If there was a hostage situation on a boat, they can see the lay out of the vessel, the placement of the cameras and how many people we have on board,” Jules said.

The software is currently being used in Washington, D.C. and is expected to roll out in six more cities soon, New York City not being one of them. The NYPD would not specifically comment on Hitachi, but did tell CBS2 it began field-testing a similar application just last month.

FBI and Local Retired Law Enforcement Offer Security Training for Houses of Worship

On February 9, about 165 faith leaders attended a new U.S. government program at Dallas FBI Headquarters to provide security training for houses of worship. Dallas U.S. Attorney John Parker said churches, synagogues, and mosques want to have a welcoming environment, but “they have to be very careful about who they let in.” An active shooter drill was part of the training for religious leaders. Parker said he plans to repeat the program to expand the training to more religious leaders. “They’ll go back to their places of worship and they’ll develop security committees and protocols to, not fortify their places of worship necessarily, but make them more secure,” he said.

PLACERVILLE (CBS13) — A Placerville gun range owner is offering training for church leaders to help keep their congregations safe.
Geof Peabody says he’s trained more than 500 ministers and church security teams and has seen a dramatic increase in calls over the last few months.

At the Green Valley Community Church, about half of the security team is now packing heat. Dan Moore is a gun-toting, God-fearing man who is part of a growing trend of faithful with firearms at the church.
“How many of the mass shootings lately have occurred in gun-free zones? All of them. Okay? They know it’s a target rich environment,” he said.

Peabody aims to make the environment less target rich with concealed carry weapons courses for ministers and church security teams. “The last class that we just did which was introductory handgun training for church security members, we had nine different churches that were represented with about 25 students who came,” he said.

But he’s quick to point out that being armed does not mean you necessarily have to shoot. He walked through the interference technique. “As long as it can keep turning I can keep firing. But as soon as you can grab it all the way around and stop the cylinder from turning, all of a sudden the machinery becomes inoperable and you can put a stop to the execution. You don’t need to have a gun,” he said.

While nearly half of the church security team is armed, Moore admits not everyone in the congregation is on board with it. His hope is that over time, they’ll see value in the education, where he says parish safety is his only goal.

“The more of us there are, the better the chance of success is,” he said.

FBI Still Can’t Access San Bernardino Shooter’s Encrypted Phone

Although the phone has been taken as evidence, there is still no way to find out what information it holds, because the encryption key can be unlocked only by the owner.

The FBI still cannot unlock the encrypted cellphone of one of the San Bernardino shooters more than two months after the California terrorist attack.

FBI Director James Comey told the Senate Intelligence Committee on Tuesday that his agency’s inability to access the information in the retrieved phone is an example of the effect on law enforcement of the growing use of encryption technology.

Comey said the problem of “going dark” is overwhelmingly affecting law enforcement at all levels.

“It affects cops and prosecutors and sheriffs and detectives trying to make murder cases, car accident cases, kidnapping cases, drug cases,” Comey said.

He said the biggest concern was phones that automatically locked and secured all information inside.

“It is a big problem for law enforcement armed with a search warrant, when you find a device that can’t be opened even when a judge said there’s probable cause to open it,” Comey said.

Sen. Dianne Feinstein of California, the ranking Democrat on the committee, and the committee’s chairman, Sen. Richard Burr, R-N.C., have said they are considering legislation that would compel manufacturers to provide law enforcement access to encrypted data when there’s a court order. Industry associations have opposed such proposals.

While encryption issues are more common in local criminal cases, counterterrorism investigations are also affected, Comey said. He cited the December attack in San Bernardino, in which Syed Rizwan Farook and Tashfeen Malik killed 14 people at a holiday party.

“In San Bernardino, a very important investigation to us, we still have one of those killers’ phones that we have not been able to open. It’s been over two months now; we’re still working on it,” Comey said.

Comey previously told Congress that investigators could not read more than 100 text messages that one of the shooters who attacked a cartoon contest in Garland, Texas, last year exchanged with an “overseas terrorist.” The contest was to draw caricatures of the Prophet Muhammad.

Privacy advocates who oppose limits on encryption argue that giving such backdoor access to data opens devices to thieves and hackers. A recent report from Harvard University’s Berkman Center for Internet and Society concluded that law enforcement fears of encryption are exaggerated, in part because increasingly sophisticated technology is opening up other ways for police to conduct surveillance.

National Intelligence Director James Clapper told the senators that he thinks the government and tech companies should be able to work out a solution without resorting to legislation.

“I’m not sure we’ve exhausted all the possibilities here technologically,” Clapper said.

Adm. Michael Rogers, director of the National Security Agency, said “encryption is foundational to the future.” The challenge, he said, is finding the balance between privacy and security.

Security for Wireless Devices

This subject of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts:

  • Even back in 2013, 98 percent of U.S. small businesses used wireless technologies in their operations, according to an AT&T poll.
  • The Internet of Things (IoT) is rapidly expanding, and it is based firmly on wireless. For example, many home and office security systems are wireless.
  • Mobile phones are becoming the main avenue to the Internet for an increasing number of people all over the world.

So it makes sense that wireless security should be a big concern.

Wireless technologies are more vulnerable than wired technologies

Keep in mind that many businesses have both wired and wireless networks. Wireless devices are vulnerable to any attack that can be made on wired devices, but there are many more threats to wireless networks, because wireless transmits data over the air, and the air cannot be secured. So wireless technologies must incorporate more safeguards against eavesdropping and man-in-the-middle attacks than wired technologies.

For example, man-in-the-middle attacks in a wireless environment are child’s play. An attacker connects to the Internet and configures a laptop to look like a legitimate wireless access point (AP). Victims wanting Internet access unwittingly connect through the bogus AP. Furthermore, the attacker can launch a de-authentication attack, causing devices already connected to a legitimate AP to drop their connection and automatically reconnect to the attacker’s AP. The attacker now has unlimited access to data transmitted by any attached user, since wireless operates at Layer 2. Layer 3 protections such as encryption, network authentication, and virtual private networks (VPNs) cannot protect against this scenario.
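One defender-side check against the scenario just described, as an added example that is not part of the original article: a detector that parses raw IEEE 802.11 management frames and flags both a de-authentication burst and a beacon advertising the company's SSID from a BSSID that is not on the trusted list. The SSID "CorpNet", both MAC addresses and the frames themselves are constructed sample data.

```python
# Added example (not from the article): flag de-authentication floods and evil-twin
# beacons in raw 802.11 management frames; addresses and frames are constructed samples.
import struct
from collections import Counter

HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1..3, seq ctl
DEAUTH, BEACON = 12, 8             # management-frame subtypes

def parse_mgmt(frame):
    """Return subtype, source, BSSID and body of a management frame, else None."""
    if len(frame) < HDR.size:
        return None
    fc, _, _, src, bssid, _ = HDR.unpack_from(frame)
    if (fc >> 2) & 3:              # type bits 2-3 must be 0 (management)
        return None
    return {"subtype": (fc >> 4) & 0xF, "src": src.hex(":"),
            "bssid": bssid.hex(":"), "body": frame[HDR.size:]}

def analyse(frames, trusted, threshold=10):
    """frames: (seconds, raw) pairs; trusted: {ssid: {bssid, ...}}. Alert when one
    source sends > threshold deauths in a second (the de-authentication attack) or
    a beacon carries a trusted SSID from an unlisted BSSID (the bogus AP)."""
    alerts, deauths = [], Counter()
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None:
            continue
        if f["subtype"] == DEAUTH:
            key = (f["src"], int(ts))
            deauths[key] += 1
            if deauths[key] == threshold + 1:   # report each burst once
                alerts.append(f"deauth flood from {f['src']} at t={int(ts)}s")
        elif f["subtype"] == BEACON:
            body = f["body"]                    # 12 fixed bytes, then SSID element (tag 0)
            if len(body) >= 14 and body[12] == 0:
                ssid = body[14:14 + body[13]].decode("utf-8", "replace")
                if ssid in trusted and f["bssid"] not in trusted[ssid]:
                    alerts.append(f"evil twin {f['bssid']} advertising '{ssid}'")
    return alerts

# Constructed capture: genuine beacon, evil-twin beacon with the same SSID,
# then a burst of broadcast deauths spoofing the genuine AP's address.
BCAST, CORP_AP, ROGUE_AP = b"\xff" * 6, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
TRUSTED = {"CorpNet": {CORP_AP.hex(":")}}
def _beacon(bssid, ssid):  # fixed fields: timestamp, interval, capability; then SSID IE
    return HDR.pack(0x0080, 0, BCAST, bssid, bssid, 0) + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
def _deauth(ap):           # reason code 7, as a real AP would send
    return HDR.pack(0x00C0, 0, BCAST, ap, ap, 0) + struct.pack("<H", 7)
SAMPLE = [(0.0, _beacon(CORP_AP, "CorpNet")), (0.5, _beacon(ROGUE_AP, "CorpNet"))]
SAMPLE += [(1.0 + i / 100, _deauth(CORP_AP)) for i in range(15)]
```

Because the spoofed de-auth frames carry the genuine AP's address as their source, the flood alert names the AP being impersonated rather than the attacker; it is the evil-twin alert in the same window that points at the rogue BSSID.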

Two wireless devices can communicate without involving the access point. This is clearly not a possibility in the wired world. So not only must there be protection against external threats, but also against other devices attached to the AP.

Denial of Service attacks are a danger to any network, but especially to wireless networks, given their restricted bandwidth.

Wireless Security measures that don’t work

Some sources recommend wireless security measures that are not effective for business. Here are three examples:

  1. Most wireless configurations provide MAC filtering. Here, an administrator enters a list of the MAC addresses (Layer 2 addresses) of authorized devices. A device with a MAC address that is not on the list is blocked. But any attacker with sniffing software can easily find authorized MAC addresses since MAC addresses in Layer 2 headers are not encrypted. The attacker simply changes his own MAC address, via widely-available software, to an authorized address, and he’s “in”.
  2. In setting up a wireless network connection, there is normally an option to hide the SSID (Service Set Identifier). This keeps the network from appearing in the list of available networks, but does not prevent anyone from using the connection.
  3. Static IP addressing stops attackers from being assigned DHCP addresses. It does not block a knowledgeable attacker.

Recommended strategies to implement a wireless network

There are different approaches depending on the size of the organization and the level of in-house IT expertise:

  1. Create a completely isolated wireless network: Users must authenticate and have acceptable security software before they can connect to the Internet or, for that matter, to any local network resources. This approach requires a Network Access Server.
  2. Forward all web traffic to a proxy server which provides authentication and authorization.
  3. Require users to access resources through a virtual private network (VPN). VPNs provide encryption from the user’s location to the destination router (remote-access VPNs) or from the user’s router to the destination router (site-to-site VPNs). There are numerous implementations of VPNs including PPTP, L2TP, IPsec, and SSH.

Using end-to-end encryption would be ideal. However, not all intervening software and hardware may support encryption. For example, not all web sites offer https, and even if they do, the browser sends out IP addresses in clear text. The next best alternative is to require users to connect to the company network through VPNs.

Of course, authentication is critical. IEEE 802.11i Wi-Fi Protected Access II (WPA2) should be used. For authentication, there are alternatives:

  • Pre-shared key (PSK): This is normally used only in a home environment and provides Advanced Encryption Standard (AES) encryption.
  • EAPOL (Extensible Authentication Protocol over LANs) with 802.1X and an authentication server such as RADIUS or DIAMETER: There are open-source RADIUS servers that could easily accommodate the needs of most businesses.
  • EAPOL with EAP-TLS: The majority of implementations require client-side X.509 certificates.

A hardware or software card or token can be used in combination with the above authentication techniques, depending on the vendor.

Finally…

Educate your users about the dangers of using public wireless. Be aware of “shoulder surfing” in public wireless areas. An attacker doesn’t necessarily have to be a computer genius.