Daily Archives: July 6, 2016

Thoughts on Emailgate.

Posted on July 6, 2016 | Leave a comment

Department of State

Note: not a political post, just adding some Infosec commentary to what we were told yesterday.

Last night, I sat back and watched FBI Director James Comey’s press conference on the Hilary Clinton email saga through my technical and investigative eyes.

I think it was the first mainstream press conference I’d seen with so much mention of slack space, a digital forensics term for the portions of the hard drive not currently used, but filled with fragments of previously deleted files. It was like when you see someone you knew from growing up on the local news and thinking, “oh, I used to sit next to that person in math class!”

The overview of how the FBI had reconstructed years worth of “shadow IT” usage by the former Secretary of State and her staff, spoke of a classic unwinding of the spaghetti exercise. Where a path that lead to an end state is crisscrossed by avenues that may or may not be of relevance, but nevertheless must be investigated.

James Comey then went on to list the findings of the investigation, and painted a picture, which is unfortunately a picture that I’ve personally seen painted over and over again through my work in information security and digital forensics.

A culture existed at the State Department that allowed Mrs. Clinton and her staff to operate outside the boundaries of the policies, procedures and regulations that were in place to protect information and people. In this case of course, that is all the more concerning, because we’re talking about highly sensitive national security information which is protected by law.

In Comey’s words, Clinton and her staff were “Extremely Careless” in their information handling.  He was right, they were, there can be no denying that. As he went into detail on some of Mrs. Clinton’s email practices, I was reminded of a few similar cases I’d personally worked on.

  • While conducting a security review of a semiconductor’s perimeter IP address range, I found evidence that FTP sites were being hosted on an unofficial server within the range. As it turned out, one of the network administrators had punched a hole through the firewall to a server that was hidden in the data center, attached to the internal network, and he made money hosting data for others with zero overhead costs. I was shocked to discover that this was a known activity when it was raised in the report, although, when I explained the risk in more detail the sites did go away, and the network administrator was reprimanded and eventually lost their job.
  • I once stumbled across an undocumented SSH entry point to a hosting environment, set up by a team to bypass a corporate two-factor requirement. It had been “approved” by a couple of layers of management.
  • I conducted an audit of an on-premises corporate Exchange deployment and found that a senior member of an organization was forwarding every single email received to a personal Gmail account, because they preferred the Gmail UI. The idea had been suggested by another person within the company.
  • Anecdotally, I have a thousand stories of siloed groups within organizations using “cloud services” and tools dangerously “under the radar”.

In all of the cases above, a culture existed in which, for whatever reason, people were empowered to do extremely careless things, which put the safety of information at risk. Much like at the State Department in regards to email.

The problem is, the end result doesn’t really care if it is born of malice, extreme carelessness or ignorance. It’ll still be the same. And if the end result is a breach, well, we’ve all seen that one play out many times.

In the end, the FBI will not be recommending charges against Mrs. Clinton or her staff. I’m not going into any more detail on whether I think that is right or wrong. To use one of those most horrific of terms, “it is what it is, and we can’t change that.”

Given this fact, I hope if anything positive comes out of this case, it’s the following:

  • The case highlights that security cultures everywhere, especially in government agencies charged with keeping us all safe, that empower this type of behavior, get an overhaul.
  • It encourages more productive and positive conversations between IT teams, Security teams and end users about things that they find restrictive or cumbersome in their working lives, so a mutually acceptable solution can be found.
  • It reinforces that no one within an organization should be above the rules when it comes to information security. Leaders should set an example.
  • That security teams are reminded that not all threats come in the form of IDS alerts from Chinese IP addresses. Some of your biggest risks might be right under your nose, in the form of Shadow IT lurking in broad daylight. Get visibility, now.

 

The US government is touting cyber as the next theatre of warfare. If the US wants to be seen as a leader in cybersecurity, a top down order to discover and address the doubtless many Emailgates that are occurring right now must surely be forthcoming.

Leave a comment

Posted in Cyber Security, eDiscovery, Forensic, Law Enforcement

Tagged ,

Mobile ransomware use skyrockets, blocking access to phones

Posted on July 6, 2016 | Leave a comment

mobile_phones-100576186-primary_idge
Kaspersky Lab has detected almost four times as many attacks on its Android customers compared to last year

The number of users infected with mobile ransomware is skyrocketing, as hackers try to expand the number of potential victims they can target.

Compared with a year ago, almost four times as many users are being attacked by mobile ransomware, security firm Kaspersky Lab said on Wednesday.

It’s a troubling trend. Ransomware has typically targeted PCs by encrypting all the information that is inside the targeted machines, and then holding the data hostage in exchange for money.

The threat is that users who fail to pay ransom will see all the data erased. Hospitals, schools and police departments have all been major victims. But increasingly, hackers have begun focusing on smartphones.

Kaspersky looked at its own Android customers and noticed the spike. Between April 2015 and March this year,136,532 of its users encountered a mobile version of ransomware. That’s up from 35,413 in the year earlier period.

Kaspersky customers in Germany, Canada, the U.K. and the U.S., in that order, were the top four countries affected by mobile ransomware.

The largest mobile ransomware family detected is called Fusob, Kaspersky said.  It was responsible for 56 percent of the attacks during the year and targets Android users.

Victims are unwittingly downloading it when visiting porn sites. Fusob masquerades as a multimedia player, called xxxPlayer, that’s been designed to watch the porn videos.

Once downloaded, Fusob can block all user access to a device. Victims are told to  pay between $100 and $200 in iTunes gift cards to deactivate the block.

Most of the victims have been located in Germany. The ransomware ignores devices that use Russian and several Eastern European languages.

Kaspersky noted that much of mobile ransomware detected actually doesn’t encrypt any information on the infected device. Smartphone owners usually back up all their data to a cloud service anyway, so there’s no point to try and encrypt it, the security firm said. Instead, the ransomware blocks user access to apps on the phone. Often, victims of mobile ransomware will see a ransom note on their device’s screen with instructions on how to pay the ransom, and will not be able to use the phone otherwise until they do so.

Hackers are increasingly using mobile malware in order to expand the number of potential targets outside of PCs, according to security firms.

“In the end, they’re going to follow the money, and find what’s most effective,” said Christopher Budd, the communications manager with Trend Micro. He expects ransomware to continue to evolve and possibly target more Android-based devices, including smart TVs in the future.

To avoid ransomware, Kaspersky advises that users regularly update their software and back up all crucial files. Users should also be wary of downloading anything from untrusted sources and look into buying strong security software.

Leave a comment

Posted in Cyber Security, Data Breach

Tagged ,