Monthly Archives: September 2016

Ransomware Is Now Officially Extortion Under California Law


Of course everyone knows that hacking into a computer is a federal crime, and infecting a system with ransomware already falls into that bucket. However, California’s SB-1137, signed into law last Tuesday by Governor Jerry Brown, is the first law that specifically expands extortion statutes to include ransomware.

The bill’s support in the California Senate was helped by testimony from Hollywood Presbyterian Medical Center, where operations were largely shut down by a ransomware infection. The attackers sent the decryption code after the hospital paid $17,000 in Bitcoin.

It is very easy to hide your tracks as a ransomware criminal. Very few people have been arrested for ransomware attacks in the continental U.S. From our perspective, the California bill is more of an “awareness” thing than anything else. Some hackers decided to have some fun with it: soon after the California Senate passed it, the Senate’s site was hit with ransomware, and in a separate attack the office of Sen. Bob Hertzberg, who introduced the bill, was also hit.

Though it’s existed for at least 10 years, ransomware has skyrocketed since September 2013 with CryptoLocker. Europol declared Wednesday it’s the internet’s “most prominent malware threat.” The FBI has issued multiple warnings to American businesses. Prevention requires a multi-layered approach.

Here Are 8 Things To Do About It (apart from having weapons-grade backup)
  1. From here on out with any ransomware infection, wipe the machine and re-image from bare metal.
  2. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly.
  3. Make sure your endpoints are patched religiously, OS and 3rd Party Apps.
  4. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers.
  5. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA).
  6. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud.
  7. Check your firewall configuration and make sure no criminal network traffic is allowed out.
  8. Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email.

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.


IT Security Vulnerabilities that Can Lead to an Inside Job

Vlad de Ramos, a 22-year veteran of IT Management and IT Security, is today’s guest blog writer, giving us some practical advice on IT security vulnerabilities. What a timely piece of writing. So many industries are facing security issues today, both external and internal. Vlad will cover how to take steps to guard your business on all fronts. Please help me welcome Vlad to TheDigitalAgeBlog.

A data breach can happen to anyone, and IT security failures are not only damaging and costly for businesses: customers suffer as well, and people lose their jobs too.

In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of businesses suffered a breach in their data security. Despite the prevalence, about 46 percent did not employ encryption solutions following the IT security failure. About 74 percent of the companies surveyed report losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).

It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.

Companies that take IT security seriously should guard their business on all fronts. Unfortunately, many companies admit that they are still lacking when it comes to securing themselves from the inside. One reason many organizations fail to set up effective safeguards is that they are in denial about the magnitude of the IT security threat posed by an inside job.

Here are some of the reasons your employees can contribute to IT security failures.

Inside Insider Jobs

There are a variety of reasons a company’s very own employees can take part in inside jobs such as financial gain, desire for power and recognition, revenge on a co-worker or boss, and response to blackmail from inside and outside the organization.

Some employees are lured into inside jobs due to their loyalty to some people in the organization or to colleagues who recently left on not-so-good terms, while others do it for personal and political beliefs.

There are also insider jobs that are linked to activist groups and organized crime. In a 2012 report by Carnegie Mellon University’s CERT (computer emergency readiness team) Insider Threat Center, researchers found that out of 150 cases of IT security failures analyzed, about 16 percent were linked to organized crime.

According to psychologist Monica Whitty of the University of Leicester, employees who “willingly” assist in IT security attacks may be suffering from one or more of the following conditions: narcissism, psychopathy, and Machiavellianism, which is defined as “the employment of cunning and duplicity in statecraft or in general conduct”.

In a 2013 study by the Centre for the Protection of National Infrastructure (CPNI), findings showed that people who engage in insider attacks might have two or more of the following qualities: low self-esteem, lack of ethics, immaturity, tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.

Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying jobs, such as creating copies of sensitive materials beyond what is necessary and removing protective markings on documents when creating their own copies. Insiders also often engage in unusual IT activities, such as searching for keywords in a company-sensitive database.

Management Vulnerabilities

Motivations and unusual behaviors are just one side of the story.

The lack of an effective IT security protocol opens up vulnerabilities within the organization that employees can use. Some of these include:

  • Administrator and other privileged access that isn’t monitored.
  • Unattended company devices such as USB drives and laptops.
  • Hard drives that weren’t properly disposed of.

But even with an advanced security practice, human error can still pose a threat. Most of the time these are innocent mistakes due to the lack of knowledge in IT security. These include improper file transfers, illegal uploads and downloads, as well as using personal devices in the workplace for business purposes.

In other cases they are intentional, because of management issues. Disgruntled, burned-out, and dissatisfied employees can turn into accomplices. The Verizon Data Breach Report 2016 found that employees transferred data via USB before they left the company. Companies that had fraud detection were able to identify the employees who leaked information within weeks, while those that didn’t took months or years.

Secure Your Posts

Don’t just look for loopholes in the IT infrastructure. In ensuring the safety of your business and customers, you also have to analyze the status of the people within your organization. Ensure the security of all your posts by looking not just outside in but also inside out.
Please feel free to comment on Vlad’s post.

ABOUT THE AUTHOR:
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.



Yahoo says 500 million accounts stolen

Yahoo (YHOO) confirmed on Thursday that data “associated with at least 500 million user accounts” has been stolen in what may be one of the largest cybersecurity breaches ever.

The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.

Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.

The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.

Yahoo is working with law enforcement to learn more about the breach.

“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”

A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn (LNKD) and MySpace.

Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.

“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”

U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.


Re/code first reported Yahoo would confirm the data breach.

The data breach comes at a sensitive time for Yahoo.

Verizon (VZ) agreed to buy Yahoo’s core properties for $4.83 billion in late July, just days before the hack was first reported. The deal is expected to close in the first quarter of 2017.

Verizon says it only learned of the breach this week.

“Within the last two days, we were notified of Yahoo’s security incident,” a spokesperson for Verizon said in a statement provided to CNNMoney. “We understand Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.”

The mega-breach could create a headache for both companies, including damaging press, scrutiny from regulators and a user exodus, just as they’re working to close the deal and figure out the future of Yahoo.

Blumenthal said law enforcement and regulators “should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”



Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed


Hackers take Remote Control of Tesla’s Brakes and Door locks from 12 Miles Away


Next time you find yourself behind the wheel, make sure your car is actually under your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Today many automobile companies offer vehicles in which the majority of functions are electronically controlled, from the instrument cluster to the steering, brakes, and accelerator.

These electronic control systems not only improve your driving experience but also increase the risk of getting hacked.

The most recent car hack was performed on a Tesla Model S by a team of security researchers from Keen Security Lab, who demonstrated how they were able to hijack the car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple models of Tesla and believed they would work across all marques.

“We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode,” Keen writes in a blog post. “We used an unmodified car with the latest firmware to demonstrate the attack.”
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars.”

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how it could remotely take control of a Tesla’s brakes and apply the brakes from 12 miles away by compromising the CAN bus that controls many vehicle systems in the car.

The researchers were also able to remotely unlock the door of the car, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators and windscreen wipers, as well as fold in the wing mirrors while the vehicle was in motion.

The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car’s web browser is used.

The team demonstrated the hacks against a Tesla Model S P85 and Model 75D and said its attacks would work on multiple Tesla models. It was able to compromise the Tesla cars in both parking and driving modes at slow speed in a car park.

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team said it is Tesla’s “proactive attitude” towards its vulnerability report that made the fix available to customers within ten days, whereas other automakers have required much more time and more complex procedures to update vehicles after major bug disclosures.

The team plans to release details of its hacks in the coming days, Keen said on Twitter.



FBI Director — You Should Cover Your Webcam With Tape

Should you put tape or a sticker over the lens of your laptop’s webcam?

Yes, even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.

Covering your laptop’s webcam is a cheap and sensible way to guard against hackers and intruders who might want to watch your private life and surroundings through your devices.

In fact, Comey recently came out defending his own use of tape to cover his personal laptop’s webcam.

People Are Responsible for Their Safety, Security & Privacy

During a conference at the Center for Strategic and International Studies, when Comey was asked whether he still put tape over his cameras at home, he replied:

“Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine.”

Comey went on to explain that it is common practice at the FBI and other government offices to cover computer and laptop webcams with tape or some physical cover.

“It’s not crazy that the FBI Director cares about personal security as well,” he continued. “If you go into any government office, we all have our little camera things that sit on top of the screen, they all have a little lid that closes down on them, you do that, so people who do not have authority don’t look at you, I think that’s a good thing.”

Comey believes that putting a cover over webcams is one of the “sensible things” that everyone should be doing to “take responsibility for their own safety and security.”

The Edward Snowden leaks revealed the NSA’s Optic Nerve operation, which captured webcam images every 5 minutes from random Yahoo users; in just six months in 2008, images of 1.8 million users were captured and stored on government servers.

Internet of Things: Security Nightmare

However, putting a tape over the lens of your computer’s webcam would not solve the problem, especially in this era when we are surrounded by so many Internet-connected devices that are a security nightmare.

Due to insecure implementations, these Internet-connected, or Internet of Things (IoT), devices, including security cameras, are so vulnerable that hackers routinely hijack them and use them as weapons in cyber attacks.

So it is far easier for hackers to compromise your security cameras than your laptop’s webcam in order to keep track of you and your surroundings.

Do you feel the need to use a tape over your webcam? Let us know your comments.

Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’

Courts across the country can’t seem to agree on whether the FBI’s recent hacking activities ran afoul of the law—and the confusion has led to some fairly alarming theories about law enforcement’s ability to remotely compromise computers.

In numerous cases spawned from the FBI takeover of a darkweb site that hosted child abuse images, courts have been split on the legality of an FBI campaign that used a single warrant to hack thousands of computers accessing the site from unknown locations, using malware called a Network Investigative Technique, or NIT.  Some have gone even further, arguing that hacking a computer doesn’t constitute a “search,” and therefore doesn’t require a warrant at all.

But a federal judge in Texas ruled this week that actually, yes, sending malware to someone’s computer to secretly retrieve information from it—as the FBI did with the NIT—is a “search” under the Fourth Amendment.

“[T]he NIT placed code on Mr. Torres’ computer without his permission, causing it to transmit his IP address and other identifying data to the government,” Judge David Alan Ezra wrote Friday, in a ruling for one of the NIT cases, in San Antonio, Texas. “That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a ‘search’ for Fourth Amendment purposes.”

As obvious as that sounds, not everyone agrees. Previously, another judge in Virginia stunningly ruled that a warrant for hacking isn’t required at all, because a defendant infected with government malware “has no reasonable expectation of privacy in his computer.”

That judgment was a leap from several other rulings, in which judges claimed that users of the Tor anonymity network, where the illegal site was hidden, have no expectation of privacy in their IP address—even though hiding your IP is the entire point of using Tor. The argument—which the Department of Justice apparently agrees with—states this is because Tor users technically “reveal” their true IP address to another computer when they first enter the Tor network, through an entry point called a “guard node.” (That computer cannot determine what sites the user visits, however.)

But while the FBI’s use of malware was definitely a search, Judge Ezra of Texas nevertheless denied the defendant’s motion to suppress evidence obtained by the NIT.

That’s because it can’t be proven that the FBI “willfully” violated Rule 41(b), a procedural rule that’s meant to stop judges from authorizing searches outside of their districts. The FBI is now controversially seeking to expand that rule, which would grant them the power to hack computers anywhere—not just within the jurisdictions where the hacking was authorized.

Instead, Judge Ezra wrote that the NIT warrant “has brought to light the need for Congressional clarification regarding a magistrate’s authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user’s identity.”

How Hackers Can Disrupt ‘911’ Emergency System and Put Your Life at Risk


What would it take for hackers to significantly disrupt the US’ 911 emergency call system?

It only takes 6,000 Smartphones.

Yes, you heard it right!

According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.

The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.

And as few as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.

Where Does the Problem Lie?

Researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regulations demand all calls to 911 must immediately be routed to emergency services, regardless of the caller’s identifiers.

In other words, mobile carriers route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without verifying the caller’s identity or whether the caller is a subscriber to the mobile network.

These identifiers could be a phone’s International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell whether the caller is a subscriber to their service and identity of the mobile equipment, respectively.

How can Attackers Carry Out such Attacks?

All an attacker needs is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The attack can be carried out in two ways:

  • By infecting smartphones with malware, or
  • By buying the smartphones needed to launch the TDoS attack.

The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.

The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.

“Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally,” the team notes in the paper.

Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, which could cost $100,000 or $3.4 million respectively – a small sum for state-sponsored attackers – to jam the 911 emergency system in an entire state or across the whole country.

This TDoS attack should not come as a surprise: during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 effectively caused a denial of service on both the telephony network and the emergency reporting system.

Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina’s 911 network and attacked it instead.

The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running the Android 4.4 and 5.x operating systems to test their work.

How can we prevent such DDoS campaign against our Emergency Services?

Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Also, blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.

However, the researchers suggest some countermeasures that can mitigate such attacks, which include:

  • Storing IMEIs and other unique identifiers in a phone’s trusted memory region (such as ARM’s TrustZone), where malware cannot alter them.
  • Implementing a mandatory “Call Firewall” on mobile devices to block DDoS activity such as frequent 911 calls.

Since these changes would require cooperation among government, security professionals, cellular service providers, emergency services and others, such significant changes are hard to expect anytime soon.
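The difference between the two countermeasures is easier to see in a small simulation. The following Python is an added example, not the researchers’ code; the PSAP line count, call hold time, botnet size, caller arrival pattern and the firewall threshold of three 911 calls per ten minutes are all constructed assumptions.

```python
"""Constructed simulation of the 911 TDoS scenario: a PSAP with a fixed number
of lines, legitimate callers, and a botnet whose phones present a fresh IMEI on
every call. Compares no defence, a PSAP-side IMEI blacklist, and a device-side
call firewall. All parameters are assumptions, not figures from the paper."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    t: int        # arrival time in seconds
    device: str   # true hardware identity, seen only by the phone itself
    imei: str     # identifier presented to the network, what the PSAP sees
    legit: bool


def make_traffic(n_legit=40, n_bots=20, horizon=600, bot_interval=20):
    """Constructed traffic: each legitimate caller dials once, spread evenly
    over the horizon; each bot redials every bot_interval seconds and reports
    a new IMEI each time, as the baseband rootkit in the paper would."""
    calls = []
    for i in range(n_legit):
        calls.append(Call(i * 15, f"legit-{i}", f"IMEI-{i}", True))
    for b in range(n_bots):
        for k, t in enumerate(range(b % bot_interval, horizon, bot_interval)):
            calls.append(Call(t, f"bot-{b}", f"IMEI-rand-{b}-{k}", False))
    return sorted(calls, key=lambda c: c.t)   # stable sort: legit first on ties


class CallFirewall:
    """Device-side rate limit (the paper's 'Call Firewall'): at most max_calls
    emergency calls per window seconds. It is keyed on the phone's true
    identity, which the paper proposes keeping in trusted memory so malware
    cannot alter it; calls it rejects never reach the network at all."""

    def __init__(self, max_calls=3, window=600):
        self.max_calls, self.window = max_calls, window
        self.history = defaultdict(deque)

    def permits(self, call):
        recent = self.history[call.device]
        while recent and recent[0] <= call.t - self.window:
            recent.popleft()          # forget calls that left the window
        if len(recent) >= self.max_calls:
            return False
        recent.append(call.t)
        return True


class Psap:
    """Answering point with `lines` trunks; each answered call holds a trunk
    for `hold` seconds. imei_limit enables a PSAP-side blacklist that refuses
    an IMEI after it has been seen more than imei_limit times."""

    def __init__(self, lines=10, hold=60, imei_limit=None):
        self.lines, self.hold, self.imei_limit = lines, hold, imei_limit
        self.busy_until = []
        self.seen = defaultdict(int)
        self.answered_legit = 0

    def offer(self, call):
        self.busy_until = [end for end in self.busy_until if end > call.t]
        if self.imei_limit is not None:
            self.seen[call.imei] += 1
            if self.seen[call.imei] > self.imei_limit:
                return False      # never fires: every bot call has a new IMEI
        if len(self.busy_until) >= self.lines:
            return False          # all trunks busy: caller gets a busy tone
        self.busy_until.append(call.t + self.hold)
        self.answered_legit += call.legit
        return True


def simulate(calls, imei_limit=None, firewall=None):
    """Return the fraction of legitimate calls that reached an operator."""
    psap = Psap(imei_limit=imei_limit)
    for call in calls:
        if firewall is not None and not firewall.permits(call):
            continue              # blocked on the handset, never dialled
        psap.offer(call)
    return psap.answered_legit / sum(c.legit for c in calls)


def compare():
    calls = make_traffic()
    return {
        "no defence": simulate(calls),
        "psap imei blacklist": simulate(calls, imei_limit=3),
        "device call firewall": simulate(calls, firewall=CallFirewall()),
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:22s} legitimate calls answered: {rate:.0%}")
```

With these assumptions the IMEI blacklist changes nothing, because randomised identifiers never repeat, while the handset-side limit leaves the bots with three calls each and the trunks free for genuine callers.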

Do you connect your mobile phones to rental cars?

One huge mistake people make when renting cars

There are plenty of reasons to rent a car, from leaving a less reliable or gas-guzzling car behind on a long trip to getting around a city on a business trip or while your car is being repaired. It’s not necessarily cheap, but if you need to move around a lot, or go any substantial distance, it isn’t any worse than taking a cab or calling for an Uber, and it might be more convenient.

Is your company leadership connecting to rental cars with company phones and leaving text messages, contacts, call logs? Is there deal information or IP in those text messages?

There is a hidden danger, though, that not a lot of people realize. Rental companies upgrade their fleets regularly with newer-model cars, which means your rental has new technology, including a high-tech infotainment system. That’s not the bad part.

Newer infotainment systems let you pair up your smartphone via Bluetooth so you can take calls over the car’s audio system, dial from the center console or stream your music. Others include USB so you can get everything I just mentioned and charge your phone at the same time.

That’s also not the bad part, as long as you own the car. When you’re renting, however, it can be a danger.

When you connect up to a car with Bluetooth, the car stores your phone number to make it easier to connect later. It also stores your call logs, and possibly even your contacts. This isn’t something you want sitting around for the next renter.

Go into the settings (it will vary for every car model) and delete your smartphone from the list of previously paired Bluetooth gadgets. That should wipe your call log and contacts as well. If it doesn’t, look for an option to clear user data or do a factory reset. Talk to the employees at the car rental place if you can’t find these options. As with any hard drive, data can sometimes still be recovered after it is wiped.

If you used the car’s navigation system to get around, be sure to go in and clear your location history. You don’t want the next person knowing where you’ve gone, or where you live. If you own the car and are selling it, you’ll want to do this kind of wiping as well.

Aside from privacy concerns, there’s a security concern, too. We now know that cars can be hacked, and as they get more advanced the chance that a car can get infected with a virus increases. If the car’s system was compromised by a hacker or previous renter, hooking up your phone would give a hacker access to everything on it.

The obvious solution is to not pair your phone with the car’s systems at all. If you want to listen to music, use an auxiliary cable to connect the headphone port on your phone to the audio system directly.  For charging, use the cigarette lighter instead of the USB port.

If you want to do hands-free calling, you can purchase a third-party Bluetooth audio kit that does the job.  It’s also great for adding this feature to an older car with a less advanced infotainment system.

Hopefully, the privacy concern with car infotainment systems will go away in the future as Android Auto, Apple CarPlay and similar systems become standard on more cars. These systems don’t store any information; they just read it off your smartphone. So when you take your smartphone out of the car, none of your information stays.

Of course, it will be years or even decades until cars with less secure infotainment systems are off the market or no longer in used car lots. And you never know what other systems will come out in the future and how secure they’ll be.

Please share this information with everyone.


It’s a Bird, It’s a Plane . . . No, It’s a Drone. Long Awaited FAA Drone Regulations Finally Take Flight

The government is taking more steps to address safety concerns and regulate the aerial vehicles.


It’s a bird.

It’s a plane.

No, it’s a drone. Also known as an unmanned aerial vehicle (UAV) or unmanned aircraft (UA).

And, technically, they’ve been around a long time, since at least 1849 when the Australians attacked Italy with unmanned balloons loaded with explosives. Even a young Marilyn Monroe, when she was known simply as “Norma Jean,” worked at a company called Radioplane making unmanned aircrafts during World War II.

Since then, as technology has advanced, which, in turn, has made the cost of older technology go down, what was once old, is now new again. Drones are making regular appearances in the movies (Divergent Series: Allegiant). The paparazzi (who are apparently tired of getting punched in the face) are using them. And some day, perhaps very soon, they may just be delivering your packages (Amazon Prime Air).

One of the earliest adopters of drones outside the military, however, has been the construction industry which has used drones to track the progress of construction projects and conduct site surveys such as this one showing the progress of Apple’s new campus in Cupertino:

The increasingly wide-spread use of drones prompted Congress in 2012 to enact the FAA Modernization and Reform Act of 2012. The Act tasked the Federal Aviation Administration (“FAA”) with establishing regulations to “provide for the safe integration of civil unmanned aircraft systems into the national airspace system as soon as practicable, but no later than September 30, 2015.”

The FAA missed its deadline.

However, on June 21, 2016, the FAA released its Small Unmanned Aircraft Systems (“Small UAS”) regulations (14 C.F.R. Part 107) which went into effect late this month on August 29, 2016.

So, what do contractors need to know about the Small UAS regulations? Here’s a summary:

Application of Regulations

  • UAS operations subject to the regulations include “building inspections” and “aerial photography.”

Unmanned Aircraft Requirements

  • Unmanned aircraft must weigh less than 55 lbs. and be registered. A link to the registration site can be found here.
  • Regulations do not apply to model aircraft flown for hobby or recreational purposes.

Unmanned Aircraft Pilot Requirements

  • A remote pilot in command must hold either a remote pilot certificate with a small UAS rating or be under the direct supervision of a person who holds a remote pilot certificate.
  • To qualify for a remote pilot certificate a person must either pass an initial aeronautical knowledge test at an FAA-approved knowledge testing center or hold a part 61 pilot certificate other than student pilot, complete a flight review within the previous 24 months, and complete a small UAS online training course provided by the FAA.
  • Part 61 certificate holders may obtain a temporary remote pilot certificate immediately upon submission of their application for a permanent certificate. Other applicants will obtain a temporary remote pilot certificate upon successful completion of TSA security vetting.

Operational Requirements

  • Unmanned aircraft must remain within the visual line of sight of the remote pilot in command and person manipulating the flight controls.
  • Unmanned aircraft may not operate over any person not directly participating in the operation and may not be operated under a covered structure or inside a covered stationary vehicle.
  • Unmanned aircraft may only be operated during daylight, or civil twilight (30 minutes before official sunrise to 30 minutes after official sunset, local time) with anti-collision lighting.
  • Unmanned aircraft must yield right of way to other aircraft.
  • Unmanned aircraft may not travel faster than 100 mph and may not fly higher than 400 feet above ground level or, if higher than 400 feet, remain within 400 feet of a structure.
  • There must be minimum weather visibility of 3 miles from the control station.
  • Operations in Class B, C, D and E airspace are allowed with air traffic control permission. Operations in Class G airspace are allowed without air traffic control permission.
  • Unmanned aircraft may not be operated from a moving aircraft. Unmanned aircraft may not be operated from a moving vehicle unless the operation is over a sparsely populated area.
  • Unmanned aircraft may not be operated carelessly or recklessly and may not carry hazardous materials.
  • Many of the restrictions above are waivable if an applicant can demonstrate that his or her operations can be safely conducted. A link to the waiver form can be found here.

So there you go. Happy flying. Be safe!!!!