Category Archives: Forensic

Can the police search your phone?

Enterprises work hard to protect company secrets. Here’s why the biggest threat may be law enforcement.

Can the police search your phone?

The answer to that question is getting complicated.

But it’s an important thing to know. The reason is that your phone, and the phones of every employee at your company, almost certainly contain company secrets — or provide access to those secrets.

Phones can provide access to passwords, contact lists, emails, phone call metadata, photos, spreadsheets and other company documents, location histories, photos and much more.

Proprietary data — including information that would enable systematic hacking of company servers for sabotage, industrial espionage and worse — is protected from legal exposure by a complex set of well-understood laws and norms in the United States. But that same data is accessible from company phones.

Can the police simply take that information?  Until recently, most professionals would have said no.

Why? Because business and IT professionals tend to believe that smartphones are covered by the Fourth Amendment’s strictures against “unreasonable searches and seizures,” a protection recently reaffirmed by the Supreme Court. And smartphones are also protected by the Fifth Amendment, many would say, because divulging a passcode is akin to being “compelled” to be a “witness” against yourself.

Unfortunately, these beliefs are wrong.

The trouble with passcodes

Apple last year quietly added a new feature to iPhones designed to protect smartphone data from police searches. When you quickly press the on/off button on an iPhone five times, it turns off Touch ID and Face ID.

The thinking behind the so-called cop button is that, because police can compel you to use biometrics, but not a passcode, to unlock your phone, the feature makes it impossible for the legal system to force you to hand over information.

Unfortunately, this belief has now been undermined.

We learned this week that a Florida man named William John Montanez was jailed for six months after claiming that he forgot the passcodes for his two phones.

Montanez was pulled over for a minor traffic infraction. Police wanted to search his car. He refused. The police brought in dogs, which found some marijuana and a gun. (Montanez said the gun was his mother’s.) During the arrest, his phone got a text that said, “OMG, did they find it,” prompting police to get a warrant to search his phones. That’s when Montanez claimed he didn’t remember the passcodes, and the judge sentenced him to up to six months in jail for civil contempt.

As a precedent, this cascading series of events changes what we thought we knew about the security of the data on our phones. What started as an illegal turn ended up with jail time over the inability or unwillingness to divulge what we thought was a constitutionally protected bit of information.

We’ve also learned a lot recently about the vulnerability of location data on a smartphone.

The solution for individual users who want to keep location and other data private is to simply switch off the feature, such as the Location History feature in Google’s Android operating system. Right?

Not really. It turns out Google has been storing location data even after users turn off Location History.

The fiasco was based on false information that used to exist on Google’s site. Turning off Location History, the site said, meant that “the places you go are no longer stored.” In fact, they were stored, just not in the user-accessible Location History area.

Google corrected the false language, adding, “Some location data may be saved as part of your activity on other services, like Search and Maps.”

Stored data matters.

The FBI recently demanded from Google the data about all people using location services within a 100-acre area in Portland, Maine, as part of an investigation into a series of robberies. The request included the names, addresses, phone numbers, “session” times and duration, log-in IP addresses, email addresses, log files and payment information.

The order also said that Google could not inform users of the FBI’s demand.

Google did not comply with the request. But that didn’t keep the FBI from pushing for it.

In fact, police are evolving their methods, intentions and technologies for searching smartphones.

Police data-harvesting machines

A device called GrayKey, from a company called GrayShift, can unlock any iPhone or iPad.

GrayShift licenses the devices for $15,000 per year and up to 300 phone cracks.

It’s a turnkey system. Each GrayKey has two Lightning cables. Police need only plug in a phone, and eventually the phone’s passcode appears on the phone’s screen, giving full access.

That may be why Apple introduced in the fall a new “USB Restricted Mode” for iPhones. That mode makes it harder for police (or criminals) to crack a phone via the Lightning port.

The mode is activated by default, which is to say that the “switch” in settings for USB Accessories is turned off. With that switch off, the Lightning port won’t connect to anything after an hour of the phone being locked.

Unfortunately for iPhone users, “USB Restricted Mode” is easily defeated with a widely available $39 dongle.

And the U.S. isn’t the only country with police data-harvesting machines.

A world of trouble for smartphone data

Chinese authorities have their own technology for harvesting the data from phones, and that technology is now being deployed by police in the field. Police anywhere in the country can demand that anyone hand over a phone, which is then scanned by a device, the use of which is reportedly spreading across China.

Chinese authorities have both desktop and handheld scanner devices, which automatically extract and process emails, social posts, videos, photos, call histories, text messages and contact lists to aid them in looking for transgressions.

Some reports suggest that the devices, which are made by both Israeli and Chinese companies, are unable to crack newer iPhones but can access nearly every other kind of phone.

Another factor to be considered is that the protections of the U.S. Constitution end at the border — literally at the border.

As I’ve detailed here in the past, U.S. Customs is a “gray area” for Fifth Amendment constitutional protections.

And once abroad, all bets are off. Even in friendly, pro-privacy nations such as Australia.

The Australian government on Tuesday proposed a law called the Assistance and Access Bill 2018. If it becomes law, the act would require people to unlock their phones for police or face up to ten years in prison (the current maximum is two years).

It would empower police to legally bug or hack phones and computers.

The bill would force carriers, as well as companies such as Apple, Google, Microsoft and Facebook, to give police access to the private encrypted data of their customers if technically possible.

Failure to comply would result in fines of up $7.3 million and prison time.

Police would need a warrant to crack, bug or hack a phone.

Police would need a warrant to crack, bug or hack a phone.

The bill may never become law. But Australia is just one of many nations affected by a new political will to end smartphone privacy when it comes to law enforcement.

If you take anything away from this column, please remember this: The landscape for what’s possible in the realm of police searches of smartphones is changing every day.

In general, smartphones are becoming less protected from police searches, not more protected.

That’s why the assumption of every IT department, every enterprise and every business progressional — especially those of us who travel internationally on business — must be that the data on a smartphone is not safe from official scrutiny.

It’s time to rethink company policies, training, procedures and permissions around smartphones.

Cybersecurity for Executives


Looking forward to another local speaking event here in Sacramento:

By invitation only, DSA Technologies is hosting FBI expert Kurt Pipal and licensed Computer Forensics Investigator Michael Reese to discuss the current state of Cybercrime in the Northern California & Sacramento Area. Executives who are responsible for the public perception for their organizations should attend.
This event will feature several security topics frequently seen in the news today, including:
• Financial Fraud
• Intellectual Property Threats
• Ransomware
• Identity Theft
• Phishing/Social Engineering scams
• Attacks on Critical Infrastructure
Where: Morton’s Steakhouse
621 Capitol Mall, Sacramento, CA 95814
When: April 19th @ 11:30AM
Event Partners: FBI, Palo Alto Networks

https://info.dsatechnologies.com/cybersecurity-executives?utm_medium=email&_hsenc=p2ANqtz-87pG_MltR6-NVDUCbEqHXmas6WEnVdPihwf6CQZKXnI7oZBdlSlwOQD-on1JuQWymhLINfPsaZYxcDFufz1yiaEKOklqJGsr8ZnhofQ5pdK4P60aQ&_
hsmi=61681952&utm_content=61681952&utm_source=hs_email&hsCtaTracking=00e12be2-db07-4fe5-8ea2-5a7a5ab18189%7C9cb78923-d767-46b3-bc62-b8a4d0c88fa6

 

Hackers are aggressively targeting law firms’ data

Behind every splashy headline is a legal industry that’s duking it out – helping to support entrepreneurs and big corporations in a power struggle to dominate their industry. From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information.  Because of their involvement, confidential information is stored on the enterprise systems that law firms use.

This makes them a juicy target for hackers that want to steal consumer information and corporate intelligence.

For an example of this, look no further than the Panama Papers – “…an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca.”

This was devastating, but it is only one example among many. Just a few weeks ago news broke that a ransomware attack was successfully executed against yet another multinational firm – DLA Piper. This ransomware attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cyber-security challenge. And solving this problem starts with helping firms realize they’ve been victims.

40% of firms did not know they were breached in 2016

The Law Firm Cybersecurity Scorecard includes an array of assessments – from cyber defenses, crisis management procedures, and post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most firms. Instead they rely on consumer-grade technology that is ill-equipped for the threats they are facing.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available.

An evolving threat matrix

Real-time industry expertise is an important part of the solution – something software alone can’t handle.

Today’s hackers hold a strategic advantage because of the growing numbers of devices and associated vulnerabilities. Every access point is a potential breach. A knowledgeable, sophisticated team can create security solutions specially crafted to meet the challenges that law firms face.

One of the greatest challenges in modern security is the Internet of Things (IoT). Everything from the appliances in the breakroom to the smartphones in the pockets of employees create dynamic networks – communicating information in a way that opens up opportunities to hackers.

The threat goes beyond teams. An individual attorney uses a plethora of electronic devices, all networked together to provide a more streamlined work environment. And human intelligence, served up to hackers through social media, only makes targeted cyber-attacks easier.

Preparing for data breaches

There are things attorneys and other legal professionals can do to start upping their defenses.

  1. The American Bar Association has published a comprehensive guide for law firms – including both methods for preventing and responding to cyber-attacks.
  2. Firm managers need to create a data security plan that speaks to every member of their team. Educate employees on strategies for identifying phishing attacks and other dangerous threats aimed at fooling people into compromising networks.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. If you can identify vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access and requires authorized users to regularly change their credentials.
  5. Conduct a weekly check for patches or other updates to computer security software.
  6. Develop a comprehensive breach response plan. After you’ve been hacked, it will be too late to develop a competent response that protects the Firm’s reputation.

It’s my hope that companies will wake up to the realities of cyberthreats.  I’ve witnessed the horrible pain and anguish that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

 

 

How to practice cybersecurity (and why it’s different from IT security)

Cybersecurity isn’t about one threat or one firewall issue on one computer. It’s about zooming out and getting a bigger perspective on what’s going on in an IT environment.

Credit: Thinkstock

Keeping companies safe from attackers is no longer just a technical issue of having the right defensive technologies in place. To me, this is practicing IT security, which is still needed but doesn’t address what happens after the attackers infiltrate your organization (and they will, despite your best efforts to keep them out).

I’m trying to draw attention to this topic to get security teams, businesses executives and corporate boards to realize that IT security will not help them once attackers infiltrate a target. Once this happens, cybersecurity is required.

In cybersecurity, the defenders acknowledge that highly motivated and creative adversaries are launching sophisticated attacks. There’s also the realization that when software is used as a weapon, building a stronger or taller wall may not necessarily keep out the bad guys. To them, more defensive measures provide them with additional opportunities to find weak spots and gain access to a network.

This mentality goes against the fundamental principle in IT security of erecting multiple defensive layers around what you’re trying to protect. By separating what you’re trying to protect from the outside world, you’re keeping it safe—at least in theory. While this works in physical security, where IT security has its roots, it doesn’t really work when you’re facing enemies who need to be successful just once to carry out their mission. Defenders, unfortunately, don’t have this luxury. They need to catch every attack, every time. Don’t take this statement as a knock against these antivirus software, firewalls and other defensive technologies; they’re still needed in conjunction with cybersecurity.

Cybersecurity means looking for attacker footholds, not malware

IT security and cybersecurity also differ on what action to take after an attacker breaks through your defenses. In IT security, when a problem is detected on one computer, it’s considered an isolated incident and the impact is limited to that machine.

Here’s how that scenario typically plays out: Malware is discovered on the controller’s computer, for example. An IT administrator or maybe a junior security analyst removes the machine from the network and perhaps re-images it. Maybe there’s an investigation into how the computer was infected and a misconfigured firewall is identified as the culprit. So, the firewall configuration is changed, the threat is neutralized, the problem is solved, and a ticket is closed. In IT security, where the quick resolution of an incident is required, this equals success.

Now, here’s how that same incident would be handled from a cybersecurity perspective. The team looking into the incident wouldn’t assume the malware infection is limited to one computer. And they wouldn’t be so quick to wipe the machine clean. They may let the malware run for a bit to see where it phones home and how it acts.

Most important, the incident wouldn’t be seen as a random, one-off event. When you apply a cybersecurity lens to incidents, the belief is that every incident is part of a larger, complex attack that has a much more ambitious goal besides infecting machines with malware. If you close a ticket without asking how an incident or incidents are linked (remember, attacks have many components and adversaries commonly carry out lateral movement) or where else attackers could have gained a foothold, you’re not doing your job.

To practice cybersecurity, zoom out

Practicing cybersecurity begins with security teams changing their mindset around how they handle threats. To start, they need to be encouraged to not quickly close tickets and spend time looking for a full-blown attack in their environment. They also need to understand that cybersecurity isn’t about one threat or one firewall issue on one computer. That view is much too myopic. Zoom out for a bigger view.

I admit this approach is a radical departure from how most organizations currently handle security. Further complicating this perspective is the fact that what I’m proposing can’t be learned in classrooms or professional development courses. The notion of experience being the best teacher applies to figuring out cybersecurity. Step one is thinking like a detective and asking questions about the incident like why was this attack vector used, are there any strange activities (however minor) occurring elsewhere in my IT environment, and why would attackers target our organization.

It’s this big picture thinking that separates cybersecurity from IT security. And it’s big picture thinking that will help companies detect and stop adversaries after they make their way into an organization.

 

Yahoo Says 1 Billion User Accounts Were Hacked

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and series of spam attacks — a mass mailing of unwanted messages — the following year.

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.

In July, Yahoo agreed to sell its core business to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

Ex-NSA Contractor Stole 50 TB of Classified Data; Includes Top-Secret Hacking Tools

nsa

Almost two months ago, the FBI quietly arrested NSA contractor Harold Thomas Martin III for stealing an enormous number of top secret documents from the intelligence agency.

Now, according to a court document filed Thursday, the FBI seized at least 50 terabytes of data from 51-year-old Martin that he siphoned from government computers over two decades.

The stolen data that are at least 500 million pages of government records includes top-secret information about “national defense.” If all data stolen by Martin found indeed classified, it would be the largest NSA heist, far bigger than Edward Snowden leaks.

According to the new filing, Martin also took “six full bankers’ boxes” worth of documents, many of which were marked “Secret” and “Top Secret.” The stolen data also include the personal information of government employees. The stolen documents date from between 1996 through 2016.

“The document appears to have been printed by the Defendant from an official government account,” the court documents read. “On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.”

Former NSA Insider Could Be Behind The Shadow Brokers

It’s not clear exactly what Martin allegedly stole, but The New York Times reported Wednesday that the stolen documents also included the NSA’s top secret hacking tools posted online by a supposed hacking group, calling itself Shadow Brokers, earlier this year.

Earlier this summer, Shadow Brokers claimed to have infiltrated NSA servers and stolen enormous amounts of data, including working exploits and hacking tools.

The NY Times report suggests that the FBI has found forensic evidence that the hacking tools and cyber-weapons posted online by the alleged hacking group had actually been on a contractor’s machine.

NSA Contractor to Face Espionage Charges

Martin, a former Booz Allen Hamilton staffer like NSA whistleblower Snowden, should remain locked up and the government also plans to charge him with violations of the Espionage Act, Prosecutors said.

If convicted, one can face the death penalty.

Martin has “obtained advanced educational degrees” and has also “taken extensive government training courses on computer security,” including in the areas of encryption as well as secure communications.

A former US Navy veteran, Martin allegedly used a sophisticated software that “runs without being installed on a computer system and provides anonymous Internet access, leaving no digital footprint on the Machine.”

It’s believed that Martin was using TAILS operating system or another USB-bootable operating system in conjunction with Tor or a VPN that would not leave any forensic evidence of his computer activities.

Martin’s motives are still unclear, but among the seized documents, investigators uncovered a letter sent to Martin’s colleagues in 2007, in which he criticized the information security practices of government and refers to those same co-workers as “clowns.”

The letter reads: “I will leave you with this: if you do not get obnoxious, obvious, and detrimental to my future, then I will not bring you; into the light, as it were. If you do, well, remember that you did it to yourselves.”

Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing on Friday in Baltimore.

 

Do you connect your mobile phones to rental cars?

One huge mistake people make when renting cars
Rental_Bluetooth

There are plenty of reasons to rent a car, from leaving a less reliable or gas-guzzling car behind on a long trip to getting around a city on a business trip or while your car is being repaired. It’s not necessarily cheap, but if you need to move around a lot, or go any substantial distance, it isn’t any worse than taking a cab or calling for an Uber, and it might be more convenient.

Is your company leadership connecting to rental cars with company phones and leaving text messages, contacts, call logs? Is there deal information or IP in those text messages?

There is a hidden danger, though, that not a lot of people realize. Rental companies upgrade their fleets regularly with newer-model cars, which means your rental has new technology, including a high-tech infotainment system. That’s not the bad part.

Newer infotainment systems let you pair up your smartphone via Bluetooth so you can take calls over the car’s audio system, dial from the center console or stream your music. Others include USB so you can get everything I just mentioned and charge your phone at the same time.

That’s also not the bad part, as long as you own the car. When you’re renting, however, it can be a danger.

When you connect up to a car with Bluetooth, the car stores your phone number to make it easier to connect later. It also stores your call logs, and possibly even your contacts. This isn’t something you want sitting around for the next renter.

Go into the settings (it will vary for every car model) and delete your smartphone from the list of previously paired Bluetooth gadgets. That should wipe your call log and contacts as well. If it doesn’t, look for an option to clear user data or do a factory reset. Talk to the employees at the car rental place if you can’t find these options.  Like any hard drive, you can possibly still recover data after it is wiped.

If you used the car’s navigation system to get around, be sure to go in and clear your location history. You don’t want the next person knowing where you’ve gone, or where you live. If you own the car and are selling it, you’ll want to do this kind of wiping as well.

Aside from privacy concerns, there’s a security concern, too. We now know that cars can be hacked, and as they get more advanced the chance that a car can get infected with a virus increases. If the car’s system was compromised by a hacker or previous renter, hooking up your phone would give a hacker access to everything on it.

The obvious solution is to not pair your phone with the car’s systems at all. If you want to listen to music, use an auxiliary cable to connect the headphone port on your phone to the audio system directly.  For charging, use the cigarette lighter instead of the USB port.

If you want to do hands-free calling, you can purchase a third-party Bluetooth audio kit that does the job.  It’s also great for adding this feature to an older car with a less advanced infotainment system.

Hopefully, the privacy concern with car infotainment systems should be going away in the future as Android Auto, Apple CarPlay and similar systems become standard on more cars. These systems don’t store any information, they just read it off your smartphone. So when you take your smartphone out of the car, none of your information stays.

Of course, it will be years or even decades until cars with less secure infotainment systems are off the market or no longer in used car lots. And you never know what other systems will come out in the future and how secure they’ll be.

Please share this information with everyone.

 

Wendy’s Hack Bigger Than Originally Thought

wendys

Wendy’s, the famous fast food chain from Dublin, Ohio, originally announced in January that it was investigating a potential hack resulting in a breach of customers’ credit and debit card information. In May, Wendy’s company leaders stated that less than 300 restaurants were affected by the infiltration. However, this past week, Wendy’s officials announced over 1,000 restaurants nationwide were subject to this theft.

With over 5,700 restaurants in the United States, it is safe to say that
if you have visited a Wendy’s in the past year and used a credit or debit card it would be wise to check your accounts to make sure no fraudulent purchases were made. To see which Wendy’s locations were affected, check their website here. Wendy’s has stated it will offer free credit monitoring for one year for those who used a card at any of those restaurants.
“We are committed to protecting our customers and keeping them informed. We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyber attacks involving some Wendy’s restaurants,” said Todd Penegor, President, and Chief Executive Officer. “We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures.”

How Did This Occur?
The variant of malware that caused the breach occurred due to Wendy’s service providers’ access credentials being compromised. This allowed criminals access to the
point-of-sale system at many locations. When this access was gained by the criminals, they were allowed to place a string of malware capable of removing customers’ personal card numbers.
The scariest thing is that most companies could not have prevented this type of attack.
Without Deception Technology and advanced forensic collection there would be no way to know that these attackers were on the network with trusted credentials.

What Can Consumers Do to Prevent This?
Free credit monitoring is available from companies like Credit Sesame, Credit Karma, and WalletHub. These sites offer credit scores, credit reports, and most important to this discussion, 24/7 monitoring. When abnormalities in spending occur, you will be notified.
Sadly, there is not much more you can do to completely stop a hack like this, other than not using credit and debit cards altogether. I know, I know, this sounds like torture to
some; we are all enamored with the bonus points, free miles, cheaper hotel rooms and other perks of credit cards as well as the ease of not carrying cash around. But the potential of having your accounts hijacked really should cause some pause when using such cards.
The key to it all is this – if you are going to use your cards, make sure you are checking your accounts frequently to make sure no fraudulent purchase are being made. And change your passcodes regularly.

Thoughts on Emailgate.

Department of State

Note: not a political post, just adding some Infosec commentary to what we were told yesterday.

Last night, I sat back and watched FBI Director James Comey’s press conference on the Hilary Clinton email saga through my technical and investigative eyes.

I think it was the first mainstream press conference I’d seen with so much mention of slack space, a digital forensics term for the portions of the hard drive not currently used, but filled with fragments of previously deleted files. It was like when you see someone you knew from growing up on the local news and thinking, “oh, I used to sit next to that person in math class!”

The overview of how the FBI had reconstructed years worth of “shadow IT” usage by the former Secretary of State and her staff, spoke of a classic unwinding of the spaghetti exercise. Where a path that lead to an end state is crisscrossed by avenues that may or may not be of relevance, but nevertheless must be investigated.

James Comey then went on to list the findings of the investigation, and painted a picture, which is unfortunately a picture that I’ve personally seen painted over and over again through my work in information security and digital forensics.

A culture existed at the State Department that allowed Mrs. Clinton and her staff to operate outside the boundaries of the policies, procedures and regulations that were in place to protect information and people. In this case of course, that is all the more concerning, because we’re talking about highly sensitive national security information which is protected by law.

In Comey’s words, Clinton and her staff were “Extremely Careless” in their information handling.  He was right, they were, there can be no denying that. As he went into detail on some of Mrs. Clinton’s email practices, I was reminded of a few similar cases I’d personally worked on.

  • While conducting a security review of a semiconductor’s perimeter IP address range, I found evidence that FTP sites were being hosted on an unofficial server within the range. As it turned out, one of the network administrators had punched a hole through the firewall to a server that was hidden in the data center, attached to the internal network, and he made money hosting data for others with zero overhead costs. I was shocked to discover that this was a known activity when it was raised in the report, although, when I explained the risk in more detail the sites did go away, and the network administrator was reprimanded and eventually lost their job.
  • I once stumbled across an undocumented SSH entry point to a hosting environment, set up by a team to bypass a corporate two-factor requirement. It had been “approved” by a couple of layers of management.
  • I conducted an audit of an on-premises corporate Exchange deployment and found that a senior member of an organization was forwarding every single email received to a personal Gmail account, because they preferred the Gmail UI. The idea had been suggested by another person within the company.
  • Anecdotally, I have a thousand stories of siloed groups within organizations using “cloud services” and tools dangerously “under the radar”.

In all of the cases above, a culture existed in which, for whatever reason, people were empowered to do extremely careless things, which put the safety of information at risk. Much like at the State Department in regards to email.

The problem is, the end result doesn’t really care if it is born of malice, extreme carelessness or ignorance. It’ll still be the same. And if the end result is a breach, well, we’ve all seen that one play out many times.

In the end, the FBI will not be recommending charges against Mrs. Clinton or her staff. I’m not going into any more detail on whether I think that is right or wrong. To use one of those most horrific of terms, “it is what it is, and we can’t change that.”

Given this fact, I hope if anything positive comes out of this case, it’s the following:

  • The case highlights that security cultures everywhere, especially in government agencies charged with keeping us all safe, that empower this type of behavior, get an overhaul.
  • It encourages more productive and positive conversations between IT teams, Security teams and end users about things that they find restrictive or cumbersome in their working lives, so a mutually acceptable solution can be found.
  • It reinforces that no one within an organization should be above the rules when it comes to information security. Leaders should set an example.
  • That security teams are reminded that not all threats come in the form of IDS alerts from Chinese IP addresses. Some of your biggest risks might be right under your nose, in the form of Shadow IT lurking in broad daylight. Get visibility, now.

 

The US government is touting cyber as the next theatre of warfare. If the US wants to be seen as a leader in cybersecurity, a top down order to discover and address the doubtless many Emailgates that are occurring right now must surely be forthcoming.

Clinton Foundation said to be breached by Russian hackers

HClinton

The Bill, Hillary and Chelsea Clinton Foundation was among the organizations breached by suspected Russian hackers in a dragnet of the U.S. political apparatus ahead of the November election, according to three people familiar with the matter.

The attacks on the foundation’s network, as well as those of the Democratic Party and Hillary Clinton’s presidential campaign, compound concerns about her digital security even as the FBI continues to investigate her use of a personal e-mail server while she was secretary of state.

Clinton Foundation officials said the organization hadn’t been notified of the breach and declined to comment further. The compromise of the foundation’s computers was first identified by government investigators as recently as last week, the people familiar with the matter said. Agents monitor servers used by hackers to communicate with their targets, giving them a back channel view of attacks, often even before the victims detect them.

Before the Democratic National Committee disclosed a major computer breach last week, U.S. officials informed both political parties and the presidential campaigns of Clinton, Donald Trump and Bernie Sanders that sophisticated hackers were attempting to penetrate their computers, according to a person familiar with the government investigation into the attacks.

The hackers in fact sought data from at least 4,000 individuals associated with U.S. politics — party aides, advisers, lawyers and foundations — for about seven months through mid-May, according to another person familiar with the investigations.

Thousands of Documents

The thefts set the stage for what could be a Washington remake of the public shaming that shook Sony in 2014, when thousands of inflammatory internal e-mails filled with gossip about world leaders and Hollywood stars were made public. Donor information and opposition research on Trump purportedly stolen from the Democratic Party has surfaced online, and the culprit has threatened to publish thousands more documents.

A hacker or group of hackers calling themselves Guccifer 2.0 posted another trove of documents purportedly from the DNC on Tuesday, including what they said was a list of donors who had made large contributions to the Clinton Foundation.

The Republican Party and the Trump campaign have been mostly silent on the computer attacks. In an earlier statement, Trump said the hack was a political ploy concocted by the Democrats.

Information about the scope of the attacks and the government warnings raises new questions about how long the campaigns have known about the threats and whether they have done enough to protect their systems.

The Clinton campaign was aware as early as April that it had been targeted by hackers with links to the Russian government on at least four recent occasions, according to a person familiar with the campaign’s computer security.

U.S. Inquiries

The U.S. Secret Service, Federal Bureau of Investigation and National Security Agency are all involved in the investigation of the theft of data from the political parties and individuals over the last several months, one of the people familiar with the investigation said. The agencies have made no public statements about their inquiry.

The FBI has been careful to keep that investigation separate from the review of Clinton’s use of private e-mail, using separate investigators, according to the person briefed on the matter. The agencies didn’t immediately respond to requests for comment.

Clinton spokesman Glen Caplin said that he couldn’t comment on government briefings about cyber security and that the campaign had no evidence that its systems were compromised.

“We routinely communicate and cooperate with government agencies on security-related matters,” he said. “What appears evident is that the Russian groups responsible for the DNC hack are intent on attempting to influence the outcome of this election.”

The DNC wouldn’t directly address the attacks but said in a written statement that it believes the leaks are “part of a disinformation campaign by the Russians.”

Trump spokeswoman Hope Hicks didn’t respond to e-mails seeking comment about the government warnings. The Republican National Committee didn’t respond to e-mail messages. A Sanders spokesman, Michael Briggs, said he wasn’t aware of the warnings.

IDing the Hackers

The government’s investigation is following a similar path as the DNC’s, including trying to precisely identify the hackers and their possible motives, according to people familiar with the investigations. The hackers’ link to the Russian government was first identified by CrowdStrike Inc., working for the Democratic Party.

A law firm reviewing the DNC’s initial findings, Baker & McKenzie, has begun working with three additional security firms — FireEye Inc., Palo Alto Networks Inc. and Fidelis Cybersecurity — to confirm the link, according to two people familiar with the matter, underscoring Democrats’ concerns that the stolen information could be used to try to influence the outcome of the November election.

A spokesman for Baker & McKenzie didn’t immediately respond to requests for comment. DNC spokesman Luis Miranda said the party worked only with CrowdStrike.

If the Democrats can show the hidden hand of Russian intelligence agencies, they believe that voter outrage will probably outweigh any embarrassing revelations, a person familiar with the party’s thinking said.

So far the released documents have revealed little that is new or explosive, but that could change. Guccifer 2.0 has threatened to eventually release thousands of internal memos and other documents.

Line of Attack

Sensitive documents from the Clinton Foundation could have the most damaging potential. The Trump camp has said it plans to make the foundation’s activities a subject of attacks against Clinton; the sort of confidential data contained in e-mails, databases and other digital archives could aid that effort.

An analysis by Fidelis confirmed that groups linked to Russian intelligence agencies were behind the DNC hack, according to a published report.

The government fills a crucial gap in flagging attacks that organizations can’t detect themselves, said Tony Lawrence, a former U.S. Army cyber specialist and now chief executive officer of VOR Technology, a computer security company in Hanover, Maryland.

“These state actors spend billions of dollars on exploits to gather information on candidates, and nine times out of ten [victims] won’t be able to identify or attribute them,” he said.

Google Accounts

Bloomberg News reported Friday that the hackers who hit the DNC and Clinton’s campaign burrowed much further into the U.S. political system than initially thought, sweeping in law firms, lobbyists, consultants, foundations and policy groups in a campaign that targeted thousands of Google e-mail accounts and lasted from October through mid-May.

Data from the attacks have led some security researchers to conclude that the hackers were linked to Russian intelligence services and were broadly successful in stealing reports, policy papers, correspondence and other information. Dmitry Peskov, a spokesman for President Vladimir Putin, denied that the Russian government was involved.

Russia uses sophisticated “information operations” to advance foreign policy, and the target audience for this kind of mission wouldn’t be U.S. voters or even U.S. politicians, said Brendan Conlon, who once led a National Security Agency hacking unit.

“Why would Russia go to this trouble? Simple answer — because it met their foreign policy objectives, to weaken the U.S. in the eyes of our allies and adversaries,” said Conlon, now CEO of Vahna Inc., a cyber security firm in Washington. Publishing the DNC report on Trump “weakens both candidates — lists out all the weaknesses of Trump specifically while highlighting weaknesses of Clinton’s security issues. The end result is a weaker president once elected.”

Russia Link

Russia has an expansive cyber force that it has deployed in complex disinformation campaigns throughout Europe, according to intelligence officials.

BfV, the German intelligence agency, has concluded that Russia was responsible for a 2015 hack against the Bundestag that forced shutdown of its computer systems for several days. Germany is under “permanent threat” from Russian hackers, said BfV chief Hans-Georeg Maassen.

Security software maker Trend Micro said in May that Russian hackers had been trying for several weeks to steal data from Chancellor Angela Merkel’s Christian Democratic Union party, and that they also tried to hack the Dutch Safety Board computer systems to obtain an advance copy of a report on the downing of a Malaysian aircraft over Ukraine in July 2014. The report said the plane was brought down by a Russian-made Buk surface-to-air missile.

The cyber attacks are part of a broader pattern of state-sponsored hacking by Russia focused on political targets, with a goal of giving Russia the upper hand in dealing with other governments, said Pasi Eronen, a Helsinki-based cyber warfare researcher who has advised Finland’s Defense Ministry.