
Nick L

Report: Apple designing its own servers to avoid snooping

Apple suspects that servers are intercepted and modified during shipping.


Quote

Apple has begun designing its own servers partly because of suspicions that hardware is being intercepted before it gets delivered to Apple, according to a report yesterday from The Information.

“Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter,” the report said. “At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.”


Researchers detect surge in Samsam ransomware that spreads via vulnerabilities

Quote

A ransomware campaign with an unusual method of propagation—infecting servers via unpatched vulnerabilities, then spreading laterally across the local network—experienced a marked spike in activity Monday, according to researchers at Talos. While the m.o. is uncommon for ransomware, the primary target is not: the healthcare industry.

Whereas most ransomware spreads through phishing campaigns, malvertising and exploit kits, this particular malware, dubbed Samas or Samsam, spreads through unpatched vulnerabilities in both JBoss application servers and REGeorg, an open-source framework that creates socks proxies. In other words, users don’t have to perform an action like clicking on a malicious link to download the ransomware; instead, bad actors can trigger SamSam remotely through software flaws.

The adversaries behind this campaign are specifically scanning for and targeting machines containing these vulnerabilities. Consequently, SamSam ransomware campaigns are smaller in scope than conventional CryptoLocker, Locky or TeslaCrypt campaigns, but they also achieve much higher rates of successful infection.

“I think this is really the next evolution of the ransomware game,” said Craig Williams, senior technical leader and security outreach manager at Talos, the research division of Cisco, in an interview with SCMagazine.com.

Hackers giving up on crypto ransomware… now they just lock up device, hope you pay

Quote

Malware slingers have gone back to basics with the release of a new strain of ransomware malware that locks up compromised devices without encrypting files.

The infection was discovered on a porn site that redirects users to an exploit kit that pushes the ransom locker malware. Researchers at Cyphort Labs who discovered the threat said it was the first of its kind that they had seen in some time.

The success of file-encrypting ransomware such as CryptoLocker, CryptoWall, and Locky has rendered earlier system locker malware unfashionable if not obsolete. Ransom lockers can normally be cleaned by using “rescue discs”, unlike file-scrambling malware strains.

The latest strain represents an advancement of ransom locker malware as it is using Tor to communicate to its command and control servers. The Windows nasty prevents users from booting in safe mode.

“Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilise your system for bitcoin payments or other malicious activity,” Kimayong added.

Tracking Iowa caucus-goers via their phones

Quote

On Thursday morning, I listened to an interview with the CEO of “a big data intelligence company” called Dstillery; it “demystifies consumers’ online footprints” to target them with ads. The CEO told public radio program Marketplace something astounding: his company had sucked up the mobile device ID’s from the phones of Iowa caucus-goers to match them with their online profiles.

Via Marketplace:

“We watched each of the caucus locations for each party and we collected mobile device ID’s,” Dstillery CEO Tom Phillips said. “It’s a combination of data from the phone and data from other digital devices.”

Dstillery found some interesting things about voters. For one, people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa, according to Phillips.

..

What really happened is that Dstillery gets information from people’s phones via ad networks. When you open an app or look at a browser page, there’s a very fast auction that happens where different advertisers bid to get to show you an ad. Their bid is based on how valuable they think you are, and to decide that, your phone sends them information about you, including, in many cases, an identifying code (that they’ve built a profile around) and your location information, down to your latitude and longitude.

Yes, for the vast majority of people, ad networks are doing far more information collection about them than the NSA–but they don’t explicitly link it to their names.

So on the night of the Iowa caucus, Dstillery flagged all the auctions that took place on phones in latitudes and longitudes near caucus locations. It wound up spotting 16,000 devices on caucus night, as those people had granted location privileges to the apps or devices that served them ads. It captured those mobile ID’s and then looked up the characteristics associated with those IDs in order to make observations about the kind of people that went to Republican caucus locations (young parents) versus Democrat caucus locations. It drilled down farther (e.g., ‘people who like NASCAR voted for Trump and Clinton’) by looking at which candidate won at a particular caucus location….

For most ads you see on web browsers and mobile devices, there is an auction among various programmatic advertising firms for the chance to show you an ad. We are one of those buyers, and we are sent a variety of anonymous data, including what kind of phone you have, what app you are using, what operating system version you’re running, and sometimes – crucially for this study – your latitude and longitude (lat/long).

We identified the caucusing locations prior [to] the Iowa caucus and told our system to be on the lookout for devices that report a lat/long at those locations during the caucus.

So when we received an ad bid request that our system recognized as being at one of the caucus sites, our system flagged that request and captured that device ID so we could use it for this.

This is roughly equivalent to exit polling for the smart phone age.

Turn off GPS unless using it, turn on ad blockers, and use a VPN.

Amazon Quietly Removes Encryption Support from its Gadgets

Quote

While Apple is fighting the FBI in court over encryption, Amazon quietly disabled the option to use encryption to protect data on its Android-powered devices.

The tech giant has recently deprecated support for device encryption on the latest version of Fire OS, Amazon’s custom Android operating system, which powers its tablets and phones. In the past, privacy-minded users could protect data stored inside their devices, such as their emails, by scrambling it with a password, which made it unreadable in case the device got lost or stolen. With this change, users who had encryption on in their Fire devices are left with two bad choices: either decline to install the update, leaving their devices with outdated software, or give up and keep their data unencrypted. …“This is a terrible move as it compromises the safety of Kindle Fire owners by making their data vulnerable to all manner of bad actors, including crackers and repressive governments,” Aral Balkan, a coder, human rights activist, and owner of a Kindle Fire, told Motherboard. “It’s clear with this move that Amazon does not respect the safety of its customers.”

Balkan also highlighted the hypocrisy of Amazon using encryption to protect its copyright with digital rights management or DRM technology.

Some Amazon Fire customers complained about the change in support forums.

“How can we keep using these devices if we can’t actually secure the large amount of personal data that ends up on them?” asked a user rhetorically.

Hijack Your Wireless Mice to Hack Computers from Afar


Quote

A flaw in the way several popular models of wireless mice and their corresponding receivers, the sticks or “dongles” that plug into a USB port and transmit data between the mouse and the computer, handle encryption could leave “billions” of computers vulnerable to hackers, security firm Bastille warned on Tuesday.

In short, a hacker standing within 100 yards of the victim’s computer and using a $30 long-range radio dongle and a few lines of code could intercept the radio signal between the victim’s mouse and the dongle plugged into the victim’s computer. Then this hacker could replace the signal with her own, and use her own keyboard to control the victim’s computer.

….

For Rouland, these vulnerabilities, which affect non-Bluetooth mice produced by Logitech, Dell, Lenovo and other brands, are a harbinger of the near future of the Internet of Things when both companies and regular consumers will have hackable radio-enabled devices in their offices or homes. It’s worth noting that Bastille specializes in Internet of Things (IoT) security, and sells a product for corporations that promises to “detect and mitigate” threats from IoT devices across all the radio spectrum. That obviously means the firm has a vested interest in highlighting ways companies could get hacked.

This attack in particular, which Bastille has branded with the hashtag-friendly word “MouseJack,” builds on previous research done on hacking wireless keyboards. But in this case, the issue is that manufacturers don’t properly encrypt data transmitted between the mouse and the dongle, according to Bastille’s white paper.

Bill Gates Is Backing the FBI in Its Case Against Apple

Or is he?

Quote

Microsoft co-founder and billionaire philanthropist Bill Gates is backing the Federal Bureau of Investigation in its legal battle against Apple over encryption in an iPhone used by one of the shooters in December’s San Bernardino attacks.

In an interview with the Financial Times published late Monday night, Gates dismissed the idea that granting the FBI access would set a meaningful legal precedent, arguing that the FBI is “not asking for some general thing, [it is] asking for a particular case.”

Gates goes on:

“It is no different than [the question of] should anybody ever have been able to tell the phone company to get information, should anybody be able to get at bank records. Let’s say the bank had tied a ribbon round the disk drive and said ‘don’t make me cut this ribbon, because you’ll make me cut it many times.’”

….

[BUT] In an interview with Bloomberg’s TV network this morning, Gates takes issue with the FT story, but it’s not entirely clear whether he is walking back his comments, or simply doesn’t like the headline and other packaging around them. After a Bloomberg anchor suggests that Gates was “blindsided” by the FT headline, Gates says the following:

“I was disappointed, because that doesn’t state my view on this. I do believe that with the right safeguards, there are cases where the government, on our behalf — like stopping terrorism, which could get worse in the future — that that is valuable. But striking that balance — clearly the government [has] taken information, historically, and used it in ways that we didn’t expect, going all the way back, say to the FBI under J. Edgar Hoover. So I’m hoping now we can have the discussion. I do believe there are sets of safeguards where the government shouldn’t have to be completely blind.”

And in a response to a follow-up question about the specifics of the FBI/Apple dispute, Gates offered this: “The courts are going to decide this. … In the meantime, that gives us this opportunity to get the discussion. And these issues will be decided in Congress.”

I never trust anything Bill Gates says given his legacy.

The former head of the NSA has a surprising stance on Apple’s battle with the FBI

Quote

Apple has found an unlikely ally in its fight against iPhone backdoors: the former head of the office responsible for spying.

Michael Hayden, who at different times was the head of the NSA and CIA, told USA Today’s Susan Page that he’s against legislation that would require tech companies to create so-called “backdoors” that would make it easier for law enforcement to access devices like smartphones and computers.

This is Why People Fear the ‘Internet of Things’


Quote

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

I first became aware of this bizarre experiment in how not to do IoT last week when a reader sent a link to a lengthy discussion thread on the support forum for Foscam, a Chinese firm that makes and sells security cameras. The thread was started by a Foscam user who noticed his IP camera was noisily and incessantly calling out to more than a dozen online hosts in almost as many countries.

Turns out, this Foscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed do say “P2P” in the product name, others do not).

But the bigger issue with these P2P-based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below).

This is a concern because the P2P function built into Foscam P2P cameras is designed to punch through firewalls and can’t be switched off without applying a firmware update plus an additional patch that the company only released after repeated pleas from users on its support forum.

Yeah, this setting doesn’t work. P2P is still enabled even after you uncheck the box.

One of the many hosts that Foscam users reported seeing in their firewall logs was iotcplatform.com, a domain registered to Chinese communications firm ThroughTek Co., Ltd. Turns out, this domain has shown up in firewall logs for a number of other curious tinkerers who cared to take a closer look at what their network attached storage and home automation toys were doing on their network.

In January 2015, a contributing writer for the threat-tracking SANS Internet Storm Center wrote in IoT: The Rise of the Machines that he found the same iotcplatform.com domain called out in network traffic generated by a Maginon SmartPlug he’d purchased (smart plugs are power receptacles into which you plug lights and other appliances you may wish to control remotely).

….

“The details about how P2P feature works which will be helpful for you understand why the camera need communicate with P2P servers,” Qu explained. “Our company deploy many servers in some regions of global world.” Qu further explained:

1. When the camera is powered on and connected to the internet, the camera will log in our main P2P server with fastest response and get the IP address of other server with low load and log in it. Then the camera will not connect the main P2P server.

2. When log in the camera via P2P with Foscam App, the app will also log in our main P2P server with fastest response and get the IP address of the server the camera connect to.

3. The App will ask the server create an independent tunnel between the app and the camera. The data and video will transfers directly between them and will not pass through the server. If the server fail to create the tunnel, the data and video will be forwarded by the server and all of them are encrypted.

4. Finally the camera will keep heartbeat connection with our P2P server in order to check the connection status with the servers so that the app can visit the camera directly via the server. Only when the camera power off/on or change another network, it will replicate the steps above.”

As I noted in a recent column IoT Reality: Smart Devices, Dumb Defaults, the problem with so many IoT devices is not necessarily that they’re ill-conceived, it’s that their default settings often ignore security and/or privacy concerns. I’m baffled as to why such a well-known brand as Foscam would enable P2P communications on a product that is primarily used to monitor and secure homes and offices.

Apparently I’m not alone in my bafflement. Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), called the embedded P2P feature “an insanely bad idea” all around.

“It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network,” Weaver said.
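The behaviour Krebs and Foscam describe above (a camera that fans out to a dozen hosts and keeps a steady heartbeat to a P2P relay, with iotcplatform.com showing up in firewall logs) is easy to spot from egress logs once you know what to look for. The script below is an added example for this post, not code from Krebs, Foscam or ThroughTek; the log format, device addresses and timings are constructed, and only the iotcplatform.com domain comes from the article.

```python
"""Flag LAN devices whose outbound traffic looks like an IoT P2P beacon:
a known P2P relay domain, a wide fan-out of distinct external hosts, or a
fixed-interval heartbeat. Log lines, IPs and timings below are constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed egress-log format: "<ISO time> <src-ip> -> <dst-host>:<port>"
SAMPLE_LOG = """\
2016-02-18T10:00:00 192.168.1.50 -> iotcplatform.com:32100
2016-02-18T10:00:30 192.168.1.50 -> 203.0.113.7:32100
2016-02-18T10:01:00 192.168.1.50 -> 198.51.100.21:32100
2016-02-18T10:01:30 192.168.1.50 -> 192.0.2.44:32100
2016-02-18T10:02:00 192.168.1.50 -> 203.0.113.8:32100
2016-02-18T10:02:30 192.168.1.50 -> 198.51.100.9:32100
2016-02-18T10:03:00 192.168.1.50 -> 192.0.2.99:32100
2016-02-18T10:00:05 192.168.1.20 -> update.example.net:443
2016-02-18T11:30:05 192.168.1.20 -> update.example.net:443
"""

KNOWN_P2P_RELAYS = {"iotcplatform.com"}  # domain named in the article
LINE = re.compile(r"^(\S+) (\S+) -> ([^:]+):(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst_host, port) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, host, port = m.groups()
            yield datetime.fromisoformat(ts), src, host, int(port)

def flag_p2p_beacons(log_text, max_hosts=5, gap_tolerance_s=2.0):
    """Return {src_ip: [reasons]} for devices whose traffic looks like P2P."""
    hosts = defaultdict(set)
    times = defaultdict(list)
    for ts, src, host, _port in parse(log_text):
        hosts[src].add(host)
        times[src].append(ts)
    findings = {}
    for src in hosts:
        reasons = []
        relays = hosts[src] & KNOWN_P2P_RELAYS
        if relays:
            reasons.append("contacts known P2P relay: " + ", ".join(sorted(relays)))
        if len(hosts[src]) > max_hosts:
            reasons.append(f"fan-out to {len(hosts[src])} distinct external hosts")
        stamps = sorted(times[src])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A heartbeat shows up as near-constant spacing between connections.
        if len(gaps) >= 3 and max(gaps) - min(gaps) <= gap_tolerance_s:
            reasons.append(f"regular heartbeat every ~{gaps[0]:.0f}s")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, why in flag_p2p_beacons(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
```

The thresholds are starting points: a device that legitimately talks to a CDN can trip the fan-out rule, so the relay-domain and heartbeat signals are the ones worth alerting on first.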

Windows 10 forced update KB 3135173 changes browser and other defaults

Quote

“The cumulative update not only knocks out PCs’ default settings, it prevents users from resetting them”

If you have Chrome as the default browser on your Windows 10 computer, you’d better check to make sure Microsoft didn’t hijack it last week and set Edge as your new default. The same goes for any PDF viewer: A forced cumulative update also reset PDF viewing to Edge on many PCs.

Do you use IrfanView, Acdsee, Photoshop Express, or Elements? The default photo app may have been reset to — you guessed it — the Windows Photos app. Music? Video? Microsoft may have swooped down and changed you over to Microsoft Party apps, all in the course of last week’s forced cumulative update KB 3135173.

….

How many times does this have to happen before Microsoft separates security and non-security patches, and gives us tools to block or delay patches? As long as Microsoft’s patching bugs are relatively minor, there’s little incentive to give us the tools we need. The day we get a really bad, crippling patch, there’ll be tar and feathers.

Better IDEA: Just say NO to Windows 10