Thursday, January 05, 2017
For my Computer Security students.
If you are following what’s happening with hackers attacking misconfigured MongoDB databases, wiping the data, and then demanding ransom for its return, then you’ll know that although this problem seemed to start on or around December 21 with an actor known as “Harak1r1,” within days of it garnering media attention, we saw almost identical warning messages from another actor “0wn3d” with a different bitcoin wallet.
By this morning there was a third actor, “0704341626asdf,” with yet a third bitcoin wallet
… This third actor, who Victor reports had struck 221 databases by early this morning, took the opportunity to educate and insult victims:
Your database has been pwned because it was publicly accessible at port 27017 with no authentication (wtf were you thinking?)
The full warning, more verbose than the other two warnings, and written in upper and lowercase with proper grammar and spelling, gives victims 72 hours to email the attacker(s) that the ransom has been sent to the bitcoin wallet. The ransom amount is 0.15 BTC.
So are the second and third actors copycats or just different aliases of one attacker or group? And if they are copycats, as they seem to be, how many more will we see? The problem seems to be rapidly escalating.
Of note, since these MongoDB installations are often backup or test environments, how many victims will not even notice that they’ve been attacked before the 72-hour window expires?
As of the time of this posting, there have been 18 payments to the first bitcoin wallet, but none (yet) to the second and third bitcoin wallets.
Expect to see a lot more on this type of attack as word spreads.
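A defender-side check for the misconfiguration the ransom note names, added here as an example that is not from the original post or from the MongoDB project: it audits a YAML-style mongod.conf for the two settings that let this happen, binding to every interface and running with no authorization. The two config strings are constructed samples.

```python
import re

# Constructed sample configs (not taken from the page). WEAK_CONF is the
# situation the ransom note describes: listening on every interface, no auth.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# The same server restricted to loopback with authentication turned on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
"""

def _setting(conf, key):
    """Value of the first 'key: value' line in a YAML-style mongod.conf, or None."""
    m = re.search(rf"^\s*{key}:\s*(\S+)", conf, re.MULTILINE)
    return m.group(1).strip("'\"") if m else None

def audit_mongod_conf(conf):
    """Return the findings for a mongod.conf; an empty list means it passed."""
    findings = []
    bind_ip = _setting(conf, "bindIp")
    if _setting(conf, "bindIpAll") == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        findings.append("net.bindIp not set: listening interfaces depend on the version default")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append(f"net.bindIp {bind_ip}: mongod is reachable from every network")
    if _setting(conf, "authorization") != "enabled":
        findings.append("security.authorization not enabled: any client that can connect has full access")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it against the file your mongod actually loads (typically /etc/mongod.conf); a clean result still does not replace checking what the process listens on.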
Interesting ‘not-the-best practices’ for my Computer Forensics students.
R. Scott Moxley writes:
FBI agents and prosecutors usually strut inside Santa Ana’s Ronald Reagan Federal Courthouse, knowing they’ve focused the wrath of the criminal-justice system on a particular criminal. But an unusual child-pornography-possession case has placed officials on the defensive for nearly 26 months. Questions linger about law-enforcement honesty, unconstitutional searches, underhanded use of informants and twisted logic. Given that a judge recently ruled against government demands to derail a defense lawyer’s dogged inquiry into the mess, United States of America v. Mark A. Rettenmaier is likely to produce additional courthouse embarrassments in 2017.
Read more on OC Weekly.
(Related). Is this normal?
The FBI Never Asked For Access To Hacked Computer Servers
The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned.
Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.
“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.
The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.
… It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014.
BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks.
What were they (not) thinking? Free power for my Ethical hacking students?
Smart Meters Pose Security Risks to Consumers, Utilities: Researcher
… Between 2010 and 2012, several experts detailed the security and privacy implications of using smart meters, and SecureState even released an open source framework designed for finding vulnerabilities in such devices.
However, according to Netanel Rubin, who recently founded Vaultra, a company that develops security solutions for the smart industry, smart meters continue to lack proper security mechanisms, allowing malicious actors to use these devices to target both consumers and utilities.
… The protocols used by smart meters include ZigBee, which is used for communicating with smart appliances in the consumer’s home, and GSM, which is used for communications between the meter and the electric utility. Both ZigBee and GSM have been known to contain serious vulnerabilities, and they have been poorly implemented in smart meters.
In the case of GSM, many electric utilities still haven’t implemented any form of encryption, despite being warned of the risks several years ago. Those that do use encryption rely on the A5 algorithm, which is known to be vulnerable to attacks.
… According to the expert, a malicious actor who manages to hack a smart meter could obtain information on the targeted user’s power consumption and potentially determine when the victim is at home, or they could inflate [Or deflate? Bob] the electricity bill. The expert pointed to an incident in Puerto Rico, where an electric utility reported hundreds of millions of dollars in losses due to smart meter fraud conducted via hacking and other methods.
Much ado about something? Guidance for my Ethical Hacking students?
On Thursday, Senator McCain will hold hearings of the Armed Services Committee on the Russian election hacking. Several aspects of Russia’s election interference raise issues involving the international law of cyber operations. For a quick tutorial, I recommend most highly an earlier Just Security post by Sean Watts, “International Law and Proposed U.S. Responses to the D.N.C. Hack.” I thought to provide readers with a few additional points in light of more recent developments.
An interesting question for the technical age… Are Congressional ‘selfies’ illegal?
GOP approves new fines for livestreaming protests on House floor
Republicans barreled ahead with a plan to fine members who use their phones to broadcast future floor protests, approving rules for the new Congress Tuesday that codify the penalties despite last-minute objections from Democrats.
(Related). How about Tweets from the White house?
When Donald Trump Tweets, It Is News to Sean Spicer
Donald Trump’s incoming White House press secretary said Wednesday the president-elect would continue his prolific use of Twitter when in office, adding that even he and other communication advisers aren’t consulted before a tweet is sent out.
Perhaps other tech companies could spend some pocket change for the same reason? (Do they really care that much?)
Amazon's rumored bid for American Apparel could solve its Trump problem in one master stroke
The rumored deal immediately raised speculation about Amazon's growing ambitions in the fashion business.
But an acquisition of the struggling clothing retailer could also help Amazon by solving one of the biggest problems it currently faces: tension with president-elect Donald Trump.
Trump, who frequently criticized Amazon during his campaign, won his way to the White House in large part by promising to keep US manufacturing jobs in the country. He claims some of his recent deals with Carrier and Ford helped save thousands of jobs from moving overseas.
American Apparel, best known for its "Made in the U.S.A" slogan, says it's the largest clothing manufacturer in North America. With 4,500 workers employed, it also calls itself the "largest sewing facility in North America."
That means by acquiring American Apparel, Amazon would get to save thousands of US manufacturing jobs, while helping Trump continue to play up the "keep jobs in the US" rhetoric — and also win Trump's support in one master stroke.
And given that the starting price to buy part of American Apparel is currently $66 million, according to Reuters, Amazon could score a big win by spending a relative pittance (Amazon had roughly $12 billion in cash on its balance sheet at the end of the last quarter).
Useful tool or major distraction? Will my car offer me ‘bargains’ as I drive?
Amazon's Alexa is officially coming to Ford cars
… The integration will let Ford users with SYNC 3 access Alexa, Amazon's cloud-based voice service, inside the car to do things like check the weather, play audiobooks, add items to shopping lists, and even control Alexa enabled smart home devices.
For example, you could tell Alexa to set your smart thermometer to a certain temperature or turn on the lights at your house while you're driving.
(Related). Yeah, it needs a bit of work.
Alexa can now order takeaway from Amazon Restaurants
We’re only five days into 2017, but Amazon is on a tear with new updates and support for its digital assistant Alexa. The latest lets you order food through the retailer’s own takeaway service Amazon Restaurants, which itself launched all the way back in 2014.
… Unfortunately, voice commands are terrible for ordering takeaway. Abysmal, even. No one wants to listen to a list of dishes and prices, and so Amazon, sensibly enough, only lets you reorder meals you’ve had in the past.
“ZUCK 2020?” (Copyright that T-shirt NOW!)
Zuckerberg could run Facebook while serving in government forever
Mark Zuckerberg is not limited to just two years working in the government while still controlling Facebook, as has been widely misreported. A closer examination of SEC documents reveals Zuck only needs to still own enough Facebook stock or have the board’s approval to be allowed to serve in government indefinitely.
Combined with Zuckerberg’s announcement yesterday that his 2017 personal challenge is to meet and listen to people in all 50 states, this fact lends weight to the idea that Zuckerberg may be serious about diving into politics.
A resource for my geeks.