Thursday, September 14, 2017
To Manage or not to Manage…
Equifax identity-theft hackers exploited flaw experts flagged in March
Security workers discovered, and created a fix for, the vulnerability that allowed attackers into the Equifax network two months before the company was hit by hackers.
Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
The fix for that flaw was first released March 10, though it was later modified, according to the National Vulnerability Database.
Equifax said that the unauthorized access began in mid-May. That's a period of two months in which the company could have, and should have, say experts, dealt with the problem.
… "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company said late Wednesday.
The company also indicated that it had not yet determined the full impact of the breach.
(Related). Poor management everywhere.
Ayuda! (Help!) Equifax Has My Data!
… Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
Thank You for Calling Equifax. Your Business Is Not Important to Us
Our government, always watching out for our security, has noticed (after only 20 years!) that Kaspersky Lab is a Russian Company! (Perhaps they read it on their website.) They also noticed that like all the US anti-virus vendors, they work with the government.
Kaspersky Lab Has Been Working With Russian Intelligence
Russian cybersecurity company Kaspersky Lab boasts 400 million users worldwide. As many as 200 million may not know it. The huge reach of Kaspersky’s technology is partly the result of licensing agreements that allow customers to quietly embed the software in everything from firewalls to sensitive telecommunications equipment—none of which carry the Kaspersky name.
That success is starting to worry U.S. national security officials concerned about the company’s links to the Russian government. In early May six U.S. intelligence and law enforcement agency chiefs were asked in an open Senate hearing whether they’d let their networks use Kaspersky software, often found on Best Buy shelves. The answer was a unanimous and resounding no.
… Most major cybersecurity companies maintain close ties to home governments, but the emails are at odds with Kaspersky Lab’s carefully controlled image of being free from Moscow’s influence.
(Related). Note that they never say Kaspersky is doing anything other than what they say they do (protect against viruses, etc.). Also note that this is the first Directive of 2017 – I find that curious.
DHS Statement on the Issuance of Binding Operational Directive 17-01
Social Media as a weapon?
NYT – How the Kremlin built one of the most powerful information weapons of the 21st century
by Sabrina I. Pacifici on Sep 13, 2017
RT, Sputnik and Russia’s New Theory of War How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop. Jim Rutenberg. September 13, 2017.
“…After RT [Russia’s state-financed international cable network] and Sputnik gave platforms to politicians behind the British vote to leave the European Union, like Nigel Farage, a committee of the British Parliament released a report warning that foreign governments may have tried to interfere with the referendum. Russia and China, the report argued, had an “understanding of mass psychology and of how to exploit individuals” and practiced a kind of cyberwarfare “reaching beyond the digital to influence public opinion.” When President Vladimir V. Putin of Russia visited the new French president, Emmanuel Macron, at the palace of Versailles in May, Macron spoke out about such influence campaigns at a news conference. Having prevailed weeks earlier in the election over Marine Le Pen — a far-right politician who had backed Putin’s annexation of Crimea and met with him in the Kremlin a month before the election — Macron complained that “Russia Today and Sputnik were agents of influence which on several occasions spread fake news about me personally and my campaign…. RT might not have amassed an audience that remotely rivals CNN’s in conventional terms, but in the new, “democratized” media landscape, it doesn’t need to. Over the past several years, the network has come to form the hub of a new kind of state media operation: one that travels through the same diffuse online channels, chasing the same viral hits and memes, as the rest of the Twitter-and-Facebook-age media. In the process, Russia has built the most effective propaganda operation of the 21st century so far, one that thrives in the feverish political climates that have descended on many Western publics…”
(Related). We broke up the USSR, Russia wants to break up the US?
… One other arena these actors may have targeted: secession movements within the U.S. At this point, it’s little secret that a number of American secession movements — including Puerto Rico, Hawaii, and both white and black nationalists — have constructed links with Russian actors, including those funded by the Kremlin. Tracing these links has become an unexpected hobby of mine, and I’ve written on the topic a handful of times, from The Diplomat to Slate to The Daily Beast.
Perhaps they will issue another Directive?
Homeland Security hit with lawsuit over phone, laptop searches
The American Civil Liberties Union and the Electronic Frontier Foundation sued the Department of Homeland Security on Wednesday for searching the phones and laptops of 11 plaintiffs at the US border without a warrant.
The group of plaintiffs includes 10 US citizens and one lawful permanent resident, several of whom are Muslims or people of color. Among the group are journalists, a veteran and a NASA engineer. All were reentering the US following business or personal travel. Some plaintiffs had their devices confiscated for weeks or months. None were accused of wrongdoing following the searches.
… CBP, which is a Department of Homeland Security agency, states on its website that "no court has concluded that the border search of electronic devices requires a warrant." But many travelers, including the plaintiffs in this case, have cited concerns about officers reading private emails and messages on their phones and laptops.
Something strange here? What kind of “progress” would make secrecy no longer useful?
The Government Has Dropped Its Demand That Facebook Not Tell Users About Search Warrants
… According to court papers filed jointly by Facebook and the US attorney's office in Washington on Wednesday, prosecutors determined that the underlying investigation that prompted the search warrants — the details of which are under seal — had "progressed ... to the point where the [nondisclosure orders] are no longer needed."
The announcement came less than 24 hours before an appeals court in Washington, DC, was set to hear arguments in the case. According to the joint filing, a lower court judge vacated the nondisclosure orders at the government's request, making Facebook's appeal of those orders moot.
How many people should have access to your social media accounts and what training should they receive? I’m going to suggest my Computer Security class for starters. (If no one on the staff was required/asked to take the blame, I’m guessing it was not a staffer who hit like.)
Sen. Ted Cruz’s (R-Texas) Twitter mishap late Monday night involving a pornographic account is nightmare fuel for congressional staffers who are increasingly tasked with managing social media for their bosses.
Twitter and Facebook have become crucial communication tools for members of Congress, helping them stake out their positions, interact with constituents and attract media attention. As a result, staffers spend many of their work hours managing and cultivating lawmakers’ social media presences.
But in an era where an inadvertent retweet or insensitive Facebook comment can balloon into controversy, the task can be perilous. And smartphone apps have only further blurred the line between work and personal accounts.
… Cruz this week began trending on social media after his official political Twitter account “liked” a two-minute pornographic video. The Texas Republican blamed the incident on a “staffing issue,” with many speculating the failure to switch from an official account to a personal one could be responsible for the action.
“There are a number of people on the team that have access to the account, and it appears that someone inadvertently hit the like button,” Cruz told reporters on Tuesday.
Ooh! All kinds of nifty science-fictiony kinds of scenarios leap to mind. If I can make one of those ‘Mission Impossible’ face masks, I could drain your bank account, steal your car, drive to your house and unlock the front door, etc. Thanks Apple!
What happens if a cop forces you to unlock your iPhone X with your face?
Imagine you've been detained at customs, waiting to cross the border. Or maybe you've been pulled over for a traffic violation. An officer waves your cellphone at you.
“Look at this. Is this yours?” he asks.
Before you can respond, a tiny infrared sensor in the phone has scanned your face. Matching those readings against the copy of your face that is stored in its archive, the phone concludes that its owner is trying to unlock it. The device lowers its defenses, surrendering its contents in moments to the law enforcement officer holding your phone. [Would that then be considered “in plain sight?” Bob]
Tips for my Computer Security students.
Online translation applications may pose security risk
by Sabrina I. Pacifici on Sep 13, 2017
Quartz: “…On Sept. 3, the Norwegian news agency NRK reported that sensitive Statoil information—contracts, workforce reduction plans, dismissal letters, and more—were available online because employees had used the free translation service Translate.com, which stored the data in the cloud. The news traveled fast in Scandinavian countries. In response, the Oslo Stock Exchange even blocked employee access to Translate.com and Google Translate…”
For my Computer Security students.
If you don’t already use Keybase, you will have to go through a few initial steps to get the app up and running for use on Facebook, Twitter, Reddit, Github, and HackerNews.
Something for continuing education?
Google’s Inside Search offers two training modules: Power Searching with Google and Advanced Power Searching.