Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers by Joseph Cox.

From the post:

On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client’s computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he continued.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker. Michaud was arrested after the FBI seized ‘Playpen’, a highly popular child pornography site on the dark web, and then deployed a network investigative technique (NIT)—the agency’s term for a hacking tool.

This NIT grabbed suspects’ real IP address, MAC address, and pieces of other technical information, and sent them to a government controlled server.

The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, that the agency, in effect, distributed child pornography. Last month, a judge ruled that the FBI’s actions did not constitute “outrageous conduct.”
…

If that sounds like a victory for those trying to protect users from government overreaching, consider the Department of Justice response to questions about the ruling:

…
“The court has granted the defense’s third motion to compel, subject to the terms of the protective order currently in place,” Carr wrote to Motherboard in an email.

I’m just guessing but I suspect “…the terms of the protective order currently in place,…” means that post-arrest the public may find out about the FBI hack but not before.

If you are spending Saturday night alone, take a look at More IoT insecurity: The surveillance camera that anyone can log into by Paul Ducklin.

It won’t help your social life but you are likely to see people who do have social lives.

The message here should be clear:

Your security is your responsibility, no one else’s.

Cybersecurity is slowing down my business, say majority of chief execs by Kat Hall.

From the post:

Cisco Live Chief execs polled in a major survey have little time for their cybersecurity folk and believe complying with security regulations hampers business.

Some 71 per cent of 1,000 top bosses surveyed by Cisco feel that efforts to shore up IT defences slows the pace of commerce. The study is due to be published next month.

Big cheeses cheesed off with security staff getting in the way of profit may well rid themselves of their troublesome priests, though: Craig Williams, senior technical leader at Cisco’s security biz Talos, believes quite a few bods working in computer security will not be in the sector in the next five years.
…

The profit motive is responsible for vulnerable software. Fitting the profit motive is responsible for a lack of effective efforts to protect against vulnerable software.

Does it seem odd that the business community views cybersecurity, both in terms of original software vulnerabilities and efforts to guard against them in the balance sheet of profit and loss?

That is even though data breaches can and do occur, if they are reasonable in scope and cost, it is easier to simply roll on and keep making a profit.

If you think about it, only the government and the uninformed (are those different groups?) think cybersecurity should be free and that it should never fail.

Neither one of those is the case nor will they ever be the case.

Security is always a question of how much security can you afford and for what purpose?

At the next report of a data breach, ask how do the costs of the breach compare to the cost to prevent the breach?

And to who? If a business suffers a data breach but the primary cost is to its customers, how does ROI work in that situation for the business? Or for the consumer? Am I going to move because the State of Georgia suffers data breaches?

I don’t recall that question ever being asked. Do you?

I read with disappointment John McAfee’s JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product.

McAfee writes:

…
So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.
…

I don’t object to McAfee breaking the security on the San Bernardino phone, but I do object to him doing it for free.

McAfee donating services to governments with budgets in the $trillions sets a bad precedent.

First, it enables and encourages the government to continue hiring from the shallow end of the talent/gene pool for technical services. When it is stymied by ROT-13, some prince or princess will come riding in to save the day.

Second, we know the use of unpaid interns damage labor markets, Unpaid internships: A scourge on the labor market.

Third, and perhaps most importantly, “free” services cause governments and others to value those services as of little or no value. “Free” services degrade the value of those services in the future.

McAfee’s estimate of breaking the encryption on the San Bernardino phone in three weeks seems padded to me. I suspect there will be eighteen days of drunken debauchery concluded by three (3) actual days of work when the encryption is broken. For a total of twenty-one (21) days.

Open request to John McAfee: Please withdraw your offer to break the encryption on the San Bernardino phone for free. Charge at least $1 million on the condition that it is tax free. The bar you set for the hacker market will benefit everyone in that market.

The FBI interest in breaking encryption on the San Bernadino phone has nothing to do with that incident. Both the shooters in a spur of the moment incident are dead and no amount of investigation is going to change that. What the FBI wants is a routine method of voiding such encryption in the future.

To that extent, sell the FBI the decrypted phone and not the decryption method. So you can maintain a market for phone decryption on a case by case basis. Coupled with a high enough price for the service, that will help keep FBI intrusions into iPhones to a minimum.

Tim Cook’s open letter summarizes the demand being made on Apple by the FBI:

…
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
…

That’s insane.

First, unless it has gone unreported, the FBI hasn’t offered to pay Apple for such an operating system. Last time I looked, involuntary servitude was prohibited by the US constitution.

Second, Apple is free to choose the products it wishes to create and cannot be forced to create any particular product, even if paid.

The FBI’s position runs counter to any principled notion of liberty. The FBI would have our liberty subject to the whim and caprice of law enforcement agencies.

I don’t use any Apple products but if a defense fund for Apple is created to resist this absurdity, I will certainly be in line to contribute to it.

So should we all.

Sorry! After my report of Nathan’s Million to One Shot, Doc post, I could not resist titling this post with “Breach Fatigue.”

Sarah Kuranda reports expected lower spending on security with this quote:

Wright said some customers interviewed by Technology Business Research also cited what some are calling “breach fatigue” as a reason behind lower security spending. Year after year of mega breaches have caused massive jumps in reactionary security spending, Wright said companies are now saying, “There’s not much more I can do.” (emphasis added) [Is The Security Spending Party Over?]

“…[M}assive jumps in reactionary security spending…” have benefited the security services/software vendors but not appreciably increased enterprise security. That much is known.

What remains unknown is why companies say:

There’s not much more I can do.

Post this scenario to your nearest business manager/executive:

Assume that all the locks are broken on your new Lexus and it isn’t possible to remove the ignition key:

Here are the options enterprises have followed to protect the Lexus:

1. Surround the Lexus with a chain-link fence, with missing sections. (defective security software)
2. Surround the Lexus with a chain-link fence, with a gate-lock with the key in it. (defective security software design)
3. Staff the gate with personnel who can’t recognized authorized users. (poor security training)
4. Purchase broken/insecure solutions to protect a broken/insecure vehicle. (poor strategy)

No doubt, enterprises can continue to throw money at defective software to protect defective software, with continuing mega-breach results.

To that extent, realizing throwing good money after bad is a positive sign. Sort of.

What more enterprises can do: Invest/require secure software. More costly but layering broken software on top of broken software has failed.

Why not try something more plausible?

iOS bug warning: Setting this date on your iPhone or iPad will kill your device permanently by Justin Ferris.

From the post:

No one is quite sure yet why this happens, and Apple is still looking into it. However, the best guess is that iOS sees the date January 1, 1970, as either zero or a negative number, and that causes some or all of the iOS functions that require a date to crash.

Now, you might be thinking this isn’t a big deal, because you’d never set your gadget to this date. And it actually is a long process to do it. However, maybe you have a friend who’s a prankster or an ex-friend with a grudge that has access to your gadget. Or it could be done remotely, in the right circumstances.
…

Not all iOS devices, see: http://www.komando.com/happening-now/347426/ios-date-bug-kills-iphone-and-ipad for the models affected.

Imagine that, bricking an iOS device with a date setting.

What will Apple think of next?

It may be the case that no one could have guessed this would be an issue.

However, entry of January 1, 1970 that bricks any device sold after 12 February 2016, should be treated as a case of strict liability against the manufacturer. At a minimum.

The 2016 cyber security roadmap by Chloe Green.

From the post:

2014 was heralded as the ‘year of the data breach’ – but we’d seen nothing yet. From unprecedented data theft to crippling hacktivism attacks and highly targeted state-sponsored hacks, 2015 has been the bleakest year yet for the cyber security of businesses and organisations.

High profile breaches at Ashley Madison, TalkTalk and JD Wetherspoons have brought the protection of personal and enterprise data into the public consciousness.

In the war against cybercrime, companies are facing off against ever more sophisticated and crafty approaches, while the customer data they hold grows in value, and those that fail to protect it find themselves increasingly in the media and legislative spotlight with nowhere to hide.

We asked a panel of leading industry experts to highlight the major themes for enterprise cyber security in 2016 and beyond.
…

There isn’t a lot of comfort coming from industry experts these days. Some advice on mitigating strategies and a warning that ransomeware is about to come into its own in 2016. I believe the phrase was “…corporate and not consumer rates…” for ransoms.

A surge in rasonware may be a good thing for the software industry. It would fix a cost for insecure software and practices.

When ransomware extracts commercially unacceptable costs from users of software, users will demand better software from developers.

Financial incentives all the way around. Incentives for hackers to widely deploy ransomeware, incentives for software users to watch their bottom line and last but not least, incentives for developers to implement more robust testing and development processes.

Ransomware may do what reams of turgid prose in journals, conference presentations, books and classrooms have failed to do. Ransomware can create financial incentives for software users to demand better software engineering and testing. Not to mention liability for defects in software.

Faced with financial demands, the software industry will be forced to adopt better software development processes. Those unable to produce sufficiently secure (no software being perfect) software will collapse under the weight of falling sales or liability litigation.

Hackers will be forced to respond to improvement in software quality, for their own financial gain, creating a virtuous circle of immproving software security.

Comodo Chromodo browser does not enforce same origin policy and is based on an outdated version of Chromium

From the overview:

Comodo Chromodo browser, version 45.8.12.392, 45.8.12.391, and possibly earlier, does not enforce same origin policy, which allows for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities.

…

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.

Disable JavaScript

Disabling JavaScript may mitigate cross-domain scripting attacks. For instructions, refer to Comodo’s help page.

Note that disabling JavaScript may not protect against known vulnerabilities in the version of Chromium on which Chromodo is based. For this reason, users should prioritize implementing the following workaround.

Discontinue use

Until these issues are addressed, consider discontinuing use of Chromodo.
…

Discontinue use is about as extreme a workaround as I can imagine.

Too bad the Comodo site doesn’t say anything about refunds and/or compensation for damaged customers.

Would you say that without any penalty, there is no incentive for Comodo to produce better software?

Or to put it differently, where is the downside to Comodo producing buggy software?

Where does that impact their bottom line?

I first saw this in a tweet by SecuriTay.

SQL Injection Hall-Of-Shame by Arthur Hicken.

From the webpage:

In this day and age it’s ridiculous how frequently large organizations are falling prey to SQL Injection which is almost totally preventable as I’ve written previously.

Note that this is a work in progress. If I’ve missed something you’re aware of please let me know in the comments at the bottom of the page.

Don’t let this happen to you! For some simple tips see the OWASP SQL Injection Prevention Cheat Sheet. For more security info check out the security resources page and the book SQL Injection Attacks and Defense or Basics of SQL injection Analysis, Detection and Prevention: Web Security for more info.

IOT HALL-OF-SHAME

With the rise of internet enabled devices in the Internet of Things or IoT the need for software security is becoming even more important. Unfortunately many device makers seem to put security on the back burner or not even understand the basics of cybersecurity.

I am maintaining here a list of known hacks for “things”. The list is short at the moment but will grow, and is often more generic than it could be. It’s kind of in reverse-chronological order, based on the date that the hack was published. Please assist – if you’re aware of additional thing-hacks please let me know in the comments at the bottom of the page.

I assume you find “wall-of-shame” efforts as entertaining as I do.

I am aware of honor-shame debates from a biblical studies perspective, on which see: Complete Bibliography of Honor-Shame Resources

“Complete” is a relative term when used regarding any bibliography in biblical studies and this appears to have at least one resource from 2011, but none later. You can run the references forward to collect more recent literature.

But the question with shaming techniques is are they effective?

As a case in point, consider Researchers find it’s terrifyingly easy to hack traffic lights where the post points out:

In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it “has followed the accepted industry standard and it is that standard which does not include security.”

We can entertain ourselves by shaming vendors all day but only the “P” word will drive greater security.

“P” as in penalty.

Vormetric found that to be the case in What Drives Compliance? Hint: The P Word Missing From Cybersecurity Discussions.

Be entertained by wall-of-shame efforts but lobby for compliance enforced by penalties. (Know to anthropologists as a fear culture.)

If you remember my posts, “Cybersecurity Sprint or Multi-Year Egg Roll?” from last June (2015), and Fed Security Sprint – Ans: Multi-Year Egg Roll (Nov. 2015), there is further confirmation of the projected duration of the egg roll from the GAO.

The GAO report, DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System

The executive summary prepares the reader for 61 pages of grim reading:

The Department of Homeland Security’s (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:

• Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.
• Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.
• Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.
• Information sharing: DHS has yet to develop most of the planned functionality for NCPS’s information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.

In addition, while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS.

Regarding future stages of the system, DHS has identified needs for selected capabilities. However, it had not defined requirements for two capabilities: to detect (1) malware on customer agency internal networks or (2) threats entering and exiting cloud service providers. DHS also has not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.

Federal agencies have adopted NCPS to varying degrees. The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system.

The brightest part of the report is that DHS “concurred with GAO’s recommendations.”

That’s a far cry from the state of total denial at the Office of Personnel Management last year. DHS is acknowledging its problems. Whether than translates into fixing those problems remains to be seen.

(Do you know the fate of the management incompetents at OPM? Just curious who is being inflicted with their incompetence now.)

I truly hate to say anything nice about the DHS but one must give the devil his due.

Unfortunately for the DHS, elected leaders don’t understand that need, desire, importance, are all non-factors in technical success. You may not like mendelian genetics, but as Stalin discovered, you pursue other models at your own risk.

The same is true for cybersecurity.

Disappointed to read David Bisson advocating security through secrecy in Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project.

From the post:

The author of the Magic ransomware unsuccessfully attempted to blackmail a security researcher into taking down two open-source ‘educational’ malware projects on GitHub.

Magic, a malicious program which is written in C# and which demands 1 Bitcoin from its victims, is the second strain of ransomware discovered in January to have been built on malware that has been made available to the public for ‘educational’ purposes.

The first threat, Ransom_Cryptear.B, is based on an open-source project called Hidden Tear, which is currently hosted by Turkish security researcher Utku Sen on his GitHub page.

…

Whether Sen is able to recover the victims’ files without working with the ransomware author remains to be seen. However, what is abundantly clear is Sen’s foolishness in releasing ransomware code as open-source. Though such a move might have educational motives at heart, this will not stop malicious and inexperienced attackers from co-opting the ransomware code for their own purposes.

Going forward, researchers should never make ransomware code available beyond the labs where they study it. Ordinary users will surely benefit in the long run.

See David’s post for the details. My concern is his advocacy of non-publication of ransomware code.

McAfee Labs 2016 Threats Predictions report makes it clear that “malicious and inexperienced attackers” are not the source of great concern for ransomware.

…..
In 2015 we saw ransomware-as-a-service hosted on the Tor network and using virtual currencies for payments. We expect to see more of this in 2016, as inexperienced cybercriminals will gain access to this service while staying relatively anonymous.

Although a few families—including CryptoWall 3, CTB-Locker, and CryptoLocker—dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities. For example, new variants may start to silently encrypt data. These encrypted files will be backed up and eventually the attacker will pull the key, resulting in encrypted files both on the system and in the backup. Other new variants might use kernel components to hook the file system and encrypt files on the fly, as the user accesses them.
….. (at page 24)

Amateurs aren’t building “ransomware-as-a-service” sites and there’s no reason to pretend otherwise.

Moreover, the “good old boy network” of security researchers hasn’t protected anyone from ransomware if the McAfee Labs and similar reports are to be credited. If concealment of security flaws and malware were effective, there should be some evidence to that effect. Yes?

In the absence of evidence, dare I say “data?,” we should dismiss concealment as a strategy for cybersecurity as utter speculation. Speculation that favors a particular class of researchers. (Can you guess their gender statistics?)

In case you are interested, the Github page for Hidden Tear now reads in part:

This project is abandoned. If you are a researcher and want the code, contact me with your university or company e-mail http://utkusen.com/en/contact.html

Well, no harm done. If you are looking for the master.zip file for Hidden Tear, check the Internet Archive: Wayback Machine, or more directly, the backup of the Hidden Tear project on 26 January 2016.

You can presume that copies have been made of the page and master.zip file, just in case something unfortunate happens to the copies at the Internet Archive: Wayback Machine.

Better software, user education, legal actions against criminals are all legitimate and effective means of combating the known problem of ransomware.

Concealing ransomware code is a form of privilege. As we all know, privilege has an unhappy record in computer programming and society in general. Don’t support it, here or anywhere.