Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

Social experiment: 200 USB flash drives left in public locations

From the post:

Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer, a recent experiment conducted on behalf of CompTIA revealed.

…

In a social experiment, 200 unbranded USB flash drives were left in high-traffic, public locations in Chicago, Cleveland, San Francisco and Washington, D.C. In about one in five instances, the flash drives were picked up and plugged into a device. Users then proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal,” Thibodeaux noted.
…

What I found missing from this article was any mention of the consequences for the employees who “found” USB drives and then plugged them into work computers.

Social experiment or not, the results indicate that forty people are too risky to be allowed to use their work computers.

If there are consequences for security failures, sharing passwords with Edward Snowden comes to mind, they are rarely reported in the mass media.

It is hardly surprising that cybersecurity is such a pressing issue when there are no consequences for distribution of deeply flawed software, no consequences for user-related breaches of security and almost always failing to capture and punish hackers for breaching your security.

Where are the incentives to improve cybersecurity?

DoJ to Apple: your software is licensed, not sold, so we can force you to decrypt by Cory Doctorow.

Cory summarizes the latest diseased imaginings from the minds at the DoJ in their effort to compel Apple to assist in bypassing the security of an iPhone.

The basis for pwning every software vendor with a “license” EULA has been posed by the Department of Justice in IN RE ORDER REQUIRING APPLE INC. TO ASSIST IN THE EXECUTION OF A SEARCH WARRANT ISSUED BY THE COURT No. 15-MC-1902 (JO)

From the brief:

First, Apple is not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.” Apple designed, manufactured, and sold the Target Phone that is the subject of the search warrant. But that is only the beginning of Apple’s relationship to the phone and to this matter. Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant. Apple’s software licensing agreement specifies that iOS 7 software is “licensed, not sold” and that users are merely granted “a limited non-exclusive license to use the iOS Software.” See “Notices from Apple,” Apple iOS Software License Agreement ¶¶ B(1)-(2), attached hereto as Exhibit C. Apple also restricts users’ rights to sell or lease the iOS Software: although users may make a “one-time permanent transfer of all” license rights, they may not otherwise “rent, lease, lend, sell, redistribute, or sublicense the iOS Software.” Ex. C, ¶ B(3). Apple cannot reap the legal benefits of licensing its software in this manner and then later disclaim any ownership or obligation to assist law enforcement when that same software plays a critical role in thwarting execution of a search warrant.

Apple does not dispute that the iPhone’s passcode mechanism is in part software-based; Apple notes that each device “includes both hardware and software security features.” Apple Br. at 2. Apple’s software impedes the execution of the search warrant in at least two ways. First, it includes the passcode feature that locks the Target Phone and prevents government access to stored information without further assistance from Apple. Second, Apple’s software includes an “erase data” feature which, if enabled by the user, will render the data on the iPhone inaccessible after multiple failed passcode attempts. See “Use a passcode with your iPhone, iPad, or iPod touch,” Apple, https://support.apple.com/en-us/HT204060 (last visited Oct. 22, 2015), attached hereto as Exhibit D. This feature effectively prevents the government from attempting to execute the search warrant without Apple’s assistance. In addition, through the iOS software, Apple provides other ongoing services to device owners, including one that may be used to thwart the execution of a search warrant: “erase your device” which allows a user to send a command remotely to erase data on an iPhone. See “iCloud: Erase your device,” https://support.apple.com/kb/PH2701 (last visited Oct. 22, 2015), attached hereto as Exhibit E. As described above, in this case, someone sent an erase command to the Target Phone after the government seized the phone. Had the phone obtained a network connection while agents examined it, that erase command could have resulted in the data on the phone becoming permanently inaccessible. Given the role Apple’s software plays in thwarting execution of the warrant, by preventing access and permitting post-seizure deletion of data, Apple is not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.”

Vendor licensing of software leaves them connected to it enough to compel them to assist the DoJ.

How’s that for unexpected liability from a licensing agreement? I wonder if it is now legal malpractice to recommend licensing agreements to vendors for software? If not, it will be soon enough.

Bear in mind this argument would extend to the Internet of Things.

Tell me, how does it feel to be at the beck and call of the DoJ?

If that weren’t bad enough news, the government’s brief summarizes all the times Apple has cheerfully helped law enforcement to invade the privacy of its users.

Apple has an established track record of assisting law enforcement agents by extracting data from passcode-locked iPhones pursuant to court orders issued under the All Writs Act. The government has confirmed that Apple has done so in numerous federal criminal cases around the nation, and the vast majority of these cases have been resolved without any need for Apple to testify. In the course of handling these requests, Apple has, on multiple occasions, informed the government that it can extract data from a passcode-locked device and provided the government with the specific language it seeks in the form of a court order to do so.

You must comply with lawful court orders, or face contempt but no where are you required to volunteer or assist law enforcement beyond the confines of a valid court order.

Every request should be rebuffed until accompanied by a valid court order. No exceptions, no helping.

The privacy that is protected may well be your own.

Adobe issues advisory for Flash vulnerability targeting government agencies by Doug Olenick.

From the post:

Adobe has issued a security advisory for an Adobe Flash Player zero-day exploit being used by the folks behind the Pawn Storm cyber espionage campaign to target foreign ministries worldwide.

The critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player version 19.0.0.207 and earlier for Windows, Macintosh and Linux. The company expects to issue an update for the vulnerability during the week of Oct. 19. Adobe said in its advisory that a successful exploit could allow the attacker to take control of a vulnerable system.

Adobe is aware that the exploit is being used in limited targeted attacks.
…

Depending upon your target(s), don’t take the projected patch date too seriously.

The 2015 NTT Group Global Threat Intelligence Report reports that 76% of the vulnerabilities in its report were over two years old, and 9% were more than ten years old.

I didn’t find data on the application of patches curve for Adobe Flash. Assume a bump on release + thirty days and the curve fall off rather steeply.

If you are defending against this latest in a series of Flash vulnerabilities, disable and then de-install Adobe Flash. That is the only long term “patch” known to cure all known and unknown Flash vulnerabilities. Plus it saves IT resources for some purpose other than patching bugware.

Kemoge: Latest Android Malware that Can Root Your Smartphone by Khyati Jain.

From the post:

Google Android has been a primary concern of the attackers. Counting from a simple text message that could hack an Android phone remotely to the Stagefright bug making Billion users vulnerable.

Now, the latest is the ‘Kemoge Malware’ that has made its debut as an Adware on the Android mobile phones, allowing third-party app stores to fetch your device’s information and take full control of it.

Security researchers from FireEye Labs have discovered that Kemoge malicious adware family is spreading in 20 countries around the globe. Also, the origin of the Adware’s attack is suspected from China.
…

See Khyati’s post for the full details but this is another illustration of why claims of security for the Internet of Things (IoT) should be viewed with suspicion.

What will your exposure be when someone roots your television, refrigerator, freezer, A/C?

Stagefright Bug 2.0 – One Billion Android SmartPhones Vulnerable to Hacking by Mohit Kumar.

From the post:

Attention Android users!

More than 1 Billion Android devices are vulnerable to hackers once again – Thanks to newly disclosed two new Android Stagefright vulnerabilities.

Yes, Android Stagefright bug is Back…

…and this time, the flaw allows an attacker to hack Android smartphones just by tricking users into visiting a website that contains a malicious multimedia file, either MP3 or MP4.
…

For all the talk about better software, better security procedures, etc., nothing seems to be really cost-effective at stopping hacking.

Instead of putting our limited fingers into the increasing number of cyber vulnerabilities, may I suggest we take a page from the history of /robots.txt?

In addition to your robots.txt file at the root of your web server, create a bettertargets.txt file also at the root of your file system.

List other organizations, government agencies, etc. that have more valuable information assets than you and any information you have that could be used to breach those sites.

Hackers should appreciate the assist and the higher quality assets they can obtain at other sites. At the least it will get them to move away from your machine, which is the point of cybersecurity, at least from a personal point of view.

As a suggested format, a plain tab-delimited text file where each line begins with the domain-name tab IP-address tab assets-(summary of information assets) tab vulnerability-(description of vulnerability).

Suggestions for enhancements?

Update Flash now! Adobe releases patch, fixing critical security holes by Graham Cluley.

Graham details the latest in a series of patches for critical flaws in Flash and instead of completely removing Flash from your computer recommends:

Instead, I would suggest that Adobe Flash users consider enabling “Click to Play” in their browser.

Really?

And how are you going to decide if Flash content is malicious or not? Before you “click to play?”

To be honest, I can’t.

Flash on your computer is the equivalent of a public terminal to your network or computer on a street corner.

My recommendation? Remove Flash completely from your computer.

What about Flash content?

If I really want to view something that requires Flash, I write to the source saying I won’t install public access to my computer in order to view their content.

If enough of us do that, perhaps Flash will die the sort of death it deserves.

Tell us how to infect an iPhone remotely, and we’ll give you $1,000,000 USD by Graham Cluley.

From the post:

If there’s something which is in high demand from both the common internet criminals and intelligence agencies around the world, it’s a way of easily infecting the iPhones and iPads of individuals.

The proof that there is high demand for a way to remotely and reliably exploit iOS devices, in order to install malware that can spy upon communications and snoop upon a user’s whereabouts, is proven by a staggering $1 million reward being offered by one firm for exclusive details of such a flaw.

In an announcement on its website, newly-founded vulnerability broker Zerodium, offers the million dollar bounty to “each individual or team who creates and submits an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”

There’s no denying – that’s a lot of cash. And Zerodium says it won’t stop there. In fact, it says that it will offer a grand total of $3 million in rewards for iOS 9 exploits and jailbreaks.
…

Graham says the most likely buyers from Zerodium are governments more likely to pay large sums than Microsoft or Apple.

There a reason for that. Microsoft, Apple, Cisco, etc., face no economic down side from zero-day exploits.

Zero-day exploits tarnish reputations or so it is claimed. For most vendors it would be hard to find another black mark in addition to all the existing ones.

If zero-day exploits had an impact on sales, the current vendor landscape would be far different than it is today.

With no economic impact on sales or reputations, it is easy to understand the complacency of vendors in the face of zero-day exploits and contests to create the same.

I keep using the phrase “economic impact on” to distinguish economic consequences from all the hand wringing and tough talk you hear from vendors about cybersecurity. Unless and until something impacts the bottom line on a balance sheet, all the talk is just cant.

If some legislative body, Congress (in the U.S.) comes to mind, were to pass legislation that:

• Imposes strict liability for all code level vulnerabilities
• Establishes a minimum level of presumed damages plus court costs and attorneys fees
• A expedited process for resolving claims within six months
• Establish tax credits for zero-day exploits purchased by vendors

the economics of cybersecurity would change significantly.

Vendors would have economic incentives to both write cleaner code and to purchase zero-day exploits on the open market.

Hackers would have economic incentives to find hacks because there is automatic liability on the part of software vendors for their exploits.

The time has come to end the free ride for software vendors on the issue of liability for software exploits.

The result will be a safer world for everyone.

NLP for Security: Malicious Language Processing by Bobby Filar

From the post:

Natural Language Processing (NLP) is a diverse field in computer science dedicated to automatically parsing and processing human language. NLP has been used to perform authorship attribution and sentiment analysis, as well as being a core function of IBM’s Watson and Apple’s Siri. NLP research is thriving due to the massive amounts of diverse text sources (e.g., Twitter and Wikipedia) and multiple disciplines using text analytics to derive insights. However, NLP can be used for more than human language processing and can be applied to any written text. Data scientists at Endgame apply NLP to security by building upon advanced NLP techniques to better identify and understand malicious code, moving toward an NLP methodology specifically designed for malware analysis—a Malicious Language Processing framework. The goal of this Malicious Language Processing framework is to operationalize NLP to address one of the security domain’s most challenging big data problems by automating and expediting the identification of malicious code hidden within benign code.

Bobby provides pointers to NLP being used for identifying malicious domains, source code analysis, phishing identification and malware family analysis before discussing traditional NLP tasks in a code analysis setting.

For example, how to perform stemming and lemmatization on source code? Or for that matter, what is the equivalent of POS tagging for source code?

More questions than answers but new tools all start that way.

I first saw this in a tweet by Alyona Medelyan.

Anatomy of a malicious email: Crooks exploiting recent Word hole by Paul Ducklin.

From the post:

SophosLabs has drawn our attention to a new wave of malware attacks using a recent security bug in Microsoft Word.

The bug, known as CVE-2015-1641, was patched by Microsoft back in April 2015 in security bulletin MS15-033.

The vulnerability was declared to be “publicly disclosed,” meaning that its use wasn’t limited only to the sort of crooks who hang out in underground exploit forums.

Of course, turning a potential Remote Code Execution (RCE) vulnerability into a reliably-working exploit isn’t always as easy as it sounds, but that has happened here.

Here’s how the new attacks go down.
…

Paul does a great job of covering the details of this attack and about Word attachment attacks in general. Highly recommended reading.

He closes security suggestions and one in particular I want to call to your attention:

Avoid opening unexpected or unsolicited attachments.

Write that down!

I don’t care if the president of the enterprise allegedly wrote to you (why would he?).

If it is unexpected/unsolicited, don’t open it.

If you think it is important, call to verify its sender.

Not a perfect defense because a legitimate sender may be infected but it will get you past one entire category of vulnerabilities.

Advances in technology render traditional methods of stopping cars obsolete!

No more police roadblocks:

No more spike strips:

No more PIT maneuvers:

Now you only need a laser pointer!

John Zorabedian reports in Self-driving cars can be stopped with a laser pointer:

…
Jonathan Petit was able to launch a denial-of-service attack against a self-driving car by overwhelming the car’s sensors with images of fake vehicles and other objects.

As Petit describes in a paper he will present at Black Hat Europe, he recorded the pulses emitted by objects with a commercial lidar (light detection and ranging) system that self-driving cars use to detect objects.

By beaming the pulses back at a lidar on a self-driving car with a laser pointer, he could force the car into slowing down or stopping to avoid hitting phantom objects.

In an interview with IEEE Spectrum, Petit explained that spoofing objects like cars, pedestrians, or walls was fairly simple; and his attack could be replicated with a kit costing just $60.
…

Compare the $60 to stop a “smart” car versus $313.94 for a set of MS10 spikes, $45K for a Ford Taurus for the PIT maneuver, or right at $225,000 in cars for the full police roadblock (five cars x $45K).

What lies at the root of the smart car vulnerability?

Unchecked input. The same cause of buffer overflows, SQL injection attacks, etc. A leading cause of computer vulnerabilities is spreading to cars.

Waiting for the day that failure to check input data = strict liability + punitive damages.

Ford got a taste of liability with the exploding Pintos.

Are smart car manufacturers lining up for another taste?

Warning! Seagate Wireless Hard Drives Have a Secret Backdoor for Hackers by Khyati Jain.

From the post:

Several of Seagate’s 3rd generation Wireless Hard drives have a secret backdoor for hackers that puts users’ data at risk.

A Recent study done by the security researchers at Tangible Security firm disclosed an “undocumented Telnet services” with a hard-coded password in Seagate Wireless Hard Drives.

The secret Telnet Vulnerability (CVE-2015-2874) with an inbuilt user account (default username and password — “root”) allows an attacker to access the device remotely, left users data vulnerable to theft.
…

But wait! There is an easy fix!

Fortunately, there’s an easy fix. Seagate recommended its affected customers to update the device firmware to version 3.4.1.105 to address these issues.

Oh, yeah, but what about all those Seagate Wireless Hard Drives that are already in the supply chain?

FYI: It need not say “Seagate” on the outside to be a vulnerable Seagate product.

Imagine if Ford brake recalls (so far in 2015) offered you a free brake repair kit you could order online. The cost of installation being place on you.

I wonder how well that would go over?

Shifting repair costs and obligations to end users has proven to be a highly ineffectual way of maintaining software security.

I don’t have a magic solution but continuing the current model and expecting different results is madness.

Does the headline make you feel safer?

It shouldn’t.

Mohit Kumar highlights a new policy from the Justice Department in New Rules Require FBI to Get Warrant for Spying With ‘Stingrays’ Cell Phone Trackers that requires:

• warrants for use of “Stingrays” or “IMSI catchers”
• destruction of collected data when target found or once a day
• disclose annually the number of times stingrays were used

Mohit notes the policy has some truck-sized holes in it but, the policy is praised by some as a “step in the right direction.”

In order to feel safer, you must assume that federal agents are going to follow the new policy. I suggest you take a clue from Clapper openly lying to Congress and remaining unpunished for the odds of federal agents following this policy.

Some will, if you believe that Fox Mulder is an actual human being and not an actor in a television series.

If being tracked by cellphone is a serious issue for you, search for “Faraday cage” or “Faraday bag.” For the background principles, see: Faraday cage.

If having a working cellphone is an absolute requirement, bug cheap phones in bulk and make them single-use burner phones. One call in or out and its recycled. Insure that the accounts for the phones have no common characteristics such as purchaser, means of payment, place of purchase, sequence of numbers, etc.

Inconvenient but real security is by definition always inconvenient.

Otherwise, welcome to being tracked by:

• federal agents who don’t follow the new policy
• federal agents who find the loopholes in the policy
• state and local police who have no such policy
• private contractors
• DVs – digital vacuums who sweep up digital debris in high traffic areas to find something worth selling

Speaking of digital vacuums, when was the last time you called your mistress from an airport?

PS: I have never used Burner, which is an app that promises phone numbers you can discard and:

Once a number expires or is burned, the number is permanently removed from your account. Any unused voice minutes or text messages on an expired or burned number cannot be transferred to any new or existing Burners.

Please note: All call, SMS and voicemail history will also be removed from your account once a number expires.

One concern is whether if served with a national security letter, if Burner would capture your data prior to a number being burned?

Perhaps best for avoiding crazy ex-lovers, marketers, etc., and not more serious opponents.

Another nail in Adobe Flash’s coffin – Chrome to block Flash ads from September 1st by Graham Cluley.

From the post:

Last month, Firefox blocked all Flash content by default – as it waited for Adobe to patch a critical security hole that was being actively exploited in malicious attacks.

The news came hot on the heels of Facebook’s security chief calling for Flash to be put out of its misery permanently.

And from next Tuesday, September 1st, Google’s Chrome browser will be blocking Flash ads by default. In a notice posted on Google Plus, the company says that the change is being made to improve performance for users.
…

Be aware that Graham has previously said that simply disabling Flash in your browsers may not be enough to protect yourself from Flash vulnerabilities.

Considering the security issues known to exist with Adobe Flash, I see no reason to place much confidence in any patching that Adobe produces for Flash. If they were capable of doing it correctly, it would already be done.

The best strategy is that if a webpage or PDF or Word document requires Flash, don’t look.

In the case of documents, return to sender requesting they use less insecure software for communication purposes. (Government offices take note! Flash should be banned from all submissions to government agencies.)