Tag Archives: i-news

Hi folks!

Herewith, the next in my series of occasional iNews, aka cyber-news from the dark side updates – this one based on some of the presentations I saw at our annual Security Analyst Summit in Singapore last month.

One of the main features of every SAS is the presentations given by experts. Unlike other geopolitically-correct conferences, here the analysts up on stage share what they’ve discovered regarding any cyberthreat, no matter where it may come from, and they do this based on principle. After all, malware is malware and users need to be protected from all of it, regardless of the declared virtue of the intentions of those behind it. Just remember the boomerang effect.

And if certain media outlets blatantly lie about us in response to this principled position, so be it. And it’s not just our principles they attack – for we practice what we preach: we’re way ahead of the competition when it comes to the numbers of solved cyberespionage operations. And we’re not planning on changing our position in any way to the detriment of our users.

So here are a few synopses of the coolest investigations talked about at SAS by the experts behind them. The most interesting, most shocking, most scary, most OMG…

1. TajMahal

Last year, we uncovered an attack on a diplomatic organization from Central Asia. Of course, that an organization like that is interesting to cybercriminals should come as no surprise. The information systems of embassies, consulates and diplomatic missions have always been of interest to other states and their spy agencies or generally any bad guys with sufficient technical ability and financial wherewithal. Yes, we’ve all read spy novels. But here was something new: here a true ‘TajMahal’ was built for the attacks – an APT platform with a vast number of plugins used (we’ve never seen so many used on one APT platform – by far) for all sorts of attack scenarios using various tools.

The platform consists of two parts: Tokyo and Yokohama. The former is the main backdoor, which also fulfils the function of delivery of the latter malicious program. The latter has very broad functionality: stealing cookies, intercepting documents from the printer queue, recording VoIP calls (including WhatsApp and FaceTime), taking screenshots, and much more. The TajMahal operation has been active now for at least five years. And its complexity would suggest that it’s been built with more than one target in mind; the rest remain for us to find…

Details of this APT-behemoth you can find here.

Read on…

Privyet boys and girls!

Herewith, the next in my periodic/occasional cyber-news cyber-shocker-bulletins: a few stories of the cyber-interesting, the cyber-this-news-just-in, and the cyber-absurd…

State-sanctioned hacking!

The Japanese government is believed to be planning to hack 200 million IoT devices of its citizens. And that’s not science fiction folks; it looks like it’s for real. Indeed, it’s how the Japanese are preparing for the Olympics to be held in Tokyo in 2020 – and it’s all legal of course, since it’s the government who’s behind it. So their citizens’ gadgets will be hacked using the cybercriminals favorite method: using default passwords and password dictionaries. If a device is found to have a weak password, bureaucrats will enter the device into a list of unsecure gadgets, which list will then be handed over to internet service providers, which will be expected to inform subscribers and have them make their devices secure by changing the password. It’s all being done as a resilience test in the run-up to the Olympics, to work out if IoT devices in the country are sufficiently protected, and to try and prevent their use in attacks on the Olympics’ infrastructure. The methods to be used for this ‘test’ can easily be disputed, but the fact that the authorities are doing something concrete so well in advance is certainly a good thing. For let’s not forget that the Olympics have been targeted before – and not all that far away from Japan.

iOops!

An 18-year-old hacker, Linus Henze, has published a video highlighting a startling weakness in MacOS – specifically its Keychain program, which stores and secures a user’s many passwords. The teenager used a zero-day to develop his own app that can scan the full contents of the keychain.

Curiously, intriguingly, Mr. Henze isn’t planning on sharing his research and his app with the tech giant, since Apple still doesn’t run a bug-bounty program. So that leaves the company with two options: negotiate with the expert (which would be an unprecedented move for Apple), or consider trying to remedy the issue themselves – which they may or may not be able to do, of course.

Meanwhile, you, dear readers, need not fear for the safety of your passwords! Since there do exist (who’d know?!) fully secure, cross-platform password managers out there. And researchers – there do exist software companies that run bug-bounty programs ).

Even two-factor authentication can be hacked now.

Bank accounts being emptied by cyber-thiefs is on the up. One example recently involved accounts held at the UK’s Metro Bank. And the method used for the robberies involved intercepting text messages sent to account-holders’ phones for two-factor authentication. Now, 2FA is a good thing: it’s an extra layer of security and all that, so why not? It’s just that SMSs are by far not the most secure way to transfer data. For example, vulnerabilities can be exploited in the SS7 protocol, which is used by telecoms operators the world over to coordinate how they route texts and calls. If cyber-baddies manage to access the mobile network of an operator, they’re able to re-route messages and calls without the user being any the wiser. First they’d need to know your login and password for online banking, but that isn’t beyond the abilities of modern-day cyber-villains with their crafty keyboard spies, phishing tactics, or banking Trojans.

Once inside the online bank, the criminals send a request for a money transfer and intercept the message with the one-time code from the bank. The code is entered, and the bank transfers the funds, since both the password and the code were correctly entered. And the criminals are laughing all the way to the bank, as it were ).

So what can you do to stop such a scenario happening to you? Here are a couple of tips:

• Never tell anyone your login or passwords – even to a bank employee, but you’ll probably know that one: banks helpfully remind us whenever they can.
• Protect your devices from malware with a reliable antivirus app. There is one I happen to know of… but no – you choose the one you want ).

Cyber-spying on foreign diplomats in Iran – but whodunit?

Our researchers just recently discovered multiple attempts at infection of foreign diplomatic missions in Iran with some rather primitive cyber-espionage malware. The backdoor is presumed to be associated with the hacking group know as Chafer, which happens to ‘speak’ Farsi, and which is thought to have been responsible for cyber-surveillance on individuals in the Middle East in the past. This time, they cybercriminals used an improved version of the Remexi backdoor, designed to remotely control (as administrator) a victim’s computer.

Remexi software was first detected in 2015 when it was used for illegal surveillance of individuals and organizations across the whole region. The Windows-targeting surveillance-ware can exfiltrate keystrokes, screenshots, and browser-related data like cookies and history.

Much ‘home made’ malware is used in the region – often in combination with public domain utilities. But who’s behind these particular attacks? Finding out is made all the more difficult by the very fact that the malware is homespun; it literally could be anybody: Iranians, or non-Iranians pulling a false-flag operation. Alas, false flags are on the up and up and look set to remain so.

“Well, actually… a seal ate my USB stick, sir.”

In New Zealand, one day out walking a vet observed a clearly unwell leopard seal on a beach. As any concerned vet would, he proceeded to… scoop up a lump of the poorly seal’s poop and took it off for analysis. He was expecting to find therein some ghastly little parasites or viruses or what have you, but instead found… a USB stick. After much disinfection (I hope), the vet stuck the thumb drive into his computer (don’t try any of this at home kids, but this was a special case). And guess what? Thereon were stored lots of photos of the beautiful New Zealand scenery! Now the vet and Co. are seeking the owners of the USB – using this here video. Recognize it, anybody?

Boys and Girls! I hereby give you the last edition of i-news for 2018. Every year around this time I get the urge to do a bit of light-hearted summarizing and recapping, so we can see in the New Year in a good mood :). So, today we will talk about the loudest, silliest, funniest and weirdest news from the world of IT and cybersecurity that appeared on our screens in 2018.

First, let’s talk about professionalism in the media – you know, stuff like objectivity, investigative journalism and fact-checking. Or, to be more precise, the absence of all those things.

In October, Bloomberg Businessweek published an “investigation” with a pretty sensational headline and authored by a well-known ‘sauna journalist’. The first part of the headline says it all – The Big Hack. The story is based on information from anonymous sources (surprise, surprise!) and claims hardware manufactured by Super Micro has bugs implanted in them. And it’s supposedly been going on for several years. The chips were supposedly found by staff at Apple and Amazon, and the US authorities have been carrying out an investigation since 2015. And then, the interesting part starts…

US plans to retaliate by implanting tiny “chips” in all hardware sent to China according to 17 unnamed sources. pic.twitter.com/ovqChUm6EI

— Brian Bartholomew (@Mao_Ware) October 6, 2018

Amazon denied any knowledge of the bugs, while Tim Cook of Apple said it’s all lies and called for the article to be retracted. Super Micro declared it had never received any customer complaints or questions from the authorities. (All this sounds pretty familiar!) Within 24 hours of the publication, Super Micro shares plummeted 60%. The company called in an outside firm to conduct an investigation that found no evidence to back up the journalists’ claims. Bloomberg appears to be in no hurry to apologize, although it did assign another journalist to do some further research.

Bloomberg Businessweek® — DOES IT EVEN MATTER IF IT HAPPENED?™ https://t.co/0fMmZZCmmu

— Tavis Ormandy (@taviso) December 11, 2018

Read on…

As regular readers of this here blog of mine will already know, I’m rather into modern art. But when art somehow merges with the anything IT-related, I’m the world’s biggest fan. Well, such a merging is taking place right now in Moscow in its Museum of Modern Art with the exhibition Daemons in the Machine, so supporting it was a no brainer. Artists, consulted by scientists, aimed their creativity at the modern-day topics of artificial intelligence (which, IMHO, is hardly any intelligence at all – just smart algorithms), blockchain, neural networks and robotics. The result is a curious mix of futurology, ethics and – of course – art.

I haven’t been myself as I’m only just back from my latest trip, but I hope to find time for a visit before my next one.

And now, we move from high-art digital demons to everyday, run-of-the-mill – but very worrying – digital demons…

Read on…

Hi folks!

Today I’ve got some fresh, surprising cybersecurity news items for you. The first few are worrying stories about threats stemming from a certain ubiquitous small device, which many folks simply can’t be without just for one minute – including in bed and in the bathroom. The last few are positive, encouraging stories – about women on the up in IT. Ok, let’s dive in with those worrying ones first…

Don’t join the Asacub victim club

These days, folks tend to entrust their (trusty?) smartphones with all sorts of stuff – banking, important work and personal documents, messaging (often with very personal details strictly for a few eyes only), and more. But, hey, you’ll know all this perfectly well already, and may be one of these folks to this or that extent yourself; and if you are – you really do need to read this one carefully…

At the end of August a sharp increase was detected in the proliferation of the Android Trojan Asacub, which exploits that peculiarly human weakness called curiosity. The Trojan sends a text message with words like: ‘Hey John: You should be ashamed of yourself! [link]’, or ‘John – you’ve been sent an MMS from Pete: [link]’. So John scratches his head, becomes as curious as a cat, wonders what’s in the photo, clicks on the link, and (willingly!) downloads an application… which then proceeds to stealthily access his full contact list and start sending out similar messages to all his peers.

But this crafty malware doesn’t stop there. It can also, for example, read incoming texts and send their contents to the hackers running the malware, or send messages with a given text to a given number. And the ability to intercept and send texts gives the authors of the Trojan the ability to, among other things, transfer to themselves funds from the bank card of the victim if the card is digitally connected to the phone number. And as if that weren’t bad enough – there’s a bonus for the victim: a huge bill from his mobile provider for sending all those messages to everybody.

So how can you protect yourself from such fearsome mobile malware? Here’s how:

• Don’t click on suspicious links;
• Carefully check which rights are being requested by the downloaded application (e.g., microphone, camera, location…);
• And last and most: the simplest step – install reliable protection on your Android smartphone.

Android? Hmmm. I can hear all the sighs of relief just now: ‘Aaaaahhhh, thank goodness I’ve got an iPhone!’!

Hold your horses all you Apple lovers; here’s a couple of links for you too (don’t worry: you can click these – honest!):

Read on…

Almost 21 years ago, I embarked on a mission to make the world a safer, better place. Today, we’re proud to protect with our cybersecurity solutions the digital lives of over 400 million consumers and 270,000 organizations around the world. Like many other companies whose aim is enhancing people’s lives, we also know that the higher you go, the stronger the winds can be. For us these winds include false media reporting. And in today’s environment of ‘media-ocracy’ and fake news, the situation is getting worse.

For nearly four years now, certain U.S. media outlets have been printing outlandishly preposterous false stories about cyber-conspiracies concocted between secret service folks and Yours Truly against the ‘free world’.

These tales from the paranoid side about us all fit the same template. Accordingly, their basic structure and rhetoric are always identical:

• Unnamed U.S. intelligence officials share certain ‘shocking details’ about [insert as applicable] with a select few representatives of a given media outlet;
• Anonymous sources are mostly used; any ‘sources’ cited are incompetent/unqualified to be sources;
• Zero evidence of any wrongdoing on our part is presented (logical: there is no wrongdoing);
• Distortion of reality based on the Pareto principle (80% truth + 20% fiction = monstrous lie);
• These media stories are then used as a basis for taking political decisions (proof).

Incidentally, you may be wondering why, if all the stories about us are indeed false, we’ve never taken legal action in the U.S. The short answer to that is that U.S. legislation makes establishing the truth of a media story very difficult. Meanwhile, we get a ‘media-ocracy’ – with ‘news’ that isn’t news at all, just a vehicle for instilling in readers’ minds images of an ‘enemy’, so as to influence the underlying opinions of the people reading those media. But it doesn’t stop there. This non-news is used to justify high-level political moves against the next-in-line-to-be-out-of-favor company. Yes, of late it’s not just KL being pinpointed; this is growing bigger and bigger every month, affecting other companies too.

Worryingly, this media-ocracy is very influential – and highly contagious; so much so that it can now be felt all around the world, not just in America. And that now includes even the Netherlands.

On February 3 of this year, the largest Dutch national daily newspaper, De Telegraaf, published a ‘sensational’ article about a hacker who, allegedly, had claimed to have hacked into the network of our Dutch office (from just outside the building) and managed to obtain a number of IP addresses – all as part of a supposed investigation to help uncover a leak in the Dutch parliament – a leak organized to help ‘the Russians’. Inevitable questions like why specifically we were hacked, why those particular IP addresses were obtained, etc. are left unanswered, but for us the key thing to be addressed was the claim that someone had breached our own highly secure corporate network.

So yes, we took the claims very seriously. We’re a cybersecurity company, remember?! So naturally we carried out an internal investigation. And guess what it showed. No hack occurred. But that’s only the start of this sorry tale.

Read on: It gets even more ridiculous…

Hi folks!

Herewith, the next installment in my ‘Uh-oh Cyber-News’ column – the one in which I keep you up to date with all that’s scarily fragile and frailly scary in the digital world.

Since the last ‘Uh-oh’ a lot has piled up that really needs bringing to your attention. Yep, the flow of ‘Uh-ohs’ has indeed turned from mere mountain-stream trickle to full-on Niagara levels. And that flow just keeps on getting faster and faster…

As a veteran of cyber-defense, I can tell you that in times past cataclysms of a planetary scale were discussed for maybe half a year. While now the stream of messages is like salmon in spawning season: overload! So many they’re hardly worth mentioning as they’re already yesterday’s news before you can say ‘digital over-DDoSe’. “I heard how they hacked Mega-Corporation X the other day and stole everything; even the boss’s hamster was whisked away by a drone!”…

Anyway, since the stream of consciousness cyber-scandals is rapidly on the up and up, accordingly, the number of such scandals I’ll be writing about has also gone up. In the past there were three of four per blogpost. Today: seven!

Popcorn/coffee/beer at the ready? Off we go…

1) Infect a Friend and Get Your Own Files Unlocked for Free.

Read on: Effective Hacker Headhunting…

As always for this ‘column‘, I’ll be giving you a round-up of some of the most eek recent items of cybersecurity news, which might not have made the headlines but which are no less eek for that. And as usual, it’s all mostly bad news. There are still a few reasons to be optimistic though – but only a few. Eek!

Uh-oh Cyber-News Item No. 1: The Future’s Arrived.

A screenshot from Blade Runner

Many authors like to fantasize about how things will be in the future. Often, science fiction writers come up with deep philosophical reflections upon man and his place in the Universe. There’s Russia’s Strugatsky brothers, there’s Philip K. Dick, and there’s Arthur C. Clarke (plus his ‘translator’ to the silver screen Stanley Kubrick), for example. And very often such deep philosophical reflection is rather bleak and scary.

Other times, the reflection is a little less deep and philosophical, but no less likely to one day lead to reality – in fact, oftentimes more so. This is where I make appearances!…

So. Back in the first decade of this century, during my presentations your humble servant liked to tell fun ‘scare’ stories about what could happen in the future. Example: a coffeemaker launches a DDoS attack on the fridge, while the microwave works out the factory PINs of the juicer so it can then show text-adverts on its digital display.

Fast forward less than a decade and such ‘sci-fi’ is coming true…

Read on: Computer worms rising from the dead…

Just a quick read of the news these days and you can find yourself wanting to reach for… a Geiger counter. I mean, some of the news stories are just so alarming of late. Or am I overreacting? Let’s see…

Uh-oh News Item No. 1: Apocalypse Averted – for Now. 

Photo courtesy of Wikipedia

It was reported that the IT system of Unit B of the Gundremmingen Nuclear Power Plant in Swabia, Bavaria, southwestern Germany – right on the 30-year anniversary to-the-day of the Chernobyl disaster (!) – had been infected by some malware. However, it was also reported that there’s no reason to worry at all as no danger’s being posed whatsoever. All’s ok; we can all sleep soundly; everything’s under control; the danger level couldn’t be lower.

After sighing a ‘pheewwwww’ and mopping one’s brow, you read further…

… And as you do, you get a few more details of the incident. And it does indeed seem all is ok: the background radiation level, after all, didn’t go up – that’s the main thing, surely. Right? But then you read further still…

And you find out that the (Internet-isolated) system that was infected happens to be the one that controls the movement of nuclear fuel rods. It’s here you stop, rub the eyes, and read that again slowly…

WHAAAAT?

Read on: Cyber-Spy-Novel-Worthy …

Herewith, a quick review of and comment on some ‘news’ – rather, updates – on what I’ve been banging on about for years! Hate to say ‘told you so’, but… TOLD YOU SO!

First.

(Random pic of) the Cattenom Nuclear Power Plant in France where, I hope, all is tip-top in terms of cybersecurity

I’ve been pushing for better awareness of problems of cybersecurity of industry and infrastructure for, er, let’s see, more than 15 years. There has of late been an increase in discussion of this issue around the world by state bodies, research institutes, the media and the general public; however, to my great chagrin, though there’s been a lot of talk, there’s still not been much in the way of real progress in actually getting anything done physically, legally, diplomatically, and all the other …lys. Here’s one stark example demonstrating this:

Earlier this week, Chatham House, the influential British think tank, published a report entitled ‘Cyber Security at Civil Nuclear Facilities: Understanding the Risks’. Yep, the title alone brings on goosebumps; but some of the details inside… YIKES.

I won’t go into those details here; you can read the report yourself – if you’ve plenty of time to spare. I will say here that the main thrust of the report is that the risk of a cyberattack on nuclear power plants is growing all around the world. UH-OH.

The report is based exclusively on interviews with experts. Yes, meaning no primary referenceable evidence was used. Hmmm. A bit like someone trying to explain the contents of an erotic movie – doesn’t really compare to watching the real thing. Still, I guess this is to be expected: this sector is, after all, universally throughout the whole world, secret.

All the same, now let me describe the erotic movie from how it was described to me (through reading the report)! At least, let me go through its main conclusions – all of which, if you really think about them, are apocalyptically alarming:

1. Physical isolation of computer networks of nuclear power stations doesn’t exist: it’s a myth (note, this is based on those stations that were surveyed, whichever they may be; nothing concrete). The Brits note that VPN connections are often used at nuclear power stations – often by contractors; they’re often undocumented (not officially declared), and are sometimes simply forgotten about while actually staying fully alive and ready for use [read: abuse].
2. A long list of industrial systems connected to the Internet can be found on the Internet via search engines like Shodan.
3. Where physical isolation may exist, it can still be easily gotten around with the use of USB sticks (as in Stuxnet).
4. Throughout the whole world the atomic energy industry is far from keen on sharing information on cyber-incidents, making it tricky to accurately understand the extent of the the security situation. Also, the industry doesn’t collaborate much with other industries, meaning it doesn’t learn from their experience and know-how.
5. To cut costs, regular commercial (vulnerable) software is increasingly used in the industry.
6. Many industrial control systems are ‘insecure by design’. Plus patching them without interrupting the processes they control is very difficult.
7. And much more besides in the full 53-page report.

These scary facts and details are hardly news for IT security specialists. Still, let’s hope that high-profile publications such as this one will start to bring about change. The main thing at present is for all the respective software to be patched asap, and for industrial IT security in general to be bolstered to a safe level before a catastrophe occurs – not after.

Among other things, the report recommends promoting ‘secure by design’ industrial control systems. Hear hear! We’re totally in support of that one! Our secure OS is one such initiative. To make industrial control systems, including SCADA, impenetrable, requires an overhaul of the principles of cybersecurity on the whole. Unfortunately, the road towards that is long – and we’re only at the very beginning of it. Still, at least we’re all clear on which direction to head toward. Baby steps…

Second.

For several years I’ve also been pushing for the creation of a global agreement against cyberwar. Though we signs of a better understanding of the logic of such an agreement on the part of all the respective parties – academics, diplomats, governments, international organizations, etc. – we’re seeing little real progress towards any such concrete agreement, just like with the securing of industrial systems. Still, at least the reining in of cyber-spying and cyberwar is on the agenda at last.

Photo: Michael Reynolds/EPA. Source

For example, Barack Obama and Xi Jinping at the end of September agreed that their countries – the two largest economies in the world – won’t engage in commercial cyberspying on each other anymore. Moreover, the topic of cybersecurity dominated their joint press conference (together with a load measures aimed at slowing climate change). Curiously, the thorny issues of political and military cyber-espionage weren’t brought up at all!

So. Does this represent a breakthrough? Of course not.

Still, again, at least this small step is in the right direction. There have also been rumors that Beijing and Washington are holding negotiations regarding an agreement on prohibiting attacks in cyberspace. At the September meeting of the leaders the topic wasn’t brought up, but let’s hope it will be soon. It would be an important, albeit symbolic, step.

Of course, ideally, such agreements would be signed in the future by all countries in the world, bringing the prospect of a demilitarized Internet and cyberspace that little bit closer. Yes, that would be the best scenario; however, for the moment, not the most realistic. Let’s just keep pushing for it.