Update on the CISA Bill

The bill that I brought up in my last presentation has been making headway ever since, though no one is sure whether that is for better or worse. For those who don’t remember, this is the bill that would allow the government and private companies to share data, including personal information, with each other in order “to prevent and respond to cybersecurity threats.” As was aptly pointed out last time around, the bill clearly had a lot of loopholes that would essentially allow the government and companies to share whatever data they deemed necessary without any users knowing that their personal information was being circulated.

On March 12th, a slightly updated version of the bill was passed by a vote of 14-1. The one senator who voted against it, Ron Wyden, had this to say: “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name. It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.” These worries aren’t unfounded: the most recent publicly released iteration of CISA (the Cybersecurity Information Sharing Act) shows that it also allows the sharing of private data that could “prevent terrorism or an imminent threat of death or serious bodily harm.” Robyn Greene, privacy counsel at the Open Technology Institute, argues that this could mean CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.” Even more worrying is that the information could be used in investigations into crimes with no connection to cybersecurity, such as carjacking or ID fraud; while these crimes are terrible, they should not be investigated using information that is ostensibly collected only for cybersecurity purposes.

There is still some hope that this bill turns out to be a good thing, depending on how you look at it. Before it was passed, a closed-door session saw a dozen amendments added to the bill. No information about them has been released yet, though intelligence committee chairman Richard Burr said that some of them were designed to prevent user information from being shared with the government too freely. If all goes well (and we believe strongly enough), enough protections for users may have been added that the bill becomes an objectively good thing for preventing cyber crime in the coming years. But if all goes poorly, the bill has the potential to seriously harm privacy rights. The fact that these amendments were added without public knowledge of what they are seems damning, but for now it’s unclear just how good or bad this really could be.


Article on wired.com: http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-privacy-critiques/


Tabloid Phone Hacking

Scores of celebrities are claiming damages from Mirror Group Newspapers (MGN) as a result of phone and voicemail hacking incidents. Address books, messages, and voicemails were stolen, and stories were published using the information. Four Sunday Mirror journalists have been arrested, and in November 2014 former Sunday Mirror investigations editor Graham Johnson pleaded guilty to intercepting voicemail messages. He was the second Mirror Group Newspapers journalist to admit to phone hacking.

In September 2014 Trinity Mirror, the owner and publisher of the Daily Mirror and the Sunday Mirror, admitted that some of its “journalists” had been involved in phone hacking and apologized for the unlawful activity. MGN also printed the following apology:

“It was unlawful and should never have happened, and fell far below the standards our readers expect and deserve. We are taking this opportunity to give every victim a sincere apology for what happened.”

MGN has informed its shareholders that it will set aside funds to cover the cost of settling phone hacking claims, as costs have exceeded initial estimates. Both criminal and civil penalties are expected.

As I dug into this story I found that the practice was more widespread. It appears that journalists came to rely on phone hacking to make news throughout the 2000s, using several resources including black hat hackers and private investigators. One journalist admitted to hacking one hundred celebrities every day for eighteen months.

http://www.bbc.com/news/uk-england-24059941

http://en.wikipedia.org/wiki/List_of_alleged_victims_of_the_News_International_phone_hacking_scandal

Bill Edwards

Vulnerability Found in Blackphone’s SilentText App

The first phone from Silent Circle, Blackphone, touts itself as “the world’s first enterprise privacy platform” and relies on the fact that people are willing to pay a premium for privacy. This is still a niche market, but Blackphone is betting on that niche having the finances to afford a security-conscious option.
Despite Blackphone being a company with security at the forefront of its mission, a type confusion vulnerability was found in its text application, Silent Text. The vulnerability works whether the Silent Text application is installed on one of the company’s Blackphone devices or on another device. It could be exploited to do anything from simply eavesdropping by decrypting messages to actually executing malicious code.

The vulnerability was found and reported by Mark Dowd, an Azimuth Security consultant. It was publicly reported only after Blackphone had been given time to patch it. While the application is no longer susceptible to this attack, it is unknown whether malicious parties were privy to the issue in time to take advantage of it.
In order to exploit the vulnerability, all that was needed was the target’s Silent Circle ID or phone number. The type confusion occurs when the application performs the JSON deserialization of an incoming Silent Circle Instant Messaging Protocol (SCIMP) message. This type confusion can be exploited to corrupt a pointer, which can then be used to execute the attacker’s desired payload.
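The defensive lesson from a deserialization type confusion is that every field of a parsed message must be type-checked before it is used. The example below is added here and is not Silent Circle’s code; the envelope fields (`type`, `seq`, `payload`, `cipher_text`, `mac`) are a constructed stand-in for the real SCIMP format. It contrasts a trusting handler, which indexes `payload` as an object, with a validating one that rejects any message whose fields have the wrong JSON type.

```python
import json

# Constructed, simplified envelope standing in for the SCIMP JSON message;
# it is NOT the real Silent Circle format.
SCHEMA = {"type": str, "seq": int, "payload": dict}
PAYLOAD_SCHEMA = {"cipher_text": str, "mac": str}

# Constructed sample messages, not captured traffic.
GOOD = b'{"type": "data", "seq": 7, "payload": {"cipher_text": "c2VjcmV0", "mac": "ab12"}}'
CONFUSED = b'{"type": "data", "seq": 7, "payload": "c2VjcmV0"}'  # payload is a string, not an object

def handle_unchecked(raw: bytes) -> str:
    """Trusting handler: indexes 'payload' as an object without checking.
    This is the shape of a deserialization type confusion. In a managed
    runtime the mismatch surfaces as a TypeError; in a memory-unsafe one the
    wrongly typed value may be dereferenced as a pointer instead.
    """
    msg = json.loads(raw)
    return msg["payload"]["cipher_text"]

class MalformedMessage(ValueError):
    pass

def validate_message(raw: bytes) -> dict:
    """Parse, then enforce every field's JSON type before it is used."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise MalformedMessage(f"not JSON: {exc}") from exc
    if not isinstance(msg, dict):
        raise MalformedMessage("top level must be an object")
    for key, expected in SCHEMA.items():
        value = msg.get(key)
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(value, expected) or isinstance(value, bool):
            raise MalformedMessage(f"field {key!r} missing or wrong type")
    for key, expected in PAYLOAD_SCHEMA.items():
        if not isinstance(msg["payload"].get(key), expected):
            raise MalformedMessage(f"payload.{key} missing or wrong type")
    return msg

def accepted(raw: bytes) -> bool:
    """True if validate_message accepts the message, False if it rejects it."""
    try:
        validate_message(raw)
        return True
    except MalformedMessage:
        return False
```

Calling `handle_unchecked(CONFUSED)` raises a TypeError because a string is indexed with a key, whereas `validate_message` rejects the same message with a clear error before any field is touched.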

While the actual vulnerability was patched over a month ago, the disclosure is still of interest, as Silent Circle has recently acquired its partner’s stake in the project as well as an additional $50 million in funding. It remains to be seen whether the market will support the company’s mission, but the announcement of additional funding seems promising and it appears that their model for bug disclosure is working.
Article on the vulnerability:
http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-let-attackers-decrypt-texts-stalk-users/
For more information on the specifics of the vulnerability:
http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html
Information on the acquisition:
http://www.cnet.com/news/silent-circle-buys-out-secure-blackphone-hardware-partner/

Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that a security company called Proofpoint had detected a four-week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use one of two router brands (UTStarcom and TP-Link) commonly deployed on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in, it would change the router’s primary DNS (Domain Name System) server address to the criminals’ own malicious DNS server. This allows the crooks to monitor all web traffic, hijack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. It could also lead to the installation of other malware.

[Image: malicious iframe scripts used to hijack the router and DNS]

This type of attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a botnet.

The important takeaway from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.

Sources:
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/
https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Facebook Gives Out Bounties to White Hat Hackers

In today’s world dozens of big-name companies are hacked every year through countless vulnerabilities in software that we all depend on. This has created a rather bleak public opinion of the term ‘hacker.’ Yet, as Facebook is clearly aware, not all hacking is bad hacking; it just depends on how you use the holes that you have exploited.

Facebook is a company that should be very concerned about cyber security: over a billion (yes, I said a billion) people around the world use this social media behemoth, meaning it has a lot of private information to keep track of. Recognizing this, Facebook started an ongoing public program back in 2011 to give hackers a chance to turn away from the dark side, albeit with a little monetary reward as incentive. It gives hackers a chance to quietly report any exploits they have found directly to Facebook in exchange for a cash bounty.

Colloquially these hackers are known as ‘white hat’ hackers, and there are surprisingly many of them. Facebook dished out a total of $1.3 million in 2014 alone through this program, with bounties ranging from as low as $500 to as high as $30,000. Just recently, a hacker named Laxman Muthiyah discovered a way to delete a user’s photos through Facebook’s Graph API. Grateful for the find, Facebook gave him a whopping $12,500 for reporting it without making it public.

Despite this monetary reward, these hackers can’t all be in it for the money. By exploiting Facebook’s holes on their own or by selling them, they could surely turn a much higher profit than what Facebook is offering. Yet the reward, coupled with a sense of morality, is what drives these hackers to continue to do good rather than evil.

– Keegan Parrotte