Spoofing hotel master keys.
The proof-of-concept may be a bit obsessive (F-Secure researchers spent about a decade and a half on it) but the results are eye-opening. Door-opening, too. The researchers showed that they could use a Proxmark RFID card reading tool on an expired keycard you might find in any hotel's trash to make a master key that can open any room in a hotel. The hack works on Vingcard Vision Locks. The proof-of-concept narrows down the master key possibilities and then, in about twenty tries over a minute, gives the hackers a master. The researchers disclosed their findings to Vingcard's parent, Assa Abloy, a year ago, and the company has developed and issued a patch. But as is so often the case with such devices, it's likely that the patch hasn't been universally or even widely applied (WIRED).
And here's another thing for travelers to worry about: vulnerable ski lifts. White hats determined that controls on lifts used in Austria and made by Doppelmayr/Garaventa were susceptible to remote starting and stopping, and to manipulation of "safety distance parameters." The researchers disclosed the flaws to the manufacturer, which addressed them promptly (HackRead).
Why Atlanta was vulnerable to ransomware.
Briefly, observers put it down to a combination of new leadership and old, outmoded IT infrastructure. The SamSam ransomware extortionists asked for $51 thousand to release the affected files, which the City of Atlanta apparently decided not to pay. The cost of remediation and recovery has been high: about $2.7 million in emergency IT and security contracts, and it's still not over, either (StateScoop).
UK's NCSC continues warnings.
Warnings against the possibility of attacks against critical infrastructure, especially power grids, continue. Last Sunday Ciaran Martin, head of GCHQ's National Cyber Security Centre, said that GCHQ is on "heightened alert" for Russian activity expected to follow the Salisbury nerve agent attack (National).
Jihadist messaging, and extremist messaging generally.
ISIS is in decline; al Qaeda seems to be in the ascendant. Their messaging continues, now in competition (War on the Rocks).
Terrorists and other extremist groups have excelled at marketing, not hacking per se. Maybe the Internet in general and social media in particular are structurally disposed to foster the organic growth of extremism, quite apart from the direction of state-controlled trolls. A long essay in the New York Times concludes that by their nature social media tend to breed extremism—"attention, praise and a sense of importance and agency" are easy to come by online. And who wouldn't want those, especially if you're young, frustrated, and feeling disrespected? And worse yet, the algorithmically discerned rate of engagement is self-reinforcing, serving more like-minded messages until the recipients come to believe that what they're reading is good, normal, mainstream, common sense, even if that common sense has induced them to seriously consider ramming a car into a crowd of people the driver is convinced are enemies of history, a deity, a race, a gender, and so on.
A piece in WIRED follows René Girard in seeing the root of the trouble as "mimetic desire" and "mimetic exhibitionism." So the fault may be in us as much as the platforms. Facebook has a new ad campaign in which the company expresses contrition and firmly resolves to sin no more. Besides, it was all really an accident. They just had a naive, panglossian view of human nature. Now they're sadder and wiser (WIRED). There are many calls for regulation, but how these might work is unclear. The public utility analogy has been considered, but there are problems there as well (WIRED).
The Internet as a whole does seem to produce disinhibition so thorough as to amount to a mania. See, for example, the treatment of (innocent) relatives of the recently arrested (alleged) Golden State Killer, himself tracked by police taking advantage of the immature market for DNA-based ancestry tracing. They followed him down that family tree, and now amateur detectives, vigilantes, and activists are busily engaged in hacking at that tree (Motherboard).
And the assumption that near-universal connectivity must be a good thing is increasingly being called into question. This is not an argument for disconnecting, but rather a reminder that acquaintance and familiarity can be as likely to breed enmity as understanding (Foreign Affairs).
Fake news and content moderation.
Much of the discussion of content moderation concentrates on manifestly objectionable stuff, like cannibalism. But Facebook's attempts to moderate what people post have run up against the problems of attempting to apply a set of rules that would admit of little judgment or appreciation of context (WIRED). Those problems aren't significantly different for an army of moderators than they are for a set of algorithms.
There are other issues of popular delusion. Did you know that drinking from plastic water bottles causes cancer? Neither does anyone else, but 43% of people surveyed by researchers at University College London and the University of Leeds believe this nonetheless (Times). This fraction is worth bearing in mind in discussions of fake news as tech companies come under increased pressure to do something about it (Wall Street Journal). Why should Twitter be any more effective than, say, Francis Bacon or the authors of the Port Royal Logic?
Outrageously cynical fake news.
Certain forms of disinformation seem to call for denunciation as an obvious response. A good example has been on display in connection with the Organisation for the Prohibition of Chemical Weapons (OPCW) and its inquiry into the chemical agent attacks by the Assad regime against civilians in the Syrian town of Douma. Russia has claimed to have evidence that the attack never happened, that the victims were phony, and that it's all just an atrocity story cooked up by the British, the Americans, and so forth. In support of this claim they presented footage of a 2016 short film that dramatized an earlier chemical attack in Syria. The 2016 film never represented itself as anything other than dramatization (Radio Free Europe | Radio Liberty).
Britain and France in particular are having none of it. The French reaction was particularly direct: that country's ambassador to the Netherlands (the OPCW is headquartered in the Hague) called the Russian disinformation an "obscene masquerade" (Radio Free Europe | Radio Liberty).
This isn't the first time Russia has produced bogus evidence in support of false propaganda claims. In November of last year Russia's Ministry of Defense released what it called "irrefutable proof" of American combat support of ISIS. The gun camera footage offered was in fact imagery from a popular smartphone game, "AC-130 Gunship Simulator: Special Ops Squadron" (BBC).
Obscene or not, Russian information operations aren't always so easily debunked or countered (CyberDB).
"Malign behavior."
The misbehavior is Russian, and the G7 will be on it, says the UK (Deutsche Welle). Cold War veterans are offering comparisons and contrasts between current tensions and those that obtained between Churchill's "Iron Curtain" speech in 1946 and the Soviet Union's collapse in 1991 (War on the Rocks). Here's one comparison: the Kremlin has again begun to talk about the Americans in terms of Wild West cowboys waving Colt Peacemakers (Washington Examiner). This time around the showdown is cyberspace, instead of the OK Corral (or Checkpoint Charlie).
Different approaches to information operations.
China goes for mass marketing, and observers think this likelier to have effect at home than abroad. The government is establishing "Voice of China" to centralize its global outreach (Foreign Policy). Attempts to influence foreign opinion have hitherto included the establishment of centers at foreign universities, but that approach may also be wearing thin, as Texas A&M a week ago closed two Confucius Institutes after they were criticized as posing a threat to national security (Heritage). The Lone Star State seems to be a tough audience. In January the University of Texas turned down funding from the China-United States Exchange Foundation, a Hong Kong organization thought to be a government propaganda operation (South China Morning Post). Such outreach programs are also to a significant extent inward-looking, with an intended audience of Chinese students studying abroad as well as the Chinese diaspora (Foreign Policy).
Hacking back in Georgia.
Tech firms are urging Georgia's Governor Nathan Deal to veto a bill that might criminalize many forms of vulnerability research while authorizing hacking back at attackers. It's the second half of the bill that Microsoft and Google (they sent a joint letter to the US state's governor) object to. The legislation, Senate Bill 315, would create a new crime: "unauthorized computer access." Microsoft and Google disliked the implications of an exemption for "cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" (Atlanta Journal-Constitution).
Grey market ransomware services? Or legitimate risk management tool?
Proven Data Recovery, a business that offers to help ransomware victims recover their files, is believed to operate by paying the ransom, and then charging its client a premium for the decryptor the extortionists deliver. This doesn't seem to be illegal, but some are questioning the business model (Graham Cluley). If you're going to pay the ransom, which you probably shouldn't, you might as well cut out the middle man.
Old SAP configuration issues persist.
Proper configuration of the SAP Message Server ACL should mitigate the risk: to succeed, an attacker would need access to the Message Server internal port with a default configuration in the ACL (SecurityWeek).
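As an illustration of the mitigation described above (an added example, not from the SecurityWeek report or from SAP's own documentation), the fragment below contrasts a permissive Message Server ACL with a restricted one. It assumes the ACL file is the one named by the profile parameter ms/acl_info, that entries take the form HOST=pattern, and that the hostnames and address ranges shown are constructed placeholders.

```ini
; --- Weak: the ACL file admits any host, so anything that can reach the
; --- internal Message Server port may register as an application server.
; Assumed ACL file content (constructed example):
HOST=*

; --- Hardened: list only the hosts that legitimately run application
; --- server instances; everything else is refused at the ACL.
; Assumed ACL file content (constructed placeholder hosts and subnet):
HOST=appsrv01.corp.example
HOST=appsrv02.corp.example
HOST=10.20.30.*

; --- Assumed companion profile settings (constructed example values):
; keep the internal port (application-server registration) separate from
; the port clients use, and point the ACL parameter at the restricted file.
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/SID/SYS/global/ms_acl_info
```

A configuration review can check that no HOST=* line remains and that the internal port is reachable only from the listed application-server hosts.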
A rose by any other name would smell as sweet...
...and the National Protection and Programs Directorate would be just as much in charge of security if it were called the Cybersecurity and Infrastructure Security Agency (Federal News Radio). Right? Or maybe not. But the NPPD would still like permission to change its name. This inside baseball of agency equities will be worth watching.
Here's another one, maybe a Rule 5 player to be named later: the House Armed Services Subcommittee on Emerging Threats and Capabilities would like to shift the Defense Information Systems Agency's (DISA’s) information technology functions and Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DoDIN) to US Cyber Command (Fifth Domain). JFHQ-DoDIN is already task-organized to report to Cyber Command, which has drawn ironic headlines ("House lawmakers propose moving cyber defense from CYBERCOM to CYBERCOM") but the change isn't entirely nugatory. It would make, the House committee thinks, for cleaner command relationships.
Government appointments.
The Senate Foreign Relations Committee recommended confirmation of Mike Pompeo, formerly Director of Central Intelligence, as US Secretary of State to the full Senate this week (Times). The US Senate also confirmed US Army Lieutenant General Paul Nakasone to succeed Admiral Michael Rogers as Director, National Security Agency, and Commander, US Cyber Command (Politico).
Mira Ricardel, formerly of Boeing and the Department of Defense, has been appointed US Deputy National Security Advisor (Defense News). Vice President Pence has appointed retired Army Lieutenant General Keith Kellogg as his principal National Security Advisor (Bloomberg). New National Security Advisor John Bolton continues to churn through the National Security Council staff (Fox News).
Crime and punishment.
Huawei is under a US Federal criminal investigation. The Department of Justice suspects the Chinese device manufacturer of having evaded sanctions against Iran (Wall Street Journal), which is what's landed ZTE in hot American water (Nikkei Asian Review).
Europol and its partners took down Webstresser.org this week (Europol). Webstresser was one of the world's largest, perhaps the largest, distributed denial-of-service for-hire operations (SecurityWeek). Apparently any skid with a grudge could rent the service for the low, low price of $14.99 (KrebsOnSecurity).
Police in Largo, Florida, went into a funeral home and attempted to unlock the iPhone of a man they'd shot during a traffic stop with the dead man's finger. This seems at best insensitive. It also didn't work (CSO).
Courts and torts.
Verizon, whose Oath content division contains most of what used to be Yahoo!, is seeking to close the door to further lawsuits over Yahoo!'s series of breaches. The new privacy policies and terms of service, intended in large measure to bring data collection and use into compliance with GDPR, include a waiver of participation in class action lawsuits and a mutual arbitration clause. These are common to any of the services belonging to Oath, but Yahoo! is a bigger target for litigation than its corporate sisters, and so its changes have attracted more attention (C|NET). The US Securities and Exchange Commission is fining Altaba (formerly doing business as Yahoo!) $35 million for failure to disclose its 2014 data breach (JDSupra).
Patch news.
Microsoft issued additional patches for Spectre this week (SecurityWeek), and a major Windows 10 update is expected Monday (TechCrunch). But Microsoft is, again, not fast enough for Google. Project Zero discloses a vulnerability Redmond hasn't yet got around to correcting (Naked Security).
This week Drupal fixed a remote code execution vulnerability, CVE-2018-7602, that affects Drupal versions 7.x and 8.x. The flaw is under active exploitation in the wild, which lends urgency to patching (Help Net Security).
Apple patched MacOS, iOS, and Safari (SecurityWeek). Among the vulnerabilities addressed is an APFS password leaking issue that hadn't been much discussed in security advisories (Naked Security).
Industry notes.
Twitter has told Kaspersky Lab that the Moscow-based security company will no longer be welcome to buy Twitter ads. Twitter cites violations of its policies, and Kaspersky says it's baffled: what policies? One must have some sympathy with Kaspersky: when Twitter was asked to say what policies Kaspersky had violated, the social media company pointed to last Fall's ban on Kaspersky products by the US Department of Homeland Security, which ban is indeed difficult to find in Twitter's terms and conditions (CyberScoop).
ZTE, which a week ago came under sanctions imposed by the US Department of Commerce, is calling the ban not only unfair, but a threat to the company's survival (Daily Star). Other countries are considering similar measures (BGR). A number of analysts think that ZTE won't be the last company to feel the pain of closer security scrutiny (CNN Money).
NTT has completed its acquisition of managed services provider Secure24 (Data Center News). Over in Wales, Shearwater has acquired another security company, Crystal IT Services, which it will rebrand as a new division: Xcina IS (Insider Media).
Red Balloon, whose Symbiote Defense is intended to secure embedded hardware, operating systems, and firmware stacks, attracted investment from In-Q-Tel (Washington Technology).
Palo Alto has closed its acquisition of SecDo (Benzinga).
Tech companies appear to be bypassing, if not (as headlines suggest) initial public offerings, then at least much of the traditional investment banking that's gone along with IPOs (WIRED).