Huawei: Dutch Treat for 5G Security
April 27, 2021
A secret report from 2010 has surfaced in the Netherlands and has been reviewed by editors at news site de Volkskrant. The document reveals that “Huawei Was Able to Eavesdrop on Dutch Mobile Network KPN,” reports the NL Times. We learn that, in 2009, KPN used Huawei tech and that six employees of the Chinese tech giant worked at its head office. Warned by security firm AIVD that this was a dicey situation, KPN hired researchers at Capgemini analyze any risks involved. We learn:
“The conclusions turned out to be so alarming that the internal report was kept secret. ‘The continued existence of KPN Mobile is in serious danger because permits may be revoked or the government and businesses may give up their confidence in KPN if it becomes known that the Chinese government can eavesdrop on KPN mobile numbers and shut down the network’, de Volkskrant quotes the report. At the time, KPN’s mobile network had 6.5 million subscribers.”
These subscribers included then Prime Minister Jan Peter Balkenende and other ministers as well as, importantly, Chinese dissidents. The write-up continues:
“The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.”
Huawei assures everyone it never took advantage of this access and there is no evidence (yet) that it did so. The revelation explains why KPN has since maintained its own mobile core network and relied upon Western suppliers. Lesson learned.
Cynthia Murrell, April 27, 2021
Bad Actors Include Russian Crime Oligarchs: Wosar Speaks Out
April 12, 2019
Hollywood romanticizes computer hacking and other digital crimes. There is some truth to what happens on the screen, but the action is usually more downbeat and usually does not keep the bad actors at the edge of their seats. While the bad actors get a lot of screen time, the good guys, those who protect the average person, from cyber attacks rarely get praised. The BBC took the time to praise one digital hero’s actions in the article, “Hated And Hunted.”
Perhaps the most vicious type of malware is ransomware. Ransomware is a computer virus that once downloaded onto a computer, it scrambles all of the data and delivers a ransom note stating the user must pay a certain amount of money or all of their data will be deleted. Fabian Wosar is a good actor, because he understands the virus code and knows how to hack the hacker. In other words, he knows how to outsmart the hackers and beat them at their own game. The hackers are so upset with Wosar that they actually write mean notes to him in their virus code.
Wosar is an introverted individual, who loves to design anti-virus code for his cyber security company, Emsisoft. He spends hours working and often binges long hours at his job, often giving away his ant-ransomware away for free. Wosar compares writing code to writing a novel and how he can tell who wrote specific code based on individual styles. He also believes that he stopped over 100 different cyber gangs from their illegal activities.
Ransomware is one of the most profitable cyber crimes and its perpetrators can evade authorities for years, especially if they are smart about it. Ransomware victims often pay hundreds of thousands of dollars and pounds to the criminals, especially if they decide paying the ransom is considered cheaper than replacing a system. Cyber criminals are also quite intimidating:
The most successful cyber-crime gangs are run like mafia organizations with specific structures and divisions of labor.There are the virus coders, the money launderers, the protection heavies and the bosses who decide on targets and sometimes funnel the money into other, potentially more serious, criminal enterprises.Catching these gangs is extremely challenging. One of the most prolific recent ransomware gangs, responsible for two major ransomware families – CTB-Locker and Cerber – made an estimated $27m and eluded police for years.It took a global police operation involving the FBI, the UK’s National Crime Agency, and Romanian and Dutch investigators to bring them down. In December 2017, five arrests were made in Romania.
Wosar keeps his identity hidden and moves around to keep himself safe. While he does enjoy his work, he does suffer from health problems due to his sedentary lifestyle and might get a dog to force himself outside. Outside, however, may pose risks.
Whitney Grace, April 12, 2019
Zerodium Boosts Payouts for Zero Day Exploits to US$2 Million
January 14, 2019
The Hacker News reported that Zerodium will pay up to $2 million for an iPhone zero day exploit. The idea is that the market for iPhone hacks is robust even if Apple is struggling to hits its internal sales targets. The write up states:
Zerodium—a startup by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world—said it would now pay up to $2 million for remote iOS jailbreaks and $1 million for exploits that target secure messaging apps.
The big payout is for a remote hack which jailbreaks an iPhone. The idea is that an entity can access an iPhone remotely and perform actions on that iPhone with having direct physical access to the device. The approach is known as a “zero click” exploit; that is, no user interaction required.
The company is also offering a payout of $1 million for WhatsApp exploits.
The reason? Hacker News explains:
The hike in the price is in line with demand and the tougher security of the latest operating systems and messaging apps, as well as to attract more researchers, hackers and bug hunters to seek complex exploit chains.
DarkCyber anticipates more price increases as bad actors shift to encrypted messaging for certain types of communications and transactions.
Stephen E Arnold, January 14, 2019
The Hacking Hit Parade
October 12, 2018
Beyond Search readers may find “Top 10 Web Hacking Techniques of 2017 interesting.” Many of these may seem to be small potatoes compared to the allegedly hacking of Supermicro motherboards, but intriguing nevertheless.
The top three techniques, according to the write up, are:
- Coming in at number three is a method for spoofing customer support tickets. The key is “implicit trust.”
- At number two is Web cache deception. The idea is to put data into a Web cache in order to get the good stuff.
- And, the number one, hacking method for 2017 was use of server side request forgery. Now this method is like a multiple warhead weapon; that is, once can use some quite interesting methods of delivery and create what the innovator calls “quick fun”.
We will provide more information in our November 27, 2018, DarkCyber news program.
Stephen E Arnold, November 27, 2018
Can Digital Shadows Meet the Award Hype for Their Cyber Defense Product
April 28, 2017
The article on Zawya titled Digital Shadows Continues to Make Waves with Two Prestigious Award Wins positions Digital Shadows as the juggernaut of the risk management market with its product SearchLight sweeping up honors left and right from Cyber Defense Magazine, Momentum Partners, and the 2016 SINET awards. Each accolade cites Digital Shadows cutting edge technology and strategy. What makes the company so innovative?
Digital Shadows monitors for digital risks beyond the boundary of an organization, identifying cyber threats, data leakage and reputational risk. It then notifies clients of data leaks online; hacktivists’ or cybercriminals’ plans to target the organization; employees or suppliers putting themselves and their company at risk; along with criminals selling company information and data on the surface and dark web.
Beyond this, the alerts themselves are verified and rated in urgency by a team of analysts who also advise the organization on how to proceed for customized threat intelligence. Alastair Paterson, CEO and Co-Founder, calls the process a “marriage” between the technology and the human team. Digital Shadows has seen monumental growth in the triple digits for the past three years including opening new offices in Dallas, San Francisco, and London and building an employee base of over 100 people.
Chelsea Kerwin, April 28, 2017
Dark Web Expert Was There From the Beginning
March 21, 2017
Journalist William Langewiesche at Vanity Fair presents the storied career of a hacker-turned-security expert, whom he pseudonymously calls Opsec, in the extensive article, “Welcome to the Dark Net, a Wilderness Where Invisible World Wars are Fought and Hackers Roam Free.” The engaging piece chronicles the rise of the Dark Web alongside Opsec’s cyber adventures, which began when he was but a child in the late ’80s. It also clearly explains how some things work on and around the Dark Web, and defines some jargon. I would recommend this article as a clear and entertaining introduction to the subject, so readers may want to check out the whole thing.
Meanwhile, I found this tidbit about a recent botnet attack interesting. For background, Opsec now works for a large, online entertainment company. Langewiesche describes an intrusion the security expert recently found into that company’s systems:
The Chinese [hacking team] first went into a subcontractor, a global offshore payment processor that handled credit-card transactions, and then, having gained possession of that network, quietly entered the Company through a legitimate back door that had been installed on the Company’s network to administer consumer accounts. The initial breach was a work of art. The Chinese wrote a piece of customized software purely for that job. It was a one-of-a-kind ‘callback dropper,’ a Trojan horse that could be loaded with any of many malware modules, but otherwise stood empty, and regularly checked in with its masters to ask for instructions. Once inside the network, the Chinese were able to move laterally because the Company, for the sake of operational efficiency, had not compartmentalized its network. …
First, using ‘bounce points’ within the network to further obscure their presence, [the hackers] went after the central domain controller, where they acquired their own administrative account, effectively compromising 100 million user names and passwords and gaining the ability to push software packages throughout the network. Second, and more important, the Chinese headed into the network’s ‘build’ system, a part of the network where software changes are compiled and then uploaded to a content-distribution network for the downloading of updates to customers. In that position they acquired the ability to bundle their own software packages and insert them into the regular flow, potentially reaching 70 million personal computers or more. But, for the moment, they did none of that. Instead they installed three empty callback Trojans on three separate network computers and left them standing there to await future instructions. Opsec and his team concluded that the purpose was to lay the groundwork for the rapid construction of a giant botnet.
Opsec suspects the same payment processor vulnerability was exploited at other companies, as well, as part of a plan to launch this giant botnet as part of a global cyber-war. Considering he only caught the attack due to one small error made by the hackers, the discovery is unnerving. Opsec has his ideas on how to fight such a series of attacks, but he is holding off at the behest of his employer. Officially, at least. See the article for more information.
Cynthia Murrell, March 21, 2017
Who Knew Hackers Have Their Own Search Engines?
March 3, 2017
Hackers tend to the flock to the Internet’s underbelly, the Dark Web, and it remains inaccessible unless you have a Tor browser. According to the AIRS Association, hacker search engines are a lot easier to access than you think, read about it in “5 Hacker-Friendly Search Engines You Must Use.” The best-known hacker-friendly search engine is Shodan, which can search for Internet connected devices. While Shodan can search computers, smartphones, and tablets the results also include traffic lights, license plate readers, and anything with an Internet connection. The biggest problem, however, is that most of these devices do not have any security:
The main reason that Shodan is considered hacker-friendly is because of the amount and type of information it reveals (like banner information, connection types, etc.). While it is possible to find similar information on a search engine like Google, you would have to know the right search terms to use, and they aren’t all laid out for you.
Other than Shodan some of the other scary search engines are ZoomEye, I2P, PunkSPIDER, and Censys. These search engines range in the amount of data they share as well as their intended purpose, but they all reveal Internet connected devices. Beginners can use these search engines, but it takes a little more than technical know how to get results displayed. One needs to figure out how to use them before you even enter the first search result, because basic keyword will not get you far.
Hacker search engines are a good tool to use to find security breaches in your personal network or Web site. What will prevent most people from using them is the lack of experience, but with only a small amount of learning these search engines in the wrong hands are dangerous.
Whitney Grace, March 3, 2017
Unintended Side Effects of Technology Restrictions
February 23, 2017
Do lawmakers understand how much they do not understand about technology? An article at Roll Call tells us, “Proposed Tech-Export Rules Bashed by Companies, Researchers.” It is perfectly understandable that human-rights organizations have pressed for limits on the spread of surveillance technology and “intrusion software”—a broad term for technology that steals data from computers and mobile devices, including some tools that can hijack hardware. Several Western governments have taken up that banner, imposing restrictions designed to keep this technology out of the hands of bad actors. In fact, 41 nations pledged their commitment to the cause when they signed on to the Wassenarr Arrangement in 2013.
While the intentions behind these restrictions are good, many critics insist that they have some serious unintended side effects for the good guys. Writer Gopal Ratnam reports:
Although such technologies can be used for malicious or offensive purposes, efforts to curb their exports suggests that the regulators didn’t understand the nature of the computer security business, critics say. Unlike embargoes and sanctions, which prohibit dealing with specific countries or individuals, the proposed restrictions would have forced even individual researchers working on computer security to obtain licenses, they say.
The technologies the Wassenaar agreement tried to restrict ‘certainly can be used for bad purposes, but cybersecurity tools used by malicious hackers are also used for good purposes by technology companies and developers,’ says John Miller, vice president for global cybersecurity and privacy policy at the Information Technology Industry Council, a Washington-based group that represents technology companies. ‘Export control law usually doesn’t get into making distinctions on what the technology is going to be used for.’ And that’s ‘one of the reasons it’s difficult to regulate this technology,’ Miller says.
Besides, say some, the bad guys are perfectly capable of getting around the restrictions. Eva Galperin, of the nonprofit Electronic Frontier Foundation, insists human rights would be better served by applying pressure generally to repressive regimes, instead of trying to stay ahead of their hackers. Ratnam goes on to discuss specific ways restrictions get in the way of legitimate business, like hampering penetration tests or impeding communication between researchers. See the article for more details.
Cynthia Murrell, February 23, 2017
Counter Measures to Money Laundering
January 30, 2017
Apparently, money laundering has become a very complicated endeavor, with tools like Bitcoin “washers” available via the Dark Web. Other methods include trading money for gaming or other virtual currencies and “carding.” ZDNet discusses law enforcement’s efforts to keep up in, “How Machine Learning Can Stop Terrorists from Money Laundering.”
It will not surprise our readers to learn authorities are turning to machine learning to cope with new money laundering methods. Reporter Charlie Osborne cites the CEO of cybersecurity firm ThetaRay, Mark Gazit, when she writes:
By taking advantage of Big Data, machine learning systems can process and analyze vast streams of information in a fraction of the time it would take human operators. When you have millions of financial transactions taking place every day, ML provides a means for automated pattern detection and potentially a higher chance of discovering suspicious activity and blocking it quickly. Gazit believes that through 2017 and beyond, we will begin to rely more on information and analytics technologies which utilize machine learning to monitor transactions and report crime in real time, which is increasingly important if criminals are going to earn less from fraud, and terrorism groups may also feel the pinch as ML cracks down on money laundering.
Of course, criminals will not stop improving their money-laundering game, and authorities will continue to develop tools to thwart them. Just one facet of the cybersecurity arms race.
Cynthia Murrell, January 30, 2017
HSDirs Could Be the Key to Dark Web Intelligence
January 12, 2017
An article on Security Affairs called Boffins spotted over 100 snooping Tor HSDir nodes spying on Dark Web sites points to a new tactic that could be useful to companies offering Dark Web intelligence services. Within the inner workings of the Dark Web live at least 100, according to researchers, malicious hidden service directories (HSDirs). These are the relays of the network that allow people to visit hidden services. The author quotes researchers Filippo Valsorda and George Tankersley who presented at the Hack in the Box Security Conference,
When a person wants to host a hidden service, they have to advertise their service on a Tor Onion database, which is a DHT made up of a group of stable relay machines called HSDirs . The person who wants to visit the hidden service has to request information about that service from the database. Therefore, those relays or HSDirs can see who is making the request for a connection and when you want to connect. Therefore, to deanonymize a user’s traffic, an attacker could choose to become the HSDir nodes for the hidden service.
Additionally, researchers from Karlstad University in Sweden found 25 nodes within the The Onion Router (Tor) which showed entities snooping on the supposedly anonymous network. It appears gaps exist. The research shows an unspecified actor from Russia was eavesdropping. Are these snoopers Dark Web intelligence or cybercriminals? We shall stay tuned.
Megan Feil, January 12, 2017