The Huawei telecom ban makes no sense

Color me confused about our 5G technology policy. Today I see this statement: “I want 5G, and even 6G, technology in the United States as soon as possible. It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind. I want the United States to win through competition, not by blocking out currently more advanced technologies.” That is from a recent set of tweets from our president. He is expected to sign an executive order banning Huawei equipment from domestic cellular carriers before next week. Not to be outdone, Congress is considering HR 4747 that would prevent government agencies from doing business with them.

Huawei seems to be the latest target of badly behaving tech companies, and it has gotten a lot of enemies. Last week our Secretary of State meet with several European leaders, telling them to not purchase any equipment from Huawei in building out their 5G cellular networks. He told them that this gear will make it more difficult for American equipment to operate there.

The fear is that Chinese will embed spying devices in their gear, interfering with communications. Chinese hacking attempts have dramatically risen over the past year, according to this new report from Crowdstrike. While the report didn’t identify Huawei as the source, they did find several hacking attempts aimed specifically at telecom vendors and their government customers.

The US isn’t alone in its fear of Huawei spying. Poland, Italy and Germany are all considering banning their gear from their newer cell networks. Last year, both South Korea and Australia enacted such a ban, and the UK began removing their equipment too. Huawei supplies Australian and UK 4G equipment and BT said last month that they will begin removing that stuff.  A recent news story in The Register stated that Huawei won’t be used to run any new British government networks, even though it will continue to be used in British landline infrastructure.

But is the Chinese government really using Huawei equipment to spy on us? Jason Perlow writes in ZDnet that chances are low, mainly because first there is no concrete proof, and second because it wouldn’t be in their best economic interests. Also, given that you can find Chinese semiconductors in just about everything these days, it would be nearly impossible to effectively ban them.

But there is another confounding reason that no one has mentioned, and that has to do with this law called CALEA. It spells out requirements for telecom suppliers and how they must provide access to government wiretaps and other law enforcement activities from their gear. So technically, not only is Huawei doing this, but all the other telecom vendors have to do so too. If you are with me so far, you see that Huawei is obligated to have this “backdoor” if they want to do business in the USA, yet we are criticizing them for having this very same backdoor! How this will play out in these bans is hard to realize.

A Huawei ban makes no sense. But it won’t stop government agencies from piling on at this stage.

CSOonline: How online polls are hacked and what you should do about it

The news in January about Michael Cohen’s indictments covers some interesting ground for IT managers and gives security teams something else to worry about: He allegedly paid a big data firm Redfinch Solutions to rig two online polls in then-candidate Donald Trump’s favor. To those of us who have worked with online polls and surveys, this comes as no surprise.

Researchers at RiskIQ found another survey-based scam that involves a complex series of steps that use cloned YouTube identities to eventually get marks to take surveys to redeem their “free” iPhones. Instead, the respondents get malware installed on their computers or phones. Security managers need to up their game and understand both the financial and reputational risks of rigged polls and the exploits that are delivered through them. Then they can improve their protective tools to keep hackers away from their networks and users. In this story for CSOonline, I talk about some of these issues and explain why businesses should use online polls and how to keep your networks safe from bad ones. 

Privacy, transparency, and increasing digital trust

There is a crisis of trust in American democracy.” So begins a new report from the Knight Commission on Trust, Media and Democracy organized by the Aspen Institute. It lays blame on our political discourse, racial tensions, and technology that gives us all more access to more commentary and news. “In 2018, unwelcome facts are labeled as fake.”

Part of the problem with trust has to do with the ease of cyber-criminals to ply their trade. Once relegated to a dark corner of the Internet, now many criminals operate in the public view, selling various pieces of technology such as ready-made phishing kits to seed infections, carders to collect credit card numbers, botnets and web stressors to deliver DDoS attacks, and other malware construction kits that require little to no technical expertise beyond clicking a few buttons on a web form. A new report from CheckPoint shows that anyone who is willing to pay can easily obtain all of these tools. We truly have witnessed the growth of the “Malware-as-a-service” industry.

This week I was in London participating in a forum for the Euro press put on by RSA. I got a chance to interview numerous experts who have spent their careers examining cybercrime and understanding how to combat fraud. It was a somewhat sobering picture, to be sure. At the forum, RSA’s president Rohit Ghai spoke about how the largest facet of risk today is digital risk, and how businesses need to better integrate risk management and cyber security methods. “This is a team sport, and security, IT, operations and risk groups all need to work together,” he said. “Our goal is not just about protecting apps or data, but about protecting our trust assets. We trust strangers to share our homes and cars because tech brings us together and drives the sharing economy.” We need to replace this trust system in the B2B world as Airbnb and Lyft have done for consumer-based businesses.

Ghai agrees with the conclusions of the Knight report that trust is at an all-time low. We have gotten so distrustful of our digital lives that we now have a new acronym, LDL, for let’s discuss live. But we can’t turn back the clock to the analog era: we need trust to fuel our future economic growth. He mentioned that to be trustful, “an ethical company should be doing the right thing, even if no one is looking at them at the time.” I liked that idea: too often we hear about corporations that are polluting our environment, denying any responsibility or worse, covering up the details when they get caught.

Part of the challenge is that cybersecurity is really a business problem, not a failure of technology. This is because “breaches and intrusions will occur,” says Ghai. “We have to move beyond the shame of admitting a data intrusion, and understanding its business impact. Our goal should be maintaining cyber wellness, not trying to totally eradicate threats.” Taking better care of customers’ privacy is also good for business, as numerous reports (such as this one from RSA) have concluded recently. Almost half of the consumers surveyed believe there are ethical ways companies can use their data.

Another issue is that what we say and what we actually do about maintain our digital privacy is often at odds with each other. In a 2017 MIT privacy experiment, they found that student participants would quite readily give up personal data for very small incentives, such as a free pizza. This dichotomy is even seen with IT security pros. A recent survey by Yubico found that more than half of those IT managers who have been phished have still not changed their password behavior. If they don’t change to improve their own security, who will?

The same dichotomy can be said about transparency: sadly, there are few companies who are actually as transparent as they claim, either through willfully misleading the public (Facebook is tops in this regard) or by just doing a poor job of keeping their IT assets under appropriate controls (the City of Atlanta or Equifax are two prime case studies here).

Where do we go from here? Security expert Bruce Schneier says that trust is fragile, and transparency is essential to trust. The Knight report carries a series of recommendations for journalists, technology vendor managers, and ordinary citizens, and I hope we can implement many or all of them to make for a better mutual and trusted future. They include being better at practicing radical transparency, for journalists to disclose information sources as a rule, and making social networks step up and take responsibility for protecting their users. All of us need to work together if we want to turn this around and increase trust.

Dealing with CEO Phishing Fraud

When we get emails from our CEO or other corporate officers, many of us don’t closely scrutinize their contents. Phishers count on this for their exploits. The messages often come around quitting time, so there is some sense of urgency so we will act before thinking through the consequences. 

Here is an example of a series of emails between “the boss” (in reality, the phisher) and his subordinate that happened in November 2017. You can see the growing sense of urgency to make a funds transfer happen, which is the phisher’s stock in trade. According to FBI statistics, this type of fraud is now a $12 billion scam. And yes, the money was actually sent to this attacker.

KnowBe4, which sells phishing training services, categorizes the scam into two separate actions:

  1. First is the phishing attempt itself. It is usually called spear phishing, meaning that the attacker has studied the corporate organization chart and targeted specific individuals. The attacker has also examined who has fiduciary responsibility to perform the actual funds transfer, because at the heart of this scam it is all about the money that they can steal from your business.
  2. Next is all about social engineering. The attacker has to appear to be convincing and act like the boss. Often, the targeted employee is tricked into divulging confidential information, such as bank accounts or passwords. Many times they use social media sources to amplify their message and make it seem  more legit.

The blog post mentions several different situations that are common with this type of fraud:

  1. Business working with a foreign supplier.
  2. Business receiving or initiating a wire transfer request.
  3. Business contacts receiving fraudulent correspondence.
  4. Executive and attorney impersonations.
  5. Confidential data theft.

A new blog post by Richard DeVere here provides some good suggestions on how to be more vigilant and skeptical with these emails. 

  • Examine the tone and phrasing of the email. One time a very brusque CEO — who was known for this style — supposedly sent a very polite email. The recipient flagged it as a potential phish because of this difference.
  • Have shared authority on money transfers. Two heads are better than one.
  •  As Reagan has said, trust but verify. Ask your boss (perhaps by calling directly) if this email really originated from him or her before acting on it. Phone calls and texts can be spoofed from your boss’ number. As the illustration above shows, this is quite common. Take a moment to process what is being asked of you.
  • Report the scammer to the right authorities inside and outside your company.

The bottom line: be wary and take a breath when you get one of these emails.

CSOonline: Building your forensic analysis toolset

A solid toolset is at the core of any successful digital forensics program, an earlier article that I wrote for CSOonline. Although every toolset is different depending on an organization’s needs, some categories should be in all forensics toolkits. In this roundup for CSOonline, I describe some of the more popular tools, many of which are free to download. I have partitioned them into five categories: overall analysis suites (such as the SANS workstation shown here), disk imagers, live CDs, network analysis tools, e-discovery and specialized tools for email and mobile analysis.

The dangers of DreamHost and Go Daddy hosting

If you host your website on GoDaddy, DreamHost, Bluehost, HostGator, OVH or iPage, this blog post is for you. Chances are your site icould be vulnerable to a potential bug or has been purposely infected with something that you probably didn’t know about. Given that millions of websites are involved, this is a moderate big deal.

It used to be that finding a hosting provider was a matter of price and reliability. Now you have to check to see if the vendor actually knows what they are doing. In the past couple of days, I have seen stories such as this one about GoDaddy’s web hosting:

 

And then there is this post, which talks about the other hosting vendors:

Let’s take them one at a time. The GoDaddy issue has to do with their Real User Metrics module. This is used to track traffic to your site. In theory it is a good idea: who doesn’t like more metrics? However, the researcher Igor Kromin, who wrote the post, found the JavaScript module that is used by GoDaddy is so poorly written that it slowed down his site’s performance measurably. Before he published his findings, all GoDaddy hosting customers had these metrics enabled by default. Now they have turned it off by default and are looking at future improvements. Score one for progress.

Why is this a big deal? Supply-chain attacks happen all the time by inserting small snippets of JavaScript code on your pages. It is hard enough to find their origins as it is, without having your hosting provider to add any additional burdens as part of their services. I wrote about this issue here.

If you use GoDaddy hosting, you should go to your cPanel hosting portal, click on the small three dots at the top of the page (as shown above), click “help us” and ensure you have opted out.

Okay, moving on to the second article, about other hosting provider scripting vulnerabilities. Paulos Yibelo looked at several providers and found multiple issues that differed among them. The issues involved cross-site scripting, cross-site request forgery, man-in-the-middle problems, potential account takeovers and bypass attack vulnerabilities. The list is depressingly long, and Yibelo’s descriptions show each provider’s problems. “All of them are easily hacked,” he wrote. But what was more instructive was the responses he got from each hosting vendor. He also mentions that Bluehost terminated his account, presumably because they saw he was up to no good. “Good job, but a little too late,” he wrote.

Most of the providers were very responsive when reporters contacted them and said these issues have now been fixed. OVH hasn’t yet responded.

So the moral of the story? Don’t assume your provider knows everything, or even anything, about hosting your site, and be on the lookout for similar research. Find a smaller provider that can give you better customer service (I have been using EMWD.com for years and can’t recommend them enough). If you don’t know what some of these scripting attacks are or how they work, go on over to OWASP.org and educate yourself about their basics.

CSOonline: How to secure your WordPress site

If you run a WordPress blog, you need to get serious about keeping it as secure as possible. WordPress is a very attractive target for hackers for several reasons that I’ll get to in a moment. To help you, I have put together my recommendations for the best ways to secure your site, and many of them won’t cost you much beyond your time to configure them properly. My concern for WordPress security isn’t general paranoia; my own website has been attacked on numerous occasions, including a series of DDoS attacks on Christmas day. I describe how to deploy various tools such as WordFence, shown below and you can read more on CSOonline. 

Both real and fake Facebook privacy news

I hope you all had a nice break for the holidays and you are back at work refreshed and ready to go. Certainly, last year hasn’t been the best for Facebook and its disregard for its users’ privacy. But a post that I have lately seen come across my social news feed is blaming them for something that isn’t possible. In other words, it is a hoax. The message goes something like this:

Deadline tomorrow! Everything you’ve ever posted becomes public from tomorrow. Even messages that have been deleted or the photos not allowed. Channel 13 News talked about the change in Facebook’s privacy policy….

Snopes describes this phony alert here. They say it has been going on for years. And it has gained new life, particularly as the issues surrounding Facebook privacy abuses have increased. So if you see this message from one of your Facebook friends, tell them it is a hoax and nip this in the bud now. You’re welcome.

The phony privacy message could have been motivated by the fact that many of you are contemplating leaving or at least going dark on your social media accounts. Last month saw the departure of several well known thought leaders from the social network, such as Walt Mossberg. I am sure more will follow. As I wrote about this topic last year, I suggested that at the very minimum if you are concerned about your privacy you should at least delete the Facebook Messenger app from your phone and just use the web version.

But even if you leave the premises, it may not be enough to completely cleanse yourself of anything Facebook. This is because of a new research report from Privacy International that is sadly very true. The issue has to do with third-party apps that are constructed from Facebook’s Business Tools. And right now, it seems only Android apps are at issue.

The problem has to do with the APIs that are part of these tools, and how they are used by developers. One of the interfaces specifies a unique user ID value that is assigned to a particular phone or tablet. That ID comes from Google, and is used to track what kind of ads are served up to your phone. This ID is very useful, because it means that different Android apps that are using these Facebook tools all reference the same number. What does this mean for you? Unfortunately, it isn’t good news.

The PI report looked at several different apps, including Dropbox, Shazam, TripAdvisor, Yelp and several others.

If you run multiple apps that have been developed with these Facebook tools, with the right amount of scrutiny your habits can be tracked and it is possible that you could be un-anonymized and identified by the apps you have installed on your phone. That is bad enough, but the PI researchers also found out four additional disturbing things to make matters worse:

First, the tracking ID is created whether you have a Facebook account or not. So even if you have gone full Mossberg and deleted everything, you will still be tracked by Facebook’s computers. It also is created whether your phone is logged into your Facebook account (or using other Facebook-owned products, such as What’sApp) or not.

Second, the tracking ID is created regardless of what you have specified for your privacy settings for each of the third-party apps. The researchers found that the default setting by the Facebook developers for these apps was to automatically transfer data to Facebook whenever a phone’s user opens the app. I say was because Facebook added a “delay” feature to comply with the EU’s GDPR. An app developer has to rebuild their apps with the latest version to employ this feature however. The PI researchers found 61% of the apps they tested automatically send data when they are opened.

Third, some of these third-party apps send a great deal of data to Facebook by design. For example, the Kayak flight search and pricing tool collects a great deal of information about your upcoming travels – this is because it is helping you search for the cheapest or most convenient flights. This data could be used to construct the details about your movements, should a stalker or a criminal wish to target you.

When you put together the tracking ID with some of this collected data, you can find out a lot about whom you are and what you are doing. The PI researchers, for example, found this one user who was running the following apps:

  • “Qibla Connect” (a Muslim prayer app),
  • “Period Tracker Clue,”
  • “Indeed” (a job search app), and
  • “My Talking Tom” (a children’s’ app).

This means the user could be potentially profiled as likely a Muslim mother who is looking for a new job. Thinking about this sends a chill up my spine, as it probably does with you. The PI report says, “Our findings also show how routinely and widely users’ Google ad ID is being shared with third parties like Facebook, making it a useful unique identifier that enables third parties to match and link data about an individual’s behavior.”

Finally, the researchers also found that the opt-out methods don’t do anything; the apps continue to share data with Facebook no matter what you have done in your privacy settings, or if you have explicitly sent any opt-out messages to the app’s creators.

Unfortunately, there are a lot of apps that exhibit this behavior: researchers found that Facebook apps are the second most popular tracker, after Google’s parent company Alphabet, for all free apps on the Google Play Store.

So what should you do if you own an Android device? PI has several suggestions:

First, reset your advertising ID regularly by going to Settings > Google > Ads > Reset Advertising ID. Next, go to Settings > Google > Ads > Opt out of personalized advertising to limit these types of ads that leverage your personal data. Next, make sure you update your apps to keep them current. Finally, regularly review the app permissions on your phone and make sure you haven’t granted them anything you aren’t comfortable doing.

Clearly, the real bad news about Facebook is stranger than fiction.

Screencast review: Managing enterprise mobile device security with Zimperium

Zimperium is very useful in managing mobile device risks and automating their meditation across the largest enterprise networks.

It includes phishing detection and has the ability to run on both a variety of different cloud infrastructures as well as on-premises. It has deep on-device detection and a fine-grained collection of access roles. It uses a web-based console that controls protection policies and configuration parameters. Reports can be customized as well for management and compliance purposes. I tested the software in December 2018 on a sample network with both Android and iOS devices of varying vintages and profiles.

Pricing decreases based on volume starting at $60/year/device

Keywords: David Strom, web informant, video screencast, mobile device security, mobile device manager, MDM, mobile threat management, Knox security, iOS security

Jon Callas on joining the ACLU

I have known Jon Callas for many years, tracking back to when he was part of the PGP Corporation and bringing encrypted email to the world. He has been a long-time security researcher who has been part of the launch teams at Silent Circle and Blackphone. Recently he has moved from Apple to the ACLU, where he is a technical fellow in the Speech, Privacy and Technology Project.

I spoke to him last week and caught up with what he is working on now, and thought you might be interested. His job now is to help the mostly legal team at ACLU to understand the technical issues, especially from someone who has been deeply steeped in them over the years. “Technology is such a part of the modern world that we need more people to understand it,” he said. One of his focus areas is the recent changes in Australian encryption laws. He is still trying to figure out the implications, and so far he views this bill as more guiding government assistance than actual intervention. The bill also raises more questions than it answers, such as how does a developer secretly insert code into a system that has tracking or build version controls? He is also watching the revelations around the Facebook document trove that was released this week by British lawmakers. (Here is the backstory and ProtonMail’s comments on the law is here.) “Clearly, there are contradictions between what Facebook management said they were and weren’t doing and what was mentioned in these documents,” he said. When I asked him what he what do if he were CTO of Facebook, he just laughed.

One other area of interest is how to understand how the government is acting to curb freedom of speech, and what is going on at our borders. “The government quite reasonably says that they can look inside your suitcase when you cross into our country. That I understand, but shouldn’t your electronic devices be treated differently from what else is in your suitcase? There are many answers here, and we need to have legal and policy discussions and understand exactly what problems we are trying to solve.”

We also spoke about the recent actions by Google employees protesting their Chinese-specific search engine. “I find it encouraging that tech people are looking at the consequences of what they do and where this technology is going to be used and what it all means,” he said. Now, “we are more in tune with privacy concerns. People are thinking about the ethics and consequences of what they are doing. They want to have a part in these discussions. That is what a free society should do.”