There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, attributing the original hack as likely being the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the install of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Scheier, have evaluated the data released, and in light of the the current political climate between the US and Russia, are of the opinion that this might be a manuever by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?
Heartbleed continues its rampage across the internet. There are too many stories to tell and too little time. Read on only if you have the stomach for it.
- Networking companies Cisco and Juniper have revealed that several dozen models of their hardware devices are affected by the OpenSSL security flaw known as Heartbleed. To see if any of your networking products made this list, Cisco’s advisory can be found here, and Juniper’s here.
- Two sources close to the NSA allege that the spy agency has exploited Heartbleed since it first appeared over 2 years ago.
- Android smartphones and tablets running version 4.1.1 of the Google operating system are vulnerable to the bug. According to Google, this may affect less than 10% of all Android devices, but given that there are nearly 900 million Android OS devices, that still means millions.
- The vulnerability was used to steal 900 taxpayer ID’s from Canada’s Revenue Agency.
What this means for you:
The security implications of the Heartbleed vulnerability are staggering and very difficult to encompass. Now, more than ever, you must keep a close eye on your digital assets and accounts. Confirm with your financial institutions whether or not they were impacted by the bug (most major, commercial banking institutions did NOT use OpenSSL), and if they were, wait until they confirm that they have fixed it before changing your password. Do NOT use any software or websites confirmed to be affected by Heartbleed until they patch the bug, even to change your password. If you do this while the vulnerability still exists, there is a good possibility that hackers can actually see you changing your password and record the new one. Right now, because of the spotlight on this hole, hackers are racing to exploit the panic and confusion, and you are more likely than ever to be hacked. Wait until your websites confirm they have patched the security hole before using them to change your password.
Keep in mind that many, many organizations are still working through the impact this bug has on their technology, and many are just as confused as you might be. There will continue to be a lot of uncertainty and possible panicky responses from company representatives who are ill-informed on their company’s official stance on Heartbleed. The vulnerability affects a technology that is sophisticated and not easily explained, and not even the most eloquent among technology professionals can convey the problem and solutions in easy-to-understand terms. During these uncertain times, constant vigilance is the only weapon many of us have at the moment, so keep your eyes open and your IT consultant on speed-dial!
German newspaper Der Spiegel launched a media frenzy last week with the provocative story that the NSA can (and probably has) compromise the iPhone in a way that gives them complete “ownership” of the device for the purposes of surveillance. Fueled by documents released by infamous informant Edward Snowden, the article details a specific program called “Dropout Jeep” that could completely compromise an iPhone…in 2007.
What this means for you:
Today, in the internet economy, media outlets have priorities that aren’t always compatible: keep their audiences informed, and get as many eyeballs/clicks/likes as possible. As you can imagine, stories about iPhones and NSA spying are hot commodities right now, so when the two subjects align, how can you not lead with such an explosive story?
Several articles spurred by the Der Spiegel piece speculated that Apple may have been working with the NSA all along. Most suggested that the NSA can and has owned even current gen iPhones. Apple, of course, has denied any collaboration with the spy agency. The NSA itself continues to remain silent on stories like this. But, as mentioned above, the Dropout Jeep program was active in 2007, and required the hacker to have physical access to the device. As many of you have heard me say before, if someone has physical access to your device, compromising the device (regardless of manufacturer or type) becomes much more straightforward. The Snowden document did indicate that the NSA was working on future versions of the spyware that wouldn’t require physical access to the device, but for the moment, there is no proof that they can “own” modern iPhones.
But there’s no proof that they can’t, either.
In a public event hosted by the Reddit.com, infamous NSA whisteblower Edward Snowden answered questions posted by Reddit users on a variety of topics. Of particular note was his response to a question about whether encrypting emails would be an effective way to keep the NSA (or anyone else, for that matter) out of your business. Snowden’s response was both heartening and depressing at the same time:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means for you:
Imagine you want to send a package that contains some very valuable items to a friend on the other side of the world. You carefully wrap the items and then lock them in a briefcase, which is in turn handcuffed to an armored guard, who is then transported via armored truck to your friend’s house. He makes sure that the package is put into your friend’s hands and verifies that your friend is indeed who he says he is, and he even calls you to let you know that the package has been delivered safely. This is analogous to using email encryption to send an email to a friend.
Unfortunately, your friend’s house has a broken lock on the front door, and he carelessly leaves the valuable items in plain view of a window that is also unlocked. That’s analogous to the weak endpoint security Snowden at the end of his response.
In other words, it doesn’t matter how much security you engage on your end if your recipients don’t engage in the same level of security. To use another real-world analogy: cyber attacks are like water – they will flow into every nook and cranny, looking for a way in. It doesn’t matter if 99% of the surface it is covering is impenetrable. That last 1% provides the hairline crack needed to seep in and destroy everything from the inside.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on who, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying if your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is data-based (numbers, times, geographic locations) as opposed to them eavesdropping in on your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verzion customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than to write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or the other under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately, for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?