Tag: Security

To Quote Douglas Adams, Don’t Panic

Harold Feld, who is a top flight lawyer on all things telco, and is on one of the relevant advisory committees, notes that, “The Upcoming IPAWS “Presidential Level Alert” Test Is Not A Trump Thing — Really.”

The nationwide alert that will be broadcast on September 20 has been planned for years:

There is a bunch of hysteria running rampant about the September 20, 2018 test of the “Presidential Level Alert” functionality of the Wireless Emergency Alert System (WEA), which is part of the Integrated Public Alert Warning System (IPAWS). (See FEMA Notice of Alert Here.) The thrust of the concerns is that Fearless Leader is creating a propaganda system that can blast through all cell phones and no one can opt out.

I ask everyone to please calm down. The fact that it is called a “Presidential Alert” has nothing to do with Trump. This all goes back to The Warning, Alert, Response Network Act (WARN Act) of 2006. That Act required that we integrate the old Emergency Alert System (EAS) which is on broadcast and cable with a newly created wireless emergency alert system (WEA) so that we could take advantage of the emerging communications technology (texting in 2006, but with an eye toward broadband) to warn people in advance of disasters.

………

This absolutely has nothing to do with Trump. The WARN Act mandates that while users may opt out of other alerts, they may not opt out of “Presidential Level Alerts.” This was decided way back in 2006, when Congress determined that people should not be able to opt out of anything so important that it triggers a nation-wide alert (although, annoyingly, they did give wireless carriers freedom to opt out of WEA entirely, which tells you a lot about the priorities of Congress back in 2006). See WARN Act Sec. 602 (b)(2)(E). This was not a choice by the Trump Administration. Nor can the current FCC allow people to opt out of “Presidential Level Alerts.” It’s in the WARN ACT of 2006.

So please, please stop spreading rumors about this. Please stop treating this as more evidence of Trump overreach with all kinds of possible sinister motives. The President can’t just press a button to send this out. And while a determined President with enough effort can abuse any system, this is not something Trump can just decide to do with his morning Tweets.

 So, just chill out everyone.

Not Surprised, but Appalled

The invaluable Murray Waas has been digging, and he has discovered that the Trump administration knew about Michael Flynn and his lying to the FBI before the WaPo reported it, but did nothing:

In early February 2017, a senior White House attorney, John Eisenberg, reviewed highly classified intelligence intercepts of telephone conversations between then-National Security Adviser Lt. Gen. Michael Flynn and Russia’s ambassador to the US, Sergey Kislyak, which incontrovertibly demonstrated that Flynn had misled the FBI about those conversations, according to government records and two people with first-hand knowledge of the matter. It was after this information was relayed to President Trump that the president fired Flynn, and the following day allegedly pressured then-FBI Director James Comey to shut down a federal criminal investigation into whether Flynn had lied to the FBI.

Eisenberg reviewed the intercepts on or about February 2, 2017, according to confidential White House records and two former White House officials. Despite the fact that not only Eisenberg but presumably also other senior White House officials learned this information, they apparently took no immediate action. Only on February 8, 2017—after The Washington Post contacted the White House to say that it was about to publish a story about the intercepts showing that Flynn had lied about his conversations with Kislyak—did administration officials do anything. That same day, confidential White House records indicate, then-White House chief of staff Reince Priebus, White House Counsel Don McGahn, and Eisenberg directly confronted Flynn about what they learned from the intercepts. On February 10, Vice President Mike Pence, Preibus, and McGahn spoke to Flynn again, but received no satisfactory explanations from him, and recommended to President Trump that Flynn be fired. On February 13, 2017, Flynn resigned.

A former senior White House official, with first-hand knowledge of the matter, expressed disbelief at the inaction: “You have a White House lawyer learning that the national security adviser to the president of the Untied States has possibly lied—about his contacts with Russians—not only to his own White House, but also to the FBI, which is a potential felony, and nobody does anything?” The person added: “I have no reason to question John Eisenberg’s integrity or that he is an exceptional attorney. I guess I buy into narrative that this was a White House in disarray, because the alternative is too painful to contemplate.”

This is f%$#ed up and sh%$.

When you have tapes showing that your f%$#ing National Security Advisor f%$#ing lied to the f%$#ing FBI, and then this guy f%$# lies to you, and you f%$#ing do nothing until the f%$#ing Washington f%$#ing Post publishes a story about it?

This takes dysfunctional to a whole new level.

Like at DMCA Takedown Notices ……… On Acid

It appears that abuse and misuse of the DMCA, with its lawsuits against printer ink manufacturers and extortion by corrupt lawyers has not informed the people in Washington, DC, who want to legalize revenge hacking, which, of course, will be outsourced to incompetent and malicious contractors:

Imagine this: Facebook is set to release a slew of shiny new features designed to win back users and increase engagement. But before it can release its products, Renren (one of China’s Facebook clones) releases the same features across its platform, beating Facebook to the punch. Infuriated, Facebook security officials claim they know with near certainty that their plans were stolen by a hacker on behalf of the Chinese social-media giant. Some furious employees put in motion a plan to load a devastating malware attack on the hackers’ networks as payback.

Is that even legal? Can Facebook retaliate with a hack of its own? Under current U.S. law, the answer is no, but a growing number of legislators are attempting to change that. Yesterday, Rhode Island Democratic senator Sheldon Whitehouse became the most recent lawmaker to express support for revenge hacking.

“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” Whitehouse said. “If [a major CEO] wanted permission to figure out how to hack back, I don’t think he’d know what agency’s door to knock on to actually give him an answer.”

Hacking back (also known as revenge hacking) involves a retaliatory response by a private company or an individual after they are attacked by a malicious actor. While anyone can monitor and enforce their own network and devices, the Computer Fraud and Abuse Act prevents people from going a step further and hacking into someone else’s network, even if they were hacked first. In his recent book, The Perfect Weapon, journalist David Sanger likens hacking back to a retaliatory home invader.

“It’s illegal, just as it’s illegal to break into the house of someone who robbed your house in order to retrieve your property,” Sanger writes.

The idea that legalizing hacking by Mark Zuckerberg and Jeff Bezos will make anyone any safer is a corrupt fiction.

They’re Bond villains, and granting them immunity to pull this crap will end in tragedy.

ALIS is an Off Switch

Lockheed-Martin has tightly integrated its Autonomic Logistics Information System (ALIS) into the F-35, and now nations that are taking deliveries are concerned about the massive volumes of data being sent back to servers in Fort Worth, Texas, and they are demanding that they gain control of this data:

Lockheed Martin received a $26.1 million contract to develop data transmission controls for foreign customers of the F-35 and its autonomic logistics information system (ALIS).

International development partners and foreign customers of the F-35 have expressed concern that ALIS, which manages and analyses the fighter’s systems, training and flight logs, would automatically transmit information back to Lockheed’s hub in Fort Worth, Texas, possibly giving the company and the USA insight into their military operations.

“This effort provides F-35 international partners the capability to review and block messages to prevent sovereign data loss,” says the contract notice online. “Additionally, the effort includes studies and recommendations to improve the security architecture of ALIS.”

Previously, international development partners and foreign customers of the F-35 had programmed short-term software patches for ALIS that allowed them to control what data was sent back to the USA.

The F-35 does not fly without ALIS after a few days without a deep access to the source code, which only LM and the DoD have.

It isn’t just a matter of the ALIS system being a massive security hole for our allies, it is an off switch.

About F%$#ing Time

For three years, International Standards Organization has been wrangling over which cryptographic algorithms will be incorporated into a standard for interoperability in “Internet of Things” gadgets; at issue has been the NSA’s insistence that “Simon” and “Speck” would be the standard block cipher algorithms in these devices.

The NSA has a history of sabotaging cryptographic standards; most famously, documents provided by Edward Snowden showed that the NSA had sabotaged NIST security standards, but the story goes farther back than that: I have been told by numerous wireless networking exercises that the weaknesses in the now-obsolete Wireless Encryption Protocol (WEP) were deliberately introduced by NSA meddling. And of course, the NSA once classified working cryptography as a munition and denied civilians access to it, until EFF got a court to declare code to be a form of protected speech under the First Amendment.

Now, the NSA has been defeated at ISO, with its chosen ciphers firmly rejected by the committee members, who were pretty frank about their reason for rejecting Simon and Speck: they don’t trust the NSA.

Good.  I don’t trust the NSA either, and I do not want them in my home appliances.

Kushner Clearance Downgraded

He has had an interim Top Secret clearance for months, and now it has been reduced to a secret clearance, because, between his lies misstatements on his clearance forms and his extensive debts to a veritable rogues gallery he is a walking security risk.

We’ve already had reports of multiple foreign governments using his precarious financial situation and closeness to Donald Trump to attempt to derive leverage with the White House, so this was a logical decision to make.

Dumb-Ass


Such a nice boy!

My son Charlie (Youtube Channel here, his Deviant Art here) decided to take his laptop with him to my nephew Sam’s Bar Mitzvah.

On the way home, he misplaced it.

Luckily, left it left the TSA bin at airport security, and his login screen has his name, so he called them today (Lost and Found was closed for the King holiday), and they will be sending it to him, at his expense, via express delivery.

Well, he can take solace that he is a lucky dumb-ass.

Note: I published this post with his express permission, so don’t go calling me a bad parent.

There Is a Major Computer Not Vulnerable to Spectre or Meltdown

It turns out that, the Raspberry Pi is not subject to these vulnerabilities (From the Raspberry Pi blog) because they chose a processor that did not strive for the last iota of peformance.

The Raspberry Pi single board computer was designed as a low cost single board computer for use in computer education and in the 3rd world, and so absolute performance is not a priority, which means no predictive execution, and no vulnerabilities to either of these exploits:

Over the last couple of days, there has been a lot of discussion about a pair of security vulnerabilities nicknamed Spectre and Meltdown. These affect all modern Intel processors, and (in the case of Spectre) many AMD processors and ARM cores. Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel’s address space (which should normally be inaccessible to user programs).

Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.

………

Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.

The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort.

Of course, we need the additional performance because no one writes tight code any more.

How Convenient!

After learning of the vulnerabilities of its processors, Intel CEO Brian Krzanich as much stock as was allowed under the company by-laws:

Brian Krzanich, chief executive officer of Intel, sold millions of dollars’ worth of Intel stock—all he could part with under corporate bylaws—after Intel learned of Meltdown and Spectre, two related families of security flaws in Intel processors.

While an Intel spokesperson told CBS Marketwatch reporter Jeremy Owens that the trades were “unrelated” to the security revelations, and Intel financial filings showed that the stock sales were previously scheduled, Krzanich scheduled those sales on October 30. That’s a full five months after researchers informed Intel of the vulnerabilities. And Intel has offered no further explanation of why Krzanich abruptly sold off all the stock he was permitted to.

As a result of his stock sale, Krzanich received more than $39 million. Intel stock, as of today, is trading at roughly the same price as Krzanich sold stock at, so he did not yield any significant gain from selling before the vulnerability was announced. But the sale may still bring scrutiny from the Securities and Exchange Commission for a number of reasons.

Nothing to see here, move along.

Forcefully Unmap Complete Kernel With Interrupt Trampolines

Yes, Apple crippled older phones, and Intel said, “Here, hold my beer.”

Basically the error can allow low level programs to take over the kernel, with a result kind of like that scene in Raiders of the Lost Ark when they open up the ark.

There is a fix, but it involves changes to the operating system that causes a significant performance hit, and Linux developers were unamused:

2) Namespace

   Several people including Linus requested to change the KAISER name.

   We came up with a list of technically correct acronyms:

     User Address Space Separation, prefix uass_

     Forcefully Unmap Complete Kernel With Interrupt Trampolines, prefix f%$#wit_

   but we are politically correct people so we settled for

    Kernel Page Table Isolation, prefix kpti_

   Linus, your call :))

As near as I can figure out, Intel’s claim that this is, “Not a bug,” and this appears to be true.

This appears to be a direct consequence of their attempt to boost processor performance in their competition with AMD, which appears not to be vulnerable to the “KPTI” bug, also called “Meldtown”.

However, it does appear that speculative execution in general creates a whole host of potential (though thankfully more difficult) exploits across a much wider range of processors. (This one is called Spectre).

I’m beginning to think that it is time for a major change in CPU architectures.

Well, This is Great

Did you know that Equifax runs the My Social Security and is responsible for verifying data for Obamacare exchanges for the US government?

You know, that whole, “Reinventing Government”, thing that Bill Clinton put forward in the 1990s, when critical government functions were outsourced to private for-profit operators, is looking to be an even worse deal than when it was first implemented in the mid-1990s.

Of course, efficiency and savings were never really the goals: It was a depressingly successful attempt to subvert the civil service laws and to return to the spoils system.

Just ask President Garfield how well that worked out.

How to Check the Equifax Hack Without Signing Away Your Rights

Equifax just got hacked, with perhaps as many as 143 million Americans had their data compromised.

In response, Equifax put a link on their site to see if your link had been compromised.

There was one problem though, they make you jump through hoops, and try to get you into their credit monitoring service, which involves signing away your rights to sue.

There’s also related insider trading by senior executives between when the breach was discovered and when it became public, but that’s another post.

I am now going to walk you through how to check if your data was compromised while not signing up for their bogus credit monitoring service and entering binding arbitration hell. (Facebook users, click through for all the pictures)

The joys of American business: They f%$#ed up, and f%$# millions of people, and Equifax’s response is to try to f%$# these people another time.

Well, here are the instructions:

  • Go to equifax.com and click the marked link:
  • On the next page DON’T click on the link at the top:
  • Scroll down and click here:
  • On the next page click the “check potential impact” button:
  • And you are FINALLY taken to a page where you can check if your record was compromised:

Equifax should be put out of business.

This is F%$#ed Up and Sh%$

Yesterday I wrote about a Pakistani crime ring operating out of the of a number of Democratic Congressional offices.  (As if that wasn’t weird enough).

It turns out that they got fired once the investigations of equipment and data theft became known by every office at which they worked, except for Debbie Wasserman Schultz’s office.

She did not fire her larcenous staffer until after his arrest for fraud:

When a computer expert who worked for congressional Democrats was accused of stealing computers and data systems in February, members of Congress cut him loose within days, leaving Imran Awan with no supporters five months later.

Except for Rep. Debbie Wasserman Schultz.

The Weston Democrat has not explained in detail why she continued to employ Awan until Tuesday when she fired him — after he was arrested on bank-fraud charges at Dulles International Airport in Virginia attempting to board a flight to Pakistan.

And she has not elaborated on what work Awan did for her after he lost access to the House computer network.

She declined to answer questions about Awan in Washington on Wednesday, and her spokesman, David Damron, accompanied her to the House floor while instructing a reporter that Wasserman Schultz would not take questions about her former employee.

………

But months after Awan was fired by everyone else, Wasserman Schultz grilled Capitol Police Chief Matthew Verderosa in May over why computer equipment was confiscated from her office as part of the investigation into Awan even though she was not under investigation.

“Under my understanding, the Capitol police are not able to confiscate a member’s equipment when the member is not under investigation,” Wasserman Schultz said. “It is their equipment and it is supposed to be returned.”

Verderosa told Wasserman Schultz that he couldn’t return the equipment without the permission of the investigation.

Am I the only one who thinks that this is hinky beyond words?

There are only two reasons I can see behind this, either Awan has something truly damming on DWS, or DWS hired Awan to spy on her colleagues in Congress.

Something here is crookeder than ……… sh%$ ……… I’ve run out of analogies.

OK, This is Very Weird

It appears that a group of Congressional aides, most of them working for Debbie Wasserman Schultz in some capacity, and all of them originally from Pakistan, have been under criminal investigation, and one of Wasserman Schultz’s aides was arrested trying to catch a flight to Pakistan: (Background stories going back to February here and here)

Imran Awan, a House staffer at the center of a criminal investigation potentially affecting dozens of Democratic lawmakers, has been arrested on a bank fraud charge and is prevented from leaving the country while the charge is pending.

A senior House Democratic aide confirmed Awan was still employed by Rep. Debbie Wasserman Schultz (D-Fla.) as of Tuesday morning. But David Damron, a spokesman for Wasserman Schultz, later said that Awan was fired on Tuesday.

Awan pleaded not guilty on Tuesday to one count of bank fraud during his arraignment in the U.S. District Court for the District of Columbia.

Awan is accused of attempting to defraud the Congressional Federal Credit Union by obtaining a $165,000 home equity loan for a rental property, which is against the credit union’s policies since it is not the owner’s primary residence. Those funds were then included as part of a wire transfer to two individuals in Faisalabad, Pakistan.

Awan was arrested Monday evening at Dulles International Airport in Virginia before boarding a flight to Lahore, Pakistan. His wife, Hina Alvi, had earlier left the country for Pakistan, along with their children. Federal agents do not believe Alvi has any intention of returning to the U.S., according to a court document.

………

Awan, a longtime IT staffer who worked for more than two dozen House Democrats, has been at the center of a criminal investigation on Capitol Hill for months related to procurement theft. Several of his family members, also IT staffers at the time, were implicated in the ongoing investigation.

………

Alvi, another House staff member involved in the Capitol Hill investigation, left the country with their three daughters, headed for Pakistan, in March, according to an affidavit filed in the Awan case. Alvi had “numerous pieces of luggage” and more than $12,000 in cash, FBI agent Brandon Merriman wrote in the affidavit.

(emphasis mine)

The stories of he investigation at Politico go back to early February, which means that, unlike the claims made by Mr. Awan’s lawyer, any investigation almost certainly began under the Obama administration.

There are also allegations of equipment and data theft, and these people worked for Democratic members of Congress for years.

This is f%$#ing weird, and I’m wondering if this is organized crime or some sort of ISI operation gone pear shaped.

United Strikes Again

United notified passengers that they could not check check comic books in as luggage if they were flying to Comic Con in San Diego, because ……… Transportation Security Administration (TSA).

The TSA released a statement that United Airlines had f%$#ed up: (Also here)

Don’t worry Comic-Con fans, you don’t have to remove your comic books from your checked luggage, despite what a Sunday photo circulated on Twitter suggests.

The dust-up began after a person named Adi Chappo tweeted the above, tagging United Airlines, which responded on Twitter:

If you are at #SDCC #SDCC2017 and are flying out on @united – please take note of this and share!!! pic.twitter.com/s1sV269DuQ

— Adi Chappo (@adichappo) July 23, 2017



The restriction on checking comic books applies to all airlines operating out of San Diego this weekend and is set by the TSA. ^MD

— United (@united) July 23, 2017



But by Monday, the Transportation Security Administration was saying that no such restriction existed.

Good afternoon. Pls note there are no TSA restrictions on checking comic books or any other types of books. https://t.co/Nu00IvcZSc

— TSA (@TSA) July 24, 2017



Lorie Dankers, a TSA spokeswoman, told Ars on Monday morning that she was mystified as to how United could get this policy wrong. “I don’t know how United went ahead and stated a TSA policy incorrectly,” she said. “I can say that TSA has advised in the past that if people bring several of the same type of item, it can alarm the checked baggage screening, but there is no prohibition on bringing things that are not a security threat. In this case, comic books are not a security threat and we encourage travelers to bring them if they so choose.”

Seriously, they make big bank on checked bags, so it takes a special type of incompetence to do this.

They are both inconveniencing the customer and losing money on the deal.

Reality is Weird

Have you heard of the The U.S. Cyber Consequences Unit?

Here is their description of themselves:

The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit (501c3) research institute. It provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Although the US-CCU aims to provide credible estimates of the costs of ordinary hacker mischief and white collar crime, its primary concern is the sort of larger scale attacks that could be mounted by criminal organizations, terrorist groups, rogue corporations, and nation states.

The mission of the US-CCU is to provide America and its allies with the concepts and information necessary for making sound security decisions in a world where our physical well-being increasingly depends on cyber-security. The reports and briefings the US-CCU produces are supplied without charge to the government, to entire critical infrastructure industries, and to the public.

Do you know what the name of their director is?

It’s Scott Borg.

We……… Got ……… Lucky

Here is a very good account of how a techie more or less accidentally found the off switch for this weeks ransomware attack.

It’s not really an accident, though the techie, one “MalwareTech”, describes it as such.

Basically, he has a procedure, and a check list of sorts for evaluating this sort of thing.

Because he followed this procedure, he found that the software phoned home to an unregistered domain, and he registered that domain, and its existence functioned as a kill switch.

As I’ve said before, this is not an accident: this is a byproduct of proper procedures.

Much like a pilot’s preflight checklist, success is a byproduct of a deliberate process, and not some random stroke of luck.

As Baseballer Branch Ricky pithily noted, “Luck is a residue of Design.”

Pull All of His Security Detail, and Let Market Forces Rule

Scott Pruit, environment hating wingnut and current head of the Environmental Protection Agency, is requesting a round the clock security detail in his next budget.

It appears that in addition to being a corrupt stooge of the energy industry, he’s also an abject coward:

The administrator of the US Environmental Protection Agency, historically, has had some measure of government-funded personal security detail. Agents routinely picked Gina McCarthy from the airport, for example, or accompanied her on site visits during her time as EPA administrator from July 2013 to Jan 2017. But Scott Pruitt, the new EPA chief, wishes to be guarded 24/7.

………

The Times calls it a first for an EPA chief, and notes that the 10 additional agents would more than double the agency’s current security staff, which has hovered between six and eight agents in recent years. Similarly, security detail for education secretary Betsy DeVos has reached unprecedented levels: Typically, the secretary of education is guarded by about six agents from within the Department of Education. Since her contentious confirmation, DeVos has been under the protection of the US Marshals Service, costing $8 million over eight months.

What security menace is Pruitt guarding against? According to Myron Ebell, who led Trump’s EPA transition team but is no longer employed by the administration, Pruitt is at risk from his own employees—and “the left.”

Seriously, the wingnuts spend their days soiling their pants in abject terror.

More News from the Internet of Things

In another episode of how manufacturers are f%$#ing things making ordinary objects around your house internet enabled, now hackers can take over your dishwasher:

Don’t say you weren’t warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it’s accused of ignoring the warning.

The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka “Miele Professional PG 8528 – Web Server Directory Traversal.” This is the builtin web server that’s used to remotely control the glassware-cleaning machine from a browser.

“The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks,” reads the notice, dated Friday.

………

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher’s web server vuln – Jens Regel of German company Schneider-Wulf – complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.

Appliance makers: stop trying to connect stuff to networks, you’re no good at it.

I would also add, regulators need to police this stuff, and civil liability law needs to be rewritten to ensure that the manufacturers, and perhaps senior management are explicitly liable for this crap, including punitively harsh mandatory penalties.

If copyright trolls can threaten 6 figure judgements against people’s kids who Bit Torrent a Nickelback song,* then these manufacturers need to face at least that much jeopardy.

*I will note, if your kids are downloading Nickelback, I do think that a visit from Child Protective Services (CPS) might be in order, because, well, it’s f%$#ing Nickelback.