Deloitte Hit By Cyberattack That Compromised Client Information & Decided To Basically Tell Nobody At All

from the ostrich-style dept

In the wake of the Equifax breach, there has been some discussion about just how quickly companies should publicly disclose when they have been victims of security breaches that reveal client information. In the case of Equifax, the company had essentially been sitting on the knowledge that it was attacked since July before going public in early September. Something like two months, in other words. While most people agree that victim companies should have some time to get their houses in order before opening the window shades, two months seemed like a lot, given the severity of the attack and the number of potential victims among Equifax's clients.

But two months is nearly lightning quick compared with Deloitte, the enormous accounting firm that discovered it was the victim of an attack in March and only bothered to tell the public, along with most of its clients, this week.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

Now, Deloitte may have discovered the breach in March, but there have been whispers that the attackers may actually have pulled all this off in October of last year. The attack was pulled off by accessing an administrator account that lacked anything resembling two-factor authentication, all hosted on Microsoft's Azure cloud service, and potentially exposing every sort of client data ranging from passwords and IP addresses to health information. The decision was made within Deloitte to only inform a few partners and legal staff within the company and a total of six Deloitte clients that the breach had even occurred. Most Deloitte staff and customers had no idea until these past few days.

And that decision could amount to a very real problem for the company, given that most US states and territories have security breach notification laws mandating when companies must tell clients when these sorts of attacks occur. If Deloitte has customers outside of the six it has informed in any of those states or territories, which is a virtual certainty, and those clients' information was exposed by this attack, Deloitte could be in violation of all kinds of state laws for failing to inform those customers what had happened. Most of these laws frustratingly rely on ambiguous language as to how quickly clients or residents of the state should be informed of the breach -- there is all kinds of "in the most expedient time possible" and "without unreasonable delay" language in these laws --, but it would be patently absurd for Deloitte to suggest that 6 months time meets any of those requirements.

In fact, Deloitte won't even acknowledge if it has ever contacted law enforcement about the breach.

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Now, for its part, Deloitte is making much of its ability to perform an internal review of the breach and the contracted security firms its engaged, all while stating that it has allowed them to pinpoint exactly what data was accessed and what wasn't, and that the amount actually accessed is very small. Except it's hard to take on faith the cyber-sleuthing capabilities when the firm has been so opaque about the breach thus far, and at least some of the notification laws require notification upon breach, not upon actual data acquisition.

If nothing else, it should be clear that covering this stuff up and trying to pretend it never happened is no way to do security.

Filed Under: cyberattack, data leak, disclosure, hack, leak
Companies: deloitte, equifax

Former NSA Official Argues The Real Problem With Undisclosed Exploits Is Careless End Users

from the sorry-about-all-the-ransomware dept

As leaked NSA software exploits have been redeployed to cause computer-based misery all over the world, the discussion about vulnerability disclosures has become louder. The argument for secrecy is based on the assumption that fighting an existential threat (terrorism, but likely also a variety of normal criminal behavior) outweighs concerns the general public might have about the security of their software/data/personal information. Plenty of recent real-world examples (hospital systems ransomed! etc.) do the arguing for those seeking expanded disclosure of vulnerabilities and exploits.

Former Deputy Director of the NSA Rick Ledgett appears on the pages of Lawfare to argue against disclosure, just as one would have gathered by reading his brief author bio. Ledgett's arguments, however, feel more like dodges. First off, Ledgett says the NSA shouldn't have to disclose every vulnerability/exploit it has in its arsenal, an argument very few on the other side of the issue are actually making. Then he says arguments against exploit hoarding "oversimplify" the issue.

The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds. Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense—but it is a gross oversimplification of the problem, one that not only would not have the desired effect but that also would be dangerous.

At this point, you'd expect Ledgett to perform some de-simplification. Instead, the post detours for a bit to do some victim-blaming. It's not the NSA's fault if undisclosed exploits wreak worldwide havoc. It's the end users who are the problem -- the ones who (for various reasons) use outdated system software or don't keep current with patches. This isn't a good argument to make for the very reasons outlined in Ledgett's opening paragraph: software vendors can't patch flaws they're unaware of. This is where disclosure would help protect more users, even if it meant the loss of some surveillance intercepts.

Then Ledgett argues the NSA's leaked exploits weren't really the problem. If they hadn't been available, the malware purveyors just would have used something else.

The actors behind WannaCry and Petya, believed by some to be from North Korea and Russia, respectively, had specific goals when they unleashed their attacks. WannaCry seemed to be straightforward but poorly executed ransomware, while Petya appeared to have a more sinister, destructive purpose, especially in the early Ukraine-based infection vector. Those actors probably would have used whatever tools were available to achieve their goals; had those specific vulnerabilities not been known, they would have used others. The primary damage caused by Petya resulted from credential theft, not an exploit.

This is undoubtedly true. Bad actors use whatever tools help them achieve their ends. It's just that these specific cases -- the cases used by Ledgett to argue against increased disclosure -- were based on NSA exploits vendors hadn't been informed of yet. The patches that addressed more current vulnerabilities weren't issued until after the NSA told Microsoft about them, and it only did that because its toolset was no longer under its control.

Ledgett also points out that the NSA does better than most state entities in terms of disclosure:

Most of the vulnerabilities discovered by the U.S. government are disclosed, and at the National Security Agency the percentage of vulnerabilities disclosed to relevant companies has historically been over 90 percent. This is atypical, as most world governments do not disclose the vulnerabilities they find.

Maybe so, but there's not much honor than just being better than the worst governments. Ledgett only says the NSA is better than "most." This doesn't turn the NSA into a beacon of surveillance state forthrightness. All it does is place it above governments less concerned about the security and wellbeing of their citizens.

Ledgett then goes back to the well, claiming a) the two recent attacks had nothing to do with the NSA, and b) disclosing vulnerabilities would make the NSA less effective.

WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or updated, by actors operating illegally. The idea that these problems would be solved by the U.S. government disclosing any vulnerabilities in its possession is at best naive and at worst dangerous. Such disclosure would be tantamount to unilateral disarmament in an area where the U.S. cannot afford to be unarmed… Neither our allies nor our adversaries would give away the vulnerabilities in their possession, and our doing so would probably cause those allies to seriously question our ability to be trusted with sensitive sources and methods.

The problem here is that Ledgett ignores the obvious: leaked NSA tools helped create the problem. The NSA never disclosed these vulnerabilities to affected software vendors -- at least not until it became obvious it could no longer keep these tools secret.

I'm guessing the NSA is already living through the last part of Ledgett's paragraph. A set of effective, still-undisclosed vulnerabilities being digitally spirited away and dumped into the public's lap probably makes it less likely foreign surveillance partners will be sharing their malware toolkits with the NSA.

This leads right into another argument against vulnerability hoarding: it has been shown with complete clarity that the NSA can't guarantee its exploits will never be used by criminals and malicious governments. The leak of its toolkit shows any suggestion that only the "good guys" will have access to undisclosed vulnerabilities is both ignorant and arrogant. The NSA isn't untouchable. Neither are all the surveillance partners the NSA has shared its tools with.

In the end, it's the private sector's fault, according to Ledgett. The solution is for vendors to write better software and end users to patch more frequently. This is good advice, but not an absolution of the NSA's vulnerability secrecy.

The NSA needs to do better balancing its needs and the security of the general public. Very few people are arguing the NSA should have zero undisclosed exploits. But the exploits dumped by the Shadow Brokers affected older versions of Microsoft system software dating back to Windows XP and they still weren't patched until the exploits had already been made public. These were exploits some in the NSA thought were too powerful, and yet, the NSA did nothing until the malware offspring of its secret exploit stash were taking down systems all over the world.

Filed Under: disclosure, exploits, malware, nsa, rick ledgett, vep, vulnerabilities

NSA Official Says It Might Have Been Nice If The Agency Had Handled The Public Disclosure Of The Section 215 Program

from the see-also:-snooze-v.-lose dept

Now that Edward Snowden has done all the leg work, the Intelligence Community is admitting that, yeah, maybe it should have been more upfront about the phone metadata collection. The soon-to-be-former NSA Deputy Director says it might have been better for the agency to be out ahead of the disclosures, rather than forced to play defense.

Richard Ledgett, who is retiring next month, said in an interview with Reuters that disclosing the secret program would have been difficult. But, he said, doing so might have mitigated the damage done by Snowden.

"That's one where I might have to say, yes," Ledgett said in his office at NSA headquarters in Fort Meade, Maryland. "That's one where maybe it would have been less shocking when Snowden did what he did."

Ledgett's not alone in feeling this way. Since the leaking began back in June 2013, several current and former officials have made similar statements. For one thing, controlling the disclosure means controlling the narrative. The IC could have pointed to several things in defense of the bulk domestic collection program, including:

a.) the lawfulness of the collection
b.) the rigorous oversight
c.) the strict compliance with FISA and the FISA court
d.) it's "just metadata"

Doing so might have headed off Snowden and other leakers. Possibly. At the very least, it would have bought the NSA some time and some narrative leeway before documents began being published showing:

a.) the collection's lawfulness was dubious at best
b.) the oversight was a joke
c.) the FISA court routinely discovered abuse by the NSA
d.) metadata exposes quite a bit of a person's life, actually.

Not quite as straightforward were Ledgett's comments on the Section 702 program, which provides backdoor domestic searches for a variety of government agencies, as well as harvests millions of communications from internet backbones. During the run-up to the Section 215 reauthorization two years ago, it sometimes appeared the NSA was willing to make deep compromises on the telephone metadata program in order to spare the internet collection the same sort of Congressional scrutiny.

Since 2011, oversight committee members (well, just a couple of them, actually) have been demanding an estimate of the amount of American communications incidentally-collected by the NSA with this program. Six years later, there have been promises made but none kept. At this point, Ledgett is just another IC official making promises no one seems to have any intent of keeping.

Privacy advocates have repeatedly demanded that the government share an estimate of how many Americans are ensnared by programs authorized under Section 702.

Intelligence officials have declined to do so. But Ledgett, in remarks earlier Tuesday at a forum sponsored by the Aspen Institute, said "yes" when asked if an estimate would be provided before year end.

We'll see. Deadlines have been ignored in the past and Ledgett's on his way out the door, so these are promises he can't be held responsible for not keeping.

Filed Under: disclosure, ed snowden, mass surveillance, nsa, richard ledgett, section 215

Judge In Twitter Lawsuit Over Surveillance Disclosure Dings DOJ For Cut-And-Paste Legal Argument

from the government-control-c dept

As you will hopefully recall, there is an ongoing case between Twitter and the government over exactly how specific or not the social media service can be regarding the number of government surveillance requests it receives. Most of the rest of the big internet companies reached a settlement with the DOJ, including rules how specific companies could be (not very) in revealing such requests. Those rules basically were an attempt by the government to get tech companies to play hide-the-ball on transparency issues, in which the more specific a service attempted to be about how many individuals would be impacted by government orders, the more additional orders had to be lumped into those specifics, rendering the information useless.

Twitter, to its credit, was alone in saying that the proposed settlement wasn't good enough, and continued its fight with the DOJ. Essentially, the fight is over whether Twitter can be specific when it discloses how many orders it has received, or whether it must only disclose "bands" or ranges of orders. Recent arguments made by both sides do a nice job of highlighting the absurdity of the government's argument.

Twitter has argued that just as it has been precise in other areas of its transparency report, so too should it be allowed to say how many national security orders it has received from American authorities.

"Even under the most generous First Amendment standard, there is nothing in there that it is a national security harm to say that we received 44 as opposed to 0 to 499," Lee Rubin, a lawyer representing Twitter, said during the Tuesday hearing.

In court filings, DOJ lawyers have said that allowing Twitter to provide this specific level of information would be detrimental to national security. This assertion is according to a declaration filed by Michael Steinbach, the executive assistant director of the national security branch of the FBI, where he argued that "the disclosure of the information at issue would provide our adversaries a clear picture of the Government’s surveillance activities pertaining to national security investigations."

The DOJ has been conditioned through the acceptance of the argument by far too many courts, as well as the court of public opinion, to simply shout "national security" at any challenge to disclosing anything at all. And that's what it's doing here, as well. So much so, in fact, that the judge presiding over the case pointed out that the legal filings the DOJ had offered didn't address any of the specifics Twitter was arguing.

During the Tuesday hearing, US District Judge Yvonne Gonzalez Rogers, an Obama-appointed judge, seemingly rebuked the government at one point and noted that its legal responses did not directly address Twitter’s arguments. "The analysis that has been provided to the court is generic to any company," she said, explaining that there was "nothing in here that is specific to Twitter.

"If I had five different cases, one by Twitter, one my Microsoft, one by Facebook and all the other groups that do this social media stuff that none of us judges do, [Steinbach] could have taken this exact same declaration and cut and paste the declaration, switched out the names of the company and I would have the same generic explanation for why it is that the government wants to do what it wants to do."

There's no ruling yet, although one is expected in the coming months. Still, it doesn't look good to have the judge dinging the DOJ for failing to address Twitter's argument that there is no national security risk in disclosing a specific number of NSLs it receives, as opposed to a range. Perhaps more importantly, it's refreshing to see a challenge to the longstanding tradition of the government being able to simply shout "national security!" at any attempt at transparency to make it go away.

Filed Under: disclosure, doj, first amendment, nsls, section 702, surveillance
Companies: twitter

Did The NSA Continue To Stay Silent On Zero-Day Vulnerabilities Even After Discovering It Had Been Hacked?

from the Betteridge-and-Glomar-combine-to-say-'we'll-probably-never-know' dept

The NSA's exploit stash is allegedly for sale. As mentioned earlier this week, an individual or a group calling themselves Shadow Brokers claims to be auctioning off parts of the NSA's Tailored Access Operations (TAO) toolkit, containing several zero days -- including one in Cisco's (a favorite NSA TAO target) Adaptive Security Appliance which allows for remote code execution.

The thing about these vulnerabilities is that they aren't new. The exploits being hawked by Shadow Brokers date back to 2013, suggesting the agency has been sitting on these exploits for awhile. The fact that companies affected by them don't know about these flaws means the NSA hasn't been passing on this information.

Back in 2015, the NSA declared that it passed on information about vulnerabilities to affected companies "90% of the time." Of course, this statement contained very few details about how long the NSA exploited vulnerabilities before allowing them to be patched.

The White House told the NSA to make disclosure the preferred method of handling discovered vulnerabilities, but also gave it a sizable loophole to work with -- "a clear national security or law enforcement need."

Ellen Nakashima and Andrea Peterson of the Washington Post spoke to former NSA personnel. The statements they gave suggest there's almost always a "need" that outweighs the general public's security and safety.

Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.

“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.

He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”

Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”

So, there's no presumption of disclosure, not even with a Vulnerability Equities Process in place. If the NSA has a vulnerability to exploit, it will continue doing so until it's no longer effective. The agency's name alone grants it a presumption of secrecy because, after all, nothing has more "national security needs" than the National Security Agency.

This undercuts everything the disclosure process was supposed to do: allow developers to close holes in their software. With its TAO secrets out in the open, the government can no longer pretend stockpiling exploits is a good idea. Nor can it claim it's OK because it's only the "good guys" doing good things with them. The exploits will be sold to the highest bidder -- whether that bidder is a criminal or just another private company stockpiling exploits so it can sell those to highest bidder -- which in some cases may be UN-blacklisted countries with totalitarian governments and long histories of human rights abuses.

Matt Blaze -- referring to the just-disclosed Cisco zero day -- wonders if the NSA only just discovered hackers had made off with its stuff. And if it actually knew for three years these exploits had been compromised, why didn't it disclose the vulnerabilities to affected developers?

I wonder if NSA discovered that they lost the TAO exploit trove in 2013 or just now? If in 2013, why didn't they report the Cisco 0day?

Neither scenario is particularly flattering. Although it's presumed the hackers didn't actually crack an NSA server (theory is the exploits were harvested from a compromised server the NSA was running), not knowing that these vulnerabilities had been obtained by outsiders until possibly three years after it happened is not exactly a flattering look for a security agency.

The alternative is actually worse: that the NSA knew its exploits had been taken but STILL chose not to disclose the vulnerabilities to software developers. In this scenario, there's no longer any "what if" about it. The NSA knew exploits were in the "wrong" hands but withheld this info to continue utilizing the exploits. If that's the case, the NSA is complicit in any exploitation by the "wrong" people because it chose to withhold, rather than disclose, major vulnerabilities even after it knew it had been compromised.

It may be that the NSA truly didn't know about this hacking until the hackers started passing out parts of its exploit hoard, but that's not exactly comforting considering the agency's efforts to be declared the overseer of the US government's CyberWar.

Filed Under: disclosure, exploits, nsa, reporting, tao, vep, vulnerabilities equities program, vulnerability, zero days

Two YouTubers About To Learn That Trust Is A Valuable Commodity That You Can Only Lose Once

from the paging-the-FTC dept

While we've had some reservations in the past about the FTC's guidelines on endorsements and testimonials in the online arena, our concerns have tended to be about the grey areas of the law. The way that reviews for books, music and games often work falls into this grey area, with products and media handed out for review, and the disclosure guidelines the FTC laid out seem overly intrusive. Whatever our reservations about those guidelines, however, the goal of preventing the surreptitious pimping of a product or service by a trusted source that has direct connections with it was laudable.

Which brings us to two YouTube personalities, TmarTn and Syndicate Project, whose real names are Trevor Martin and Tom Cassell. These two have spent a great deal of time urging their followers to use the CSGO Lotto website while, at best, barely disclosing the site's sponsorship, and never even coming close to acknowledging that they are executives of the company behind the site.

Trevor Martin and Tom Cassell, known online as TmarTn and Syndicate Project, uploaded videos in which they appeared to win big prizes playing CSGO Lotto. But it has emerged that the pair are presidents of the company, which is incorporated in Florida.

Mr Cassell apologised on Twitter to those who felt misled. In a YouTube video message to his followers, which he later deleted, Mr Martin said that the ownership of CSGO Lotto had "never been a secret".

"I created the site. I wanted to build something awesome for other people to enjoy and I played on it," he said. "Obviously, on my end, me playing on Lotto rather than other sites, gives me an advantage because it promotes my own site, but it is not immoral, there is nothing wrong with it. I am 100% honest."

Yet it's difficult to square that response with the facts. CSGO stands for Counter Strike: Global Offensive, a very popular online shooter. Within that game, players can mod their weapons with "skins", or visual modifications. Whatever that sounds like to you, please understand that there is serious money in the use, trading, and selling of these skins. That in turn has spawned websites that allow you to gamble these skins, wagering them to potentially win more valuable skins at the end of a game, with winners supposedly chosen at random. For this, CSGO Lotto has an 8% rake on the value of the skins given away in a round.

So, what kind of money are we talking about here? Well...

In April, Bloomberg reported that online betting on games such as CSGO was a booming industry worth billions of dollars.

Yeah, it's a big deal. Now, back to our two YouTubers and their claims of total honesty and transparency. Despite what they say, the current outrage has only come about because another YouTuber dug up the ownership details on the company behind CSGO Lotto, finding that the site's president is one Trevor Martin and its vice president is Thomas Cassell. Before those details were published? No controversy. Now that they've been published? Controversy. These two can claim they properly disclosed their associations all they want, but the fact that those disclosures didn't do the job of informing viewers that they owned the site says everything.

Oh, and about those disclosures:

In short, h3h3 was unable to find any instances of Martin or Cassell disclosing affiliation with CSGO Lotto—let alone high level operation of it....

On top of that, in an earlier video about CSGO Lotto that’s since been made private (you can see it in h3h3's video above, however), Martin said things like, “We found this new site called CSGO Lotto, so I’ll link it down in the description if you guys want to check it out. We were betting on it today and I won a pot of like $69 or something like that, so it was a pretty small pot, but it was like the coolest feeling ever. I ended up following them [CSGO Lotto] on Twitter and stuff, and they hit me up and they’re talking to me about potentially doing like a skin sponsorship.” That is, as PC Gamer points out, a pretty strange way to talk about a site you helped found.

Martin has also claimed that CSGO Lotto videos did include disclosures, but if you run videos like “HOW TO WIN $13,000" through the ol’ Wayback Machine, it appears that a very slight disclosure—“video made possible by CSGO Lotto”—was added after the fact.

The wonderful thing about new media outlets like YouTube is that the barriers to gaining a following are lower. The other side of that coin, however, is that trust is the ultimate selling point, and it's the kind of thing you can only lose once. It's hard to imagine that these two will have any kind of loyal following after this episode, not to mention that the FTC is likely to come calling. They've done it before, after all.

Either way, lesson learned, boys?

Filed Under: disclosure, endorsements, ftc, syndicate project, tmartn, tom cassell, trevor martin, trust, youtube
Companies: csgo lotto

Security Analyst Arrested For Disclosing Security Flaw In Florida County's Election Systems

from the life-lessons dept

A Florida man has been charged with felony criminal hacking charges after disclosing vulnerabilities in the voting systems used in Lee County, Florida. Security analyst David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the county's election systems. Levin was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond. Levin's first and biggest mistake was to post a video of himself on YouTube logging into the Lee County Elections Office network using the credentials of Sharon Harrington, the Lee County Supervisor of Elections.

That gave prosecutors the ammo they needed to arrest Levin, even if he believed he was doing locals a favor:

"Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony."

But at least a portion of Levin's crime may be of the political variety. In the video posted to YouTube Levin detailed the SQL injection alongside a man by the name of Dan Sinclair, who just so happens to be running against Harrington for the Elections Supervisor position. In the video, Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders:Sinclair has been telling local news outlets that the arrest is politically motivated and the result of "political corruption." Officials at the Lee County Elections office claim however that elections data was never actually at risk:

"The server that was vulnerable to Levin's SQL injection attack, they said, had been retired in October. At the time of Levin's attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn't vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn't have the ability to post new pages to the site or to access voter data or tabulation systems, they said."

Granted it's not clear if the data, usernames and passwords used in the attack were also potentially useful in compromising any of the county's other systems, and Levin's currently too busy in the court system to offer additional insight.

At the end of the day there's plenty of fault and lessons to go around. The county obviously shouldn't keep systems with easily-exploitable vulnerabilities online, as such lower-level systems could open the door for attacks on higher-level operations. Levin meanwhile could have taken any number of steps to reveal the flaws without risking prosecution, and step one to not getting arrested for computer crimes usually involves you avoiding posting videos of you breaking the law on YouTube. Following Dan Kaminsky's guide on how to disclose vulnerabilities without getting arrested is a good starting point for anybody that may someday find themselves in Levin's shoes.

Filed Under: cybersecurity, dan sinclair, david levin, disclosure, florida, lee county, voting, vulnerability

FBI Won't Tell Apple How It Got Into iPhone... But Is Apparently Eager To Help Others Break Into iPhones

from the just-one-phone! dept

Remember how the FBI insisted over and over again that the case in San Bernardino was not about setting a precedent and was totally about getting into "just that one phone?" Of course, no one believed it, but pay close attention to what's happening now that the FBI was able to hack into Syed Farook's work iPhone. The DOJ has also said that the crack was limited to just that type of phone and probably wasn't widely applicable. However, at the same time, the Justice Department probably has no interest in sharing the details of the vulnerability with Apple:

The FBI may be allowed to withhold information about how it broke into an iPhone belonging to a gunman in the December San Bernardino shootings, despite a U.S. government policy of disclosing technology security flaws discovered by federal agencies.

Under the U.S. vulnerabilities equities process, the government is supposed to err in favor of disclosing security issues so companies can devise fixes to protect data. The policy has exceptions for law enforcement, and there are no hard rules about when and how it must be applied.

Apple Inc has said it would like the government to share how it cracked the iPhone security protections. But the Federal Bureau of Investigation, which has been frustrated by its inability to access data on encrypted phones belonging to criminal suspects, might prefer to keep secret the technique it used to gain access to gunman Syed Farook's phone.

Or, as iPhone forensics guru Jonathan Zdziarski succinctly summarized:

FBI: You should do it, it's just one phone
Apple: No it isn't
FBI: We got in
Apple: You should say how, it's just one phone
FBI: No it isn't

Yeah.

Meanwhile, the DOJ may not be interested in helping Apple patch that hole, but it is apparently at least willing to look into other cases where it can help law enforcement break into locked iPhones. There are some (somewhat conflicting) reports saying that the FBI has agreed to help prosecutors in Arkansas try to get into a couple of iOS devices in a murder case there. Of course, it may not be the same technique or situation (and the FBI might not be able to get in, either).

However, this does show just how eager law enforcement is to get into lots of phones, and how important it is that Apple actually be able to protect its users from those who do not have legitimate reasons to hack into phones. It's too bad that the FBI is apparently choosing to hold onto the info that helps it in a few cases while failing to protect the rest of the public who may use Apple devices.

Filed Under: arkansas, disclosure, doj, encryption, fbi, going dark, iphone
Companies: apple

Child-Monitoring Company Responds To Notification Of Security Breach By Publicly Disparaging Researcher Who Reported It

from the got-a-full-clip-of-'thank-yous'-with-your-name-on-it dept

"Thanks for letting us know about this! We'll get it fixed immediately!" said almost no company ever.

There's a long, but definitely not proud, tradition of companies shooting the messenger when informed of security flaws or possible breaches. The tradition continues.

uKnowKids is monitoring software parents can install on their children's cell phones that allows them to track their child's location, as well as social media activity, text messages and created media. As such, it collects quite a bit of info.

The information on your child collected includes:

• the online profile/screen names, mobile telephone numbers and email addresses associated with the Linked Accounts and the people communicating with the Linked Accounts and devices and in certain situations, the text of the online or mobile phone SMS or MMS conversations themselves;
• the geographic location and time and date associated with a specific geographic location of your Linked Account mobile device;
• your Linked Accounts’ social networking activity and contacts;
• photographs sent, received or uploaded by your Linked Account;
• the websites visited from your Linked Account mobile device; and
• the applications installed on your Linked Account mobile device.

That's a lot of data, all related to children. This should be kept locked up tight. Unfortunately, it wasn't.

Chris Vickery, who now blogs about security over on MacKeeper, alerted this site that a misconfigured MongoDB installation exposed over 6.8 million private child text messages, 1.8 million images (many depicting children, according to Chris), and over 1700 in-depth child profiles.

The data reportedly included full names, email addresses, GPS coordinates, dates of birth, and much more, although Chris tells DataBreaches.net that he did not see payment info or parent details exposed.

Vickery did the right thing and notified uKnowKids. The security hole was closed. But the company wasn't interested in thanking Vickery for his efforts. Instead, as the Office of Inadequate Security notes, the company decided to notify its customers in a rather unusual fashion. A post at the company's site completely misconstrues the chain of events.

Here's the BS headline.


And here's the BS text:

It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.

The hacker claims to be a "white-hat" hacker a "security researcher" or "white hat hacker" or "ethical hacker" which means he tries to obtain unauthorized access into private systems for the benefit of the "public good". Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.

The passive aggression continues later in the post.

The first IP address that obtained unauthorized access to uKnow's private database was 65.36.124.81. We believe this IP address is associated with Mr. Christopher Vickery in Austin, Texas, but we don't have confirmation of that fact yet.

Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night. We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated "benign" intentions.

The second IP address (209.144.254.123) that accesed uKnow's private database in an unauthorized manner is reportedly associated with Mr. Vickery's full-time employer in Austin, Texas. Again, we don't yet have confirmation on who owns this IP address or the IP address owner's official connection with Mr. Vickery, but this is the early information we have been able to determine so far.

The post goes on to insinuate that Vickery has some sort of malignant interest in holding onto uKnow's code.

The database also included uKnow's proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow's technology.

We have repeatedly requested that Mr. Vickery permanently delete any and all copies of uKnow's intellectual property including iits proprietary customer data, business data, database schemas and field names, trade secrets, curated data dictionaries and algorithms.

After initial resistance, Mr. Vickery claims to have deleted the downloaded database in its entirety. However, he has reportedly retained an uknown number of screenshot copies of uKnow's intellectual property, and is so far unwilling to permanently delete this information. In an effort to protect our customers and stakeholders, we contine to request the destruction of any and all copies of uKnow's database including screenshots which are, in fact, copies of uKnow's database.

It also suggests Vickery's possession of screenshots might somehow violate COPPA (a law ensuring the privacy of data generated by children) and has apparently reported him to the FTC.

We have contacted the Federal Trade Commission for guidance and to report the breach. uKnow goes to great effort and expense to fully comply with the FTC's COPPA regulations, and we beleive we are in full compliance at this time.

uKnow's demand for Mr. Vickery to delete ALL copies of uKnow's database was obviously driven by our desire to protect our uKnowKids customers, but also to fully comply with COPPA requirements that we do not knowingly allow any third parties access to child data without first having affirmative, verifiable permission from parents. Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately.

Nowhere in this long statement questioning Vickery's intent is there an apology for the breach. There are no unqualified statements of gratitude. Vickery's history of finding misconfigured databases is well-documented, as is his standard operating procedure of notifying affected companies immediately and destroying any data he obtained while investigating these leaky databases.

Instead of simply fixing the hole and informing affected customers, uKnow decided to publicly disparage the person who alerted it of the issue. It's responses like these -- along with continual abuse of computer security laws -- that make security researchers leery of informing affected parties. Informing someone of a security hole shouldn't be greeted with antagonism and legal threats. But that's the default operating mode, one that only ensures security holes discovered in the future are less likely to be reported.

Filed Under: chris vickery, disclosure, ethical hacking, security research, shoot the messenger, vulnerability, white hat hacking
Companies: uknowkids

Judge In Child Porn Case Says FBI Must Turn Over Details On Its Hacking Tool

from the a-new-form-of-file-sharing dept

In California, the FBI is hoping to force Apple to write a hacking tool for it so it can access the contents of an iPhone. Further up the coast in Washington, the compelling force is moving in the opposite direction. The attorney representing a man swept up during the FBI's two-week stint as sysadmins for a child porn server has just had a motion granted that would force the agency to turn over details on the hacking tool it deployed.

A judge has ordered the FBI to reveal the complete code for its Tor exploit to defense lawyers in a child porn case. pic.twitter.com/AZ8QYgGwKe

— Brad Heath (@bradheath) February 17, 2016

The docket report Brad Heath screencapped shows a granted motion for discovery targeted at the FBI. Joseph Cox at Motherboard received confirmation from federal public defender Colin Fieman that the docket note indeed says what it appears to say.

On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he continued.

While the defense will likely see the code -- provided the FBI can't argue its way out of disclosing its methods -- it's highly likely the general public won't have access to these details. The docket is littered with documents sealed at the request of the FBI. Fortunately, there are also a few motions by Michaud's lawyer to unseal documents, so there's still a small chance information on the FBI's NIT (Network Investigative Technique) will make its way in the public domain. If so, it will probably be heavily-redacted, but it should still provide a small peek into the FBI's hacking efforts.

Cox also points out that the FBI has already turned over some of its NIT code, but what the defense received was missing several key elements.

Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevitch, the defense's consulted expert, received the discovery.

However, according to Tsyrklevitch, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT-infection was truly unique, and another was the exploit itself used to break into his computer.

The only other new document of import in the case is a sworn declaration from Special Agent Daniel Alfin, which claims the FBI has already handed over everything it should have to.

The NIT computer instructions provided to the defense on January 11, 2016, comprise the only "payload" executed on Michaud's computer as part of the FBI investigation resulting in his arrest and indictment in this case. Accordingly, the defense has been given access to the only "payload" as that term is used by the defense in its Third Motion to Compel, accompanying Declaration.

But the declaration also notes the FBI has more information it could "share" with the defense.

The government has advised the defense that it is willing to make available for its review the two-way network data stream showing the data sent back-and-forth between Michaud's computer and the government-controlled computer as a result of the execution of the NIT.

It also points out that at no time did images travel from Michaud's computer to an FBI-owned computer or vice versa. Agent Alfin also avers that once the investigation concluded, the FBI no longer had access to Michaud's computer.

Considering the judge has already given the FBI a pass for running a child porn website for two weeks, it seems unlikely the court will find anything about the NIT to be the basis for tossing evidence. There may be some issues troubling the outer reaches of the Fourth Amendment, but courts have historically forgiven questionable law enforcement behavior that serves a "compelling public interest" -- and it's hard to find a more "compelling" interest than fighting child pornography.

Filed Under: disclosure, fbi, hacking tool, tor, tor browser