The commission on Thursday issued a notice that seeks public comment on the concept of a Do Not Originate list, which would establish a set of phone numbers that are never used to initiate calls. This would help prevent fraudsters from spoofing the caller IDs of numbers owned by organizations such as the IRS, FBI, banks, and charities, a tactic that they use regularly to make their phone fraud schemes seem more plausible. The policy would allow carriers to block calls from numbers on the DNO list, something that they’re not allowed to do under FCC rules right now.
The proposal is an outgrowth of work done by the Robocall Strike Force, a group that the FCC and a number of carriers established last year in an effort to find answers to the robocall problem. The group has come up with a number of ideas, but the one that has the best potential to have an immediate effect is the DNO list. A trial of the DNO list concept last fall produced a 90 percent decrease in the number of IRS scam calls. Now, the commission is looking to allow carriers to implement this system on a permanent basis.
The malware, known as the Swearing Trojan for some impolite language found in the Chinese code, has been in circulation for several months and uses a number of different methods to spread, including traditional phishing emails and SMS messages. The most sophisticated method, though, is the use of the fake base transceiver stations, which the attackers employ to send SMS messages to victims. The texts appear to come from a Chinese telecom operator and contain a link that will infect the user’s device with the malware.
One of the issues with Android security over the years has been the way that patches are delivered to users. Google distributes updates directly to the Nexus and Pixel devices it sells, but carriers and other manufacturers are responsible for getting updates to their own customers. Some handset makers, including LG and Samsung, follow Google’s lead and send monthly updates to some of their devices on the day they’re released. But many others either deliver them much later or not at all.
In its annual report on Android security, Google said that while the monthly update schedule has helped, it hasn’t fixed the problem entirely.
Trailrunner7 writes: In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.
NSA has both defensive and offensive roles in cybersecurity and does its own vulnerability research and exploit development. Some of the flaws NSA finds are kept private and used for intelligence-gathering purposes in targeted exploitation operations. But many others are disclosed to the affected vendors as soon as possible, said Richard Ledgett, deputy director of NSA.
“Our historic numbers are around 90 percent, or a little better than 90 percent toward disclosure,” Ledgett said during a roundtable discussion on cybersecurity issues Tuesday hosted by the Aspen Institute.
The bug is a critical one and an attacker who is able to exploit it would be able to get complete control of a target device. The flaw lies in the Cluster Management Protocol (CMP) that’s used in IOS, and Cisco said it’s caused by the incorrect processing of CMP-specific Telnet options, as well as accepting and processing these commands from any Telnet connection.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” the Cisco advisory says.
Trailrunner7 writes: The Department of Homeland Security’s US-CERT group has issued an advisory warning enterprises that many security appliances that perform HTTPS inspection through a man-in-the-middle position don’t correctly verify certificate chains before forwarding traffic, weakening the security benefits of TLS in the process.
The advisory comes after a recent paper by security researchers from Google, Mozilla, Cloudflare, University of Michigan, and elsewhere looked at traffic interception appliances and their effect on secure connections. The researchers built a set of heuristics to enable servers to detect HTTPS interception, and found that interception boxes “drastically reduce connection security.”
Trailrunner7 writes: A year after flaws in SS7, one of the underlying protocols in the cell network, came to the public’s attention, two powerful members of Congress are asking the secretary of Homeland Security how DHS has addressed the threat and whether the department has sufficient resources to detect and defeat SS7-related attacks.
The flaws in SS7, a protocol that’s designed to connect various telecom carriers, can enable anyone with access to the system to carry out discreet surveillance against a victim, knowing only the target’s phone number. Many people at each of the carriers have access to the system, and security researchers have been warning about the problem for years. Last year, researchers demonstrated an attack on the phone of Rep. Ted Lieu (D-Calif.) using this technique, prompting Lieu to call on congressional leaders to address the issue.
Now, a year later, Lieu and Sen. Ron Wyden (D-Ore.) have sent a letter to John F. Kelly, secretary of Homeland Security, to detail what the department has done to address the SS7 problem and whether the federal government understands how this vulnerability could be used for surveillance.
“We are deeply concerned that the security of America’s telecommunications infrastructure is not getting the attention it deserves. Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance,” the letter says.
Google has identified the family of PHAs as Chamois and said that it caught them through the use of traffic analysis, which determined that the apps were trying to evade the company’s security systems. The goal behind the apps appears to have been ad fraud, and the developers employed a few different techniques to get around Google’s detection and prevention systems.
“We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems,” Bernhard Grill, Megan Ruthven, and Xin Zhao, security software engineers at Google, said.
Confide is one of the group of encrypted chat apps that have emerged in the last few years and promises end-to-end encryption and self-destructing messages. But the team at IOActive discovered a group of vulnerabilities in the app that make users susceptible to a range of attacks that could result in account compromises, message disclosure, and other problems. The vulnerabilities are across a number of different areas in the app, but one of the main issues is the way Confide handles SSL certificates.
“The application’s notification system did not require a valid SSL server certificate to communicate, which would leak session information to actors performing a man-in-the-middle attack,” the IOActive bulletin says.
Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.
The proposed legislation includes the caveat that victims can’t take any actions that destroy data on another person’s computer, cause physical injury to someone, or create a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it’s generally illegal.
BEC scams, also known as CEO or executive impersonation schemes, are the evolution of phishing attacks and rely on the criminals’ ability to convince a key member of an organization to transfer money to an account the attackers control. As simple as the scam is in concept, there are a number of moving parts that all must work in unison for the theft to succeed. Most importantly, someone inside the target organization has to fall for the ruse.
Based on the FBI’s data, plenty of people are doing just that. The bureau said that since the beginning of 2015, businesses in the U.S. have lost more than $3 billion to BEC scams. These schemes can be crippling for victimized businesses, as some of the incidents involve losses in the tens or hundreds of thousands of dollars. Last year, one firm lost $98 million in a BEC scam that lasted several months.
Trailrunner7 writes: People have been trying to find a replacement for PGP almost since the day it was released, and with limited success. Encrypted email is still difficult to use and painful to implement in most cases, but Google has just released a Chrome plugin designed to address those problems.
The new E2EMail extension doesn’t turn a user’s Gmail inbox into an encrypted mail client. Rather, it is a replacement that gives users a separate inbox for encrypted messages. The system is built on Google’s end-to-end encryption library, and the company has released E2EMail as an open-source project.
Trailrunner7 writes: A senator from Oregon who has a long track record of involvement on security and privacy issues says he plans to introduce a bill soon that would prevent border agents from forcing Americans returning to the country to unlock their phones without a warrant.
Sen. Ron Wyden said in a letter to the secretary of the Department of Homeland Security that he is concerned about reports that Customs and Border Patrol agents are pressuring returning Americans into handing over their phone PINs or using their fingerprints to unlock their phones. DHS Secretary John Kelly has said that he’s considering the idea of asking visitors for the login data for their various social media accounts, information that typically would require a warrant to obtain.
“Circumventing the normal protection for such private information is simply unacceptable,” Wyden said in the letter, sent Monday.
The failures that led to Edward Snowden walking out the door with a massive cache of NSA data four years ago were not the kind that normally make their way into the public’s line of sight. Those failures were organizational, technical, and procedural, and the agency had to take a hard look at itself in the aftermath of Snowden’s theft, the NSA’s former deputy director said.
“If you’d asked me in the spring of 2013 what’s the state of your defense of the business, I would’ve said it’s good but not perfect. We don’t take our eye off the ball, we don’t assume we can chase everything down. We’d have said we vet the insiders the old-fashioned way,” Chris Inglis, the former deputy director of NSA, said in a talk at the RSA Conference here Thursday.
“Cybersecurity professionals don’t have experience dealing with traditional investigations. These cases are complex because you often don’t have the data you need to tell the story. We need to find a way to help companies characterize what’s going on. It’s a problem we haven’t really thought about for a long time,” Milan Patel, a former FBI cyber investigator and current managing director of cyber investigation and incident response at K2 Intelligence, said during a panel discussion on cyber espionage at the RSA Conference here Wednesday.
In one recent case, Patel was called in to a large real estate company to investigate an administrator who had given himself extra network privileges. The admin then got access to the Exchange server and began reading emails sent by the company’s executive team. During the investigation, Patel discovered that several other people had unnecessary elevated privileges, but the firm didn’t have a way to track when the employees had gotten those rights or how. The company also didn’t have any way to do forensics on the employee’s laptop or phone.