Security-related News for the week ending 2020-12-08


Happy Tuesday to you DAML’ers!

We have a great lineup of stories for you this week. We start with an analysis of 15 billion passwords, so you understand how easy yours is to hack… or not!

We move on to a huge vulnerability in some VMware products, where the NSA says admins could benefit from our first story (on passwords!). We dabble in a sprinkling of breaches before moving on to some revealing spy stories that bring the FBI into focus in a somewhat unfavorable light.

We sail into a story about the Signal protocol and its creator before ending with a humorous look at security, this time from a mind reader in Belgium. (DAML’ers, after last week, do we sense a theme here? Quick, where’s my spoon?)

We have literally plumbed the depths of the seas and (yes, once again) reached into outer space to bring you this week’s collection of the best privacy and security stories yet… so let’s get going!
Listen to an abbreviated version here.


15 billion passwords analyzed, and these are the most common bits people use!

Really interesting stats on what goes into passwords: 15.2 billion passwords were analyzed.

  • The majority contained 8 characters or fewer. That’s right, in 2020, people are still using very short, very easy-to-crack passwords.

More troubling are the words that appear within the passwords. Let’s see if you use any of these common components:

  • The most popular year was 2010, at 10 million, with the second-most popular year 1987 at 8.4 million, and 1991 at nearly 8.3 million.
  • Next were the most popular names: Eva, Alex and Anna make the top 3.
  • Then come sports teams: Suns (as in the Phoenix Suns), then Heat, followed by Reds. For soccer fans, Liverpool and Chelsea came 5th and 6th.
  • The next most popular component was curse words, with “Ass” occurring 27 million times, followed by “Sex” at 5 million and the “F-word” at just under 5 million.
  • Top cities are next: Abu (for Abu Dhabi), then Rome (Italia) and Lima (Peru).
  • Next are months, days, and seasons, in order of popularity: Summer, Friday and May.

So from the perspective of brute-forcing* your password Eva2010Abu, you might want to make a New Year’s resolution to do a password update.

*In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
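To see why a password like Eva2010Abu is much weaker than its ten characters suggest, here is an added example (not from the article) that splits a password into the common components listed above and estimates how many guesses a component-aware cracker would need. The per-class wordlist sizes and the 40-bit policy threshold are constructed assumptions.

```python
"""Flag passwords assembled from the common components the 15.2-billion-password
analysis lists (years, names, teams, curse words, cities, months/days/seasons).
Added example, not from the article. The per-class wordlist sizes are constructed
assumptions about how many candidates a cracker would try for that class."""
import math

# (label, sample words quoted in the article, assumed size of a cracker's wordlist)
CLASSES = [
    ("year", {str(y) for y in range(1900, 2021)}, 121),
    ("name", {"eva", "alex", "anna"}, 5_000),
    ("team", {"suns", "heat", "reds", "liverpool", "chelsea"}, 500),
    ("curse", {"ass", "sex"}, 2_000),
    ("city", {"abu", "rome", "lima"}, 5_000),
    ("date", {"summer", "friday", "may"}, 30),
]
PRINTABLE = 95  # a character not explained by any class could be any printable ASCII


def bits(candidates):
    """Guess-work of a component expressed as bits (log2 of the candidates tried)."""
    return math.log2(candidates)


def segment(password):
    """Split the password into components so the total guess-work is minimal.
    Dynamic programme over prefixes: best[i] = (bits, tokens) for password[:i].
    Case is ignored because crackers apply capitalisation rules almost for free."""
    p = password.lower()
    best = [(0.0, [])] + [(math.inf, [])] * len(p)
    for i in range(len(p)):
        cur_bits, cur_tokens = best[i]
        if cur_bits == math.inf:
            continue
        # Option 1: the character is unexplained and costs a full brute-force step.
        cand = cur_bits + bits(PRINTABLE)
        if cand < best[i + 1][0]:
            best[i + 1] = (cand, cur_tokens + [("char", p[i])])
        # Option 2: a known component starts here and costs only its wordlist size.
        for label, words, size in CLASSES:
            for w in words:
                if p.startswith(w, i):
                    cand = cur_bits + bits(size)
                    if cand < best[i + len(w)][0]:
                        best[i + len(w)] = (cand, cur_tokens + [(label, w)])
    return best[len(p)]


def assess(password, minimum_bits=40):
    """Compare the length-based impression of strength with the component-based
    estimate; the 40-bit threshold is a constructed policy value, not from the article."""
    estimated, tokens = segment(password)
    naive = len(password) * bits(PRINTABLE)
    return {
        "tokens": tokens,
        "estimated_bits": round(estimated, 1),
        "naive_bits": round(naive, 1),
        "weak": estimated < minimum_bits,
    }


if __name__ == "__main__":
    for pw in ("Eva2010Abu", "Liverpool1987", "xQ7#pL2!v"):
        print(pw, assess(pw))
```

Eva2010Abu looks like roughly 66 bits of brute-force work by length but collapses to about 31 bits once it is read as name + year + city.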


US: Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE

Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.

Mitigation? Patch the affected servers. Password-based access to the web-based management interface of the device is required to exploit the vulnerability, so using a strong and unique password lowers the risk of exploitation.


US: Go Elon! FCC Auction to Bring Broadband to Over 10 Million Rural Americans

Space Exploration Technologies Corp. (SpaceX) is awarded US $885,509,638.40 to provide Starlink broadband to 642,925 locations in 35 US states. This may allow SpaceX to drive prices down even further. No other low-Earth-orbit satellite provider received Federal Communications Commission funding.


MX: Electronics giant Foxconn hit by ransomware, $34 million ransom

Electronics giant Foxconn suffered a ransomware attack at a Mexican facility over the Thanksgiving weekend, where attackers stole unencrypted files before encrypting devices.

Foxconn is the largest electronics manufacturing company globally, with recorded revenue of $172 billion in 2019 and over 800,000 employees worldwide. Foxconn subsidiaries include Sharp Corporation, Innolux, FIH Mobile, and Belkin.

BleepingComputer has been tracking a rumored Foxconn ransomware attack that occurred over the Thanksgiving weekend.

Today, the DoppelPaymer ransomware gang published files belonging to Foxconn NA on its data leak site. The leaked data includes generic business documents and reports but does not contain any financial information or employees’ personal details.

As part of this attack, the threat actors claim to have encrypted about 1,200 servers, stolen 100 GB of unencrypted files, and deleted 20-30 TB of backups.


IL: Israel shaken by data leak after ransomware attack at Shirbit insurance company

A hacking gang calling itself Black Shadow has demanded a giant insurance firm pay a US $3.8 million ransom after encrypting and stealing sensitive data and documents about its clients.

Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of stolen data this past weekend.

Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.


Hacker Defaces Spotify Pages of Celebrity Musicians

A hacker going by the name “Daniel” took control of prominent Spotify pages last Wednesday from artists like Dua Lipa, Lana Del Rey, Future, and Pop Smoke.

The attacker replaced the profile photos with photos that were apparently of himself and modified the musicians’ biographies. Daniel also promoted a Snapchat account to gain followers and included phrases like “Trump 2020.”

Musicians use a tool called Spotify for Artists to claim ownership of their pages and upload content like photos and biographies. It is unclear how the attacker gained access to these accounts.

“Best of all shout out to my queen Taylor Swift,” Daniel wrote before the defacements were removed.


The US Used the Patriot Act to Justify Monitoring Who Visited Popular Websites

The US government has been using Section 215 of the Patriot Act to justify allowing law enforcement to log who visits certain popular web pages, according to documents obtained by The New York Times.

The government has not gone so far as to collect users’ keyword searches in search engines, but it has felt emboldened to monitor website visitors without a warrant.

Section 215 and a couple of other surveillance provisions of the Patriot Act expired in March as the US descended into pandemic social distancing and lockdown measures, and Congress has still not made headway on how to reinstate or revise it.

The law allows the FBI to seek clandestine court orders to collect any data from a business that connects to national-security-related investigations.

The news about identifying visitors to certain pages was concerning to privacy and digital rights advocates. “Our web-browsing records are windows into some of the most sensitive information about our lives,” Patrick Toomey, a senior staff attorney with the ACLU’s National Security Project said in a statement on Thursday.

“The FBI should not be collecting this information without a warrant. If Congress considers reviving Section 215 at all, it must prohibit the government from abusing this surveillance law to track the web-browsing activities of people in the United States.”


IL: A Surveillance Firm Is Reportedly Exploiting SS7 Bugs to Gather Data for Governments Worldwide

Researchers from Citizen Lab at the Munk School of Global Affairs, University of Toronto, published evidence this week that the surveillance firm Circles has been exploiting known flaws in global telephony networks to conduct phone surveillance in 25 countries.

Circles is known for selling hacking tools that target the vulnerable infrastructure, known as the SS7 network, and the firm is an affiliate of the notorious mobile spyware maker NSO Group.

The Citizen Lab researchers say they were able to determine, with varying degrees of confidence, that Circles’ services were purchased by a wide array of countries, including Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates, Vietnam, Zambia, and Zimbabwe.


DE: From the depths of the Baltic

German divers recently stumbled on the rarest of finds: an Enigma encryption machine used by the Nazis to encode secret messages during World War II.

The electromechanical device was used extensively by the Nazi military to encrypt communications, which typically were transmitted by radio in Morse code. Three or more rotors on the device implemented a stream cipher that converted each letter of the alphabet to a different letter.

The Enigma had the appearance of a typewriter. An operator would use the keys to type plaintext, and the converted ciphertext would be reflected in 26 lights above the keys—one light for each converted letter. The converted letters would then be transcribed to derive the ciphertext.

Cipher keys were set through a series of device settings that were changed regularly according to lists made available in advance. People receiving the messages had to use the same lists as the senders for the messages to be readable.

The Enigma made it hard for the Allied Forces to track German submarines until a British team led by mathematician and scientist Alan Turing broke the encryption the device used. The feat, which built off of breakthroughs made by scientists from the Polish Cipher Bureau, made it possible for the Allies to decipher messages about German military movements. Many historians credit the accomplishment with shortening the war and preventing many thousands of deaths.

The find, made by divers working on behalf of WWF to locate abandoned fishing nets that endanger marine life, will be given to the archaeology museum in Schleswig, Germany, and will take about a year to restore.


Twitter Finally Adds Support for Physical Authentication Tokens

In December 2017, Twitter took the long overdue step to finally offer alternatives to receiving two-factor authentication codes via SMS. At the time, the company expanded its offerings to include third-party authenticator apps, but didn’t go all the way to add support for physical authentication tokens like YubiKeys.

Three years later, Twitter finally took that step—and a welcome one, with attackers more focused than ever on the potential value of taking over a high-profile Twitter account.


Booyah! Trump signs IoT bill into law

On Friday, December 4, U.S. President Donald Trump signed the Internet of Things Cybersecurity Improvement Act of 2020 into law. Reintroduced in 2019, the legislation passed the U.S. House of Representatives in September 2020, and passed the Senate in November 2020.

The IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on addressing issues related to the development, management, configuring, and patching of IoT devices.

Additionally, the law demands the Office of Management and Budget (OMB) to issue recommendations based on the NIST guidelines for federal agencies, which are required to ensure that all IoT devices within their environments fully comply with these standards and guidelines.

This is great news! No wonder he doesn’t want to leave office!


Hacker Lexicon: What Is the Signal Encryption Protocol? Or, the story of Next Gen. Secure Communication

This story starts with school-kid Matthew Rosenfeld, born in the early 80s in Georgia. As any school-kid might, he hated the curiosity-killing drudgery of school, so he had the idea to try programming video games on an Apple II in the school library. The computer had a BASIC interpreter but no hard drive or even a floppy disk to save his code. Instead, he’d retype simple programs again and again from scratch with every reboot, copying in commands from manuals to make shapes fill the screen. Browsing the computer section of a local bookstore, the preteen Marlinspike found a copy of 2600 magazine, the catechism of the ’90s hacker scene. After his mother bought a cheap desktop computer with a modem, he used it to trawl bulletin board services, root friends’ computers to make messages appear on their screens, and run a “war-dialer” program overnight, reaching out to distant servers at random.

Somewhere in the intervening years, the would-be anarchist Matthew Rosenfeld adopted the pseudonym Moxie Marlinspike and an updated dreadlocked image, so we’ll continue the story from here with that moniker.

By his teens, Marlinspike was working after school for a German software company, writing developer tools. After graduating high school—barely—he headed to Silicon Valley in 1999. “I thought it would be like a William Gibson novel,” he says. “Instead it was just office parks and highways.” Jobless and homeless, he spent his first nights in San Francisco sleeping in Alamo Square Park beside his desktop computer.

Eventually, Marlinspike found a programming job at BEA-owned WebLogic. But almost as soon as he’d broken into the tech industry, he wanted out, bored by the routine of spending 40 hours a week in front of a keyboard. “I thought, ‘I’m supposed to do this every day for the rest of my life?’” he recalls. “I got interested in experimenting with a way to live that didn’t involve working.”

For the next few years, Marlinspike settled into the San Francisco Bay Area scene that was, if not cyberpunk, at least punk. He started squatting in abandoned buildings with friends, eventually moving into an old postal service warehouse.

He took up hitchhiking, then upgraded his wanderlust to hopping freight trains. In 2003 he spontaneously decided to learn to sail, and off he went sailing the Caribbean. See his 2007 documentary "Hold Fast": https://youtu.be/2lwbHYOFD-4

For Marlinspike, a failed wiretap can mean a small victory. A few days after Snowden’s first leaks, Marlinspike posted an essay to his blog titled “We Should All Have Something to Hide,” emphasizing that privacy allows people to experiment with lawbreaking as a precursor for social progress. “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed,” he wrote. “How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?”

In 2008, Marlinspike settled in a decrepit brick mansion in Pittsburgh and started churning out a torrent of security software. The next year he appeared for the first time at the Black Hat security conference to demonstrate a program he called SSLstrip, which exposed a critical flaw in web encryption. In 2010 he debuted GoogleSharing, a Firefox plugin that let anyone use Google services anonymously.

That year, with the growth of smartphones, Marlinspike saw his biggest opportunity yet: to secure mobile communications. Helped by a friend who was getting a robotics PhD at Carnegie Mellon, he launched Whisper Systems.

Marlinspike became the director of product security at Twitter. A coworker remembers that his expertise was “revered” within the company. But his greater goal was to alter the platform so that it didn’t keep logs of users’ IP addresses, which would make it impossible for authorities to demand someone’s identity, as they’d done with one Occupy Wall Street protester in 2012.

One fall evening after work, Marlinspike and a friend made a simple plan to sail a 15-foot catamaran out 600 feet into the San Francisco Bay, where they’d drop anchor and row back in a smaller boat, leaving the sailboat to wait for their next adventure. (Anarchist sailors don’t like to pay dockage fees.) Marlinspike headed out into the bay on the catamaran with his friend following in a rowboat.

Only after Marlinspike had passed the pier did he realize the wind was blowing at a treacherous 30 miles an hour. He decided to turn back but discovered that he’d mis-rigged the craft and had to fix his mistake. Then, without warning, the wind gusted. The catamaran flipped, throwing Marlinspike into the ice-cold water.

Marlinspike tried to swim for shore. But the pier was too far away, the waves too strong, and he could feel his body succumbing to hypothermia, blackness creeping into the edges of his vision. He headed back to the overturned boat. Alone now in the dark, he clung to the hull, took stock of the last hour’s events, and realized, with slow and lonely certainty, that he was very likely going to die.

When a tugboat finally chanced upon his soaked and frozen form he was nearly unconscious and had to be towed up with a rope. When he arrived at the hospital, Marlinspike says, the nurses told him his temperature was so low their digital thermometers couldn’t register it.

“The experience made me question what I was doing with my life.” A normal person might have quit sailing. Instead, Marlinspike quit Twitter. A year and a day after he had started, he walked away from over $1 million in company stock. In 2013 he re-launched his startup as an open source project called Open Whisper Systems and thereafter released Signal, then versions for Android and Chrome. Next came encrypted communications for WhatsApp.

“Moxie has brought us a world-class, state-of-the-art, end-to-end encryption system,” WhatsApp cofounder Brian Acton said. “I want to emphasize: world-class.”

And then in February 2014, Facebook purchased the messaging service WhatsApp for $19 billion. The acquisition price was staggering for an app that made little money and was largely popular outside the United States.

OK, so now cut from San Francisco to Mumbai. Currently, Facebook and Jio are leaders in their respective industries in India. Facebook’s main app and WhatsApp are among the most used social platforms in India. WhatsApp has over 400 million users in India, which makes the country its largest market. Jio is behind India’s leading wireless phone network, which has close to 400 million subscribers.

Facebook plans to leverage Jio to accelerate the uptake of online shopping in India. They hope to help millions of India’s small retailers increase their sales by connecting them with online shoppers. Facebook and Jio are already testing a service that lets Indians shop from local stores through WhatsApp.

Last month Facebook (NASDAQ:FB) announced one of its biggest investment deals in history. The company invested $5.7 billion for a 10% stake in the Jio Platform. The Facebook-Jio deal could open a path to meaningful WhatsApp monetization. And that will bring changes to the WhatsApp that you’ve been using.

So, we think it’s time to revisit the Signal app.

Beneath its ultrasimple interface, Moxie Marlinspike’s crypto protocol hides a complex machine of automated moving parts.

  1. When Alice installs an app that uses Marlinspike’s protocol, it generates pairs of numeric sequences known as keys. With each pair, one sequence, known as a public key, will be sent to the app’s server and shared with her contacts. The other, called a private key, is stored on Alice’s phone and is never shared with anyone. The first pair of keys serves as an identity for Alice and never changes. Subsequent pairs will be generated with each message or voice call, and these temporary keys won’t be saved.

  2. When Alice contacts her friend Bob, the app combines their public and private keys—both their identity keys and the temporary ones generated for a new message or voice call—to create a secret shared key. The shared key is then used to encrypt and decrypt their messages or calls.

  3. The secret shared key changes with each message or call, and old shared keys aren’t stored. That means an eavesdropper who is recording their messages can’t decrypt their older communications even if that spy hacks one of their devices. (Alice and Bob should also periodically delete their message history.)

  4. To make sure she’s communicating with Bob and not an impostor, Alice can check Bob’s fingerprint, a shortened version of his public identity key. If that key changes, either because someone is impersonating Bob in a so-called man-in-the-middle attack or simply because he reinstalled the app, Alice’s app will display a warning.
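The four steps above as an added, runnable toy model (not Signal’s own code): identity and temporary key pairs, a shared key that mixes both, a per-message ratchet that drops old keys, and a fingerprint check on the identity key. The Diffie-Hellman group is a small toy prime and the KDF is plain HMAC-SHA256, both constructed so the flow runs with the standard library only; the real protocol uses X25519 and a hardened key schedule.

```python
"""Toy model of the four Signal steps: identity and ephemeral key pairs, a shared
key derived from both, a per-message ratchet that discards old keys, and a
fingerprint check on the identity key. Added example, not Signal's code: the
DH group is a toy prime and the KDF is HMAC-SHA256, chosen so it runs offline."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime for the demo only; Signal uses Curve25519 (X25519)
G = 3


def keypair():
    """Step 1: the private scalar stays on the device, the public value is shared."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")


def shared_root(my_id, my_eph, their_id_pub, their_eph_pub, initiator):
    """Step 2: mix identity and temporary keys so the secret depends on both.
    Both sides must concatenate the three DH results in the same order."""
    d_id_eph = dh(my_id[0], their_eph_pub)    # my identity x their ephemeral
    d_eph_id = dh(my_eph[0], their_id_pub)    # my ephemeral x their identity
    d_eph_eph = dh(my_eph[0], their_eph_pub)  # ephemeral x ephemeral
    ordered = (d_id_eph, d_eph_id) if initiator else (d_eph_id, d_id_eph)
    return hashlib.sha256(b"".join(ordered) + d_eph_eph).digest()


def ratchet(chain_key):
    """Step 3: derive a one-time message key and the next chain key. The old chain
    key is dropped, so a device compromised later cannot walk the chain backwards."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key


def fingerprint(identity_pub):
    """Step 4: a short, human-comparable digest of the public identity key."""
    return hashlib.sha256(identity_pub.to_bytes(16, "big")).hexdigest()[:20]


def identity_changed(saved_fp, identity_pub):
    """True when a contact's identity key no longer matches the stored fingerprint."""
    return saved_fp != fingerprint(identity_pub)


def demo():
    alice_id, bob_id = keypair(), keypair()      # long-term identity keys
    alice_eph, bob_eph = keypair(), keypair()    # temporary keys for this exchange
    alice_root = shared_root(alice_id, alice_eph, bob_id[1], bob_eph[1], True)
    bob_root = shared_root(bob_id, bob_eph, alice_id[1], alice_eph[1], False)
    chain, message_keys = alice_root, []
    for _ in range(3):                           # three messages, three keys
        chain, mk = ratchet(chain)
        message_keys.append(mk)
    return {
        "roots_match": alice_root == bob_root,
        "keys_distinct": len(set(message_keys)) == 3,
        "bob_fp": fingerprint(bob_id[1]),
        "warn_on_reinstall": identity_changed(fingerprint(bob_id[1]), keypair()[1]),
    }
```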


Concerned about your Privacy and security?

Watch this video from Duval Guillaume and be richly rewarded.

“Dave” is an extremely gifted clairvoyant who shares very detailed, personal information with his subjects. This video reveals the magic behind his magic.

One viewer comments: “Then… this mind reader is nothing compared to NSA!”



And that’s it for this week. See you in Se7en days DAML’ers!

