Orange Errywhere!

Orange and Japan are my islands. I enjoy writing about cyber security, privacy, technology with an Apple & Google slant, various geekery, and interesting things I find in my travels throughout Japan.



IRS Cyber Theft Tactics Could Work at Any US Government Agency

Cory Bennett of The Hill discusses how the IRS cyber theft tactics could work at any United States government agency:

The IRS revealed Tuesday that cyber crooks, likely backed by an organized crime syndicate, had accessed returns for roughly 104,000 taxpayers through the agency’s “Get Transcript” feature.

The scheme appeared to be part of a larger plot to file fraudulent tax returns and collect illegitimate refunds.

But the digital thieves didn’t actually break into the IRS’s database. They simply imitated individuals using information culled from the vast trove of personal data being traded on the dark Web after numerous company data breaches in recent years.

Any federal agency with valuable data could fall victim to the same maneuver, experts explained.

“The possibility of the same tactic being reprised at other agencies that have public-facing missions, I think, is very high,” said Jim Penrose, a former head of the National Security Agency’s Operational Discovery Center and now an executive vice president at cybersecurity firm DarkTrace.

It is absolutely true. The US government has a fairly standard cyber security posture across the board, and is likely open to the same types of attacks no matter what agency we are talking about, with the one possible exception being the Department of Defense.

Check Point Launches New Dedicated ICS Security Appliance

Eduard Kovacs of Security Week on Check Point launching a new dedicated ICS security appliance:

Available immediately through Check Point’s global partners, the 1200R is a rugged security gateway appliance line that provides protection for SCADA (supervisory control and data acquisition) systems in remote locations and harsh environments.

Part of Check Point’s ICS/SCADA security offering, 1200R is a fully-featured gateway with six 1GbE ports and raw firewall throughput of 2 Gbps. The product supports a wide range of ICS/SCADA-specific protocols, including Siemens Step7, OPC, DNP3, BACNet, IEC-60870-5-104, IEC 60870-6 (ICCP), IEC 61850, Profinet, MMS, and Modbus.

Since it’s designed for use in harsh environments, such as plant floors, the appliance is compliant with IEC 61850-3, IEEE 1613 and IEC 60068-2 industrial specifications for heat, vibration, and immunity to electromagnetic interference. The 1200R is capable of operating in temperatures ranging between -40°C and 75°C, Check Point said.

The solution provides full visibility and granular control of SCADA traffic via a next-generation firewall, logging capabilities for forensic analysis of incidents, and compliance monitoring. The appliance is designed to detect and block exploitation of ICS component vulnerabilities with intrusion prevention system (IPS) signatures.

Thanks to Executive Order 13636 and the NIST Cyber Security Framework, cyber security businesses are spending a lot of time focusing on strengthening the critical infrastructure sectors. Aiming specific appliances at industrial control systems is a smart business move because this space is just blowing up. There is a huge potential to make a lot of money in this space.

A Beautiful Sunset “Provision” for NSA Bulk Surveillance

Josh Chafetz of The Hill on what is being called a beautiful sunset “provision” for NSA bulk surveillance:

But this time was different, because of one simple but crucial feature of the Patriot Act: a built-in expiration date, also known as a sunset provision. The USA Freedom Act did not simply curtail the NSA’s surveillance authority; it also reauthorized that authority, which is due to expire on June 1. This explains why Senate Majority Leader Mitch McConnell (R-Ky.) was so desperate to pass something: After the Freedom Act failed, he tried to get through a two-month extension of the NSA’s authority in its current state. That failed by an even bigger margin. He then attempted to get unanimous consent agreements for ever-shorter extensions, down even to one day, but Sens. Rand Paul (R-Ky.), Ron Wyden (D-Ore.) and Martin Heinrich (D-N.M.) objected. McConnell has vowed to try again when the Senate reconvenes on Sunday, May 31, hours before the NSA authority is set to expire. The NSA has reportedly already begun winding down the program.

The sunset provision turns out to be hugely important. Without it, the baseline for any future legislation would have been expansive NSA power, and any attempt to move away from this baseline — that is, any NSA reform bill — would have faced very high hurdles. But the sunset provision reset the baseline. Now the status quo, as of June 1, will be an absence of NSA metadata surveillance power. This new baseline forced the NSA’s defenders to come to the table in order to salvage as much of their surveillance powers as they could. And once they’re at the table, critics of the program have a chance to extract real concessions.

This does not mean, of course, that the critics will get everything they want. All but one of the Senate votes against the House measure came from Republicans, many of whom did not like the limitations that it placed on the NSA. But their subsequent inability to pass a clean extension of the NSA’s authority meant that the power shifted to civil libertarians like Paul, Wyden and Heinrich. Inaction — the default position — now favors their preferred outcome. Even if something is eventually passed restoring some of the lapsing authority, it will be something that takes significant account of the concerns of the NSA’s critics, and those critics will have the sunset provision to thank for it.

It would really be nice to see the mass surveillance die a quick death. Contrary to what spin the government would like to offer on these NSA programs, they are of little to no value in the grand scheme of the overall intelligence community capabilities.

Unfortunately, even if the Patriot Act section 215 dies, you can rest assured the NSA will use one of its many other authorities to continue its various bulk collection programs.

IRS Hacked, 100k Individual Tax Records Accessed

Katie Kuehner-Hebert of CFO Online on the IRS being hacked and tax records for 100,000 people being remotely accessed:

Amid increasing concern over the security of Internal Revenue Service computer systems, the agency has disclosed that hackers accessed the personal tax data of more than 100,000 taxpayers in an effort to claim fraudulent refunds.

The IRS said it had determined late last week that “unusual activity” had occurred on its online service called Get Transcript, where filers can get tax returns and other filings from previous years.

The hackers used the personal data of taxpayers — including Social Security numbers, dates of birth, and street addresses — to clear a security screen and log on to Get Transcript, the IRS said.

The service has been shut down temporarily and the security breach is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ criminal investigation unit. The IRS will provide free credit monitoring services for the affected taxpayers whose accounts were accessed, including those for which the hackers couldn’t clear all the authentication hurdles.

I find myself somewhat unsurprised this happened considering how government agencies generally approach their own internal-facing cyber security postures.

Canary Box Aims to Lure Hackers into Honeypots Before They Make Headlines

Ars Technica on the Canary box, which aims to lure hackers into honeypots so they are caught before they become national news:

A honeypot system should be much less susceptible to false alerts, since almost any access to a honeypot system should, by definition, be suspicious.

The Canary box aims to tackle this problem, offering the reliable reporting of a honeypot, but without the complex configuration. In fact, Thinkst says that configuring Canary should only take a few minutes. A hardware button is used to put the Canary into “configuration” mode. An administrator then connects to the Canary with Bluetooth and chooses the personality it should use: it can masquerade as, for example, Windows Server 2008, Linux, and ReadyNAS—and the services it offers. A fake Windows server can offer Windows shares, host some exciting looking files such as “salaries.xls,” or “top-secret-project.docx,” or whatever else is chosen.

After that initial configuration, the device can then be left alone. The Canary will report attempts to access it through an online management console; if someone port scans it, tries to connect to its network services, or opens files from it, it’ll immediately send an alert.

Canary won’t catch every intruder—one that knows exactly what they’re looking for probably won’t be tempted to look for the tempting treats on the honeypot—but it should nonetheless provide an easy way of finding unauthorized network access that isn’t prone to false positives. Compared to many enterprise-oriented security offerings, it’s also affordable: $5,000 a year for two Canary devices and management through the online console.

Sounds like an interesting device to play around with and test its capabilities.
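The core idea in the excerpt above is that a honeypot has no legitimate users, so every contact with it is an alert rather than a statistic to be triaged. The listener below is an added example of that principle written for this page; it is not Thinkst's code and knows nothing about how the real Canary is built. It binds a fake service on a port, greets visitors with a banner, and turns each connection (port scan, service probe, or login attempt) into an alert record with the source address and the first bytes sent. The service name, banner, and alert line format are this example's own choices, and `probe()` is a stand-in for a scanner so the whole thing runs offline on loopback.

```python
"""Minimal canary-style honeypot listener (added example, not Thinkst's code).

Every accepted TCP connection becomes an alert record: a honeypot has no
legitimate users, so any contact is suspicious by definition. Service names,
banners and the alert line format are this example's own assumptions.
"""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Alert:
    timestamp: float
    source_ip: str
    source_port: int
    service: str
    first_bytes: bytes


@dataclass
class CanaryService:
    """One fake network service: listens, greets with a banner, records every hit."""
    name: str
    banner: bytes
    host: str = "127.0.0.1"
    port: int = 0  # 0 lets the OS pick a free port (handy for tests)
    alerts: list = field(default_factory=list)
    _sock: socket.socket = field(default=None, repr=False)
    _thread: threading.Thread = field(default=None, repr=False)
    _stop: threading.Event = field(default_factory=threading.Event, repr=False)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def start(self) -> int:
        """Bind, listen, run the accept loop in a background thread; return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(self.banner)
                    conn.settimeout(0.5)
                    data = conn.recv(64)  # sample of what the visitor sent, for the alert
                except OSError:
                    data = b""
            with self._lock:  # any connection at all is an alert
                self.alerts.append(Alert(time.time(), ip, port, self.name, data))

    def stop(self) -> None:
        self._stop.set()
        if self._thread is not None:
            self._thread.join(timeout=2)
        if self._sock is not None:
            self._sock.close()

    def wait_for_alerts(self, count: int, timeout: float = 2.0) -> list:
        """Block until `count` alerts are recorded or `timeout` elapses; return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.01)
        with self._lock:
            return list(self.alerts)


def format_alert(alert: Alert) -> str:
    """Render one alert as a log line for a console or SIEM (format is this example's own)."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(alert.timestamp))
    return (f"{ts}Z CANARY service={alert.service} "
            f"src={alert.source_ip}:{alert.source_port} first_bytes={alert.first_bytes[:16]!r}")


def probe(host: str, port: int, payload: bytes = b"") -> bytes:
    """Stand-in for a scanner touching the canary: send `payload`, return the banner."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)
        return s.recv(256)


if __name__ == "__main__":
    # Constructed demo: one fake SSH daemon; a single probe yields exactly one alert.
    svc = CanaryService("ssh", b"SSH-2.0-OpenSSH_7.9\r\n")
    port = svc.start()
    probe("127.0.0.1", port, b"SSH-2.0-scanner\r\n")
    for a in svc.wait_for_alerts(1):
        print(format_alert(a))
    svc.stop()
```

Running several `CanaryService` instances with different names and banners gives the "personality" effect described in the article; the detection logic stays the same because the signal is the connection itself, not anything clever about its contents.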

Iran Claims it Thwarted US Cyber Attack on Its Oil Ministry

Reuters reports on Iran claiming to have thwarted a US cyber attack on its oil ministry:

Speaking at a cyber crime forum in Tehran on Tuesday, the head of Iran’s Cyber Police (FATA), Brigadier General Seyed Kamal Hadianfar, announced that the Cyber Attacks Emergency Center had defended the oil ministry against hackers. The alleged attack took place during a four-day holiday on March 21-24.

“These hackers were from the US,” Hadianfar said, as cited by FARS news agency. “The IP address for these hackers was in America.”

The chief of cyber police said that Tehran had already informed Washington via an official letter and issued an “international judicial order” as FATA passed the issue to the foreign ministry.

FATA discovers, identifies and solves some 90 percent of Internet crimes committed against Iran, Iran’s Interior Minister Abdolreza Rahmani Fazli said speaking at the same event. “Iran has had a low number of cyber crimes as compared to other countries despite the presence of over 46 million Internet users in the country,” the minister added.

The cyber standoff between Iran and the US has been widely reported over recent years. Both the US and Tehran have accused each other of cybercrimes aimed at strategic sectors of the government and the economy.

FireEye’s Losses Are Why it Dominates Cyber Security Space

Jim Cramer on the peculiarity of why FireEye’s losses are helping it dominate the cyber security space:

But DeWalt responded two ways. First, he asked me to examine the cash flow which, while still negative, had managed to get better over the last couple of quarters.

Second, though, he said that he needed to spend more to meet the demand, the demand that comes from the almost daily hacks, like the one that big Blue Cross Blue Shield outfit, CareFirst, just experienced, where FireEye was called in to find out what the heck was going on. Like the Sony (SNE), Home Depot (HD) and Target (TGT) hacks, where only FireEye seems to have the forensic technology to get to the bottom of the hack quickly.

Plus, the company isn’t just in the forensics business. It’s in the threat prevention game, too, and in order to be a dominant player in that end, you have to spend a ton of money and get the right, trustworthy people working for the company. These people are expensive and they don’t grow on trees.

He then explained that it took 18 months to get certified by the Department of Homeland Security to offer the highest level of liability protection available under current law. Or, in English, if you hire FireEye to protect you from cyber attacks you are indemnified by the government for losses, part of a strategy to force companies to take cyber attacks seriously.

It’s amazing that any company needs a carrot like that to protect themselves from lawsuits, but hiring FireEye does the trick even though, as you can imagine, getting the certification cost FireEye a lot of money and time.

FireEye, and Dave DeWalt in particular, are in this for one reason and only one reason: acquisition. They are hoping a larger company like Cisco acquires them, just as Dave DeWalt did with McAfee and its acquisition by Intel. This explains why they can spend so much without fear, because they know someone out there will acquire them at a huge premium thanks to their mind-share and stature in the cyber security business.

Disclaimer: I work for Intel Security, a FireEye competitor.

PGP Creator Phil Zimmermann Moves to Switzerland to Escape Government Interference on Cryptography Research

Patrick Howell O’Neill of The Daily Dot on Phil Zimmermann, the creator of the infamous Pretty Good Privacy, moving to Switzerland to escape US government interference in cryptography research:

Zimmermann, 61, created PGP (Pretty Good Privacy, the most popular email encryption software ever made), founded the mobile encryption firm Silent Circle, and developed numerous other cutting-edge encryption technologies. He has been a pioneer in the privacy and surveillance communities for decades.

“Every dystopian society has excessive surveillance, but now we see even western democracies like the US and England moving that way,” Zimmermann told the Guardian. “We have to roll this back. People who are not suspected of committing crimes should not have information collected and stored in a database. We don’t want to become like North Korea.”

The US needs to tread carefully here, otherwise the country risks losing top intellectual minds in important areas like cryptography, if it truly intends to follow through with some of these dangerous ideas.

Twitter Has Held Acquisition Talks with Flipboard

Kara Swisher of re/code on recent acquisition discussions between Twitter and Flipboard:

Twitter has been engaged in an ongoing series of talks to acquire Flipboard, according to multiple sources with knowledge of the situation, in an all-stock deal that would value the company at over $1 billion.

Those discussions, which have been pushed by Twitter CFO Anthony Noto, have been taking place since the beginning of the year, said sources, as the social communications giant has faced increasing pressure from Wall Street to grow its audience and innovate its products. But despite a flurry of activity more recently, sources said these talks between Twitter and Flipboard — who are partners on a number of different fronts — seem to be currently stalled.

Still, the concept behind the acquisition is intriguing on all kinds of levels. For Twitter, it would bring an experienced product team — headed by well-known Silicon Valley entrepreneur Mike McCue — to the company.

I love Twitter and love Zite – which was recently acquired by Flipboard – so it will be interesting if this marriage is consummated, and if so, what will become of it.

Twitter desperately needs solid leadership who understands the company, actually drinks their own kool-aid, and is capable of coming up with inventive means of monetizing the platform. It would also be nice to have a Twitter management team who comprehends the importance of third-party developers and tools, who will help push Twitter in areas the company never thought to go.

Attackers Using Email Spam to Infect Point-of-Sale Terminals with New Malware

Lucian Constantin of PCWorld on attackers using email spam to infect point-of-sale terminals with new malware in what is quickly becoming a primary focus area for exploitation by criminals leveraging cyber for illicit activities:

The emails had fake resumes attached that were actually Word documents with an embedded malicious macro. If allowed to run, the macro installed a program that downloaded additional malware from a remote server.

Among those additional programs, the FireEye researchers identified a new memory-scraping malware threat that steals payment card data from PoS terminals. They’ve dubbed the new threat NitlovePOS.

PoS malware has become commonplace over the past few years and has led to some of the largest credit card breaches to date. This kind of malicious program was used to steal 56 million payment card records from Home Depot last year and 40 million from Target in late 2013.

Once they are installed on PoS terminals, these programs scan the system’s memory for card data while it’s being passed from the card reader to the specialized merchant application—hence the term “memory-scraping.” Criminals can use the stolen data to create fraudulent copies of the compromised cards.

Attackers typically infect PoS systems with malware by using stolen or easy-to-guess remote access credentials. Another method is to first compromise other computers on the same network as the terminals and then to attack them.

However, it’s unusual to see PoS malware distributed through spam, like in the case of NitlovePOS, especially as part of a larger, indiscriminate campaign. This suggests that cybercriminals seek to exploit cases where employees use Windows-based PoS terminals to check their email or perform other risky activities.
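The delivery vector in this story is the oldest one in the book: a "resume" that is really an Office document carrying a VBA macro. A mail gateway or attachment scanner can flag that lure before it reaches a terminal, because modern Office files are zip containers and a macro project lives in a part named `vbaProject.bin`. The checker below is an added example written for this page, not code from PCWorld or FireEye, and it works on the container rather than the file extension, since a renamed `.docx` can still carry a macro project. The sample documents are constructed in memory (zip skeletons, not real Word files) so it runs offline; legacy binary `.doc` files are a separate OLE format this check does not cover.

```python
"""Flag e-mail attachments that are Office documents carrying VBA macros.

Added example, not from the article or FireEye's research. OOXML files
(.docx/.docm/.xlsx/...) are zip archives; a VBA project is stored in a part
ending in vbaProject.bin (under word/, xl/ or ppt/). The sample files below are
constructed zip skeletons, not real documents.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"
OOXML_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def has_vba_project(data: bytes) -> bool:
    """Return True if `data` is a zip/OOXML container with a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container: legacy OLE .doc, or not an Office file at all.
        # Those need an OLE parser, which this example deliberately leaves out.
        return False


def assess_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'macro-document', 'office-document' or 'other'.

    The container is inspected first, so a macro project is caught even when the
    file is named .docx to look harmless.
    """
    if has_vba_project(data):
        return "macro-document"  # quarantine / alert candidate
    if filename.lower().endswith(OOXML_EXTENSIONS):
        return "office-document"
    return "other"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: a clean resume, a macro-bearing one named like it, and a text file.
    for name, blob in [("resume.docx", build_sample(False)),
                       ("resume.docx", build_sample(True)),
                       ("notes.txt", b"plain text")]:
        print(f"{name}: {assess_attachment(name, blob)}")
```

In a gateway, "macro-document" is the class you hold or strip for anything that does not come from a sender who is expected to ship macros; the article's point that PoS terminals should never be reading e-mail at all still stands, and this check is a compensating control rather than a substitute for that segmentation.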

Copyright © 2015, Scott Jarkoff, & all respective content owners.