Our Heads in the Sand

In class, we’ve heard about the ‘bad things’ people are doing to computer networks with malware, viruses and other cyber-attacks in the news.  These attacks make national news because some hacker stole millions of customer records that may contain private data.

You have no idea what monsters lurk among us.  This elusive monster is the child sexual predator.  Their arrest for possession or distribution of child pornography rarely makes national news.  We pretend it’s a small problem committed by statistical outliers when the local news reports their arrest.

How can these monsters lurk about and victimize children?  Think about the tools used for depraved purposes: cellphones, laptops, the Tor network and the Dark Web.  It’s everything these animals need to distribute their images.  Technology, globalization, encryption and the Dark Web have enabled these monsters to thrive; a child predator can encrypt and post images of victims around the world in seconds using peer-to-peer networks.  Thanks Tor – you keep telling us how important encryption is and how no one should be able to discover what you’re sending across the internet.

According to the Tor Project website, on a page describing how people use Tor:

  • They protect their children online. You’ve told your kids they shouldn’t share personally identifying information online, but they may be sharing their location simply by not concealing their IP address. Increasingly, IP addresses can be literally mapped to a city or even street location, and can reveal other information about how you are connecting to the Internet. In the United States, the government is pushing to make this mapping increasingly precise.

I didn’t see one sentence about combating the pedophilia scourge.  Let’s just pretend that Tor hasn’t been responsible for literally millions of exploited images being transmitted globally as academics and others hail Tor’s success because they allow oppressed people to get the word out about brutal dictatorships.  How often does that happen?

In a posting to the agency’s website titled “The Scourge of Child Pornography,” the FBI states that many of the people who engage in the production and distribution of child pornography come from all walks of life and most don’t even have a criminal history.   Many of the crimes are carried out on the “dark web,” using Tor – a browser which allows users to remain anonymous.

Among the eye-opening statistics shared, a Department of Justice 2016 report shows one website on the Dark Web hosted 1.3 million images depicting children subjected to violent sexual abuse.

The producers and consumers of child pornography operate in the shadows, and anonymous Internet networks such as Tor often allow them to carry out their illicit activities without fear of being unmasked and caught. Below is a glimpse of the enormity of the problem (compiled in a 2016 report to Congress by the Department of Justice called The National Strategy for Child Exploitation Prevention and Interdiction):

  • The FBI’s analysis of one particularly egregious website on Tor found that it hosted approximately 1.3 million images depicting children subjected to violent sexual abuse. Analysis of these specific files identified at least 73 new victims previously unknown to law enforcement.
  • NCMEC estimated that more than 26 million sexual abuse images and videos were reviewed by their analysts in 2015. Additionally, NCMEC reported that since 2002, more than 10,500 victims depicted in child pornography have been located and identified by law enforcement. According to NCMEC, 4.4 million CyberTipline reports were submitted in 2015.
  • Between 2011 and 2014, researchers from the University of Massachusetts-Amherst looked at five of the most common peer to peer (P2P) networks used to trade child pornography. They estimated that three in 10,000 Internet users on these five P2P networks worldwide were sharing known child pornography in a given month. They also estimated there were 840,000 worldwide unique installations per month of P2P programs sharing child pornography, thus indicating a significant volume of new devices trading confirmed child pornography that connected to at least one of the P2P networks analyzed for the first time.
  • An FBI investigation of a single website hosted on Tor had approximately 200,000 registered users and 100,000 individuals had accessed the site during a 12-day period.

These monsters lurk locally.  In a recent press release issued by the Chester County District Attorney’s Office, District Attorney Thomas Hogan discussed his Office’s resources and statistics: the Chester County District Attorney’s Office maintains a Computer Forensics Unit (the “CFU”) to deal with digital evidence.  The CFU was created in 2003.  The CFU processes electronic devices for all 46 police agencies in Chester County, and handles all electronic evidence for the District Attorney’s Office.  From 19 jobs handled in 2003 through 331 jobs in 2017, the CFU has dealt with an ever-expanding case load.

Chester County District Attorney Hogan stated, “Computer forensics is a growing and vital field for law enforcement.  Whether we are investigating drug dealing, child pornography, white collar fraud, or violent crimes, the ability to retrieve and interpret electronic data is crucial.  We are lucky to have such resources available in Chester County.”

The CFU is housed in a special computer forensics lab in the Chester County Justice Center.  Such a lab requires sophisticated computer hardware and software, electronic storage capacity, and a climate-controlled environment.  The Chester County Commissioners authorized the construction of the new lab in 2014.

The explosive growth in the field of computer forensics can be seen in the total number of jobs and devices handled by the CFU every year.  A job is considered a single case, which may include multiple devices to be examined.  For instance, one child pornography investigation will be shown as one “job,” but may involve the examination of three computers and four phones, meaning one job with seven devices.  The following charts show the tremendous increase in work done by the CFU in criminal cases:

(Charts not reproduced here.)

Source: Chester County District Attorney Thomas Hogan press release dated March 1, 2018, “Computer Forensic Investigations Explode for Chester County Law Enforcement.”





I recently watched a Tom Clancy-based film called ‘Jack Ryan: Shadow Recruit’ starring Chris Pine, who portrays a CIA operative trying to disrupt a sinister Russian plot to attack the US and crush the US economy.  There’s a scene in the movie in which the character Ryan sneaks into a high-security area (snicker) and plugs a device into an electrical outlet.  The device then infiltrates the air-gapped target computer and Ryan is able to get the incriminating data and understand the plot against the US.  I remember thinking to myself – that’s probably not very realistic.   I have to rethink that thought process.

I reviewed cyber related news this morning and saw an article on ‘The Hacker News’ that has me changing my mind.  ‘Hacker can Steal Data from Air-Gapped Computers Through Power Lines’ by Swati Khandelwal caught my attention.

According to Khandelwal, researchers from Israel’s Ben Gurion University of the Negev—who majorly focus on finding clever ways to exfiltrate data from an isolated or air-gapped computer—have now shown how fluctuations in the current flow “propagated through the power lines” could be used to covertly steal highly sensitive data.

This is fascinating.  Especially since Khandelwal also notes that researchers from this same university have previously demonstrated various out-of-band communication methods to steal data from a compromised air-gapped computer using light, sound, heat, electromagnetic and ultrasonic waves.

A simple security technique to protect classified information is to air-gap a computer to avoid infiltration by hackers via the internet.   The problem in this attack is two-fold: you need to get a device near the air-gapped computer and then you have to actually exfiltrate the data.  These are significant problems to overcome, but who knows what the near future holds.

This is actually a malware attack called PowerHammer.  Rather than try to abbreviate the attack and technical details in my own words, here is the Abstract of the research paper describing the attack:

“Abstract—In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a ‘conducted emission’. We present two versions of the attack. Line level power-hammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.”

This paper was literally just published and is linked below if you’d like to learn more. In the near future, air-gapped computers will likely be at risk – if they already aren’t.
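The abstract above says the malware shapes power draw by deliberately regulating CPU utilization. One defensive angle that follows from that, added here as an example and not taken from the paper or from The Hacker News article, is a host-side heuristic: sample CPU utilization over time and flag a series whose power is concentrated in a single periodic component, which is what a process toggling the CPU on and off at a fixed rate produces and what ordinary bursty workloads normally do not. The utilization series below are constructed, the threshold is an assumption to be tuned per host, and the spectrum is computed with a plain DFT so the block runs without numpy.

```python
import math
import random

# Host-side heuristic (my addition, not one of the paper's countermeasures):
# a process that deliberately toggles CPU load to modulate power draw yields a
# utilization series with an unusually strong single periodic component.
SUSPICION_THRESHOLD = 0.4   # fraction of AC power in one frequency bin; assumed, tune per host


def periodic_energy_fraction(samples):
    """Fraction of the mean-removed signal power carried by the single strongest
    one-sided DFT bin (white noise scores a few percent; a clean square wave ~0.85)."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    total = sum(v * v for v in x)
    if total == 0.0:
        return 0.0
    best = 0.0
    for k in range(1, n // 2 + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        # Parseval: sum over all bins of |X_k|^2 / n equals total. Bins k and n-k
        # mirror each other, so a one-sided bin carries 2|X_k|^2/n (the Nyquist
        # bin, when n is even, has no mirror and is counted once).
        weight = 1 if 2 * k == n else 2
        best = max(best, weight * (re * re + im * im) / n)
    return min(1.0, best / total)


def is_suspicious(samples, threshold=SUSPICION_THRESHOLD):
    """True when one frequency dominates the utilization series."""
    return periodic_energy_fraction(samples) >= threshold


def benign_load(n, rng):
    """Constructed sample: a mostly idle host with jitter and occasional random bursts."""
    out = []
    for _ in range(n):
        v = 10.0 + rng.gauss(0.0, 3.0)
        if rng.random() < 0.05:
            v += rng.uniform(20.0, 60.0)
        out.append(max(0.0, min(100.0, v)))
    return out


def carrier_load(n, rng, period=8):
    """Constructed sample: a process pinning the CPU on and off at a fixed period,
    the kind of regulated utilization the abstract describes (no data is encoded)."""
    half = period // 2
    return [
        max(0.0, min(100.0, (95.0 if (t // half) % 2 == 0 else 5.0) + rng.gauss(0.0, 3.0)))
        for t in range(n)
    ]


def demo(n=256, seed=7):
    """Score both constructed series and return the fractions and verdicts."""
    rng = random.Random(seed)
    benign = benign_load(n, rng)
    carrier = carrier_load(n, rng)
    return {
        "benign_fraction": periodic_energy_fraction(benign),
        "benign_flagged": is_suspicious(benign),
        "carrier_fraction": periodic_energy_fraction(carrier),
        "carrier_flagged": is_suspicious(carrier),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caveat a practitioner would raise: legitimate periodic jobs (a scheduler firing every few seconds, a polling agent) will also score high, so a detector like this belongs beside process attribution and power-line filtering rather than on its own.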




Fake News:  What Happened to Our News?

I lived and spent my adolescent years on my Grandfather’s dairy and vegetable farm in Northeastern Pennsylvania.  Notwithstanding the work ethic I learned, I learned many life lessons that I reflect upon today when memories are triggered.  Discussions of ‘fake news’ trigger such a memory for me.

There was no concept of fake news on a dairy farm in those days.  There was no 24-hour news channel, no Facebook, and no cable in rural America.   You either watched one of three broadcast channels to get your news or you read a newspaper (we also talked to our neighbors).  That’s how you got your news – and it was a family event that coincided with dinner (dinner was called supper in that house).  After supper, we all relaxed before the night milking and learned about what was happening in the world.

It was quality news.  News stories were presented, by the likes of Walter Cronkite, from a neutral perspective.  You were given the best facts they had.  After the news ended, we’d go to the barn and spend the next three hours milking cows.   During that time, a common point of discussion was the news we saw.  We had to figure out for ourselves how the news affected us and we had to form our own opinions about it.  No one told us how we were supposed to feel about a news story – you had to decide for yourself.  The idea of selecting a news channel based on your political affiliation wasn’t born yet.  You didn’t choose a news channel based on your political bias, you chose the channel to watch based on how good the reception was.  Going outside to turn the antenna was a normal chore.

Times have changed quickly.  For example, here at West Chester University the news on all the televisions is CNN, which has a political bias in a specific direction.  Interestingly, although both CNN and Fox News channels are available, someone at the University makes the news channel selection on our behalf.  I hope it’s a janitor.  Maybe we should turn all ‘news’ channels off, except for the University TV channel – our Communications majors use that for practice.

I stopped watching all news because it’s become a hurtful political propaganda machine designed to attack people who do not align with each other’s political perspective.   Are we being cowed by the Billionaire Media Moguls with political agendas – or are they just capitalizing on a business need; do Americans want to be presented news based on how they align politically?  Seems like we are being presented news that we agree with and minimize the perspectives of the ‘other’ side.  Sounds dangerous.

I miss the old news – good old-fashioned Old-School reporting of events from a neutral perspective.  I trusted it – a feeling I haven’t experienced in several years and don’t expect to feel again – possibly ever.  I fear most news has become so biased that it should be considered ‘Fake News’.








The Basic Bitcoin Eclipse Attack

The goal of the attack is to manipulate the peer-to-peer network so that the victim node is obscured from the network because the attacker controls the traffic going to and from the victim node. The attacker would then try a double-spend attack and prevent the victim from getting information back about the bitcoin transaction.  The attacker could also co-opt the victim’s mining resources or engage in selfish mining.

The Eclipse Attack depends on filling the ‘tried’ and ‘new’ tables of the victim node with information pushed onto it by the attacker.  The attacker takes advantage of the Bitcoin eviction discipline, which allows the attacker to send the victim node fresher IP addresses than what is currently stored in the ‘tried’ table.  The discipline forces the ‘tried’ table to pop older, stale IP addresses as the victim node receives fresh connection information from the attacker, which is written into the ‘new’ table.

The attacker fills the target node with his information using ADDR messages, because nodes in the bitcoin network are designed to accept unsolicited ADDR messages and store the IP addresses in the ‘new’ table.  The problem is that these new addresses are not tested for connectivity and can be trash IP addresses that are not part of the bitcoin network.  The attacker simply keeps sending trash ADDR messages until he overloads the victim node’s ‘new’ table with unusable IP addresses.

The attack is completed when the node restarts and tries to connect to the Bitcoin network using the IP addresses stored in the ‘new’ and ‘tried’ tables.  Once the victim node restarts, it likely connects to the attacker IP addresses that were pushed onto the tables earlier, because the victim node defaults to IP addresses in the ‘tried’ table since the ‘new’ table is filled with trash IP addresses it cannot connect to. This attack requires the attacker to have access to blocks of IP addresses that can be pushed onto the tables before a restart occurs.

Once the victim node restarts and connects to the attacking node, the attacking node can then perform additional attacks such as the double-spend.  Since the victim node connections have been flooded by the attacker, it cannot connect to legitimate bitcoin nodes in the network, so it cannot receive information about the transaction and is therefore ‘Eclipsed’ from the network and vulnerable to additional attacks.
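To make the table mechanics above concrete, here is a toy simulation I added; it is not code from Bitcoin Core and the table sizes, the attacker's address counts and the "tried first" restart rule are simplifying assumptions that follow the description on this page rather than the real address manager. It plays the sequence described (honest peers in ‘tried’, attacker connections that evict them under the eviction discipline, an ADDR flood of trash into ‘new’, then a restart) and contrasts it with the test-before-evict countermeasure proposed in the 2015 eclipse-attack paper by Heilman, Kendler, Zohar and Goldberg: before an old ‘tried’ entry is evicted, the node probes it, and a peer that still answers is kept.

```python
import random
from dataclasses import dataclass, field

# Toy table sizes (assumption); Bitcoin Core's real tables hold thousands of
# entries and are bucketed by network group, which this model leaves out.
TRIED_SLOTS = 16
NEW_SLOTS = 64
OUTBOUND = 8


@dataclass(frozen=True)
class Addr:
    ip: str
    honest: bool      # belongs to the real network
    reachable: bool   # answers a connection attempt


@dataclass
class AddrMan:
    """Simplified address manager: 'tried' holds peers we have connected to,
    'new' holds untested addresses learned from unsolicited ADDR messages."""
    test_before_evict: bool = False
    tried: list = field(default_factory=list)   # oldest entry first
    new: list = field(default_factory=list)

    def learn(self, addr):
        """Unsolicited ADDR: stored untested in 'new'; the oldest entry is evicted when full."""
        if addr in self.new or addr in self.tried:
            return
        if len(self.new) >= NEW_SLOTS:
            self.new.pop(0)
        self.new.append(addr)

    def connected(self, addr):
        """A successful connection promotes the address into 'tried'. The eviction
        discipline from the page: the oldest entry makes way for the fresher one."""
        if addr in self.tried:
            return
        if len(self.tried) >= TRIED_SLOTS:
            oldest = self.tried[0]
            if self.test_before_evict and oldest.reachable:
                # Countermeasure: probe the old peer first; if it still answers,
                # keep it and park the newcomer in 'new' instead.
                self.learn(addr)
                return
            self.tried.pop(0)
        self.tried.append(addr)
        if addr in self.new:
            self.new.remove(addr)

    def restart(self, rng):
        """Pick outbound peers after a restart: 'tried' first (as the page describes),
        then 'new'; unreachable addresses simply fail to connect."""
        pool = list(self.tried)
        rng.shuffle(pool)
        spare = list(self.new)
        rng.shuffle(spare)
        peers = []
        for addr in pool + spare:
            if len(peers) == OUTBOUND:
                break
            if addr.reachable:
                peers.append(addr)
        return peers


def run_scenario(test_before_evict, seed=1):
    """Return (honest outbound peers, total outbound peers) after the attack and a restart."""
    rng = random.Random(seed)
    node = AddrMan(test_before_evict=test_before_evict)
    # Constructed addresses from private and documentation ranges, not real hosts.
    for i in range(1, TRIED_SLOTS + 1):      # honest peers the victim already knows
        node.connected(Addr(f"10.0.0.{i}", honest=True, reachable=True))
    for i in range(1, 41):                   # attacker connects from many fresh IPs
        node.connected(Addr(f"192.0.2.{i}", honest=False, reachable=True))
    for i in range(200):                     # ADDR flood of addresses nobody answers
        node.learn(Addr(f"203.0.113.{i}", honest=False, reachable=False))
    peers = node.restart(rng)
    return sum(1 for p in peers if p.honest), len(peers)


if __name__ == "__main__":
    print("plain eviction      (honest, total):", run_scenario(False))
    print("test-before-evict   (honest, total):", run_scenario(True))
```

With plain eviction the victim comes back up with every outbound slot filled by attacker addresses; with test-before-evict the honest entries survive because they still answer the probe, and the attacker's addresses are left in ‘new’ where the trash flood later pushes them out. The real defenses also include more outbound connections and random selection between the two tables, which this model does not show.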

Facebook and Privacy – The Price of Free

I’ve had a Facebook account for a long time.  There was a time when Facebook was a fantastic tool to let your friends and family know what’s going on in life.  I’m not a good Facebook friend though – I tended not to respond to the posts of others; rather, I’d click the obligatory like since it only took a moment to acknowledge their posts.   It was much easier to post something to Facebook with a photo rather than call, email or text.  It was so convenient – and free.

I’m writing in the past tense because I dumped Facebook.  I stopped posting on Facebook last year because Facebook was spreading people’s bombastic vitriol by placing it in my news feed.   I was also bombarded with ads; everyone in the world was trying to sell me something or was trying to get me to agree with their political views.  The convenience of Facebook disappeared.  Truthfully, it’s just easier to NOT use Facebook than to read the social, political and personal opinions my friends and family felt they needed to ‘share with the world’ and in my feed.

In short order, we’ve gone from a country of citizens concerned about our online privacy to 214 million Facebook users, in January 2018, vying for online attention by telling the data economy and scraping engines entirely too much information about ourselves, our family and our pets too.  Everyone is contributing to the huge new world of social white noise trying to be heard and have their say – be it nasty or nice.  When did we become so needy?

I gawk at our willingness to be ‘bought’ by a free service.  Not too long ago, citizens were up in arms at the prospect of the U.S. Government gathering our online information and using that data to spy on us.  (People give the Government way too much credit.)  While they were looking at Washington, D.C. as ‘Big Brother’, companies in Seattle and San Francisco were executing on plans to gather vast amounts of user data to monetize and scale the large social networks they gave away to people to use for ‘free’.  They have become an ‘Even Bigger Brother’.   Yet we ignore what’s happening.  Silly sheeple; complaining about the government and privacy when you have the apps of the largest offenders in the data economy installed on the phone you carry around with you everywhere, every day – because it’s free.

Facebook happily thanks you though – to them your data privacy is worth $16.  A good trade as far as they’re concerned.  They love that you click on the multitude of highly personalized ads they display in your home feed.   Have you ever wondered why the ads they present you seem so pertinent to you or your recent online searches?  They couldn’t care less that you may be offending your family and friends with your social, political and personal posts.  Just come back every day to check your feed and see their ads.

We’ve lost our minds with the amount of personal information we intentionally feed the data economy.  The Government has nothing like the dossier that Facebook and others have on you.  We have become our own worst enemies in the data privacy world — and will continue to do so, because Facebook is still free.







Is Panera Bread soon to be known as Panera Breach?

Krebs on Security broke the story a couple of days ago about a data breach that occurred through the Panera Bread website.  Panera is alleged to have leaked customer data through an online ordering app at the website, panerabread.com.   Apparently, when a customer created an account to order food online, the customer information was stored in plain text and accessible by anyone.

Interestingly, Krebs provides an email sent to Panera’s Director of Information Security Mike Gustavison from a security researcher who discovered the problem on August 2, 2017.  Gustavison’s initial reaction to the researcher’s notification was a scolding and curt response:

“My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty, or listen to a sales pitch.”

The complete email chain is published on Dylan Houlihan’s blog.   Houlihan discovered and immediately reported the vulnerability.  Viewing the email chain is a wonderful exercise in ‘How NOT to handle a security researcher reporting a security breach to your company.’  Do you think anyone responsible for cyber security at Panera, which does $5B in sales annually with millions of customers, would take 5 minutes to at least look? Mishandled.

Immediately a disparity between Krebs and Panera became apparent over the number of customers affected.   According to Panera, the number stands at 10,000, but Krebs and his sources place the number in the millions.  I suspect both numbers will moderate toward a middle number somewhere, but here’s the biggest problem I see so far – there’s no mention of the breach on the Panera website.

I take issue with Panera’s handling of the incident so far: ethical transparency and the SEC.  Why can’t Panera issue a statement on their website acknowledging the issue, the mistakes they made and the fix they completed?  Fortunately for them, Panera is a private company and not subject to the Securities and Exchange Commission and shareholder notifications.  They’re just not very transparent.






Netflix Public Bug Bounty

Netflix announced a bug bounty program for their website, mobile apps and about a dozen other web properties this week offering rewards between $100 and $15,000 for each discovered vulnerability.

Bug Bounties are nothing new to Netflix – but you wouldn’t know it because Netflix has been engaged in an invite-only private bug bounty program for the last five years and recognizes bug hunters in a “Hall of Fame” menu which is a nice touch. Netflix launched the Responsible Vulnerability Disclosure program privately in 2013 and decided the experience was productive.  As a result, they opened the program publicly this month on the Bugcrowd platform.   Acknowledging the bug hunters involved in the private program is a positive message to the community that the company is highly engaged in the cyber security realm.

The bug-busting invitees come from Bugcrowd’s top 100 ranked bug hunters.  The bug hunters submitted 275 bugs of which 145 were determined to be valid. This seems like a low bug total and may be attributable to the engineering culture of ownership and security at Netflix.

There are strict guidelines posted on Bugcrowd.  The authorized cyber-targets are clearly explained there, as are the targets that are off-limits.  They also explain a few caveats in testing: you must hack against your own account, and if you reach an unauthorized area or discover private information when attacking, you must stop immediately and submit a bug report.

The bounty matrix is clearly described in Bugcrowd with the highest bounties of $15,000 focused on the Netflix API and netflix.com.





Under Armour Under Attack

Under Armour revealed that the company’s popular MyFitnessPal app had been hacked last week and began notifying customers on Thursday.  The stolen data includes user names, email addresses and scrambled passwords, but the company added that Social Security numbers, driver’s license information and payment card data were safe.

The press release states that 150 million accounts were affected.

Why I’m writing this article:  Companies experiencing significant data breaches have been releasing minimalistic press releases and hoping that the news media doesn’t notice the fact that a data breach affecting millions of people occurred.   Companies are not conspicuously posting notice of the breach on their website.  Wonder why?   Because there’s no requirement to conspicuously post it on the company home page.

The only reason we discover a data breach even occurred at a publicly traded company is thanks to the Securities and Exchange Commission – the SEC.  The SEC requires a publicly traded company to make financial notifications that may affect investors.  Failure to do so could be a criminal violation, but certainly is a regulatory violation.

Under Armour posted the data breach information on their investor relations page because it must be there – a shareholder notification was required – I don’t get a feeling that they posted it there for the sake of corporate transparency.  Data breaches should be regulated and there should be a reporting requirement that includes a conspicuously posted notice on the home page of a company website.

The scarlet ‘B’…




Financial Fallout from Cyber Attacks: Merck Pharmaceuticals.

I discovered an article on Databreachtoday.com that immediately grabbed my attention: “The Financial Fallout of Data Breaches”.  I’ve researched the costs of breaches recently, but most estimates seem to offer an average cost perspective on breaches.  The Databreachtoday.com article was different because it gave a specific cost that a large corporation with local presence incurred because of the NotPetya ransomware attacks in 2017.  That company is Merck Pharmaceuticals.

It’s important to understand that notwithstanding the reputational cost associated with the attack itself, Merck also incurred losses related to IT infrastructure, drug sales, drug manufacturing and research, and drug inventories.   But it doesn’t stop there.  There are additional legal and regulatory costs after the Federal and State governments investigate and assess fines in the future.  Then there are costs, to be determined later, resulting from lawsuits from other companies or people harmed by Merck because of the breach.

I apologize for copying and pasting the relevant section from Merck’s recent Annual Report, but it’s so succinct in its legalese explanation of how much the attack cost the company.

Merck’s Annual Report, Form 10-K, revealed that: “On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. All of the Company’s manufacturing sites are now operational, manufacturing active pharmaceutical ingredient (API), formulating, packaging and shipping product. The Company’s external manufacturing was not impacted. Throughout this time, Merck continued to fulfill orders and ship product. Due to the cyber-attack, as anticipated, the Company was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million. In addition, the Company recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, in Materials and Production costs, as well as expenses related to remediation efforts in Marketing and Administrative expenses and Research and Development expenses, which aggregated $285 million in 2017, net of insurance recoveries of approximately $45 million. Due to a residual backlog of orders, the Company anticipates that in 2018 sales will be unfavorably affected in certain markets by approximately $200 million from the cyber-attack. Merck does not expect a significant impairment to the value of intangible assets related to marketed products or inventories as a result of the cyber-attack.”

Lastly, Merck indicated that it is engaging in an ‘enterprise wide’ effort to improve its resiliency against future attacks and improve the speed at which they can recover in the future.  That cost will likely be detailed in next year’s Annual Report.

My math puts the cost at $745M and still counting.






Orbitz – Your Trip to Cybervictimville is Booked!

Travel company Orbitz announced a security breach that compromised over 880,000 customer accounts over a two-year period from January 2016 – December 2017.   Orbitz is a travel and vacation package aggregator and direct competitor of Priceline.

According to Expedia, who owns Orbitz, “Criminals had access to Orbitz consumer and business partner platforms, but not the Orbitz.com website. The consumer side of the Orbitz business platform was open to attack during the first half of 2016, while the partner platform was open to attack between Jan. 1, 2016 and Dec. 22, 2017.”

According to the press release, the breach allowed attackers to steal names, dates of birth, billing addresses and email addresses.  Expedia was clear to apologize but added that there was evidence that the data was actually stolen; I would love to have Expedia explain to me how they arrived at that conclusion (hackers apparently just like to look at data for two years).  There was no mention of whether passwords were also stolen.  Expedia explained that the attack targeted third-party vendors and not the Orbitz website.

Financially, this will likely have a negative impact on the valuation of parent company Expedia whose stock price has underperformed in the past year.  Not only is the breach a reputational hit, it’s an unplanned expenditure of millions of dollars for the 880,000 customers who accept Expedia’s offer for credit monitoring because of the breach.  I wonder if Expedia will contract with Experian to perform the monitoring service?

From a prevention perspective, it’s important to use unique passwords for each web property you interact with – Never reuse passwords! The lesson here is that if a hacker acquired your reused password at Orbitz, he/she would have it for other sites as well.

For Orbitz, the key takeaway is to be vigilant about your third-party vendors and their networks – especially their legacy systems.  The days of making your vendors demonstrate the security of their networks are here.

What I find most interesting is that American Express also revealed a breach recently, blaming a third-party vendor just as Orbitz has done.   Neither company has identified the third-party vendor.