News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal  in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz .

The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to Virus Total, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the anti virus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.

HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.   *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York require financial institution administrators to use two factor authentication.  Source BBC .

U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that the U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, it apparently does.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it. Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe and the companies actively support that.  The U.S. government has less direct incentives although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that Cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.

Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above —

BGP hijacking has become a well honed art form by China (and others).  BGP, the preferred routing protocol of all ISPs and many large companies, has no security in it and anyone can”advertise” that they own an IP address block with no current way to stop them.  After the fact – when the owner is down – it can recover from it.  If the attacker is stealthy, they capture the traffic and, after a really small delay, send it on its way.  They now own a copy of the traffic which they can try and decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.   Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.

This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today. —

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.

by