Year: 2018

James Comey: FBI Faces Deep Tech-Related Questions

LAS VEGAS – The American law enforcement system is facing a crisis of identity in the face of technology advancement, with cloud migration and automated systems, data privacy and encryption all remaining central issues for the FBI as it considers its mandate and role in the modern digital age.

Speaking at the OpenText ENFUSE 2018 conference, former FBI Director James Comey began by noting that the bureau in general is trying to strike the right balance between which investigative measures should be left to technology platforms and which should remain under the purview of humans.

“To me, there’s a little too much of the human involved,” he said.

Using the example of the FBI investigation into Hillary Rodham Clinton’s email practices while she was Secretary of State, he said that the task of sifting through millions of messages became a main challenge for the investigative team.

“The team for instance said there’s no way we can complete the review of the tens of thousands of messages on Anthony Weiner’s laptop before the election, because we didn’t have de-dupe software for the classified network – we only had it for the unclassified network.”

As a result, the FBI’s technical resources flew into action, racing against the clock to create a classified de-dupe tool as time wound down. Eventually, it was put into place, which whittled the number of emails down to 6,000 that had to be read individually by human eyes.

“That challenge was front and center,” he said.

The problem is that the FBI, like other government entities, is wrestling with the need to move to having a unified platform in the cloud for information access. In the FBI’s case, as with other intelligence agencies, that cloud will need to accommodate different levels of classification, and different stakeholders.

“The central challenge is that we share so much info with each other that we overwhelm each other,” he said. “We need software tools to exploit that data, and to tag and categorize data [to make it useful]. We also need to be able to flag insider threats and control access.”

For instance, the bureau needs to be able to make use of what he called “digital dust.” That dust can be an invaluable tool, as it was in the arrest of the Golden Gate killer, believed responsible for 12 homicides and 45 rapes decades ago. He was recently caught when his 30-year-old DNA was run against a genealogy database.

“It’s fair to say we live in a golden age of surveillance in a very real sense,” he said. “We are all building digital models and replicas of ourselves, and through the richness of that dust the courts can reconstruct who I am.”

However, he also said that despite the deep fears of some Americans that their government can access absolutely everything about them through a web of far-reaching digital surveillance (as famously outlined by Edward Snowden), the reality is that inappropriate tracking is not on the docket.

“There’s a sense of frustration inside the FBI to be honest,” he said. “The public believes that we have all of these surveillance tools, when social media giants know far more about you than we do, with no regulation. This brings up questions around the frameworks we have in place for the use of government authority, which are increasingly outdated. When the single largest collector of information actually isn’t the government, how do we feel about that, as a country?”

On a related topic, he noted that strong encryption tactics — which are at the heart of an impassioned debate begun by privacy advocates — are putting law enforcement at a disadvantage, with “wide swathes of American life off-limits to judicial authority.”

Echoing the sentiments of current FBI Director Christopher Wray and others, he elaborated on the charge he made in his recent book that encryption is the hardest challenge that the FBI faces at the moment, amounting to no less than an existential question.

“We all care about both sides of this debate; we all care deeply about the security of our lives, our children and communities, and we care about the security of our information. But [by restricting the purview of the Fourth Amendment], that becomes a different way to live,” he said.

The Fourth Amendment guarantees protection of individuals against “unreasonable searches and seizures,” but provides for the ability of law enforcement, with probable cause, to search the effects of a suspect. In this modern age, it has become a question as to whether that authority stretches to the digital realm. Comey added that real content is still king when it comes to securing convictions—actual pictures, messages and the like, not just the aforementioned digital dust that can be used for profiling.

“We’ve always agreed as a people that the government authorities, with appropriate oversight, can gain access to the information they need to determine [criminality],” he said. “We’re now moving to a place where both non-crooks and crooks can wall off communications, data and pictures – we’re drifting to that. And we shouldn’t drift. We need to be able to say either that this is okay, and weigh the costs and benefits, or if it’s not okay, what do we do about it.”

Comey finished his talk and Q&A by noting that Americans have a unique amount of dysfunction produced by technology, but that we hold a set of core values, no matter the current divisions politically, that will guide the country’s decisions on these and other questions going forward.

“I feel a sense of awakening,” he explained. “If you think of the American people as a bell curve with wings on either side of [political] nuts, the middle is what we call the sleeping American giant, and there lies the repository of our values. I feel that giant awakening. It wakes every couple of generations and creates an inflection point. And I think that’s happening again today.”

Ahead of GDPR, Information Governance Comes into Its Own

LAS VEGAS – In sharp contrast to a year ago, a full 98 percent of US enterprises in a survey from the Information Governance Institute have embarked on information governance (IG) projects. That’s dramatically up (to say the least): Just 10 percent last year had projects in place.

Why the staggering sea change? Bennett Borden, chief data scientist and chair for the information governance group at law firm Drinker, Biddle and Reath and chair at the IGI, told attendees at the OpenText ENFUSE 2018 conference that IG is finally beginning to be understood as a discrete practice area within businesses, largely driven by the looming General Data Protection Regulation (GDPR) and a heightened awareness of breaches and hacks (the latter is thanks to big cyber-incidents such as the Equifax breach).

“In terms of the major drivers for IG, the number one answer for the last six years has been external regulatory, compliance or legal obligations, which have come to the fore in the past year,” Borden said during a session here on Tuesday. “This year however cybersecurity is driving much of the IG focus too. There’s an awareness now that the more information you have, the more liability there is and the greater chance of a breach.”

In the IGI research, 48 percent said that they strongly agree that cybersecurity is essential to IG, and 37 percent simply “agree.” This data point is somewhat unsurprising given that 30 percent of respondents said they’ve suffered external attacks this year.

IG’s Definition Gains Clarity

The landscape has also shifted in the past year as data privacy has come to the forefront. There’s a growing awareness among consumers and businesses alike about how much information we create in our everyday lives, as we take actions and make decisions and effectuate them by digital means. That gives companies access to increasingly huge amounts of data – data that they don’t necessarily have control over. That creates big risk exposure in terms of the potential for data mishandling.

“We are the most documented members of our species,” Borden said. “Think about all of the data touches you have when you travel, from key cards for hotel rooms to the use of rewards cards to all of the apps that are supposed to make travel easier. It’s an amazing record of what we do as human beings.”

However, there’s a discipline that’s missing, “which is an overall strategy about the purposeful disposition and use of digital data,” Borden said.

Enter IG. Borden stressed that IG shouldn’t be conflated with information management, which concerns how data flows through an enterprise. IG, on the other hand, has to do with why we have the information in the first place and what we do with it.

IG projects include: defining and implementing a framework for how information is treated, and accordingly updating policies and procedures; audits and deletion of old and unneeded data; comprehensive legacy data cleanup; data loss prevention; implementation of legal hold tracking; and execution of big data analytics projects.

A full 41 percent in the IGI survey said that the definition of IG to mean projects like this has gained clarity in the last year.

“Almost every company is doing something around IG, with the updating of policies and procedures leading the way since that’s the easiest to tackle,” said Borden. “Companies are aware that they have too much data, and they don’t know what’s included or even where it is. You can’t solve that without policies and procedures. So most fall back on this to effectuate data strategy.”

Global data remediation projects involving getting rid of risky or useless info and organizing the data that’s left over is the second largest group of IG efforts, he added.

Balancing Interests

IG does face hurdles, not the least of which is the need to balance competing interests across divisions within the business.

“IG is fundamentally a coordinating and facilitating function,” Borden said. “Most companies don’t have a framework where you can elicit the perspective of each facet, balance the competing concerns and goals, develop a solution that fits the profile of the company, and then execute it.”

Functions like HR, product development, sales, marketing, legal and so on tend to have function-specific solutions that create and store information; and they also have different perspectives on what data should be used for.

“The marketing people’s job is to tell people about things, and they push info out all the time to garner more leads,” Borden said. “They want accurate and current information to be spread as widely as possible. But the security function’s job is to get the right information to the right people at the right time. Neither’s wrong, but there are conflicting lines of sight—so who wins?”

Organizations thus need to decide how to govern their information in a way that works for everyone.

Borden advocates a “corporate therapy” approach that involves asking a series of questions of each stakeholder: What are the business, regulatory and legal objectives? What information do I need to accomplish them? How long is that information useful? How does it need to be organized while it’s useful, in terms of access, security and privacy? And finally, what do I do with that information once it’s no longer useful?

“These questions are critical to developing IG maturity – you identify business objectives and the major stakeholders, and get them to talk to each other and develop relationships in order to come to a consensus,” Borden said. “Those on the compliance and legal risk side will talk to each other, tech sits in the middle and the business people are often not at the table, even though they are the ones creating and leveraging the information. They couldn’t tell you how to secure it or how long to use it, and that needs to change.”

The good news is that with the combined carrot (data insights) and stick (risk such as GDPR and cyberattacks) aspects coming to bear, the IG arena has taken off in terms of executive focus. The IGI has seen a big leap in the number of IG leaders with “Information Governance” in their title (a 41 percent rise from last year to reach 52 percent). The number of organizations with IG steering committees has spiked 26 percent, to reach 46 percent.

IG Driving Value

While concerns over risk are causing change, so is a new perception of IG’s overall value.

“We’re starting to see that companies recognize that it’s just good business practice to get a handle on their data and how they handle it,” Borden said.

About half (46 percent) of respondents in the survey said they saw value in IG this year, compared to just 16 percent last year, which is a whopping 179 percent change. The number of respondents reporting that their organization was extracting no value from the information it holds was slashed by more than half (a 55 percent decline).

“Companies are realizing that the info they create has insights within it,” Borden explained. “Also, people in senior management positions today were largely raised in the information age, and they’re used to the idea that insights are leveragable.”

This has of course given rise to the data brokerage world – which, Cambridge Analytica aside, continues to be a lucrative new area for companies wanting to explore (legal, privacy-first) marketing and customer service applications of digital footprint data.

“We can understand human conduct by the data trails we leave behind us as we move through our lives,” Borden said. “The more information we have, the more we can understand what people do, why they do it and what they’re going to do.”

VPNFilter Malware Infects 500k Routers Including Linksys, MikroTik, NETGEAR

Malware called VPNFilter has infected 500,000 routers from brands including Linksys, MikroTik, NETGEAR and TP-Link, which are mostly used in home offices. Researchers at Cisco Talos said they decided to warn the public of the threat despite the fact the infected devices and malware are still under investigation.

Researchers said their investigation into VPNFilter has been under way for the last several months and has included both law enforcement and private-sector intelligence partners. “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves,” researchers wrote in a Wednesday post.

Talos believes the attacks are being perpetrated by state-sponsored or state-affiliated actors and that an attack leveraging those compromised devices could be “imminent.” Researchers can’t say for sure who is behind VPNFilter, but say code used by the malware authors overlaps with BlackEnergy malware used in previous attacks in the Ukraine. Currently, VPNFilter malware has been found mostly on devices in the Ukraine, but also in 54 additional countries.

“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols,” researchers wrote.

Researchers said the malware has destructive capabilities that allow an attacker to either infect a device or render it unusable. “[This] can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the report stated.

More troubling to researchers, as of Thursday they “observed another substantial increase in newly acquired VPNFilter victims focused in Ukraine.”

The malware is multi-staged. In stage one, VPNFilter targets a number of CPU architectures on devices running firmware based on BusyBox and Linux.

“The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices,” Talos wrote.

Researchers said that this method of achieving persistence differs from other similar IoT malware such as Mirai. The Mirai malware could be removed from a device with a simple reboot. VPNFilter, on the other hand, “is capable of modifying non-volatile configuration memory values and adds itself to crontab, the Linux job scheduler, to achieve persistence,” according to the report.

After the malware has burrowed its way into a system’s memory, it begins to download an image from the image hosting site Photobucket, or from the domain toknowall[.]com as a backup. From the image downloaded, the malware extracts an IP address embedded in the image’s EXIF metadata that is used as a “listener” for the malware to receive instructions to initiate stage two.

“The stage 2 malware first sets up the working environment by creating a modules folder (/var/run/vpnfilterm) and a working directory (/var/run/vpnfilterw). Afterward, it will run in a loop, where it first reaches out to a C2 server, and then executes commands retrieved from the C2,” researchers wrote.
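A host-side check for the artifacts the report names (the two stage-2 directories and cron persistence), as an added example that is not Talos's code or part of the original article. The cron file locations are an assumption (typical Linux/BusyBox paths), since the report only says the malware adds itself to crontab; the function names are also introduced here.

```shell
#!/bin/sh
# Added example: triage a router filesystem for the VPNFilter host artifacts
# named in the report above. Works on a live device ("/") or on a mounted or
# extracted copy of the root filesystem.
# Usage: vpnfilter_triage /        or        vpnfilter_triage /mnt/rootfs

# Stage-2 directories quoted in the report.
VPNFILTER_DIRS="/var/run/vpnfilterm /var/run/vpnfilterw"

# Assumption: common cron locations on Linux/BusyBox firmware. The report
# does not say which crontab file is modified.
CRON_PATHS="/etc/crontab /etc/crontabs /etc/cron.d /var/spool/cron/crontabs"

# list_cron_entries ROOT
# Print every active (non-blank, non-comment) cron line as "path: line".
list_cron_entries() {
    root=${1%/}
    for p in $CRON_PATHS; do
        target="$root$p"
        if [ -f "$target" ]; then
            files=$target
        elif [ -d "$target" ]; then
            files=$(find "$target" -type f 2>/dev/null)
        else
            continue
        fi
        for f in $files; do
            # Report the on-device path, without the ROOT prefix.
            grep -v -E '^[[:space:]]*(#|$)' "$f" 2>/dev/null |
                while IFS= read -r line; do
                    printf '%s: %s\n' "${f#"$root"}" "$line"
                done
        done
    done
}

# vpnfilter_triage [ROOT]
# Prints findings. Returns 1 if a stage-2 directory exists, otherwise 0.
# Cron entries are listed for manual review and do not change the return code,
# because legitimate firmware may schedule its own jobs.
vpnfilter_triage() {
    root=${1:-/}
    root=${root%/}
    found=0
    for d in $VPNFILTER_DIRS; do
        if [ -d "$root$d" ]; then
            echo "FOUND stage-2 directory: $d"
            found=1
        fi
    done
    entries=$(list_cron_entries "$root")
    if [ -n "$entries" ]; then
        echo "REVIEW active cron entries (persistence mechanism per the report):"
        echo "$entries" | sed 's/^/  /'
    fi
    return $found
}
```

The two directories sit under /var/run, which is normally cleared on reboot, so their absence after a restart does not rule out the cron persistence described above.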

Malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, or maliciously configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

A third stage of the malware has also been observed where attackers leverage as many as two plugin modules – a packet sniffer and a communication plugin. Both leverage Tor to cloak communications. The packet sniffer module is capable of intercepting network traffic through a “raw socket” and looks for strings used in HTTP basic authentication. “This allows the attackers to understand, capture, and track the traffic flowing through the device,” researchers said.

The link to the Russian-speaking actors of the BlackEnergy APT group was made when Cisco Talos researchers closely examined the malware’s encrypted binaries. “Analysis of this RC4 implementation shows that it is identical to the implementation used in BlackEnergy, which is believed by law enforcement agencies to originate with a state actor,” researchers stated.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos researchers said.

Amazon Comes Under Fire for Facial Recognition Platform

Facial-recognition technology has long been touted as a useful tool for law enforcement, but the ability of systems like Amazon’s Rekognition platform to identify large numbers of people at once in a single video or still frame has raised the hackles of privacy advocates.

The American Civil Liberties Union said Tuesday that it has confirmed that the Orlando, Fla. Police Department and the Washington County Sheriff’s Office in Oregon both have contracts for Rekognition, according to documents obtained under Freedom of Information Act requests. It flagged the contracts as evidence of the potential for invasive mass surveillance.

The platform typically works by matching facial images to those housed in databases chosen by the customer. In Washington County’s case, officers can use a mobile app to submit an image to be indexed against a database of more than 300,000 mugshots, according to the documents.

In Orlando, the technology is in a pilot phase, where the resort town is using eight city-owned cameras to pick up on “persons of interest.” Rekognition simply scans the video feed and flags people that also have hits in the database that the police department is using.

While the public-good aspects of the technology are obvious – picking up on people on the FBI’s most-wanted list, for example, or hunting for other criminals on the lam, in addition to augmenting Amber and Silver alert efforts – the capacity for overreach has sounded alarm bells for some.

“With Rekognition, a government can now build a system to automate the identification and tracking of anyone,” the ACLU said in a statement published on Tuesday. “If police body cameras, for example, were outfitted with facial recognition, devices intended for officer transparency and accountability would further transform into surveillance machines aimed at the public. With this technology, police would be able to determine who attends protests. ICE could seek to continuously monitor immigrants as they embark on new lives. Cities might routinely track their own residents, whether they have reason to suspect criminal activity or not. As with other surveillance technologies, these systems are certain to be disproportionately aimed at minority communities.”

As Amazon describes in its materials for the product, in “Crowd Mode” customers can “detect, analyze, and index up to 100 faces (up from 15) in a single image.”

Officials from the ACLU, Electronic Frontier Foundation, Freedom of the Press Foundation, Human Rights Watch and others also wrote a joint letter to CEO Jeff Bezos, demanding “that Amazon stop powering a government surveillance infrastructure that poses a grave threat to customers and communities across the country. Amazon should not be in the business of providing surveillance systems like Rekognition to the government.”

Amazon responded in a media statement that the platform is a tool that must be used responsibly, and that it would suspend its use if the services are abused.

“Amazon requires that customers comply with the law and be responsible when they use AWS services,” the tech giant said. “As a technology, Amazon Rekognition has many useful applications in the real world…Our quality of life would be much worse today if we outlawed new technology because some people could choose to abuse the technology. Imagine if customers couldn’t buy a computer because it was possible to use that computer for illegal purposes?”

It also noted the capacity for good, explaining that various agencies have used Rekognition to find kidnapping and sex-trafficking victims; that amusement parks use Rekognition to find lost children; and that UK police used Rekognition over the weekend to identify and verify royal wedding attendees.

And to be fair, these are not the first law-enforcement agencies to consider facial recognition as a useful tool: The U.S. Customs and Border Patrol for instance has been piloting this kind of technology at various airports since last year.

Too Soon?

That said, there are real-world, full-implementation examples of misuse for facial recognition (and technology troubles) that should offer a cautionary tale.

Last week in the UK, Big Brother Watch called facial recognition a “dangerously authoritarian surveillance tool,” after examining its use by police forces during sporting events and festivals to identify suspects in real time.

The group said in a report that the system that the Metropolitan Police use in London, for example, issues false positives 98 percent of the time. Meanwhile, BBW said that the South Wales Police has stored 2,400 of those false-positive images without the consent of the citizens.

“We’re seeing ordinary people being asked to produce ID to prove their innocence as police are wrongly identifying thousands of innocent citizens as criminals,” said BBW director Silkie Carlo. “It is deeply disturbing and undemocratic that police are using a technology that is almost entirely inaccurate, that they have no legal power for, and that poses a major risk to our freedoms.”

Regardless of one’s opinion on whether the potential for 1984-like government surveillance balances out the positive policework functions it enables, there are also less savory applications for facial recognition that engender data privacy questions.

As Amazon points out in the Rekognition product guide, “you can accurately capture demographics and analyze sentiments for all faces in group photos, crowded events, and public places such as airports and department stores.”

This application has also been put into practice in the real world, also across the pond: A giant smart billboard in London’s Piccadilly Circus has started using facial and object-recognition technology and a tower of hidden cameras to scan pedestrians, indexing age, gender, income and even mood and language.

The goal of course is to serve up “relevant” messages and marketing. As Tim Bleakley, CEO at the company running ads for the board, Ocean Outdoor, explained: “Coca-Cola, for example, can log on at any given moment, see a large group of Spanish tourists and change the copy of the ad from ‘hello,’ to ‘buenos dias’.”

David Ginsburg, vice president of marketing at Cavirin, told Threatpost that the marketing applications could represent a do-not-cross line.

“Having cameras equipped with facial recognition is nothing new,” he said. “However, the scary thing that Amazon has is access to both consumer and retail databases. Currently, if the police want to tap into the personal databases, they have to do it on their own. But if Amazon can deliver it to them on a silver platter, that is a bit disconcerting. Frankly, tying the police to retail and social databases may be crossing a line and we might want to rethink what we are doing moving forward. Although Amazon is not tying this to their retail database now, it is a slippery slope.”
