Welcome! We know we are a bit late parting ways with September, but here it is -- Secure Group’s Security and Privacy Roundup for last month. If you are new to our site, our newsletter focuses on relevant news articles about security and privacy issues in the world today. This is the third installment of our bi-monthly compilation, and we hope it proves informative.
There were a few compelling stories worth following this past month. To keep things relevant, the stories are posted in descending order and the latest entries are on top. And remember to check out our previous entries as well!
- Sept. 25 - US and China Cyber-theft Standoff Thaws after Obama Announcement
- Sept. 24 - Activists Boycott Tech Companies Supporting CISA
- Sept. 23 - Number of Fingerprints Stolen in July’s OPM Breach 5 Times Larger than Initially Reported
- Sept. 21 - First-ever Targeted Malware Attack Hits Apple App Store
- Sept. 18 - Ghost Push Virus Infects 600k Users Everyday
Sept. 25 - US and China Cyber-theft Standoff Thaws after Obama Announcement
Relations between the United States and China appear to be warming up after President Barack Obama and China’s President Xi Jinping reached recently a “common understanding” to curb economic cyber espionage. However, Obama wagged his finger and alluded to possible sanctions should Chinese hackers persist with cybercrimes.
The two leaders also revisited a landmark emissions deal reached last year, outlining new steps for the reduction of greenhouse emissions in both nations.
The agreement between the two leaders may have addressed economic cyber-espionage, but has failed to promise any changes in traditional government-to-government cyber spying for intelligence purposes. Chinese hackers are suspected in the attack on the Office of Personnel Management (OPM) earlier this year, which resulted in an in-depth background check of over 20 million US citizens.
The political and economic cyber-espionage between nations is a growing concern, spilling over to the daily lives of ordinary people, as evidenced by attacks such as the one on the Office of Personnel Management. The data caught up in the OPM breach included background checks with data on drug and alcohol abuse and sexual indiscretions. Those affected may not know it until as late as November, according to recent reports (more on this later). By protecting your communication, you may limit the effectiveness of background checks, or at least limit results to “ancient history.” Encrypt your communication, and as much data as you can.
Director of National Intelligence James Clapper is skeptical that the new US/China cyber-espionage deal will result in any meaningful slowdown of cyber attacks on US computer systems. Speaking to the Senate Armed Services Committee on Tuesday, he said that the agreement did not provide clear response parameters for violations, but that economic sanctions and other tools could be used if needed.
Asked if he was optimistic about restricting incidents of cyber-espionage between the two nations, he said simply: “No.” The United States should “trust but verify” that China would meet their end of the agreement, he added. “Trust but verify” is a reference to former President Ronald Reagan's approach to nuclear disarmament with the former Soviet Union.
Sept. 24 – Activists Boycott Tech Companies Supporting CISA
Activist group Fight for the Future criticized tech company Heroku/Salesforce for its support of the Cybersecurity Information Sharing Act (CISA). The recent amendment of the bill (Sept. 11) left many privacy activists disgruntled. The changes, Cindy Cohn, EFF’s executive director, said, give prosecutors “more power to threaten more people with more prison time.”
The CFAA has been problematic for years, and many in the security industry are wary of numerous loopholes and poorly worded clauses. For example, the law does not define what it means to access computers without authorization, but includes provisions for exceeding authorized access. This allows overzealous prosecutors to take advantage of the wording and send many to jail for non-violent computer crimes.
The increased penalties were tacked on in response to recent cyber attacks such as the OPM breach and on the Department of Energy. Proposed penalties for felonies that cause or would result in "aggravated damage to a critical infrastructure computer” increased by 20 years. According to the EFF, the aggravated damage provision is “appallingly vague.” What constitutes a critical infrastructure computer is not specified and, as written, could be read to mean almost any system.
Another change addresses CFAA’s definition of intent. The wording, “knowingly and with intent to defraud” to merely whether the suspect knew “such conduct to be wrongful.” The vagueness of this wording makes it easier to prosecute anyone.
In the week prior to Fight for the Future’s call for boycott, 13 tech companies and the BSA | Software Alliance sent a letter to Congress asking lawmakers to act on cyber security legislation that would “have an immediate positive action on the digital economy.”
According to the letter, CISA "will promote cyber security and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.” The companies that signed the missive include: Adobe, Altium, Apple, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce, Siemens, and Symantec’s CEOs.
While companies may benefit from the liability protection provided under CISA, supporting the law "is short-sighted," said Evan Greer, CTO of Fight for the Future. “It also shows these organizations are backing away from the promises they made in their own privacy policies.”
Sept. 23 - Number of Fingerprints Stolen in July OPM Breach 5 Times Larger than Initially Reported
A governmental data breach aimed at the Office of Personnel Management's systems in July was perhaps the largest discovered so far. The interception affected the records of almost 22 million users.
Part of the stolen data includes background investigation files on people trying to obtain security clearances as well as information about the sexual indiscretions and substance abuse of over 18 million people. Moreover, initial estimates of the damage point to the theft of over a million fingerprints. However, the OPM reported Sept. 23 that estimates may have been wildly miscalculated, and that the number of stolen fingerprints is around 5.6 million. This revelation came after reviewing previously unanalyzed archived records.
The Office of Personnel Management citied federal experts and assured breach victims that “as of now, the ability to misuse fingerprint data is limited,” but that “this probability could change over time as technology evolves.” Because fingerprints do not change over time, the possibility of technological evolution making fingerprint data more useful makes this attack potentially very serious.
Members from the FBI, the Department of Homeland Security, the Department of Defense (DOD) and other intelligence organization have formed a work group to study how cyber-criminals could potentially exploit the data.
However, even as agencies work to contain this potential disaster, the OPM faces severe criticism and scrutiny, especially for its notification process. Because a contract for identity theft protection was not awarded until two months after the breach was revealed, some victims may not find out their data was taken until November.
In particular, Senator Ben Sasse (Nebraska) is upset at the handling of this breach by the OPM and said that “the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” and gave the American public “no reason to believe that they've heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security."
House Oversight Committee Chairman Jason Chaffetz also condoned OPM’s handling of the breach, and said that the announcement on Sept. 23 was indicative of continued incompetence.
“OPM keeps getting it wrong...This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s [information technology] management team is not up to the task. They have bungled this every step of the way.”
As investigations into this breach continue, we may very well see in the future policy formed on how to deal with future breaches, as well as information regarding how such breaches will be prevented.
Sept. 21- Apple App Store Hit by Malware
Malware is not strictly the province of Android devices. Even Apple’s App Store, essentially a gated community for apps, can be compromised, as recent events show. Millions of Apple device users received a warning last week of a series of potentially dangerous apps infecting the App Store. Several popular apps on the App Store, including the messaging service WeChat, fell victim to the malware known as XcodeGhost, stealing users’ private info.
While the malware is mainly affecting users in China, many of the apps listed have a global reach. This was the first recorded large-scale attack to make it past Apple’s stringent review process. According to Palo Alto Networks, only five malicious apps had previously made it through the App Store’s protection.
The attack was possible by convincing developers of legitimate software to use a tainted, counterfeit version of Apple's software for creating iOS and Mac apps known as Xcode.
Sept. 18 - Ghost Push Virus Infects 600k Users Everyday
If Android users needed any more incentive to avoid downloading applications from unprotected sources, then the newly discovered Ghost Push virus might be just the impetus needed to promote more security awareness. According to Cheetah Mobile’s security research lab, the new virus affects up to 600 thousand users daily.
Experts from the mobile research lab said that the virus has affected 14,847 phone types and 3,658 brands. Once infected, unwanted and annoying apps are installed on the device. The virus is very difficult to remove, even when using antivirus or wiping the device. This is because the virus gains root access, and can slow it down, drain the battery and consume data. Thirty-nine apps have been infected. The virus has not yet been discovered (as of writing) on any official Google Play Store apps. The infected apps are likely spoofed with misleading labels. If you must install an unofficial app, check the package name. Package names such as “com.abc.yinhe” should be avoided.