Decrypted: With more SolarWinds fallout, Biden picks his cybersecurity team

All change in the capital as the Biden administration takes charge, and thankfully without a hitch (or violence) after the attempted insurrection two weeks earlier.

In this week’s Decrypted, we look at the ongoing fallout from the SolarWinds breach and who the incoming president wants to lead the path to recovery. Plus, the news in brief.


THE BIG PICTURE

Google says SolarWinds exposure “limited,” more breaches confirmed

The cyberattack against SolarWinds, an ongoing espionage campaign already blamed on Russia, claimed the U.S. Bureau of Labor Statistics as another federal victim this week. The attack also hit cybersecurity company Malwarebytes, the company’s chief executive confirmed. Marcin Kleczynski said in a blog post that attackers gained access to a “limited” number of internal company emails. The attackers were the same group behind the SolarWinds campaign, but they used a different intrusion route. It’s now the third security company known to have been targeted by the same Russian hackers, after a successful intrusion at FireEye and an unsuccessful attempt at CrowdStrike.

Senator: ‘More transparency is needed’ by exam proctoring tech firms

Three of the leading exam proctoring companies are facing calls to be more transparent, amid continued claims of bias by students forced to take remote exams because of the ongoing pandemic.

Exam proctoring tech lets students take remotely invigilated tests from home. Students are told to install their university’s choice of proctoring software, which allows the exam monitor deep access to the student’s computer, including their webcams and microphones, to monitor their activity to spot potential cheating.

But companies like Proctorio, ExamSoft, and ProctorU have faced a barrage of criticism from students who say that their proctoring technology is fraught with problems, including issues of bias — all of which could impact their test results.

Chief among the complaints is that their proctoring software cannot recognize faces with darker skin tones or religious headgear, and discriminates against students with disabilities and those in lower-income areas who may not have the internet speeds to meet the standards of the test-taking tech.

Several U.S. Democratic senators sent Proctorio, ExamSoft, and ProctorU letters in December calling on the companies to explain their technology and policies better. In their responses seen by TechCrunch, the companies rejected claims of discrimination and all said that it’s up to the teachers to decide whether a student has cheated, not the companies themselves.

But lawmakers say that the companies are not transparent enough, and worry teachers could be making decisions about a student’s conduct based on little more than what the technology tells them.

“Proctorio, ExamSoft, and ProctorU claim they don’t have problems with bias, yet alarming reports from students tell a different story,” Sen. Richard Blumenthal (D-CT) told TechCrunch. “These responses from the companies are only the first step in learning more about how they operate, but much more transparency is needed into the systems that have the power to accuse students of cheating. I will work on every fix necessary to ensure students are protected.”

Students across the U.S. have already called on their schools to stop using proctoring software citing privacy and security risks.

We sent the companies several questions. ProctorU’s chief executive Scott McFarland declined to comment citing the holiday weekend. Proctorio and ExamSoft did not respond.

A security researcher commandeered a country’s expired top-level domain to save it from hackers

In mid-October, a little-known but critically important domain name for one country’s internet space began to expire.

The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.

Clearly, a domain of such importance wasn’t supposed to expire; someone in the Congolese government probably forgot to pay for its renewal. Luckily, expired domains don’t disappear immediately. Instead, the clock started on a grace period for its government owners to buy back the domain before it was sold to someone else.

By chance, Fredrik Almroth, a security researcher and co-founder of cybersecurity startup Detectify, was already looking at nameservers of country code top-level domains (or ccTLDs), the two-letter suffixes at the end of regional web addresses, like .fr for France or .uk for the United Kingdom. When he found this critical domain name was about to expire, Almroth began to monitor it, assuming someone in the Congolese government would pay to reclaim the domain.

But nobody ever did.

By the end of December, the clock was almost up and the domain was about to fall off the internet. Within minutes of the domain becoming available, Almroth quickly snapped it up to prevent anyone else from taking it over — because, as he told TechCrunch, “the implications are kind of huge.”

It’s rare but not unheard of for a top-level domain to expire.

In 2017, security researcher Matthew Bryant took over the nameservers of the .io top-level domain, assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains to hack into companies and governments that use the same country-based domain suffix.


Taking over a nameserver is not supposed to be an easy task because they are a vital part of how the internet works.

Every time you visit a website your device relies on a nameserver to convert a web address in your browser to the machine-readable address that tells your device where on the internet to find the site you’re looking for. Some liken nameservers to the phone directory of the internet. Sometimes your browser looks no further than its own cache for the answer, and sometimes it has to ask the nearest nameserver for the answer. But the nameservers that control top-level domains are considered authoritative and know where to look without having to ask another nameserver.

With control of an authoritative nameserver, malicious hackers could run man-in-the-middle attacks to silently intercept and redirect internet users going to legitimate sites to malicious webpages.

These kinds of attacks have been used in sophisticated espionage campaigns aimed at cloning websites to trick victims into handing over their passwords, which hackers use to get access to company networks to steal information.

Worse, Almroth said, with control of the nameserver it was possible to obtain valid SSL (HTTPS) certificates, allowing an attacker to intercept encrypted web traffic or any email mailbox for any .cd domain. A successful attacker could redirect victims to a spoofed website, and to the untrained eye they would be none the wiser.

“If you can abuse the validation schemes used to issue certificates, you can undermine the SSL of any domain under .cd as well,” Almroth said. “The capabilities of being in such a privileged position is scary.”

Almroth ended up sitting on the domain for about a week as he tried to figure out a way to hand it back. By this point the domain had been inactive for two months already and nothing had catastrophically broken. At most, websites with a .cd domain might have taken slightly longer to load.

Since the remaining nameserver was running normally, Almroth kept the domain offline so that whenever an internet user tried to access a domain that relied on the nameserver under his control, it would automatically timeout and pass the request to the remaining nameserver.
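The resolver behaviour described in the last few paragraphs, as an added example that is not part of the original article: a toy model of a stub resolver with a cache and two authoritative nameservers, one of which is kept dark so queries to it time out and fall through to the other. It is written for this piece, not Almroth’s or Detectify’s tooling; the zone data, nameserver names and the 203.0.113.10 address (from the TEST-NET-3 documentation range) are all constructed, and the seconds charged per timeout are an assumed figure.

```python
import time

# Toy model of a stub resolver talking to two authoritative nameservers for a
# TLD. One nameserver is offline (simulating the expired, deliberately dark
# scpt-network.com), so queries to it time out and the resolver moves on to
# the remaining one. Constructed example; not real DNS code.


class NameserverTimeout(Exception):
    """Raised by a nameserver that never answers (simulated timeout)."""


def make_nameserver(name, zone, online=True):
    """Return a query function for a simulated authoritative nameserver.

    `zone` maps fully qualified names to addresses (constructed values).
    """
    def query(qname):
        if not online:
            raise NameserverTimeout(name)
        return zone.get(qname)
    query.name = name
    return query


class StubResolver:
    """Tries each nameserver in order, caches answers, records what happened."""

    def __init__(self, nameservers, ns_timeout=2.0, ttl=300):
        self.nameservers = nameservers      # list of query functions, in order
        self.ns_timeout = ns_timeout        # assumed seconds lost per timed-out NS
        self.ttl = ttl                      # cache lifetime of an answer, seconds
        self.cache = {}                     # qname -> (address, expires_at)
        self.log = []                       # (event, detail) for inspection

    def resolve(self, qname, now=None):
        """Return (address, simulated_seconds_spent); raise if every NS fails."""
        now = time.time() if now is None else now
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            self.log.append(("cache-hit", qname))
            return cached[0], 0.0
        spent = 0.0
        for ns in self.nameservers:
            try:
                address = ns(qname)
            except NameserverTimeout:
                # The dark nameserver costs a full timeout; then try the next one.
                spent += self.ns_timeout
                self.log.append(("timeout", ns.name))
                continue
            self.log.append(("answer", ns.name))
            if address is not None:
                self.cache[qname] = (address, now + self.ttl)
            return address, spent
        raise RuntimeError(f"no nameserver answered for {qname}")


def demo():
    """Resolve twice: the first lookup pays for the timeout, the second is cached."""
    zone = {"example.cd.": "203.0.113.10"}   # constructed; TEST-NET-3 address
    ns_dark = make_nameserver("ns-a (expired, kept dark)", zone, online=False)
    ns_live = make_nameserver("ns-b (still running)", zone, online=True)
    resolver = StubResolver([ns_dark, ns_live], ns_timeout=2.0)
    first = resolver.resolve("example.cd.", now=1000.0)
    second = resolver.resolve("example.cd.", now=1001.0)
    return first, second, resolver.log


if __name__ == "__main__":
    print(demo())
```

The model shows why nothing “catastrophically broke”: the first lookup of a name is slower by one timeout, and every lookup after that is answered from cache or by the live server. Real resolvers are more forgiving still, since they retry, pick nameservers by measured round-trip time and remember which ones are unresponsive, so the penalty in practice is smaller than this strict in-order model suggests.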

In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.

We reached out to the Congolese authorities for comment but did not hear back.

ICANN, the international non-profit organization responsible for internet address allocation, said through a spokesperson that country code top-level domains are operated by their respective countries and that its own role is “very limited.”

For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a cryptographically more secure technology that makes it nearly impossible to serve up spoofed websites. One network security engineer who asked not to be named as they were not authorized to speak to the media questioned whether DNSSEC would be effective at all against a top-level domain hijack.

At least in this case, it’s nothing a calendar reminder can’t solve.

Ubiquiti says customer data may have been accessed in data breach

Ubiquiti, one of the biggest sellers of networking gear including routers, webcams and mesh networks, has alerted its customers to a data breach.

In a short email to customers on Monday, the tech company said it became aware of unauthorized access to its systems hosted by a third-party cloud provider. Ubiquiti didn’t name the cloud company, when the breach happened, or what caused the security incident. A company spokesperson did not respond to requests for comment.

But the company confirmed that it “cannot be certain” that customer data had not been exposed.

“This data may include your name, email address, and the one-way encrypted password to your account,” said the email to customers. “The data may also include your address and phone number if you have provided that to us.”

Although the email says passwords are scrambled, the company says users should update their passwords and also enable two-factor authentication, which makes it harder for hackers to take the stolen passwords and use them to break into accounts.
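As an added illustration of the two defences the notice points users toward (this is example code written for this piece, not Ubiquiti’s system): a salted, slow one-way password hash, which is what “one-way encrypted” means in practice, alongside a standard time-based one-time code as the second factor. It uses only the Python standard library; the PBKDF2 iteration count is an assumed value, and the secret and password below are constructed. The TOTP routine follows RFC 4226/6238, so its output can be checked against those specifications’ published test vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed cost; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup, and the iteration count makes each guess slow.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


def login(stored_hash: str, totp_secret: bytes, password: str, code: str, now=None) -> bool:
    """Both factors must pass: a stolen password hash alone is not enough."""
    now = time.time() if now is None else now
    return verify_password(password, stored_hash) and verify_totp(totp_secret, code, now)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed password
    secret = b"12345678901234567890"                         # RFC 6238 test secret
    print(record)
    print(login(record, secret, "correct horse battery staple", totp(secret, time.time())))
```

The point of the advice in the notice follows from the code: a salted slow hash buys time, but only until someone guesses the password, so rotating it removes the value of the stolen record, and a second factor means the record alone is never enough to sign in.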

Ubiquiti account users can remotely access and manage their routers and devices from the web.

The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several complained that the email sent to customers included typos.

Scraped Parler data is a metadata goldmine

Embattled social media platform Parler is offline after Apple, Google and Amazon pulled the plug on the site after the violent riot at the U.S. Capitol last week that left five people dead.

But while the site is gone (for now), millions of posts published to the site since the riot are not.

A lone hacker scraped millions of posts, videos and photos published to the site after the riot but before the site went offline on Monday, preserving a huge trove of potential evidence for law enforcement investigating the attempted insurrection, as many of the rioters allegedly used the platform to plan and coordinate the breach of the Capitol.

The hacker and internet archivist, who goes by the online handle @donk_enby, scraped the social network and uploaded copies to the Internet Archive, which hosts old and historical versions of web pages.

In a tweet, @donk_enby said she scraped data from Parler that included deleted and private posts, and the videos contained “all associated metadata.”

Metadata is information about a file — such as when it was made and on what device. This information is usually embedded in the file itself. The scraped videos from Parler appear to also include the precise location data of where the videos were taken. That metadata could be a goldmine of evidence for authorities investigating the Capitol riot, which may tie some rioters to their Parler accounts or help police to unmask rioters based on their location data.

Most web services remove metadata when you upload your photos and videos, but Parler apparently wasn’t doing so.
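What “removing metadata on upload” looks like in code, as an added example that is not Parler’s, the Internet Archive’s or any library’s code: a minimal JPEG segment walker that detects the APP1 segment where EXIF (and XMP) metadata, including GPS coordinates, is stored, and writes the file back out without it while leaving the compressed image data untouched. The sample file is constructed by hand with a stub EXIF header rather than real camera data.

```python
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
SOS_MARKER = 0xDA          # start of scan: compressed pixel data follows
APP1_MARKER = 0xE1         # segment type where EXIF and XMP metadata live
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.

    Everything from SOS onward is treated as one opaque blob, since the
    entropy-coded scan is not a list of length-prefixed segments.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = len(SOI)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS_MARKER:
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length          # length counts itself, not the marker
        yield marker, pos, end
        pos = end
    raise ValueError("truncated JPEG (no SOS found)")


def is_metadata_segment(data: bytes, marker: int, start: int) -> bool:
    """True for an APP1 segment whose payload announces EXIF or XMP."""
    payload_head = data[start + 4:start + 4 + 32]
    return marker == APP1_MARKER and payload_head.startswith(METADATA_PREFIXES)


def has_metadata(data: bytes) -> bool:
    return any(is_metadata_segment(data, m, s) for m, s, _ in iter_segments(data))


def strip_metadata(data: bytes) -> bytes:
    """Return a copy with EXIF/XMP APP1 segments removed; pixels are untouched."""
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if not is_metadata_segment(data, marker, start):
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes: JFIF header, EXIF stub, tiny scan, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 8  # stub TIFF header
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    return SOI + app0 + app1 + sos + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", has_metadata(sample), len(sample), "bytes")
    cleaned = strip_metadata(sample)
    print("after: ", has_metadata(cleaned), len(cleaned), "bytes")
```

Dropping the whole APP1 segment is the conservative choice for an upload pipeline: it does not need to parse the TIFF structure inside EXIF to find the GPS directory, so a malformed or unusual file cannot slip a location tag past it. The trade-off is that harmless fields such as orientation go too, which a service can re-derive by re-encoding the image instead.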

Parler quickly became the social network of choice after President Trump was deplatformed from Twitter and Facebook for inciting the riot on January 6. But the tech giants said Parler violated their rules by not having a content moderation policy – which is what drew many users to the site.

Many of the posts made calls to “burn down [Washington] D.C.,” while others called for violence and the execution of Vice President Mike Pence.

Already several rioters have been arrested and charged with breaking into the Capitol building. Many of the rioters weren’t wearing masks (the pandemic notwithstanding), making it easier for them to be identified. But thanks to Parler’s own security blunder, many more could soon face an unwelcome knock at the door.

These 6 browser extensions will protect your privacy online

The internet is not a private place. Ads try to learn as much about you to sell your information to the highest bidder. Emails know when you open them and which links you click. And some of the biggest internet snoops, like Facebook and Amazon, follow you from site to site as you browse the web.

But it doesn’t have to be like that. We’ve tried and tested six browser extensions that will immediately improve your privacy online by blocking most of the invisible ads and trackers.

These extensions won’t block every kind of snooping, but they will vastly reduce your exposure to most of the efforts to track your internet activity. You might not care that advertisers collect your data to learn your tastes and interests to serve you targeted ads. But you might care that these ad giants can see which medical conditions you’re looking up and what private purchases you’re making.

By blocking these hidden trackers from loading, websites can’t collect as much information about you. Plus by dropping the unnecessary bulk, some websites will load faster. The tradeoff is that some websites might not load properly or refuse to let you in if you don’t let them track you. You can toggle the extensions on and off as needed, or you could ask yourself if the website was that good to begin with and could you not just find what you were looking for somewhere else?

HTTPS Everywhere

We’re pretty much hardwired to look for that little green lock in our browser to tell us a website was loaded over an HTTPS-encrypted connection. That means the websites you open haven’t been hijacked or modified by an attacker before they loaded, and that anything you submit to that website can’t be seen by anyone other than the website. HTTPS Everywhere is a browser extension made by the non-profit internet group the Electronic Frontier Foundation that automatically loads websites over HTTPS where it’s offered, and allows you to block the minority of websites that don’t support HTTPS. The extension is supported by most browsers, including Chrome, Firefox, Edge, and Opera.

Privacy Badger

Another extension developed by the EFF, Privacy Badger is one of the best all-in-one extensions for blocking invisible third-party trackers on websites. This extension looks at all the components of a web page and learns which ones track you from website to website, and then blocks them from loading in the browser. Privacy Badger also learns as you travel the web, so it gets better over time. And it requires no effort or configuration to work, just install it and leave it to it. The extension is available on most major browsers.

uBlock Origin

Ads are what keeps the internet free, but often at the expense of your personal information. Ads try to learn as much about you — usually by watching your browsing activity and following you across the web — so that they can target you with ads you’re more likely to click on. Ad blockers stop them in their tracks by blocking ads from loading, but also the tracking code that comes with it.

uBlock Origin is a lightweight, simple but effective, and widely trusted ad blocker used by millions of people, but it also has a ton of granularity and customizability for the more advanced user. (Be careful with impersonators: there are plenty of ad blockers that aren’t as trusted that use a similar name.) And if you feel bad about the sites that rely on ads for revenue (including us!), consider a subscription to the site instead. After all, a free web that relies on ad tracking to make money is what got us into this privacy nightmare to begin with.

uBlock Origin works in Chrome, Firefox, and Edge and the extension is open source so anyone can look at how it works.

PixelBlock & ClearURLs

If you thought hidden trackers in websites were bad, wait until you learn about what’s lurking in your emails. Most emails from brand names come with tiny, often invisible pixels that alert the sender when you’ve opened them. PixelBlock is a simple extension for Chrome browsers that simply blocks these hidden email open trackers from loading and working. Every time it detects a tracker, it displays a small red eye in your inbox so you know.

Most of these same emails also come with tracking links that alert the sender to which links you click. ClearURLs, available for Chrome, Firefox and Edge, sits in your browser and silently removes the tracking junk from every link in your browser and your inbox. That means ClearURLs needs more access to your browser’s data than most of these extensions, but its makers explain why in the documentation.
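To make the two email tracking techniques above concrete, here is an added example, written for this piece rather than taken from PixelBlock or ClearURLs, that scans an HTML email body for likely open-tracking pixels and strips known tracking parameters from its links. The parameter list is a small constructed subset of the kinds of names such tools match (the real extensions ship much larger, maintained rule sets), and the sample email and its domains are made up.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed subset of tracking parameter names; not ClearURLs' rule list.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_eid", "mc_cid", "igshid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    n = name.lower()
    return n in TRACKING_PARAMS or n.startswith(TRACKING_PREFIXES)


def clean_url(url: str) -> str:
    """Drop known tracking query parameters, keeping path, other params and fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class EmailScanner(HTMLParser):
    """Collects likely tracking pixels and every link in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.pixels = []   # src of <img> tags that look like open trackers
        self.links = []    # href of every <a> tag

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attributes without values -> ""
        if tag == "img":
            src = a.get("src", "")
            tiny = a.get("width", "").strip() in ("0", "1") and \
                   a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            # A remote image that is 1x1 or hidden has no purpose but to fire a request.
            if src.startswith(("http://", "https://")) and (tiny or hidden):
                self.pixels.append(src)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def scan_email(html: str):
    """Return (tracking_pixels, cleaned_links) for an HTML email body."""
    scanner = EmailScanner()
    scanner.feed(html)
    return scanner.pixels, [clean_url(h) for h in scanner.links]


# Constructed sample email; the domains are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Your order has shipped.</p>
<a href="https://shop.example/order/123?utm_source=email&utm_campaign=ship&ref=keepme">Track it</a>
<a href="https://shop.example/unsubscribe?mc_eid=abc123">Unsubscribe</a>
<img src="https://track.example/open?id=9f2" width="1" height="1" alt="">
<img src="https://shop.example/logo.png" width="120" height="40" alt="logo">
</body></html>"""


if __name__ == "__main__":
    pixels, links = scan_email(SAMPLE_EMAIL)
    print("tracking pixels:", pixels)
    print("cleaned links:  ", links)
```

The pixel heuristic errs toward flagging: a 1x1 remote image is almost always a beacon, but a hidden image can occasionally be layout scaffolding, which is why PixelBlock-style tools simply block the request rather than try to decide whether the sender is honest. Note also that an extension doing what `clean_url` does must read and rewrite every link on every page, which is exactly the broad permission ClearURLs’ makers have to justify.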

Firefox Multi-Account Containers

And an honorary mention for Firefox users, who can take advantage of Multi-Account Containers, built by the browser maker itself to help you isolate your browsing activity. That means you can have one container full of your work tabs in your browser, and another container with all of your personal tabs, saving you from having to use multiple browsers. Containers also keep your private personal browsing separate from your work browsing activity. It also means you can put sites like Facebook or Google in a container, making it far more difficult for them to see which websites you visit and understand your tastes and interests. Containers are easy to use and customizable.

Chris Krebs and Alex Stamos have started a cyber consulting firm

Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds.

The two have been hired as consultants to help the Texas-based software maker recover from a devastating breach by suspected Russian hackers, which used the company’s software to set backdoors in thousands of organizations and to infiltrate at least 10 U.S. federal agencies and several Fortune 500 businesses.

At least the Treasury, State and the Department of Energy have been confirmed breached, in what has been described as likely the most significant espionage campaign against the U.S. government in years. And while the U.S. government has already pinned the blame on Russia, the scale of the intrusions is not likely to be known for some time.

Krebs was one of the most senior cybersecurity officials in the U.S. government, most recently serving as the director of Homeland Security’s CISA cybersecurity advisory agency from 2018, until he was fired by President Trump for his efforts to debunk false election claims — many of which came from the president himself. Stamos, meanwhile, joined the Stanford Internet Observatory after holding senior cybersecurity positions at Facebook and Yahoo. He also consulted for Zoom amid a spate of security problems.

In an interview with the Financial Times, which broke the story, Krebs said it could take years before the hackers are ejected from infiltrated systems.

SolarWinds chief executive Sudhakar Ramakrishna acknowledged in a blog post that it had brought on the consultants to help the embattled company to be “transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements.”

Decrypted: How bad was the US Capitol breach for cybersecurity?

It’s the image that’s been seen around the world. One of hundreds of pro-Trump supporters in the private office of House Speaker Nancy Pelosi after storming the Capitol and breaching security in protest of the certification of the election results for President-elect Joe Biden. Police were overrun (when they weren’t posing for selfies) and some lawmakers’ offices were trashed and looted.

As politicians and their staffs were told to evacuate or shelter in place, one photo of a congressional computer left unlocked still with an evacuation notice on the screen spread quickly around the internet. At least one computer was stolen from Sen. Jeff Merkley’s office, reports say.

A supporter of U.S. President Donald Trump leaves a note in the office of U.S. Speaker of the House Nancy Pelosi as the protest inside the U.S. Capitol in Washington, D.C, January 6, 2021. Demonstrators breached security and entered the Capitol as Congress debated the 2020 presidential election Electoral Vote Certification. Image Credits: SAUL LOEB/AFP via Getty Images

Most lawmakers don’t have ready access to classified materials, unless it’s for their work sitting on sensitive committees, such as Judiciary or Intelligence. The classified computers are separate from the rest of the unclassified congressional network and sit in designated sensitive compartmented information facilities, or SCIFs, in locked-down areas of the Capitol building.

“No indication those [classified systems] were breached,” tweeted Mieke Eoyang, a former House Intelligence Committee staffer.

But the breach will likely present a major task for Congress’ IT departments, which will have to figure out what’s been stolen and what security risks could still pose a threat to the Capitol’s network. Kimber Dowsett, a former government security architect, said there was no plan in place to respond to a storming of the building.

The threat to Congress’ IT network is probably not as significant as the ongoing espionage campaign against U.S. federal networks. But the one saving grace is that so many congressional staffers were working from home during the assault due to the ongoing pandemic, which yesterday set a daily record of almost 4,000 people dead from COVID-19 in one day.


THE BIG PICTURE

U.S. blames “ongoing” federal agency breaches on Russia

FBI, NSA say ongoing hacks at US federal agencies ‘likely Russian in origin’

The U.S. government says hackers “likely Russian in origin” are responsible for breaching the networks of at least 10 U.S. federal agencies and several major tech companies, including FireEye and Microsoft.

In a joint statement published Tuesday, the FBI, the NSA, and Homeland Security’s cybersecurity advisory unit CISA said that the government was “still working to understand the scope” of the breach, but that the breaches are likely an “intelligence gathering effort.”

The compromises are “ongoing,” the statement said.

The statement didn’t name the breached agencies, but the Treasury, State, and the Department of Energy are among those reported to be affected.

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement said. “The [joint agency effort] will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”

News of the widespread espionage campaign emerged in early December after cybersecurity giant FireEye, normally the first company that cyberattack victims will call, discovered its own network had been breached. Soon after it was reported that several government agencies had also been infiltrated.

All of the victims are customers of U.S. software firm SolarWinds, whose Orion network management tools are used across the U.S. government and Fortune 500 companies. FireEye said that hackers broke into SolarWinds’ network and pushed a tainted software update to its customers, allowing the hackers to easily break into any one of thousands of companies and agencies that installed the backdoored update.

Some 18,000 customers downloaded the backdoored software update, but the government’s joint statement said that it believes only a “much smaller number have been compromised by follow-on activity on their systems.”

Several news outlets have previously reported that the hacks were carried out by a Russian intelligence group known as APT 29, or Cozy Bear, which has been linked to several espionage-driven attacks, including attempting to steal coronavirus vaccine research.

Tuesday’s joint statement would be the first time the government acknowledged the likely culprit behind the campaign.

Russia had previously denied involvement with the hacks.

T-Mobile says hackers accessed some customer call records in data breach

T-Mobile, the third largest cell carrier in the U.S. after completing its recent $26 billion merger with Sprint, ended 2020 by announcing its second data breach of the year.

The cell giant said in a notice buried on its website that it recently discovered unauthorized access to some customers’ account information, including the data that T-Mobile makes and collects on its customers in order to provide cell service.

From the notice: “Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

Known as customer proprietary network information (CPNI), this data can include call records — such as when a call was made, for how long, the caller’s phone number and the destination phone numbers for each call, and other information that might be found on the customer’s bill.

But the company said that the hackers did not access names, home or email addresses, financial data, and account passwords (or PINs).

The notice didn’t say when T-Mobile detected the breach, only that it was now notifying affected customers.

A spokesperson for T-Mobile did not respond to requests for comment, but told one news site that the breach affects about 0.2% of all T-Mobile customers — or approximately 200,000 customers.

It’s the latest security incident to hit the cell giant in recent years.

In 2018, T-Mobile said as many as two million customers may have had their personal information scraped. A year later, the company confirmed hackers accessed records on another million prepaid customers. Just months into 2020, T-Mobile admitted a breach on its email systems that saw hackers access some T-Mobile employee email accounts, exposing some customer data.