Tag Archive for FB

Scary SS7 Flaw Strikes Banks

Lost in last month’s hubbub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May, reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how the public phone system talks to itself to complete a phone call.

The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to Ars Technica, the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication number) codes sent to the victims — the messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

German telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says that, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely against a much larger number of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Two-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are. 2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security, warns in the article:

While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…

Cyber security researchers began warning about dangerous flaws in SS7 in late 2014. I wrote about the SS7 flaw in September of 2016 and in March 2017. Maybe this will be the wake-up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

In 2014 security researchers first demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, SS7 is used today by over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), to make sure their networks interoperate. This technology has not kept up with modern times. In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

The Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol, has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLAs would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

For text messages, they recommend avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available. These let you send and receive instant messages without going through the SMS network, protecting your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

Your location can be tracked at any time your mobile phone is on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Over Half the World Connected to the Internet

New statistics show that over half of the world’s population is now using the Internet. The 2017 Q2 Global Digital Snapshot Report on social media and digital trends released by Hootsuite, a social media management platform, and We Are Social, a social media agency, found that more than 3.8 billion people around the world now use the internet. This means that global internet penetration is 51%. The report’s author flips the number and points out that people who don’t use the Internet are now in the minority.

How are these people getting online? The report says that the total number of unique mobile users now stands at 4.96 billion. The use of a mobile phone is now ‘normal’ around the world. Almost 66% of the entire global population regularly uses a mobile phone. More and more of these users now own a smartphone too, and the latest data suggest that more than half of the world’s population now uses one of these powerful devices.

Global Digital Snapshot

The rapid spread of smartphones has led to significant growth in the number of mobile internet users. The number of people around the world accessing the internet via mobile reached almost 3.4 billion during early April 2017 according to the author.

Additionally, 93% of all internet users now go online via mobile devices (phones or tablets), and with the majority of new internet users now ‘phone first’, mobile’s share is likely to increase even more.

With all of this increased access, We Are Social writes that global social media users now total more than 2.9 billion. This means that social media users are still increasing at a rate of more than 1 million per day – that’s 14 new users every second.

Global Internet Use and Penetration

The article observes that mobile social media continues to see the fastest growth across all our key data points. In the past 3 months mobile social media users grew by more than 1.6 million new users every day. The total number of people around the world accessing social media via mobile devices now stands at just under 2.7 billion, representing global penetration of 36%.

Where do all of these mobile social media users go? Of course, they go to Facebook (FB). The research says that Facebook dominates the social world. The latest data suggests that the world’s favorite social platform adds more than a million new users every day.

Facebook Usage Analysis

Asia is the center of Facebook’s growth. Much of that growth came from India. With almost 250,000 new users in the country every day, the author speculates there’s a good chance that India will overtake the US to become Facebook’s most active market by July 2017. Bangkok is Facebook’s most active city, with roughly 30 million people in Thailand’s capital using the platform.

rb-

It should be obvious to any marketer that firms need to remake their customer engagement plans and implement real-time interaction with their customers. Simon Kemp of We Are Social said:

“Half of the world’s population is now online, which is a testament to the speed with which digital connectivity is helping to improve people’s lives … Given this latest data, it’s probably time for us to stop referring to social as ‘new media’, and integrate it more seamlessly into our day-to-day activities.”

I think Mr. Kemp is too optimistic when he says that “digital connectivity is helping to improve people’s lives.” Followers of the Bach Seat know that too much social media is bad for you.

What’s a Lifetime on Social Media?

From the scary stats department – In 2015, time spent on mobile apps exceeded time spent watching TV for U.S. consumers, according to TechCrunch. And now influencer marketing agency MediaKix has calculated more scary social media statistics. Social media users will now spend years online during their lifetime.

Growth on many of the top social media platforms continues to rise as each network rolls out new features and functionalities to better compete for users’ daily time. It must be working: not only is the number of people using social media increasing, but the time people spend each day on social media is increasing too. MediaKix says that Facebook (FB) users alone are spending an average of 50 minutes each day on the site.

To see how much time the average person will spend on social media throughout their life, MediaKix calculated the daily averages people spend on today’s most popular social media platforms:

The advertising firm says these social media consumption rates, projected across a lifetime, total:

  • YouTube: 1 year, 10 months
  • Facebook: 1 year, 7 months
  • Snapchat: 1 year, 2 months
  • Instagram: 8 months
  • Twitter: 18 days

Cumulatively, this adds up to a total of 5 years and 4 months spent on social media across a lifetime. Compare the time spent on social media against more mundane life activities:

  • Social Media: 5 years, 4 months
  • Eating & Drinking: 3 years, 5 months
  • Grooming: 1 year, 10 months
  • Socializing: 1 year, 3 months
  • Laundry: 6 months

The Santa Monica, CA firm projected the social media figures across an entire lifetime and put the numbers into the infographic below.

How much time do people spend on social media?

rb-

I have argued for a while that the social media fake news issue is a result of the American educational system. Schools are so obsessed with teaching the Common Core that they don’t teach any analytical skills. Schools need to reinstate current events and media literacy classes.

Quartz cited a survey that found that teens prefer Facebook as a news source (41%), while tweens break between YouTube (41%) and Facebook (37%). By huge margins, girls prefer Facebook for news, and boys, YouTube.

The converging trends of more time spent online, preferring social media as a news source and no media education are putting democracy at risk.

Search Engine Journal offers some good suggestions on how to evaluate if a story is real or fake.

What is the Site? – Most major recognized sources for news journalism are not going to be producing clickbait fake news. Most sites that go for “shock” value and produce fake stories are not as well recognized. Look into the source itself and see whether it is a website that can be trusted.

Check the Domain – Many fake news stories use URLs and domain names similar to those of reputable news sources, but rather than a .com they use .com.co endings.

What are the Authors’ Sources? – Good news stories contain links to other reputable reporting by respected organizations. Be wary of sources that cannot substantiate their claims.

Fact Check! – When in doubt, fact-check the information that you read! You can start with a simple search to look into the keywords or the event that is being reported on. You can also use sites like PolitiFact, FactCheck, and Snopes.

Examine the Website Closely – Look at the full spectrum of details on the site. Are there other fake-looking or shocking headlines? What does the overall website look like? How is the user experience? Sometimes doing just a little further digging will make it clear if a news story is fake.

Act! – Once you identify if a story is real or fake, you can make a big difference. Do not share stories on social media that are fake and make them more visible. If you notice a friend or family member share a fake story on a social media outlet, do them a favor and comment or message them showing how you found out it was fake so they don’t repeat the same mistake.

If you come across a fake news article, comment on it stating how you arrived at the conclusion it was fake. If everyone does their part to distinguish fake news stories and make them known, then they won’t be shared as easily.

Your Mobile is Leaking

There is a vulnerability in the global phone system that allows hackers to get access to others’ telephone data using nothing but a phone number. The flaw is in Signaling System 7 (PDF), or SS7, which is a set of telephony signaling protocols that exchanges information between telephone networks.

The Register points out that SS7 signalling technology was developed in the 1970s and hasn’t been updated since, even though the systems have since become accessible over the internet. The reported weakness in SS7 allows hackers or TLAs to exploit the vulnerability with nothing more than the phone number of the user they’re targeting to listen to phone calls, read text messages and track the user’s location.

A white paper (PDF) by independent cyber-security company Positive Technologies explains:

The process of placing voice calls in modern mobile networks is still based on SS7 technology which dates back to the 1970s. At that time, safety protocols involved physical security of hosts and communication channels, making it impossible to obtain access to an SS7 network through a remote unauthorised host. In the early 21st century, a set of signalling transport protocols called SIGTRAN were developed. SIGTRAN is an extension to SS7 that allows the use of IP networks to transfer messages.

However, even with these new specifications, security vulnerabilities within SS7 protocols remained. As a result, an intruder is able to send, intercept and alter SS7 messages by executing various attacks against mobile networks and their subscribers.

The real-world result of the SS7 flaw, as Alex Mathews, technical manager EMEA of Seoul, Korea-based Positive Technologies, explained, is:

Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify identity of users/numbers.

SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook (FB), and is also part of second factor authentication for Google (GOOG) accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

If chat history is stored on the server, this information can also be retrieved.

The hack first came to light in 2014 when security researcher Karsten Nohl demonstrated it at a convention in Germany according to FierceWireless. CBS 60 Minutes (rb- That’s still on?) caused a mild ripple after they engaged Mr. Nohl to show the vulnerability to track a new iPhone that had been given to U.S. Rep. Ted Lieu (D-CA). Mr. Lieu, who holds a degree in computer science from Stanford, agreed to use the phone to talk to his staff knowing it would be hacked. From his office in Berlin, Mr. Nohl was able to track Mr. Lieu’s movements in Los Angeles as well as to read messages and record phone calls between Representative Lieu and his staff.

CBS correspondent Sharyn Alfonsi contacted representatives from CTIA who said that there have been reports of SS7-related security breaches abroad, “but (they) assured us that all U.S. cellphone networks were secure,” although Mr. Lieu was on a U.S. network when his phone was hacked from Germany.

The flaw “is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged,” Ms. Alfonsi reported. The four major U.S. wireless operators declined to discuss more specific questions from FierceWireless. When asked whether the flaw may threaten the privacy and security of subscribers, AT&T (T) and Verizon (VZ) deferred to CTIA, while Sprint (S) and T-Mobile (TMUS) declined to discuss SS7.

Representative Lieu has called for a congressional investigation of the vulnerabilities in SS7, writing that, “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials.” Lieu said the investigation should be conducted by the House Oversight and Government Reform Committee, of which he is a member.

The Register reports that Senator Ron Wyden (D-OR) recently joined Representative Lieu to send an open letter [PDF] to Homeland Security Secretary John Kelly asking for an update on its progress in addressing the SS7 design shortcomings. It also asks why the agency isn’t doing more to alert the public about the issue. The letter states in part:

We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.

rb-

It is important to understand that the wired and wireless telephone network that your phone connects to is not secure and probably never will be.

Telephone networks were not designed to be secure.

The most recent draft of the new Digital Identity Guidelines from NIST warns that:

Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.

You really have to wonder if this is related to the SS7 hole and why it is only being considered for removal. Maybe some of its TLA friends want the hole to stay in place.

I previously covered the SS7 flaw implications to SMS here.

What to Think About Before You Click

Readers of the Bach Seat know that the Internet can be a risky place. The typical advice to stay safe on the Intertubes is to think before you click. But why should you care, and what should you think about before you click on a link in your email or on Facebook?

Email is the leading source of attacks at home and at work. Kaspersky reports that over two-thirds of emails sent in 2014 were spam. Merely clicking on a spam link can lead to password and data theft, and even “drive-by” malware downloads. In order to stay safe at work and at home, ESET wants you to ask yourself these questions before you click on any link:

1. Do you trust the person sending or posting the link? People have gotten better at distinguishing good emails and links from bad. Nonetheless, you still need to be alert, so the first question to ask yourself is:

  • Do I trust the person sending or sharing this link? If you don’t recognize the name, the email account, or the content, delete it.

2. Do you trust the platform? Here’s what we mean by “platform”: A link shared on your company’s private Intranet is likely to be safe. But anybody can send you an email — so be skeptical.

Pay special attention to Twitter (TWTR) and Facebook (FB), as both social media sites have been hit by copious amounts of spam. Online security experts have found that many social media accounts are fake and pose a risk to anyone they come in contact with.

  • Researchers say that an average of 40% of Facebook and 20% of Twitter accounts claiming to represent a Fortune 100 brand are fake. 99% of malicious URLs posted on social media channels led to malware or phishing attacks.

3. Does this link coincide with a major world event? Cybercriminals seize any opportunity to get someone to click a link. They commonly use news events like natural disasters, Olympics and World Cups to lure victims to identity-theft or malware sites.

4. Do you trust the destination? Look at the link that has been shared. Does it go to a website you recognize? If you don’t trust, or don’t know, the destination, don’t click the link.

5. Is it a shortened link? The rise of social media, especially Twitter, has prompted people to shorten links for convenience. Bad guys can easily shorten scam links, making them harder to spot.

  • With shortened links, the advice is clear: ask yourself the above four questions and, if you’re still unsure, use LongURL or CheckShortURL to restore the shortened link to its original length.
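The “Check the Domain” step in the fake-news list earlier on this page (the .com.co look-alikes) and questions 4 and 5 here all come down to the same inspection of a link’s hostname. As an added example that is not part of the original posts, this Python helper applies those checks to a URL before anyone clicks; it also generalizes the .com.co case to a trusted name buried anywhere inside a longer hostname. The shortener list, the allowlist of “recognized” sites and the sample URLs are all constructed for illustration.

```python
"""Link triage for the 'think before you click' questions.

Added example, not code from the original posts. The shortener set,
the trusted-host allowlist and every sample URL are constructed.
"""
from urllib.parse import urlsplit

# Constructed: hostnames of widely used link shorteners (question 5).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Endings that read like a plain '.com' at a glance. The fake-news post
# names '.com.co'; the other two are constructed for illustration.
MIMIC_SUFFIXES = (".com.co", ".com.de", ".co.com")

# Constructed allowlist standing in for "a website you recognize".
TRUSTED_HOSTS = frozenset({"example.com", "www.example.com"})


def host_of(url: str) -> str:
    """Lower-case hostname of a URL, or '' if none can be parsed."""
    if "://" not in url:
        url = "http://" + url  # a bare 'example.com/story' still parses
    return (urlsplit(url).hostname or "").lower()


def brand_names(trusted) -> set:
    """'www.example.com' -> 'example.com': the name a reader keys on."""
    return {h[4:] if h.startswith("www.") else h for h in trusted}


def classify_link(url: str, trusted=TRUSTED_HOSTS) -> str:
    """Return 'invalid', 'trusted', 'shortened', 'lookalike' or 'unknown'.

    trusted   - the host is, or is a subdomain of, an allowlisted site
    shortened - the real destination is hidden behind a shortener
    lookalike - a trusted brand appears in the host, but the host is not
                the trusted site (example.com.co, example.com.evil.net)
    unknown   - none of the above; fall back to the other questions
    """
    host = host_of(url)
    if not host:
        return "invalid"
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    if host in KNOWN_SHORTENERS:
        return "shortened"
    labels = host.split(".")
    for brand in brand_names(trusted):
        stem = brand.split(".")[0]  # 'example'
        # Mimic ending: 'example.com.co' puts the brand just before '.com.co'.
        if host.endswith(MIMIC_SUFFIXES) and len(labels) >= 3 and labels[-3] == stem:
            return "lookalike"
        # Brand buried inside a longer host, matched on whole labels so that
        # 'notexample.com.co' is not flagged but 'example.com.evil.net' is.
        if f".{brand}." in f".{host}.":
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, one per verdict.
    for sample in (
        "https://www.example.com/news/story",
        "http://example.com.co/breaking",
        "https://login.example.com.evil-news.net/reset",
        "https://bit.ly/abc123",
        "https://unknown-site.org/",
    ):
        print(f"{classify_link(sample):10} {sample}")
```

A “shortened” verdict is the cue to expand the link with a service such as LongURL or CheckShortURL and run the expanded destination through the same function.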

rb-

Even if you follow this advice, you still need to be alert. If, for whatever reason, you’re unsure, you could pick up a phone and call them (Did you remember that you can talk to people on phones?) to verify that they did indeed send that information and maybe talk about something else too.