Tag Archive for VZ

Scary SS7 Flaw Strikes Banks

Scary SS7 Flaw Strikes BanksLost in last month’s hub-bub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how to public phone system talks to itself to complete a phone call.

Telephone system Signaling System 7 The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was  a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

Central office equipmentGerman Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Ford Road CO in Dearborn Mi is the Oregon officeTwo-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are.  2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security warns in the article:

Two-factor authenticationWhile this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…

Cyber security researchers began issuing warning about this flaw in late 2014 about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016  and in March 2107. Maybe this will be the wake up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

man-in-the-middle attackIn 2014 security researchers first  demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, today, over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), use SS7 make sure their networks interoperate. This technology has not kept up with modern times.  In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

Carriers should use SS7 firewall to secure the SS7 networkThe Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLA’s would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

PoliticianThey recommend for text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

protect yourself Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Who Rules the Internet?

Who Rules the Internet?Singapore based ISP Vodien published an infographic which lists the 100 highest ranking websites in the U.S. by traffic, according to website analytics company Alexa. There are over 1.1 billion websites on the internet, but the majority of all traffic actually goes to a very small number of firms. Seven companies control 30% of the top 100 web sites and the related web traffic.

100 highest ranking websitesNot surprisingly Alphabet controls the most popular sites on the web, Google and YouTube. Surprisingly, Microsoft controls the most sites in the top 100. Redmond controls seven of the top web properties including recently purchased LinkedIn, Bing and Microsoft.com. For a long time, MSFT’s online efforts were a disaster. That seems to have changed with Azure, but I still hate Bing. According to the Vodien infographic Alphabet controls four of the most popular sites.

The Visual Capitalist points out that Google.com gets an astounding 28 billion visits per month. The next closest is also a Google-owned property, YouTube, brings in 20.5 billion visits.

Facebook (FB) controls two of the most popular web sites; Facebook (#3) and Instagram (#13).

Jeff Bezo’s firm Amazon (AMZN) directs four popular web sites;

The infographic says Verizon (VZ) now controls the Huffington Post (#49) and AOL (#59) and will control Yahoo (#5) and Tumlr (#12) if the deal closes in 2017 Q2.

Reddit.com comes in at #7 and Reddituploads.com is #61.

Online retailer eBay comes in as the #8 website.

POTUS favorite Twitter (TWTR) is the 9th ranked website and t.co is #25.

Video streamer Netflix comes in ranked #10 by Vodien.

Microsoft (MSFT) controls 7 of the top 100 web sites with recently purchased LinkedIn at #11, Live.com #14. so-so search engine Bing is #17, followed by Office.com (#23), Microsoft Online Services (#24), MSN (#37) and Microsoft.com (#41).


100 Websites that Rule the Internet

rb-

The consolidation of all of this web traffic is troubling. The current administration is going to allow online firms to sell all the personal information they collect to the government, data aggregators or anybody else to make a buck.

Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Hey Tech Spender

Hey Tech Spender-Update 04-26-2016- As if to prove my point, Democratic Presidential candidate Bernie Sanders just named Verizon one of America’s Top Ten Tax AvoidersVZ has a corporate tax rate of -2% for the last 6 years according to the post.

Just in time for the U.S. tax deadline, the Business Insider has a report which details the amount of money the tech titans spent on bribing lobbying the politicians in DC. Thanks to one of the small bits of transparency in the gooberment, the U.S. House of Representatives requires companies to file  government lobbying records. You can search their disclosures here at the Office of the Clerk of the House. (rb- Use this while you can, its likely to be shutdown at any time by politicians with things to hide.)

LobbyingThe most aggressive tech spender on lobbying in 2015 was Amazon (AMZN) according to research by Consumer Watchdog. The company spent $9.07 million (a company record) on lobbying in 2015, an incredible 91.4% surge from its 2014 spend dedicated to influencing federal regulations last year according to BI. Amazon lobbied Washington about:

LobbistsDespite Amazon’s aggressive lobbying, Google (GOOG) topped the list of tech companies for the second year in a row. Google spent $16.6 million in 2015 vs $16.83 million in 2014. The biggest spending tech firms spent over $122M lobbying Washington politicians. Here’s how the tech titans stacked up their money.

  1. Google: $16.6 million in 2015 vs $16.83M in 2014.
  2. Comcast (CMCSA): $15.63 million vs $16.8M in 2014
  3. AT&T (T): $14.86 million, up from $14.56M in 2014
  4. Verizon (VZ): $11.43 million, up 1.9% from $11.22M in 2014.
  5. Facebook (FB): $9.85 million from $9.34M in 2014, a company record.
  6. Amazon (AMZB): $9.07 million up 91.4% from 2014 .
  7. Microsoft (MSFT): $8.49 million vs $8.33M in 2014.
  8. Time Warner Cable (TWC): $6.8 million in 2015, down 13.2% from 2014.
  9. T-Mobile (TMUS) $6.14 million, up 1.7% from 2014.
  10. Apple (AAPL): $4.48 million in 2015 compared to $4.11M in 2014.
  11. IBM (IBM): $4.63 million, a 6.5% decrease from $4.9M in 2014.
  12. Intel (INTC): $4.55 million in 2015, up 19.7% from $3.80M in 2014.
  13. Oracle (ORCL): $4.46 million in 2015, down 23.5% from $5.83M in 2014.
  14. Cisco (CSCO): $2.69 million compared to $2.35M in 2014.
  15. Yahoo (YHOO): $2.84 million in 2015 vs $2.94M in 2014.

LobbyingBI reminds us that these may seem like big numbers, they’re a tiny part of these companies’ overall expenditures — in the third quarter of 2015, Google spent $3.47 billion on traffic acquisition costs (such as the price of its deal to remain the default search on Apple’s iPhone), and another $6.93 billion on other operating expenses.

rb-

I haven been writing about the tech’s industry lobbying efforts since 2010. Many of the names have remained the same, ATT, Verizon, Google, IBM, Yahoo and Intel have been bribing lobbying the gooberment for a very long time.

However just 5 years ago, Apple and Facebook were barely in the lobbying racket.  In 2015, they both ranked in the top in lobbying spending.

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

 

T-Mobile Ordered to Turn Over Most Customer Info

T-MT-Mobile Ordered to Turn Over Most Customer Infoobile received the most government requests for subscriber data in 2014 according to a report from CNET. U.S. governments made nearly 351,940 requests for data from T-Mobile (TMUS) in 2014. The author, Roger Cheng states that the 351,940 government requests for data is the most out of any of the four national wireless carriers.

T-Mobile logoThe number 4 U.S. carrier by subscriber base recently released its first transparency report. The article breaks down the government requests for T-Mobile information:

  • 177,549 criminal and civil subpoenas
  • 17,316 warrants
  • 3,000+ wiretap orders
  • Between 2,000 and 2,250 national security requests,
  • 8 requests from foreign governments.

These numbers represent an 11% increase in government demands for subscriber information over last 2013.

The article claims that Verizon and AT&T each have twice as many customers, but T-Mobile fielded more requests than its rivals.

  • Verizon (VZ) with 132 million subscribers in Q4 of 2014, saw 287,559 government requests.
  • AT&T (T), with nearly 121 million subscribers in Q4 of 2014, saw 263,755 government requests,
  • Sprint (S) with 55.5 million subscribers in Q4 of 2014, saw 308,937 government requests.
  • T-Mobile with just over 55 million subscribers in Q4 of 2014, saw 351,940 government requests.

Here is how the four wireless carriers government information requests compare.

CarrierSubscribersSupeanasWarrantsWireTap OrdersTotal Requests
Verizon132 million138,158`31,2141,433351,940
AT&T121 million201,75420,9852,420263,755
Sprint55.5 million308,93713,5403,772308,936
T-Mobile55 million177,43917,3163,087251,940
Totals358.5 million826,28883,05510,7121,176,571

Transparency reports have become increasingly popular over the past year as civil liberties groups, shareholder and consumer advocates have pressured companies to be more open about when they disclose customer information. The article claims T-Mobile was the last of the four national carriers to issue a transparency report, which comes amid continued scrutiny of surveillance programs run by U.S. three letter agencies and friends— including the bulk collection of phone call data — that were revealed when former NSA contractor Edward Snowden leaked classified government documents.

The author notes that companies aren’t under legal obligation to show the data in transparency reports, but have been willing to share with the hope that the reports will help repair their reputations, which have been damaged by the Snowden revelations of the past two years.

rb-

surveillance programs This data only represents data requests where they bothered to follow U.S. laws to legally request data. How much more is there sitting in a data warehouse in the sky?  

Why is the T-Mobile number so high? Is it bad luck? Do they fight the requests the most? Are they playing ball with the TLA’s?  We may never know. VentureBeat speculates that the best way to measure how willing T-Mobile works with the government is by looking at the percentage of government requests to which T-Mobile delivered data. But T-Mobile refused to offer that information to VentureBeat.

“Regarding the additional question on breaking out the numbers further than what’s currently provided in the report, our systems were not designed to track the kind of detailed reporting that other companies engage in today,” a T-Mobile spokesperson wrote to VentureBeat.

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Mobile Malware FUD?

Mobile Malware FUD?Just last week, I wondered out-loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. Looks like I am not alone, TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?

Mobile malwareThe author cites several recent reports that back up the claim that the actual mobile threats that mobile devices introduce into the enterprise is overstated. The data indicates that the mobile malware threat is statistically small and has even decreased since 2012.

• A McAfee report shows out of all the malware now out there, only 1.9% of it is mobile malware. The author equates the mobile threat to 4 million / 195 million McAfee knows about.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.”
hit by lighting• But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report that claims you have a better change of getting hit by lighting than by mobile malware. Dramballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.

Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.

Walled gardenThese reports may show mobile threats aren’t as big of a problem as previously thought, but the author asks, why the numbers are so low at all. After all, cyber criminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?

The truth of the matter is that mobile users tend to get their apps from high quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in apps after they’ve already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and the devices where they were downloaded. This limits malware’s ability to spread. (rb- I noted the advantages of Apple’s Walled Garden here),

remotely wipe devicesThe article concludes that companies that adopt BYOD should just ignore BYOD security; they just don’t have to go all-out like many businesses have done. Most mobile security experts say a mobile device management system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what they’re doing to protect every device that connects to their network.

rb-

What so you think?

Is mobile malware over-hyped FUD?

View Results

Loading ... Loading ...

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.