Router Vulnerability and the VPNFilter Botnet

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it’s a harbinger of the sorts of pervasive threats ­ from nation-states, criminals and hackers ­ that we should expect in coming years. VPNFilter is a sophisticated piece of malware that infects mostly…

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats ­ from nation-states, criminals and hackers ­ that we should expect in coming years.

VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. (For a list of specific models, click here.) It's an impressive piece of work. It can eavesdrop on traffic passing through the router ­ specifically, log-in credentials and SCADA traffic, which is a networking protocol that controls power plants, chemical plants and industrial systems ­ attack other targets on the Internet and destructively "kill" its infected device. It is one of a very few pieces of malware that can survive a reboot, even though that's what the FBI has requested. It has a number of other capabilities, and it can be remotely updated to provide still others. More than 500,000 routers in at least 54 countries have been infected since 2016.

Because of the malware's sophistication, VPNFilter is believed to be the work of a government. The FBI suggested the Russian government was involved for two circumstantial reasons. One, a piece of the code is identical to one found in another piece of malware, called BlackEnergy, that was used in the December 2015 attack against Ukraine's power grid. Russia is believed to be behind that attack. And two, the majority of those 500,000 infections are in Ukraine and controlled by a separate command-and-control server. There might also be classified evidence, as an FBI affidavit in this matter identifies the group behind VPNFilter as Sofacy, also known as APT28 and Fancy Bear. That's the group behind a long list of attacks, including the 2016 hack of the Democratic National Committee.

Two companies, Cisco and Symantec, seem to have been working with the FBI during the past two years to track this malware as it infected ever more routers. The infection mechanism isn't known, but we believe it targets known vulnerabilities in these older routers. Pretty much no one patches their routers, so the vulnerabilities have remained, even if they were fixed in new models from the same manufacturers.

On May 30, the FBI seized control of toknowall.com, a critical VPNFilter command-and-control server. This is called "sinkholing," and serves to disrupt a critical part of this system. When infected routers contact toknowall.com, they will no longer be contacting a server owned by the malware's creators; instead, they'll be contacting a server owned by the FBI. This doesn't entirely neutralize the malware, though. It will stay on the infected routers through reboot, and the underlying vulnerabilities remain, making the routers susceptible to reinfection with a variant controlled by a different server.

If you want to make sure your router is no longer infected, you need to do more than reboot it, the FBI's warning notwithstanding. You need to reset the router to its factory settings. That means you need to reconfigure it for your network, which can be a pain if you're not sophisticated in these matters. If you want to make sure your router cannot be reinfected, you need to update the firmware with any security patches from the manufacturer. This is harder to do and may strain your technical capabilities, though it's ridiculous that routers don't automatically download and install firmware updates on their own. Some of these models probably do not even have security patches available. Honestly, the best thing to do if you have one of the vulnerable models is to throw it away and get a new one. (Your ISP will probably send you a new one free if you claim that it's not working properly. And you should have a new one, because if your current one is on the list, it's at least 10 years old.)

So if it won't clear out the malware, why is the FBI asking us to reboot our routers? It's mostly just to get a sense of how bad the problem is. The FBI now controls toknowall.com. When an infected router gets rebooted, it connects to that server to get fully reinfected, and when it does, the FBI will know. Rebooting will give it a better idea of how many devices out there are infected.

Should you do it? It can't hurt.

Internet of Things malware isn't new. The 2016 Mirai botnet, for example, created by a lone hacker and not a government, targeted vulnerabilities in Internet-connected digital video recorders and webcams. Other malware has targeted Internet-connected thermostats. Lots of malware targets home routers. These devices are particularly vulnerable because they are often designed by ad hoc teams without a lot of security expertise, stay around in networks far longer than our computers and phones, and have no easy way to patch them.

It wouldn't be surprising if the Russians targeted routers to build a network of infected computers for follow-on cyber operations. I'm sure many governments are doing the same. As long as we allow these insecure devices on the Internet ­ and short of security regulations, there's no way to stop them ­ we're going to be vulnerable to this kind of malware.

And next time, the command-and-control server won't be so easy to disrupt.

This essay previously appeared in the Washington Post

EDITED TO ADD: The malware is more capable than we previously thought.

from https://www.schneier.com/blog/

Will the Roberts Court Defend Online Fake News?

A professor at the University of California Davis School of Law predicts Supreme Court justices will defend the First Amendment principles of free speech against government attempts to curb Internet abuses—even when those abuses involve promoting falsehoods online.

How will the Roberts Supreme Court weigh in on the emerging debate over how to prevent the abuse of online media and social networks?

A forthcoming paper argues that, although the justices are now evenly divided between “technology optimists and technology pessimists,” they are likely to defend the principles of free speech against attempts to regulate content on the Internet.

Ashutosh Bhagwat, a law professor at the University of California Davis School of Law, bases his prediction on several recent rulings—although he notes that it is “astonishing” that Internet and free speech issues have rarely been addressed in the 12 years since Chief Justice John Roberts was appointed.

“It seems inevitable that going forward, this is going to change,” Bhagwat writes in an article scheduled for publication this month in the Washington University Law Review.

“Recent calls to regulate ‘fake news’ and otherwise impose filtering obligations on search engines and social media companies will inevitably raise important and difficult First Amendment issues.”

Basing his analysis on reviews of several cases brought before the Roberts Court, Bhagwat identifies Justices Roberts and Samuel Alito as the “pessimist” justices most in favor of stricter regulation; and Justices Anthony Kennedy, Sonia Sotomayor, Ruth Bader Ginsburg, and Elena Kagan as those most aligned with defending free speech.

The remaining justices—Clarence Thomas, Stephen Breyer and Neil Gorsuch—are somewhere in the middle, he writes.

According to Bhagwat, the court’s future rulings on Internet issues can be gleaned from an analysis of several recent cases that touched on free speech and technology, most recently Brown v Entertainment Merchants Association (2011), and Packingham v. North Carolina (2017).

Packingham concerned a challenge to a North Carolina statute that forbade any registered sex offender from accessing a commercial social networking Web site where the sex offender knows that the site permits minor children to become members or to create or maintain personal Web pages.

The Court upheld the challenge, ruling the statute unconstitutional. Justice Kennedy, writing for the majority, held that First Amendment protections could be constitutionally extended to the “vast democratic forums of the Internet…and social media in particular.”

The Court’s decision in a non-Internet case, United States v. Alvarez, which upheld an individual’s right to make a false claim that he had received the congressional Medal of Honor, made clear that “even intentional falsehoods are entitled to some level of First Amendment protection, and there is no reason to expect that principle not to be extended” to cyberspace, Bhagwat wrote.

“Given the enormous risk of self-serving political manipulation or bias posed by government regulation of social media falsehoods on political topics, I would expect all the Justices to balk” at similar attempts to discipline the use of so-called fake news, he added.

Why Supreme Court Justices lean one way or another is uncertain, but Bhagwat argues the Roberts Court’s approach to free speech issues reflects the “longstanding tension in American political thinking between Jeffersonians who embrace change and individual autonomy at the cost of occasional disorder; and Hamiltonians, who embrace order at the cost of occasional limits on liberty.”

But the paper finds that more Justices lean in the direction of free speech and openness when it comes to regulating technology.

“I think it likely, but not certain, that a working majority of the Roberts Court will vote to fend off heavy-handed efforts to assert state control over new technology such as the Internet and social media,” he writes.

He cautions that for the “technology optimists” to succeed in future cases they only have to persuade one of the three “uncertain” Justices, whereas the technology pessimists would have to persuade all three.

Nevertheless, he adds, the most critical element in shaping how the Constitution is interpreted on these issues will be the regulatory initiatives emanating from Congress, the Federal Communications Commission (FCC), and state legislatures.

“If past history is any guide, content-neutral structural regulations such as the Net Neutrality policy adopted by the Obama-era FCC (and recently repealed by the Trump-era FCC) are likely to fare well in courts and the Court, especially given the existence of precedent, authored notably by Justice Kennedy, upholding similar structural regulations of cable television,” writes Bhagwat.

The full report can be downloaded here.

This summary was prepared by TCR news intern John Ramsey. Readers’ comments are welcome.

Internet Security Threats at the Olympics

There are a lot: The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof that this is a North Korean operation. The victim organizations include ice hockey teams, ski suppliers, ski…

There are a lot:

The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof that this is a North Korean operation. The victim organizations include ice hockey teams, ski suppliers, ski resorts, tourist organizations in Pyeongchang, and departments organizing the Pyeongchang Olympics.

Meanwhile, a Russia-linked cyber attack has already stolen and leaked documents from other Olympic organizations. The so-called Fancy Bear group, or APT28, began its operations in late 2017 --­ according to Trend Micro and Threat Connect, two private cybersecurity firms­ -- eventually publishing documents in 2018 outlining the political tensions between IOC officials and World Anti-Doping Agency (WADA) officials who are policing Olympic athletes. It also released documents specifying exceptions to anti-doping regulations granted to specific athletes (for instance, one athlete was given an exception because of his asthma medication). The most recent Fancy Bear leak exposed details about a Canadian pole vaulter's positive results for cocaine. This group has targeted WADA in the past, specifically during the 2016 Rio de Janeiro Olympics. Assuming the attribution is right, the action appears to be Russian retaliation for the punitive steps against Russia.

A senior analyst at McAfee warned that the Olympics may experience more cyber attacks before closing ceremonies. A researcher at ThreatConnect asserted that organizations like Fancy Bear have no reason to stop operations just because they've already stolen and released documents. Even the United States Department of Homeland Security has issued a notice to those traveling to South Korea to remind them to protect themselves against cyber risks.

One presumes the Olympics network is sufficiently protected against the more pedestrian DDoS attacks and the like, but who knows?

from https://www.schneier.com/blog/

Israeli Scientists Accidentally Reveal Classified Information

According to this story (non-paywall English version here), Israeli scientists released some information to the public they shouldn’t have. Defense establishment officials are now trying to erase any trace of the secret information from the web, but they have run into difficulties because the information was copied and is found on a number of platforms. Those officials have managed to…

According to this story (non-paywall English version here), Israeli scientists released some information to the public they shouldn't have.

Defense establishment officials are now trying to erase any trace of the secret information from the web, but they have run into difficulties because the information was copied and is found on a number of platforms.

Those officials have managed to ensure that the Haaretz article doesn't have any actual information about the information. I have reason to believe the information is related to Internet security. Does anyone know more?

from https://www.schneier.com/blog/

Australia Considering New Law Weakening Encryption

News from Australia: Under the law, internet companies would have the same obligations telephone companies do to help law enforcement agencies, Prime Minister Malcolm Turnbull said. Law enforcement agencies would need warrants to access the communications. "We’ve got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and pedophile…

News from Australia:

Under the law, internet companies would have the same obligations telephone companies do to help law enforcement agencies, Prime Minister Malcolm Turnbull said. Law enforcement agencies would need warrants to access the communications.

"We've got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and pedophile rings are up to because of the very high levels of encryption," Turnbull told reporters.

"Where we can compel it, we will, but we will need the cooperation from the tech companies," he added.

Never mind that the law 1) would not achieve the desired results because all the smart "terrorists and drug traffickers and pedophile rings" will simply use a third-party encryption app, and 2) would make everyone else in Australia less secure. But that's all ground I've covered before.

I found this bit amusing:

Asked whether the laws of mathematics behind encryption would trump any new legislation, Mr Turnbull said: "The laws of Australia prevail in Australia, I can assure you of that.

"The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia."

Next Turnbull is going to try to legislate that pi = 3.2.

Another article. BoingBoing post.

EDITED TO ADD: More commentary.

from https://www.schneier.com/blog/

San Francisco Transit System Target of Ransomware

It’s really bad. The ticket machines were hacked. Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet. Slashdot thread….

It’s really bad. The ticket machines were hacked.

Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet.

Slashdot thread.

How Different Stakeholders Frame Security

Josephine Wolff examines different Internet governance stakeholders and how they frame security debates. Her conclusion: The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes…

Josephine Wolff examines different Internet governance stakeholders and how they frame security debates.

Her conclusion:

The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes these debates significant and unique in the context of internet governance is not that the different stakeholders often disagree (indeed, that is a common occurrence), but rather that they disagree while all using the same vocabulary of security to support their respective stances. Government stakeholders advocate for limitations on WHOIS privacy/proxy services in order to aid law enforcement and protect their citizens from crime and fraud. Civil society stakeholders advocate against those limitations in order to aid activists and minorities and protect those online users from harassment. Both sides would claim that their position promotes a more secure internet and a more secure society -- ­and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

While vague notions of security may be sufficiently universally accepted as to appear in official documents and treaties, the specific details of individual decisions­ -- such as the implementation of dotless domains, changes to the WHOIS database privacy policy, and proposals to grant government greater authority over how their internet traffic is routed­ -- require stakeholders to disentangle the many different ideas embedded in that language. For the idea of security to truly foster cooperation and collaboration as a boundary object in internet governance circles, the participating stakeholders will have to more concretely agree on what their vision of a secure internet is and how it will balance the different ideas of security espoused by different groups. Alternatively, internet governance stakeholders may find it more useful to limit their discussions on security, as a whole, and try to force their discussions to focus on more specific threats and issues within that space as a means of preventing themselves from succumbing to a façade of agreement without grappling with the sources of disagreement that linger just below the surface.

The intersection of multistakeholder internet governance and definitional issues of security is striking because of the way that the multistakeholder model both reinforces and takes advantage of the ambiguity surrounding the idea of security explored in the security studies literature. That ambiguity is a crucial component of maintaining a functional multistakeholder model of governance because it lends itself well to high-level agreements and discussions, contributing to the sense of consensus building across stakeholders. At the same time, gathering those different stakeholders together to decide specific issues related to the internet and its infrastructure brings to a fore the vast variety of definitions of security they employ and forces them to engage in security-versus-security fights, with each trying to promote their own particular notion of security. Security has long been a contested concept, but rarely do these contestations play out as directly and dramatically as in the multistakeholder arena of internet governance, where all parties are able to face off on what really constitutes security in a digital world.

We certainly saw this in the "going dark" debate: e.g. the FBI vs. Apple and their iPhone security.

from https://www.schneier.com/blog/

DDoS Attacks against Dyn

Yesterday’s DDoS attacks against Dyn are being reported everywhere. I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That’s okay, really, because we don’t know anything much of anything about the attacks. If I had to guess, though, I don’t think it’s China. I think it’s…

Yesterday's DDoS attacks against Dyn are being reported everywhere.

I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know anything much of anything about the attacks.

If I had to guess, though, I don't think it's China. I think it's more likely related to the DDoS attacks against Brian Krebs than the probing attacks against the Internet infrastructure, despite how prescient that essay seems right now. And, no, I don't think China is going to launch a preemptive attack on the Internet.

from https://www.schneier.com/blog/