In recent months, privacy violations have continued without pause. Among the noteworthy developments, we find that “uncrackable” iPhone passwords can be cracked for the right price, a hacker’s multitool was being sold, mobile phone networks had more security flaws than expected, and poor IT housekeeping contributed to massive Distributed Denial of Service (DDoS) attacks.
Cellebrite, a mobile device specialist, can probably unlock all iPhone models, including the iPhone X. Another vendor, Grayshift, offers similar services priced at $15,000 for 300 unlocks. Access to locked iPhones had been a source of contention between Apple and the Department of Justice (DOJ) when Apple refused to unlock the phone of a terrorist. Now that it knows what to expect, the DOJ is unlikely to ask publicly for help unlocking a phone, unless a media spectacle is a big part of what it wants. The privacy of consumers is probably secure unless the DOJ thinks they committed a crime where phone evidence is worth $500, a very low bar for invading privacy.
An Arkansas hacker developed and sold a cyber multi-tool to aid other hackers in their criminal enterprises. He named the toolset NanoCore and sold it on Hack Forums. NanoCore includes the tools criminals usually need: a keylogger to record all keystrokes typed; a password stealer for extracting saved passwords; remote activation of webcams; the ability to view, delete and download files; ransomware; and a mechanism to force a computer to participate in DDoS attacks.
Huddleston confessed that NanoCore was used in a massive “spear phishing” scheme intended to infect thousands of victims’ computers. Huddleston was convicted and sentenced to 33 months in jail and 2 years of supervised release. As is too often the case, the prosecutor and court neglected to require full restitution to the victims of hackers using Huddleston’s tool. Making consumer victims whole is more important than coddling the criminal.
Mobile network engineers are scrambling to address flaws in the 4th Generation LTE mobile phone networks. The concerns come from “bugs in some carriers’ 4G LTE implementations and flaws in parts of the standard [that] could make anyone nationwide a target for hacks and surveillance.” In a review of the networks, 19 types of exposures were found that could be used to track device owners, eavesdrop on texts and sensitive data, and spoof location and warning messages like those used by government agencies and weather services. The flaws were unintentional and a little difficult to find since they were sometimes a result of slightly different implementations chosen by the competing networks. As mobile networks deploy 5G investments, we assume they will avoid reproducing these security exposures.
DDoS attacks have often used a force multiplier consisting of convenient, unsecured hardware not owned by the attackers. Earlier, DDoS attackers used low-level, unsecured, networked cameras and household devices (also called IoT) to magnify the force of the DDoS. The latest high-speed DDoS follows the same pattern, but it harnesses ultra-fast Memcached storage to take full advantage of high-speed connections.
Memcached refers to data cached in RAM instead of being fetched each time from an API, a database or a hard drive. Memcaching returns the sought data ultra-quickly by avoiding repeated reads from APIs, databases or hard drives.
In a recent series of DDoS attacks, the attacker sent batches of instructions to unsecured, ill-configured Memcached RAM, which reflected those instructions at very high speed to the targeted websites. “GitHub was first hit by a 1.35-Tbps memcached DDoS attack, and then a 1.7-Tbps attack on March 5.” While under DDoS attack, websites cannot perform the services their customers expect.
Aside from law enforcement’s unlocking of iPhones, all of the specific privacy exposures are being addressed. But similar attacks will recur. Design and implementation flaws in mobile networks require continual research and checking. The public needs hacker sentencing that includes full restitution — hackers should be unable to walk away while any of their victims still suffer losses.
While the sites operating unsecured Memcached storage may have been inconvenienced, the target websites and their users sustained the most disruption. The high-speed attack would have been thwarted if the Memcached RAM had been properly configured and secured. Enforcing proper cyber security procedures among the internet’s commercial users is an unresolved problem. The right security procedures are known, but the right coercion to motivate compliance is elusive.
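What "properly configured and secured" can look like for a Memcached host, as an added example that is not from the original article: a small auditor that reads memcached start-up options and reports the combination that lets a cache be used as a reflector. The article does not say which settings were at fault; the example assumes the reflection path is memcached's UDP listener on a non-loopback address, and both option sets are constructed.

```python
import shlex

# Constructed option sets in the one-option-per-line style of Debian's
# /etc/memcached.conf; neither is taken from a real host.
EXPOSED_CONF = """\
# cache reachable from any network, UDP listener on
-m 64
-p 11211
-l 0.0.0.0
-U 11211
"""
HARDENED_CONF = """\
# cache bound to loopback, UDP listener off
-m 64
-p 11211
-l 127.0.0.1
-U 0
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_options(conf_text):
    """Map each short flag to its value, skipping blank and comment lines."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts


def audit(conf_text, udp_on_by_default=True):
    """Return finding codes for settings that let the cache act as a reflector.

    udp_on_by_default is an assumption about the build: memcached releases
    before 1.5.6 open a UDP listener unless -U 0 is given.
    """
    opts = parse_options(conf_text)
    # With no -l option memcached listens on every interface.
    addrs = [a.strip() for a in opts.get("-l", "0.0.0.0").split(",")]
    off_host = any(a not in LOOPBACK for a in addrs)
    udp_on = opts["-U"] != "0" if "-U" in opts else udp_on_by_default
    findings = []
    if off_host:
        findings.append("listens-off-host")
    if udp_on:
        findings.append("udp-enabled")
    if off_host and udp_on:
        findings.append("udp-reflection-exposure")
    return findings
```

A host that must serve other machines still needs `-l` set to an internal address and a firewall rule in front of it; the auditor only reports what the options themselves expose.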