
Mozilla turns off “Firefox Send” following malware abuse reports

What do you do when you need to send a file to someone you don’t interact with a lot?

Many of us use email attachments for small files, because it’s quick and easy to share modest amounts of data that way.

Sure, the attachment will probably lie around in the recipient’s mailbox for days, or months, or even years, which might not be quite what you had in mind…

…but when you send someone else a file, you can’t control what they do with it anyway, or how long they keep it, or how widely visible it is on their corporate network after they save it.

But email is no good for large files such as audio data or videos, because most email servers quite reasonably have a low limit on message sizes to stop the system getting clogged up by attachments.

So the usual fallback for sending files that you can’t or don’t want to transmit via email is to use a file sharing service instead, which is rather like using webmail, only without the messaging part.

You upload the file to a file sharing site, optionally setting various options that describe which other users can see it, and for how long, and then send the recipient an email that contains a download link where they can fetch the file at their leisure.

That worrying feeling

If you routinely use file sharing services, however, we’re sure you’ve experienced that worrying feeling that comes whenever you browse through the list of files you’ve shared in the past, especially if you were sending a file to someone you don’t deal with often.

What on earth was that file test-footage-march-unedited.mov you once sent, and who on earth are the four users on the access control list?

Can you delete the file temporary-backup-of-event-pics.zip that you shared two years ago, and did you ever make a permanent backup, and if so, where did the file backup-to-keep-forever.zip end up anyway?

The annoyance – and the small but ever-present cybersecurity risk – in leaving a litter of old files behind in various third-party websites is one that affects many of us…

…which is why we are occasional but enthusiastic users of Firefox Send, a free service from Mozilla that aims to let you share large files easily, but without the worry of what gets left behind and forgotten about.

When you upload a file to send DOT firefox DOT com, it gets encrypted in your browser before any data is sent into the cloud; the decryption key is encoded into the URL for downloading the file; and the link thus generated is (by default, at least) valid for one download or 24 hours, whichever comes first.

If the recipient downloads the file using the link you send them, the data gets decrypted in their browser only after it has been downloaded, and then it vanishes from Mozilla’s servers forever.

If both you and the recipient forget about the uploaded file altogether, then it vanishes anyway and you don’t have to wonder if it’s still sitting around somewhere for someone else to download.

While the file is still on Mozilla’s servers, the pre-upload encryption means that even Mozilla can’t decrypt the file anyway, because only the encrypted data was uploaded and not the key.

(In fact, given that the temporarily stored files are no more use than shredded cabbage to Mozilla – or to any network hackers, law enforcement agents, data protection regulators and so on – there is every incentive for Mozilla to delete the files as promised, in order to recover disk space that would be completely wasted otherwise.)
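As an added illustration (not Mozilla's code, and not the service's real wire format), here is a small Python model of the design described above: the sender encrypts before upload, the key travels only in the URL fragment, and the server holds ciphertext that it purges after one download or 24 hours. A stand-in stream cipher built from HMAC-SHA256 replaces the browser's authenticated cipher so the example runs on the standard library alone; the hostname send.example is a placeholder.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# --- Toy authenticated cipher (assumption: stands in for the browser's AEAD) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length from HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the one link key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. This is what leaves the sender's machine."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob is rejected, not decrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- The service side: ciphertext plus expiry metadata, never the key ---

class SendServer:
    def __init__(self):
        self._store = {}  # file_id -> [blob, expires_at, downloads_remaining]

    def upload(self, blob: bytes, now: float, ttl_seconds=24 * 3600, max_downloads=1) -> str:
        file_id = secrets.token_urlsafe(8)
        self._store[file_id] = [blob, now + ttl_seconds, max_downloads]
        return file_id

    def download(self, file_id: str, now: float):
        """Hand out the blob if the link is still live, then purge on the last download."""
        rec = self._store.get(file_id)
        if rec is None:
            return None
        blob, expires_at, remaining = rec
        if now >= expires_at:
            del self._store[file_id]  # time limit reached: purge without serving
            return None
        rec[2] = remaining - 1
        if rec[2] <= 0:
            del self._store[file_id]  # one-download link: gone after this request
        return blob

    def stored_blob(self, file_id: str):
        """What an insider or a seized disk would show: ciphertext or nothing."""
        rec = self._store.get(file_id)
        return None if rec is None else rec[0]

# --- The sender's and recipient's browsers ---

def share_file(server: SendServer, plaintext: bytes, now: float) -> str:
    """Generate a fresh key, upload only the ciphertext, and put the key in the fragment."""
    key = secrets.token_bytes(32)
    file_id = server.upload(encrypt(key, plaintext), now)
    return f"https://send.example/download/{file_id}#{key.hex()}"

def request_sent_to_server(link: str) -> str:
    """Browsers send path and query in the HTTP request; the #fragment never leaves the client."""
    p = urlsplit(link)
    return p.path + ("?" + p.query if p.query else "")

def fetch_file(server: SendServer, link: str, now: float):
    """Recipient side: download the blob, then decrypt locally with the key from the fragment."""
    p = urlsplit(link)
    blob = server.download(p.path.rsplit("/", 1)[-1], now)
    if blob is None:
        return None  # link expired or already used
    return decrypt(bytes.fromhex(p.fragment), blob)
```

The model shows the three properties the text relies on: the request reaching the server contains no key, the stored blob never contains the plaintext, and a second or late download returns nothing.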

What’s good for the goose

Unfortunately, as with so many simple, free and effective online services, what’s good for the goose is good for the gander, too.

In other words, crooks love Firefox Send just as much as we do, because it lets them generate short-term links based on trusted URLs for sharing arbitrary files without leaving any leftover data in the cloud.

The problem is that in the case of the crooks, they’re typically using Firefox Send for what you might call “data infiltration” – a way of importing malware files or attack tools onto a network they’ve already broken into without drawing undue attention to themselves.

That sort of operational tactic goes by the name of living off the land – a slightly misplaced metaphor, to be sure, but one that is now widely used in the cybersecurity industry to mean “fitting right in with everyday behaviour on the network”.

By using Firefox Send, the crooks don’t need to set up a file sharing server of their own at a legitimate-looking URL, and they don’t have to worry about making sure their URLs expire automatically after use.

Links that work only once are a thorn in the side of security researchers, because even if you manage to acquire a full URL as an indicator of compromise, you can’t go back to the URL to investigate what malevolent baggage it might have served up when it was used.

The crooks also make themselves harder to track because their malicious content is effectively hiding in plain sight at an IP number operated by Mozilla.

What now?

Hats off to Mozilla and the Firefox team: following recent suggestions from cybersecurity researchers that some tweaks to the service might be a good idea, such as a [Report Abuse] button to make it quick and easy to get dodgy links blocked…

…the company has suspended its service temporarily to address the issues, rather than simply handing out vague promises to look at changes in the future:

Firefox Send is temporarily unavailable while we work on product improvements.

We appreciate your patience while we make the Firefox Send experience better.

The holding page doesn’t actually say that the outage relates to the problem of abuse by cybercriminals, but Mozilla has issued a statement to say:

Before relaunching, we will be adding an abuse reporting mechanism to augment the existing Feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox Account.

Until now, you could use Firefox Send without creating a Firefox account, although that limited your links to at most 24 hours, but it looks as though the days of free-in-all-senses use of Firefox Send are over.

We’re not sure quite how much of a dent Mozilla will make in the abuse of the service by requiring even occasional users to stump up email addresses and create yet another cloud account, but the organisation seems determined to keep the service alive while addressing the community’s genuine concerns.

What do you think?

Does your organisation block sites like Firefox Send anyway?

If so, do you think these changes will make you rethink your policy, given that Send’s auto-encrypt-before-upload and auto-purge-after-download features give you two fewer things to worry about when sending files via the cloud?


Kinda sorta weakened version of EARN IT Act creeps closer

There are gut-churning tales of online child sexual abuse material (CSAM).

Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section: a man had “expressed excitement for his soon-to-arrive ‘new material,’ sharing an in-utero picture of his unborn child with an online network of abusers.”

Now that the EARN-IT Act has crept closer to a full Senate hearing, we’re that much closer to finding out whether the bill can really help stem the flood of online CSAM, whether it’s a barely veiled attack on online privacy and end-to-end encryption, or all of the above.

During Thursday’s hearing on the bill, which they’d amended the day before, the proposed law’s co-sponsors stressed that it’s not a wooden stake to stick in encryption’s heart. Senator Richard Blumenthal claimed that the bill “is not about encryption and it never will be.” The other co-sponsor, Senator Lindsey Graham, said that his goal “is not to outlaw encryption”. Well, at least not at this point, maybe: he called that “a debate for another day.”

The critics of the proposed law aren’t swallowing it.

The day before the hearing, the co-sponsors amended the act to make it appear, at least, to be more of a nudge than a cudgel. As explained by the Electronic Frontier Foundation (EFF) – a staunch critic of the bill – the new version now gives state legislatures the power to regulate the internet in the quest to battle CSAM, as opposed to a 19-person federal commission.

Nonetheless, it still threatens encryption, its critics say, albeit less blatantly.

In its first iteration, the EARN-IT Act proposed a commission to come up with best practices to battle CSAM. That commission would have been controlled by Attorney General William Barr. Given how often Barr has said that he thinks that encrypted services should be compelled to create backdoors for police, it was easy to see the legislation as an embodiment of a threat from Graham and other senators to regulate encryption in lieu of tech companies willingly creating those backdoors.

A reminder of what Graham threatened in December 2019, while grilling Facebook and Apple:

You’re going to find a way to do this or we’re going to go do it for you. We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.

But the Manager’s Amendment that was approved by the Senate Judiciary Committee didn’t eliminate the threat to encryption. Rather, as the EFF put it, the approved amendment instead “empowers over 50 jurisdictions to follow Barr’s lead in banning encryption.”

The amended bill also includes protections that purportedly keep the states from focusing on encryption. An amendment from Senator Patrick Leahy prohibits holding companies liable because they use “end-to-end encryption, device encryption, or other encryption services.”

That’s an improvement, but the threat to encryption hasn’t disappeared. The bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient. Known as client-side scanning, the approach would allow some messages to be selected and sent to the government, thereby sidestepping the protections of end-to-end encryption.

Section 230

The latest draft of the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act is still tinkering with a legal framework that’s already been tinkered with anyway: Section 230 of the Communications Decency Act (CDA).

In 2018, Congress passed the Fight Online Sex Trafficking Act (FOSTA) bill, with a carve-out meant to make it easier to prosecute online sex traffickers. Critics lambasted FOSTA for flattening the differences between sites that sell trafficked victims and sites that support victims who’ve escaped their captors, as well as for failing to differentiate between consensual and non-consensual sex work. Its passage led to Craigslist personals and some subreddits getting yanked and carried no real protection for victims of trafficking.

Similar to FOSTA, the EARN-IT Act would create a carve-out in Section 230 for fighting CSAM.

See you in court?

Under the changes made last week, the best practices created by the National Commission on Child Sexual Exploitation would be advisory. Does that mean that your liability won’t increase if you aren’t able to decrypt data? Not necessarily, given that complying with best practices won’t automatically trigger Section 230 immunity.

In short, service providers who do everything “right,” by implementing forward secrecy properly and by properly using ephemeral keys (i.e., temporary, single-use keys discarded after use), can’t count on being able to say, “sorry, we’re doing end-to-end encryption, can’t help.”

Instead, they’ll wind up having to defend themselves in court, according to the American Civil Liberties Union (ACLU):

The previous version of the bill suggested that if online platforms want to keep their Section 230 immunity, they would need to ‘earn it,’ by following the dictates of an unelected government commission. But the new text doesn’t even give them a chance. The bill’s sponsors simply dropped the ‘earn’ from EARN IT. Website owners—especially those that enable encryption—just can’t ‘earn’ their immunity from liability for user content under the new bill. They’ll just have to defend themselves in court, as soon as a single state prosecutor, or even just a lawyer in private practice, decides that offering end-to-end encryption was a sign of indifference towards crimes against children.

Where does this leave CSAM victims?

“We’re going to act,” Graham said. “This committee’s going to act.”

And so it did. Whether the amended act will help stop the spread of CSAM is another question, however. Senator Ron Wyden had urged the committee to table the bill so lawmakers could have more time to vet the proposal, to determine whether it would in fact do more harm than good.

Last week, Wyden was still calling for Congress to pass legislation that would, instead, boost funding and modernize IT systems for the National Center for Missing and Exploited Children.

His take on the EARN-IT Act:

By allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.

Flashy Nigerian Instagram star extradited to US to face BEC charges

The US has dragged a fancy-pants, Instagram-star, high-fashion-flaunting, alleged Nigerian scammer out of the United Arab Emirates (UAE) and into Chicago to face charges that he helped launder beaucoup bucks gouged out of businesses in business email compromise (BEC) scams.

His name is Ramon Olorunwa Abbas, aged 37, also known as “Ray Hushpuppi” and “Hush.” Abbas, a Nigerian national, arrived in Chicago Thursday evening after being extradited from the UAE. He made an initial court appearance in Chicago on Friday, but his case is expected to be transferred to Los Angeles in coming weeks.

As of Monday, you could still check out his public, uber-blingy Instagram account, where Abbas has 2.4 million followers. It lists him as a real estate developer. The photos show him slouching on pricey couches in luxury hotels, riding in charter jets, wearing fancy sneakers and designer clothes, sporting expensive watches, posing in or with Richie Rich cars – think Bentleys, Ferraris, Mercedes and Rolls Royces – and lavishing pictorial love on Dior this and Gucci that.

So much Gucci. In fact, Abbas’s Instagram account listed his Snapchat contact name as “The Billionaire Gucci Master!!!”

Here are the photos the DOJ featured in its criminal complaint:

[Image: Abbas on a fancy jet (source: Instagram)]
[Image: Abbas with fancy cars (source: Instagram)]
[Image: Abbas sitting in a Rolls Royce (source: Instagram)]

Where did all that moolah come from?

The FBI doesn’t think Abbas the real estate agent was selling solid-gold chateaus to fund this Gucci-rama. The DOJ is charging Abbas with allegedly conspiring to launder hundreds of millions of dollars in BEC and other scams that targeted a US law firm’s client, a foreign bank and an English Premier League soccer club, among others.

As the criminal complaint explains, BEC frauds often involve hackers gaining unauthorized access to a business’s email account, blocking or redirecting communications to and/or from that email account, and then using the compromised email account, or a spoofed email account, to communicate with targeted employees. They’ll try to wheedle a targeted company’s employees into placing unauthorized wire transfers to accounts they control – often, with help from money mules. After that, the crooks often launder the money by wiring or transferring it through numerous bank accounts, or by quickly withdrawing it.

FBI Special Agent Andrew John Innocenti writes in the complaint that Abbas and his alleged conspirators allegedly ripped off an unnamed client of a New York law firm for a whole lot of shopping-spree cash: around USD $922,858. Abbas and co-conspirators allegedly tricked one of the law firm’s paralegals into wiring money intended for the client’s real estate refinancing, redirecting the money to a bank account under their control.

That’s what BEC scammers do: they spoof emails to convince a target that they’re supplying product X in order to receive payment Y, so please make sure to send payment to bank account number “kiss it goodbye.”

Another USD $14.7 million came from a foreign financial institution. Plans were in the works to launder tens, and at times hundreds, of millions of dollars and UK pounds sterling from other schemes and computer break-ins, including one that entailed stealing money from an English Premier League football club.

The Department of Justice (DOJ) said on Friday that Abbas was arrested last month in Dubai before being handed over to the FBI.

Dubai, Paris, UK, US: like most BEC scams, the money flowed through a tangle of countries and banks, making it tough to investigate and making the con artists tough to bust, US Attorney Nick Hanna said in the DOJ’s release.

BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system.

This case targets a key player in a large, transnational conspiracy who was living an opulent lifestyle in another country while allegedly providing safe havens for stolen money around the world.

Paul Delacourt, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, noted that in 2019 alone, the FBI recorded $1.7 billion in losses by victimized companies and individuals who were targeted in BEC scams. If Abbas is found guilty, it will mean that one major BEC player will have been knocked offline, but there are plenty more out there, ready to pounce on those who don’t know how to protect themselves:

BEC scams represent the most financially costly type of scheme reported to the FBI. I urge anyone who transfers funds personally or on behalf of a company to educate themselves about BEC so they can identify this insidious scheme before losing sizable amounts of money.

Maximum prison sentences are rarely handed out. But if Abbas gets convicted of conspiracy to engage in money laundering, and if he happens to be the unlucky exception to this general rule, he’ll be looking at a maximum sentence of 20 years in federal prison.

How to keep from being fleeced

There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.

As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

North Carolina’s Cabarrus County, which fell for a BEC scam to the tune of $1,728,083 that it paid to a scammer posing as a building contractor in August 2019, has said that it’s doing just that: it hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes, has held training for staff, and has implemented external checks to validate data received by the county.

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Here are more tips for both individuals and businesses:

Watch out for typos

As we saw in the case of crooks who nabbed the proceeds from a $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.

Watch out for weird requests.

In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed instead of snail-mailed. As Paul noted, that makes sense … for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

Report it.

Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?


Boston bans government use of facial recognition

It’s simple: Boston doesn’t want to use crappy technology.

Boston Police Department (BPD) Commissioner William Gross said last month that abysmal error rates – the technology misidentifies Asian, dark-skinned and female faces most of all – make Boston’s recently enacted ban on facial recognition use by city government a no-brainer:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Thus did the city become the second-largest in the world, after San Francisco, to ban use of the infamously lousy, hard-baked racist/sexist technology. The city council voted unanimously on the bill on 24 Jun – here’s the full text, and here’s a video of the 3.5-hour meeting that preceded the vote – and Mayor Marty Walsh signed it into law last week.

The Boston Police Department (BPD) isn’t losing anything. It doesn’t even use the technology. Why? Because it doesn’t work. Make that it doesn’t work well. The “iffy” factor matters most particularly if you’re Native American, black, asian or female, given high error rates with all but the mostly white males who created the algorithms it runs on.

According to a landmark federal study released by the National Institute of Standards and Technology in December 2019, Asian and black people are up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search. Commercial facial analysis systems vary widely in their accuracy, but overall, Native Americans had the highest false-positive rate of all ethnicities.

The faces of black women were often falsely identified in the type of search wherein police compare their images with thousands or millions of others in hopes of hitting a match for a suspect. According to an MIT study from 2018, the darker the skin, the higher the error rates. For the darkest-skinned women, two commercial facial-analysis systems had an error rate of nearly 35%, while two systems got it wrong nearly 47% of the time.

Boston city councilors put it this way: do we want to adopt this type of error-pockmarked surveillance, even as we’re attempting to untangle the knots of systemic racism? Councilor Ricardo Arroyo, who sponsored the bill along with Councilor Michelle Wu, had this to say ahead of the city council hearing:

It has an obvious racial bias, and that’s dangerous. But it also has sort of a chilling effect on civil liberties. And so, in a time where we’re seeing so much direct action in the form of marches and protests for rights, any kind of surveillance technology that could be used to essentially chill free speech or … more or less monitor activism or activists is dangerous.

Wu said that in the days of Black Lives Matter (BLM) protests and rising awareness, the last thing that Boston needs is a technology that’s part of the problem:

We’re working to end systemic racism. So ending the … over-surveillance of communities of color needs to be a part of that, and we’re just truly standing with the values that public safety and public health must be grounded in trust.

A recent, real-world example of a wrongful arrest came up during the city council’s discussions: that of Robert Williams. Williams, a black man living in Michigan, was arrested in January when police used automatic facial recognition to match his old driver’s license photo to a store’s blurry surveillance footage of a black man allegedly stealing watches.

As he described in an editorial published in the Washington Post last month, Williams spent the night on the floor of a filthy, overcrowded jail cell, lying next to an overflowing trashcan, without being informed of what crimes he was suspected of having committed. He’d simply been hauled away, handcuffed, as his wife and daughters watched.

I never thought I’d have to explain to my daughters why Daddy got arrested. How does one explain to two little girls that a computer got it wrong, but the police listened to it anyway?

The ACLU has lodged a complaint against the Detroit police department on Williams’ behalf, but he doubts it will change much.

My daughters can’t unsee me being handcuffed and put into a police car. But they can see me use this experience to bring some good into the world. That means helping make sure my daughters don’t grow up in a world where their driver’s license or Facebook photos could be used to target, track or harm them.

His wife said that she’d known about the issues with facial recognition. She never expected it to lead to police on her doorstep, arresting her husband, though.

I just feel like other people should know that it can happen, and it did happen, and it shouldn’t happen.

The Detroit Police Department (DPD) claims that it doesn’t make arrests based solely on facial recognition. It’s just one investigative tool that is “used to generate leads only.” The DPD had conducted an investigation that involved reviewing video, interviewing witnesses, conducting a photo line-up, and submission of a warrant package containing facts and circumstances, to the Wayne County Prosecutors Office (WCPO) for review and approval.

The WCPO in return recommended charges endorsed by the magistrate/judge for Retail Fraud – First Degree. A DPD spokeswoman told the Washington Post that since Williams’ arrest in January, the department has tweaked its policy, which now only allows the use of facial recognition software “after a violent crime has been committed.”

Boston’s “no, thanks” isn’t new

According to Boston-based WBUR, the BPD is currently using a video analysis system that could be used for facial recognition if the department opted to upgrade. The department has no intention of doing so: The BPD said at a recent city council working session that it wasn’t going to sign up for that part of the software update.

The bill comes with exceptions. It allows city employees to use facial recognition as user authentication to unlock their own devices, for one. Boston officials can also use the technology to automatically redact faces from images – but only if the automatic software doesn’t have the capability to identify people.

Boston might be one of the biggest cities to ban facial recognition, but it’s playing catchup with the communities that surround it in the Greater Boston area. That includes Somerville, Brookline, and Cambridge. Outside of Boston but still in Massachusetts, Northampton has enacted a ban, and Springfield moved to impose a moratorium on the technology as of February.

Without a national moratorium on the technology, though, facial recognition can still be carried out by federal agencies such as the FBI in any of those cities. Or in any other cities in Massachusetts. Or in their west-coast counterparts: besides San Francisco, those include Berkeley and Oakland, while Washington state has also passed a bill to rein in use of the surveillance tool.

At the federal level, the day after Boston city council voted to kick facial recognition to the curb, a bill was introduced that would put a moratorium on face recognition systems. It’s currently pending before the joint judiciary committee.

Facial recognition wasn’t reliable enough for Boston, or San Francisco, or Oakland, or Washington, or any of the other cities that have reined it in.

With its demonstrated problems, why would any other community want anything to do with this technology? And, to echo Williams’ question, Why are police allowed to use it, in spite of its well-documented, pathetic performance?

Monday review – the hot 11 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

