The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Only YOU can prevent a VPN Filter malware attack. That's a problem for the FBI.

with Bastien Inzaurralde


The FBI’s move to seize control of a network of half a million wireless routers and other devices infected with malicious software threw a wrench into a massive hacking campaign by a group linked to the Russian military. 

But the FBI is limited in how much it can do to disrupt the global botnet on its own. While the bureau got a court order last week to take over a domain at the botnet's core that allows the connected devices to launch attacks, it's now up to owners of the infected equipment to take active steps to prevent hackers from hijacking the devices again. 

That's not likely to happen anytime soon. In fact, ridding the infected devices of malware dubbed VPN Filter “is likely to take at least a year, if not multiple years,” said Vikram Thakur, technical director of the security response team at the cyberecurity firm Symantec. “To remove the malware, and update the router to be free of known security vulnerabilities, requires a degree of end user interaction with the router that is unlikely to happen in the short term."

It seems staggering that an average person needs to help the FBI disrupt a threat the U.S. government has blamed on the same Russian military-linked hacking group that breached the Democratic National Committee in the 2016 election. The group is sophisticated and usually targets government and military organizations. The malware it deployed could be used for a range of malicious purposes, including spying on the communications in industrial control systems used by power plant operators, water treatment facilities and other critical infrastructure operators. It also has a destructive component, capable of permanently disabling any infected device. And experts say the mass of zombie devices was apparently powerful enough to carry out a sequel to the NotPetya attack by Russian military hackers that wiped data from financial firms, government offices and other institutions around the world.

The fix the FBI is pushing is relatively simple: All people have to do is reboot their router or other devices. That will direct information from the infected routers to the FBI, instead of the hackers. As my colleague Hayley Tsukayama notes: "Simply hitting the power button without updating their router would leave users at risk, software experts warned. As a next step, they should download the latest firmware for their devices and change their password to further guard themselves against infection." The FBI and security researchers are issuing instructions, and they will also pressure Internet service providers to notify users about what they need to do, according to Thakur. 

But let's be honest: How likely is it that people will follow through? Or even get the message? Even if you're a security pro reading this, your less tech savvy relative -- let's say, your grandmother -- may need to heed this warning. So will any one of the hundreds of thousands of users in 54 countries across the globe potentially affected by the malware. 

The Trump administration acknowledged how hard it is to motivate consumers when law enforcement seeks their help to bring down botnets, in a long-awaited report on botnet threats released Wednesday. It’s tough to get people to care -- often, they’re simply unaware that their devices have been compromised, the report found.

“From the consumer’s perspective, the webcam is still streaming, or the refrigerator is still chilling,” the report read. “For this reason, it may be challenging to hold owners responsible if their devices are used in a botnet. This lack of clear consequences of infection creates a challenge in motivating consumers to take steps to improve security — for example, to update those devices that are updateable.”

But the threat is everywhere, and average people's buying habits are to blame. The proliferation of Internet-connected devices has paved the way for a surge in increasingly sophisticated and disruptive botnet attacks in recent years, including a 2016 attack that rendered major sites such as Twitter and PayPal inaccessible to users around the world.

The U.S. was concerned enough to commission the report, which was released by the Department of Commerce and the Department of Homeland Security. It was a major component of the executive order on cybersecurity President Trump issued last May, which broadly sought to hold top agency officials more accountable for responding to cyber incidents.

One way to address the problem, the report found, would be to encourage manufacturers to equip their devices with security features such as automatic updates before they bring them to market and avoid asking users to make upgrades themselves. “It is unrealistic to expect home users and small business proprietors to become security experts,” it read. “Ideally, devices marketed toward consumers should be designed with security built in.”

But for now, things may move slowly. If past botnet attacks are any indication, Thakur said, the devices “remain vulnerable for years, until maybe one day the hardware itself fails and the owner decides to go to the store and buy a new one.”


PINGED: The Department of Homeland Security told Sen. Ron Wyden (D-Ore.) in a letter that the agency has received reports that “nefarious actors may have exploited” the SS7 messaging system, which allows cellphone users to switch networks while traveling, to spy on Americans' communications, The Washington Post's Craig Timberg reports. “I don’t think most Americans realize how insecure U.S. telephone networks are,” Wyden said in a statement. “If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren't just hypotheticals.”

“Researchers say that SS7 tracking systems around the world now create millions of 'malicious queries' — meaning messages seeking unauthorized access to user information — each month,” Timberg writes.

Wyden also said in a letter on Tuesday that “one of the major wireless carriers” told his office that it reported to law enforcement a breach linked to SS7. Customers' data was accessed in that incident, Wyden said in his letter to Federal Communications Commission Chairman Ajit Pai. Wyden slammed the FCC, saying it “has done nothing but sit on its hands, leaving every American with a mobile phone at risk.”

“Although the security failures of SS7 have long been known to the FCC, the agency has failed to address this ongoing threat to national security and to the 95% of Americans who have wireless service,” Wyden wrote.

PATCHED: Kaspersky Lab's troubles in the United States continue. U.S. District Judge Colleen Kollar-Kotelly of Washington on Wednesday dismissed two lawsuits by the Russian firm that challenged a U.S. government ban on the company's software, CyberScoop's Patrick Howell O'Neill reports. “Kaspersky filed the lawsuits after its products were banned from U.S. government systems in both a Binding Operational Directive from the Department of Homeland Security and the 2018 National Defense Authorization Act. That ban goes into effect on Oct. 1, 2018,” Howell O'Neill writes. Kaspersky argued that the ban was unconstitutional and unduly harmed the company.

Kollar-Kotelly wrote that the portion of the NDAA banning Kaspersky software from U.S. government systems isn't a punishment of the Russian firm. “The law does not impose any form of historically recognized legislative punishment,” the judge wrote in her opinion. “It has an obvious and eminently reasonable nonpunitive purpose and, although the law has negative effects on Plaintiffs, those effects are not out of balance with the goal of protecting the Nation’s cybersecurity.”

In a statement, Kaspersky vowed to “vigorously pursue” an appeal of the decision and said the government bans “were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding.” DHS said in a September statement that the company could pose a threat to national security due to its ties to Russian intelligence agencies.

PWNED: Add a big name to the list of people who are frustrated by the European Union's new online privacy rules. "Commerce Secretary Wilbur Ross introduced a fresh irritant into strained transatlantic ties Tuesday when he complained that the E.U.’s new General Data Protection Regulation, which took effect last week, will prompt major changes in American companies’ responsibilities to protect consumers’ privacy," The Washington Post's David J. Lynch and Damian Paletta report.

Ross wrote in a Financial Times op-ed that the Trump administration supports GDPR's “goal of protecting personal online data while continuing to enable transatlantic data exchange.” Then he proceeded to list the things he found problematic about the law and said European authorities have failed to provide clear guidelines on how the law works: "The guidance on GDPR implementation is too vague,” Ross wrote. “EU authorities must provide clearer rules and a more predictable regulatory environment to support investment and innovation. We ask them to act quickly so that GDPR can be properly implemented.”


— Report-o-rama: The Trump administration on Wednesday released several reports as directed by Trump’s May 2017 cybersecurity executive order in addition to its report on botnets. The Commerce Department and the Department of Homeland Security released a report calling for “immediate and sustained improvements” in the way that the public and private sectors recruit and train cybersecurity professionals. There were almost 300,000 job openings in the field of cybersecurity as of August 2017, according to the report. Here are other takeaways from the report:

  • “Employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations.”
  • “Expanding the pool of cybersecurity candidates by retraining those employed in non-cybersecurity fields and by increasing the participation of women, minorities, and veterans as well as students in primary through secondary school is needed and represents significant opportunities.”
  • “Hiring considerations—including lengthy security clearance delays and onboarding processes—severely affect the sufficiency of the cybersecurity workforce.”

— The other cybersecurity reports issued on Wednesday explore modernizing federal IT, supporting entities that are considered critical infrastructure, promoting transparency in the marketplace and assessing the impact of an extended power outage following a cyber incident. "DHS has recommended ways to improve our federal risk posture and modernize the federal IT enterprise," Homeland Security Secretary Kirstjen Nielsen said in a statement. "Additionally, the Department has outlined how it will prioritize private sector access to tailored intelligence and capabilities in order to mitigate risk where a cybersecurity incident could result in catastrophic effects. Lastly, DHS worked closely with the Department of Commerce in crafting recommendations to improve the resilience of the Internet of Things ecosystem and dramatically reduce the ever-growing botnet threat."

— Sen. Amy Klobuchar (D-Minn.) and 18 other Democratic senators on Wednesday expressed alarm at national security adviser John Bolton's decision to end the White House cybersecurity coordinator position and asked him to reconsider the move. “Our country’s cybersecurity should be a top priority; therefore, it is critically important that the U.S. government present a unified front in defending against cyberattacks,” they wrote. “Eliminating the Cybersecurity Coordinator role keeps us from presenting that unified front and does nothing to deter our enemies from attacking us again. Instead, it would represent a step in the wrong direction. Again, we urge you to send a strong signal to the rest of the world that cybersecurity is a top priority by reconsidering the elimination of the Cybersecurity Coordinator.”

The other Democratic senators who signed the letter are Christopher A. Coons (Del.), Tammy Baldwin (Wis.), Tina Smith (Minn.), Cory Booker (N.J.), Elizabeth Warren (Mass.), Jeff Merkley (Ore.), Kirsten Gillibrand (N.Y.), Ron Wyden (Ore.), Sherrod Brown (Ohio), Chris Van Hollen (Md.), Bill Nelson (Fla.), Jeanne Shaheen (N.H.), Edward J. Markey (Mass.), Tim Kaine (Va.), Richard J. Durbin (Ill.), Michael F. Bennet (Colo.), Mark R. Warner (Va.) and Jack Reed (R.I.).

— “The annual defense policy measure advancing in the Senate authorizes U.S. military hackers to go on the offensive against Russian attacks on the United States in cyberspace, while also mandating a cyber deterrence doctrine after lawmakers were disappointed in the Trump administration's latest policy,” Justin Doubleday writes in Inside Cybersecurity. “The Senate Armed Services Committee's fiscal 2019 defense authorization bill designates clandestine military operations in cyberspace as 'traditional military activities,' affirming the secretary of defense's ability to order cyber operations, according to a summary of the legislation released last week.”

Doubleday also writes that the bill incorporates Senate Armed Services Committee Chairman John McCain's (R-Ariz.) “cyber doctrine.” “The doctrine authorizes the defense secretary 'to develop, prepare, coordinate, and, when appropriately authorized to do so, conduct military cyber operations in response to cyber attacks and malicious cyber activities' by foreign powers,” according to Doubleday.

— More cybersecurity news about the public sector:

Special Operations Command Takes Aim At Enemies Hiding Files Inside Seized Electronics (Defense One)

California Senate defies AT&T, votes for strict net neutrality rules (Ars Technica)


— Private companies should not engage in "hacking back," not just because it's illegal but because it's a bad idea, the Council on Foreign Relations' Robert K. Knake wrote in a blog post on Wednesday. "Private companies hacking back scares many people in the cybersecurity policy community because, particularly in the current context, it could have companies starting wars that U.S. military will need to finish,” Knake writes. "We should all want to avoid an outcome where a company that under-invests in its own cybersecurity starts a conflict that will cost far more in blood and treasure than upgrading its firewalls.”

It doesn't mean that companies should just sit back while hackers attack or spy on them, Knake argues. He says one possible solution would be to create a mechanism for federal agencies to share threat intelligence with critical infrastructure companies, adding that the federal government already runs such a system called DIBNet that involves defense contractors.

"Creating a similar program for other critical infrastructure sectors, run by the Department of Homeland Security but connecting to the intelligence community and U.S. Cyber Command, would provide what the private sector wants, intelligence on threats and a counter offensive capability, while maintaining government responsibility for these activities,” Knake writes.

— More cybersecurity news about the private sector:

The Privacy Lawyer Giving Big Tech an $8.8 Billion Headache (The New York Times)

Mobile Malware Moves to Mine Monero (and Other Currencies) (Dark Reading)


New Zealand privacy watchdog seeks greater power over Facebook (Reuters)



Coming soon


White House Press Secretary Sarah Sanders chokes up answering a kid’s question about school shootings:

White House press secretary Sarah Huckabee Sanders held back tears responding to a child’s question about school shootings in the briefing room on May 30. (Video: Reuters)

This journalist faked his own death. Then he showed up at a news conference:

Russian journalist Arkady Babchenko shocked the world by turning up at a news conference in Ukraine the day after Ukrainian police had reported him dead. (Video: Sarah Parnass/The Washington Post)

How the Pusha T and Drake beef unfolded:

The Internet exploded on May 29 when rapper Pusha T released a dis track titled “The Story of Adidon,” aimed at his longtime rival Drake. (Video: Victoria Walker/The Washington Post)