iPhone Hack Exposes Camera, Microphone, Texts, Even Passwords

When is a hack not a hack?  When an Israeli company sells it as a feature.  The company, NSO Group, sells the software to governments, among others.

The software allows the attacker to:

  • Control the camera
  • Listen to the microphone
  • Track the phone’s location
  • Intercept text messages
  • Intercept emails
  • Download the calendar data
  • Download your contacts
  • Record phone calls and messages from WhatsApp and Viber
  • Access iMessage, Gmail, Facebook, Skype and Line apps
  • And even extract passwords from the keychain

So much for iPhones being secure.

The software exploits three previously unknown (zero day) bugs; Apple released patches for iOS 9 and the iOS 10 beta this week.  iOS 9 users should be on version 9.3.5.

The exploit chain is called Trident since it uses three zero day bugs; the spyware it installs is sold under the name Pegasus.

It appears that governments used the software to target journalists and human rights workers.  Given this is a business for NSO, who knows who they went after.  I assume they had to sell many copies to stay in business.

The software gets loaded via text message.  YUP!  The attacker sends the victim a text message that looks like it came from The Red Cross or a news organization or even a tech company (Apple, perhaps).  If the user clicks on the link in the message, it is, as they say, game over.

NSO pleaded ignorance, of course.  They say that their customers sign a piece of paper that says that they are going to use it legally.

Sure, we will work with that.  First, how would NSO ever know if a customer used it illegally?  Second, what would they do if they did know – sue the government?  No, the piece of paper is cover fire in case they get outed, as it appears they did last week.

One interesting part of this story is that the software chains three zero day exploits together.  That is like Stuxnet (which used four) – and Stuxnet, by the way, also supposedly came from Israel.  Using three zero days at once is very risky because if you get outed you lose three very valuable assets, not just one or two.  And zero days are hard to come by.  At least we think they are.  Maybe not?!

So for all you iPhone users, install the patches right away.

Information for this post came from CNN.




Hotel Chain Learns Of Breach – When Secret Service Pays A Visit

It seems like I write one of these every day.  Today it is Millennium Hotels and Resorts, an international hotel chain based in Colorado.  They are saying that customers who used their credit cards at 14 of their hotels between early March and the end of June need to keep an eye on their credit card bills.

What is important here is not that another hotel has less than stellar information security practices.  It is not that the hackers were in the system for 4 months before they were detected (actually, that is less than the average of around 200 days).

What is important about this breach is how they (and we) found out about it: the United States Secret Service paid Millennium Hotels a visit and, to paraphrase that famous NASA quote, said “err, Boulder, we have a problem!”

What we don’t know is whether this is part of the Oracle Micros breach;  hopefully Millennium  will release more details soon.

What is important to point out is this.  They would not know today that they had been breached if the Secret Service had not paid them a visit.

Let that sink in for a minute.

The Secret Service can only work on a TINY fraction of all of the breaches out there due to limited resources.  Since this breach is not, in itself, huge, my suspicion is that it is part of a larger breach, hence my comment about Oracle above.

So if your company is not lucky enough (if that is the right term) to be breached in a way that the Secret Service thinks is important enough to work the case, you might never know that you have been breached.  Credit card fraud is relatively easy to detect because the banks see the fraudulent charges and trace them back to a common point of purchase; stolen intellectual property produces no such outside signal, which makes it ten times harder to detect.

This takes us back to former FBI Director Robert Mueller’s quote:

“I am convinced that there are only two types of companies:  those that have been hacked and those that will be.  And even they are converging into one category:  companies that have been hacked and will be hacked again.”

So if we take the depressing view that you are going to get hacked at some point in time, what does that mean?

It means you should plan to deal with it –

  • Create a cyber incident response plan
  • Identify and engage the third party resources that you will likely need in case of an incident, in advance.  The last thing you want to do after you have a breach is be negotiating the terms of a letter of engagement.
  • Identify your internal breach response team
  • Train that team so that they know what they should do in case of a breach.  Think of this as a cyber fire drill.
  • Review the results and tweak the system

Some of you may be old enough to remember the Cocoanut Grove fire in Boston in 1942.  It was – and still is – the deadliest nightclub fire in history.  492 people lost their lives.

Why did so many people lose their lives?  Because the club was not prepared for an event like this.  Today, many businesses are not prepared for a cyber breach incident and while, for the most part, people won’t die because of this, businesses will spend millions to hundreds of millions of dollars as a result.

After the Cocoanut Grove fire, United States building codes were revised.  Emergency exits were required, exit signs with independent power were required, flammable decorations were banned, along with other changes.

In the cyber security business, we have not had the equivalent of a Cyber Cocoanut Grove, although you would think that Target, Home Depot, Anthem Blue Cross or the Office of Personnel Management would qualify.

What is true is that behind the scenes there are a lot of efforts going on to legislate changes.  When or what we will see is not known.  Many businesses have realized that it makes sense to get in front of that freight train rather than looking at that bright headlight and wondering what is coming their way.

We are also seeing cyber insurance carriers refusing to pay out in case of breaches where they think the companies contributed to the breach in a way that violates the terms of the policy.

If your company is not ready for a Cyber Cocoanut Grove, now is the time to get started.

And, equally importantly, if your key vendors are not ready for a Cyber Cocoanut Grove, it is your tushy that is going to be in a tight spot.  The stories this week and last about all of these hotel and retail breaches that are tied to a third party should bring this part home.

If you need help with this, please contact us.

Information for this post came from the Denver Business Journal.

Information on the Cocoanut Grove fire can be found here.



VW Vulnerability Affects Almost Every VW Sold Since 1995

A few years ago, computer researchers discovered a problem with the VW keyless ignition system.  VW sued the researchers rather than fixing the problem and delayed the release of the information about the vulnerability for two years.   In VW’s defense, maybe it was difficult to close the vulnerability and it certainly would take time.

Apparently that ticked off the researchers, so they continued to dig and now they have found two other vulnerabilities – this time affecting the door locks of a hundred million cars.

The vulnerability affects almost every VW sold since 1995.

Researchers at the Usenix Security Conference revealed two different vulnerabilities.  One would allow attackers to unlock almost every car VW has sold in the last 20 years;  the other affects other brands too – ones that use the same HiTag2 keyless entry chip – like Alfa Romeo, Fiat, Ford, Mitsubishi, Nissan and others.

The two attacks are relatively easy to do – eavesdrop on the radio signal from the key fob and use it to make a working clone.  You could do it with a laptop or the Arduino board shown below (Photo from Wired Magazine).

VW Hack

The first attack, the one that affects the VW cars, works because VW hard coded a secret key into the car – the same key shared across millions of vehicles – and the researchers extracted it.  When you press the button to unlock the car, the fob’s transmission includes a value that is unique to that car (the same value every time).  The attacker’s laptop or Arduino eavesdrops on a single button press, combines that unique value with the extracted secret key, and voila: it can generate the unlock signal itself.

Apparently there is more than one secret key, but only a handful.  The four most common keys will unlock almost a hundred million cars.  The VW Golf 7 is different in that it uses a unique key per car!

The second attack breaks the HiTag2 crypto system.  HiTag2 uses a rolling code that changes unpredictably with every button press, so a simple replay of a captured signal does not work.  The researchers found a weakness in HiTag2 that lets them recover the key in about 60 seconds after eavesdropping on a handful of button presses.

The HiTag2 system is almost 20 years old and the manufacturer, NXP,  told car companies to replace it, but, apparently, VW hasn’t listened to them – yet.
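To make the difference between “replay the signal” and “hold the shared secret” concrete, here is an added example.  It is not code from the researchers, from VW or from NXP, and it is not the real VW or HiTag2 protocol: it is a toy keyless-entry scheme with a counter-based rolling code authenticated by a per-car key, where that per-car key is derived from one secret shared across the whole fleet.  The fleet secret, the key derivation, the frame layout and the 16-step acceptance window are all assumptions made for the illustration.  It shows that replaying a captured frame fails (the rolling counter does its job), that an attacker who has extracted the fleet secret can still mint the next valid unlock code from a single eavesdropped frame, and that a car with an independent random key, as the text says the Golf 7 has, rejects the forgery.

```python
import hashlib
import hmac
import secrets
import struct

# Assumption for the illustration: one secret burned into every car of a
# model family, from which each car's own key is derived. Constructed value.
FLEET_SECRET = b"toy-fleet-secret-shared-by-millions-of-cars"
TAG_LEN = 8          # truncated MAC appended to each frame
WINDOW = 16          # how far ahead of the last seen counter the car accepts


def derive_car_key(fleet_secret: bytes, car_id: bytes) -> bytes:
    """Toy key schedule: the per-car key is a deterministic function of the
    fleet secret and the car identifier (the weak design being illustrated)."""
    return hmac.new(fleet_secret, car_id, hashlib.sha256).digest()


def encode_frame(car_id: bytes, counter: int, cmd: bytes, key: bytes) -> bytes:
    """Frame = car_id(4) | counter(4, big endian) | cmd | MAC tag(8)."""
    body = car_id + struct.pack(">I", counter) + cmd
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def parse_frame(frame: bytes):
    car_id = frame[:4]
    counter = struct.unpack(">I", frame[4:8])[0]
    return car_id, counter, frame[8:-TAG_LEN], frame[-TAG_LEN:]


class Fob:
    def __init__(self, car_id: bytes, key: bytes):
        self.car_id, self.key, self.counter = car_id, key, 0

    def press(self, cmd: bytes = b"UNLOCK") -> bytes:
        self.counter += 1                       # rolling code: never repeats
        return encode_frame(self.car_id, self.counter, cmd, self.key)


class Car:
    def __init__(self, car_id: bytes, key: bytes):
        self.car_id, self.key, self.last_counter = car_id, key, 0

    def receive(self, frame: bytes) -> bool:
        car_id, counter, _cmd, tag = parse_frame(frame)
        if car_id != self.car_id:
            return False
        expected = hmac.new(self.key, frame[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False                        # wrong key: forgery rejected
        if counter <= self.last_counter or counter > self.last_counter + WINDOW:
            return False                        # replay, or too far ahead
        self.last_counter = counter
        return True


def attacker_clone(captured: bytes, fleet_secret: bytes) -> bytes:
    """With the fleet secret extracted from one car, a single eavesdropped
    frame yields the car_id and current counter, hence the car key and the
    next valid unlock code."""
    car_id, counter, _cmd, _tag = parse_frame(captured)
    key = derive_car_key(fleet_secret, car_id)
    return encode_frame(car_id, counter + 1, b"UNLOCK", key)


def demo() -> dict:
    car_id = b"\x00\x00\xbe\xef"                # constructed identifier

    # Fleet-derived key: the design the text describes for most VWs.
    shared_key = derive_car_key(FLEET_SECRET, car_id)
    car, fob = Car(car_id, shared_key), Fob(car_id, shared_key)
    captured = fob.press()
    assert car.receive(captured)                # the owner's press works
    replay_accepted = car.receive(captured)     # same counter again: rejected
    forged_accepted = car.receive(attacker_clone(captured, FLEET_SECRET))

    # Independent random key per car: what the text says the Golf 7 does.
    unique_key = secrets.token_bytes(32)
    car2, fob2 = Car(car_id, unique_key), Fob(car_id, unique_key)
    captured2 = fob2.press()
    assert car2.receive(captured2)
    forged_unique_accepted = car2.receive(attacker_clone(captured2, FLEET_SECRET))

    return {
        "replay_accepted": replay_accepted,                          # False
        "forged_with_fleet_secret_accepted": forged_accepted,        # True
        "forged_against_unique_key_accepted": forged_unique_accepted,  # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of the toy is the last two results: the rolling counter alone is no defence once the fleet secret is out, and a per-car key that is not derivable from anything shared is what closes the hole.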

While this particular hack only allows hackers to unlock your car and steal all of its contents with no tell tale signs – something that has been stumping cops for years – it could be combined with other hacks to steal the car as well.

The challenge is that for those 100 million cars, they may wind up being vulnerable until they are crushed unless VW can come up with a fix.

One workaround would be to disable the key fob, if that is possible, and lock and unlock the car with a metal key.  Security. Convenience. Pick one.  If your car or your possessions wind up being stolen as a result of this hack, your convenience factor might change.

Information for this post came from Wired.


A Warning About Cell Carriers’ Lack Of Security And What It Means To You

All of the cell phone carriers such as Verizon, AT&T, Sprint and T-Mobile are in the business of selling you stuff.  Sometimes stuff you don’t want or need, but still stuff they would like to sell to you.

As a result, when decent security gets in the way of them being able to separate you from your money, the sales opportunity wins.

Brian Krebs’ story (see link at the end) is very dramatic and the worst case scenario that anyone could imagine.

In February of this year, 84 year old James Schwartz was caring for his wife, who had end stage cancer when he had a heart attack.  When his wife tried to use her cell phone to call for help, she found out that it had been shut off and she could not call for help.  After 40 minutes of struggling, she was able to get to her husband’s phone and call for help, but by that time, he had passed away.  She died 17 days later.

One piece of the story is unclear: a call to 911 should have gone through anyway, even from a deactivated phone, so there is at least one bit of missing information.  Perhaps she was trying to call a friend or family member.

As I said, this is a very dramatic situation which happens very rarely, but the underlying issue is what is important to you and me.

A scammer had gone into a premium authorized Verizon store (that would be a store that has the Verizon logo on it, but is not actually owned or run by Verizon), pretended to be James’ wife and bought a shiny new iPhone, which the scammer put on James’ account.  When the phone number was transferred, James’ wife’s phone went dead.

After the two of them were deceased the scammer went back into the store and bought a tablet the same way.

The FTC said that over 2,600 people REPORTED similar scams in January 2016 alone, including Lorrie Cranor, chief technologist for the Federal Trade Commission.

Using a little known provision of the Fair Credit Reporting Act, she demanded in writing that the carrier provide her with information about the transaction.  While the FCRA requires that they provide this information within 30 days, it actually took her carrier 60 days.

In both of these cases, the people whose accounts were hacked lost cell phone service and then had to convince the carrier that they did not buy new phones.

While in concept this is similar to credit card fraud, the process is more complex because federal law does not protect you in the same way.  For credit card transactions, if you report the fraud within 60 days, you get your money back, period.  With Sprint or one of the other carriers, you have to convince them that you are the victim of identity theft and fraud, and it is completely up to the carrier how they handle that.  While you can certainly sue them, even in small claims court (where you are almost certain to win because they won’t show up), it is a time consuming process.

One thing to consider is that we now use our cell phones for two factor authentication and even account password recovery.  If an identity thief gets a new phone tied to your phone number, your text messages – including those one time codes and password reset links – go to the thief.

So, what can you do?  Brian has a graphic in his blog post, but the short version is that every carrier has either the option or a requirement for you to set up a PIN on your account.  The PIN, in theory, should be required in order for you to add lines, change lines and do other account related things.

In reality, the sales reps in stores work on commission (or a quota) so they are not going to push too hard and will try real hard to sell you that new phone or tablet – even if that means bending the security rules.

AT&T just sent out an email that said even if you don’t know your PIN you can still spend money in their retail stores using their forgotten password feature.  This means that they will identify you some other way – maybe asking you for the last 4 of your Social or something else really secret.  Remember, their goal is to sell you stuff, as I said earlier, and security just gets in the way of that.

Still, I recommend adding the password or PIN and don’t make it 1234 please.  Pick something longer and harder to guess.  While it is not perfect it is better than not having it.

The time required to clean up the mess is significant.  You are going to have to go to the carrier’s store – this is not something that they will deal with over the phone or online.  You will have to get a new SIM card for your phone and deal with the charges on your bill.  In the case of Lorrie Cranor, the thief bought cell phone insurance too and she had to cancel that.  In the case of the Schwartzes, whoever was the executor of the estate had to clean up the mess.

In Lorrie’s case, she had two phones; the carrier programmed one of the replacement phones incorrectly, which required yet another trip to the store, and screwed up the voice mail on the other.  Then she had to fill out identity theft reports.  Lastly, if all the scammer wanted to do is sell the phones on the black market, then you are in better shape than if they wanted to impersonate you.  In the latter case, you would need to figure out what they did while they were in possession of your phone number.  In one case, they used the phone to make payments from the phone owner’s bank account, which the owner had to clean up.

Suffice it to say,  it is a frequent occurrence, with somewhat limited protections under federal law and which will consume a significant amount of your time to clean up.  While the PIN/Password is not perfect, it is better than nothing.

And, if your cell phone goes dead, at least you have some ideas about questions to ask.

Information for this post came from Brian Krebs.



NSA Hack Appears Real – Sort Of

Last week a group of hackers calling themselves the Shadow Brokers claimed to have a set of NSA hacking tools available for sale on the dark web.  The tools were supposedly stolen from the Equation Group, which has been loosely linked to the NSA.

If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.

The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.

Some of the exploits targeted routers and firewalls from every major vendor – Cisco, Fortinet, Juniper and Topsec (Chinese).  The initial request said that if they got 1 million bitcoins (around a half billion dollars), they would release all the code publicly.   The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?”.  Certainly, if all of this is true, they could wreak some havoc.

Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it.  That seems a whole lot more plausible than hacking the NSA itself.  Still, the tools would be very interesting.

Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.

The Intercept (Glenn Greenwald, who broke the original Snowden story), says that the tools are genuine NSA.  That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

A manual that had not been previously released by Snowden refers to tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579” .  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.

If these tools were really in the possession of Russia, how long have they had them (years, possibly) and have they used them against Western organizations?  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

This could mean that the sellers may have used them and, possibly, that some of the holes have since been coincidentally patched, making the tools less useful (though not useless, since not everyone applies patches).

Apparently, according to the documentation released, SECONDDATE intercepts web requests and redirects them to an NSA controlled server, which replies with malware, infecting the requestor.  This is definitely possible, no question about it; some known attacks have used this man in the middle technique.  Again according to the documents, this tool was used to spy on Pakistan and Lebanon, and operators had to use the string above to avoid reinfecting target systems.  That string appears 14 times in the files that the Shadow Brokers released.
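A practitioner reading this will want to run the same check The Intercept ran, against their own disk images, packet captures or suspect binaries: search for the marker string and count the hits.  The following is an added example, not code from The Intercept, from the leaked manual or from the Shadow Brokers dump; the directory and file contents it scans are constructed for the illustration.  It reads each file in chunks with an overlap, so a marker that straddles a chunk boundary is neither missed nor counted twice, and reports per-file occurrence counts for every file that has at least one hit.

```python
import os
import tempfile

# The marker quoted in the text (from the leaked manual, as reported by The Intercept).
SECONDDATE_MARKER = b"ace02468bdf13579"


def _count_starting_before(buf: bytes, marker: bytes, limit: int) -> int:
    """Count occurrences of marker in buf whose start index is < limit."""
    n, i = 0, buf.find(marker)
    while i != -1 and i < limit:
        n += 1
        i = buf.find(marker, i + 1)
    return n


def count_markers_in_file(path: str, markers, chunk_size: int = 1 << 20) -> dict:
    """Chunked scan of one file. Matches that start in the last (len(marker)-1)
    bytes of the current window are deferred to the next round, where those
    bytes are prepended to the next chunk, so a boundary-straddling match is
    neither missed nor double counted. Works even if chunk_size < len(marker)."""
    markers = list(markers)
    overlap = max(len(m) for m in markers) - 1
    counts = {m: 0 for m in markers}
    with open(path, "rb") as f:
        buf = f.read(chunk_size)
        while buf:
            nxt = f.read(chunk_size)
            limit = len(buf) if not nxt else len(buf) - overlap
            for m in markers:
                counts[m] += _count_starting_before(buf, m, limit)
            if not nxt:
                break
            buf = (buf[-overlap:] if overlap else b"") + nxt
    return counts


def scan_tree(root: str, markers, chunk_size: int = 1 << 20) -> dict:
    """Walk root; return {relative path: {marker: count}} for files with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            counts = count_markers_in_file(full, markers, chunk_size)
            if any(counts.values()):
                hits[os.path.relpath(full, root)] = counts
    return hits


def build_sample_tree() -> str:
    """Constructed sample files (not from the real dump) in a temp directory."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    samples = {
        "tool.bin": b"\x00" * 10 + SECONDDATE_MARKER + b"\x90\x90"
                    + SECONDDATE_MARKER + SECONDDATE_MARKER + b"\xff" * 3,
        "notes.txt": b"re-infection guard string: " + SECONDDATE_MARKER + b"\n",
        "clean.dat": b"nothing to see here " * 50,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # A deliberately tiny chunk size forces every marker to straddle chunks.
    for path, counts in scan_tree(root, [SECONDDATE_MARKER], chunk_size=5).items():
        print(path, counts[SECONDDATE_MARKER])
```

Run it against a mounted image or an unpacked archive by passing that directory as root; the chunked reader is what keeps memory flat on multi-gigabyte files, and the same function takes any list of byte markers, not just this one.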

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were gotten.  We know that they are years old and date to the time of the Snowden leaks.  We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.

If the attackers do eventually release all of the code, it will likely identify more zero day exploits that the vendors can close, but as far as I can tell there are plenty more where those came from, so don’t worry that the NSA is going to go out of business.  I guess that is good news/bad news.  Good news in that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed.  Bad news in that we don’t know who had access to these tools, for how long, and whether or not agents from non-friendly countries used them against us.

This story just gets wilder.

Information for this post came from Network World, The Intercept and Network World again.


Eddie Bauer Leads The Oracle Micros Breach Story

On Monday I wrote about two new Point of Sale breaches, one at HEI hotels and the other at Oracle.   I said that it was only Monday and we already had two POS breaches.

Well the week is almost over and I am going to bookend the week with another POS breach.  Eddie Bauer stores, the clothing chain, announced on Thursday that the POS system in all of its stores had been compromised.   That represents 350 or more stores.  In their effort to control the spin, Eddie Bauer said that the breach did not affect their web site.

While Eddie Bauer, in a press release, said that the security of its customers’ information is a top priority (see press release here),  Brian Krebs reported this week that when he contacted the chain on July 5th, the spokesperson thanked him but said they had not heard of any fraud complaints from their banks.  Unlike the ortho clinic I wrote about two days ago, Eddie Bauer is offering identity theft protection to the customers who were affected.

In today’s world of competition and lawsuits, companies are loath to provide any information about what happened if there is any way to avoid it.  As a result, other stores and end customers have very little guidance on what happened and what to look for.

Eddie Bauer did say that they thought that the hackers were in their systems from January 2, 2016 to July 17th, 2016.

Curiously – and possibly coincidentally, but maybe not – July 2016 is also when Eddie Bauer rolled out a chip based point of sale system.   We cannot say with certainty that the hackers would have failed if the chip based system had been in place last October, when the Visa/Mastercard liability shift deadline for chip based point of sale systems came and went, but it may well have blunted the effect of the hack.  Not only are retailers way behind in deploying chip based POS systems, the banks are way behind in mailing out chip cards, but that is a story for another day.

What we can say is more limited than “the chip hides the card number.”  A chip transaction still passes the card number (the track 2 equivalent data) through the POS software, so memory scraping malware sitting in the POS can see it just as it sees swiped data.  What the chip changes is how useful that data is to the thief: magnetic stripe data copied out of the POS can be written onto a counterfeit card, whereas a chip transaction carries a one time cryptogram that cannot be replayed.  Keeping card numbers out of the POS altogether takes point to point encryption at the card reader (or tokenization), not the chip by itself.
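That caveat is worth seeing in code.  Memory scraping POS malware finds card data because track 2 records and card numbers have a recognizable shape, and that same shape is what a defender looks for when checking whether a POS process is holding cleartext card data.  The following is an added example, not code from Eddie Bauer, from Oracle or from any malware family; the process memory excerpt it scans is constructed, and the card numbers in it are widely published test numbers.  It finds track 2 records and bare card numbers, drops candidates that fail the Luhn check (a 16 digit transaction ID, for instance), and reports masked numbers with their offsets.

```python
import re

# Track-2 shape: ;PAN=YYMMSSS...?  (start sentinel, PAN, '=', expiry YYMM, service
# code, discretionary data, end sentinel). Swiped track 2 and the chip's track 2
# equivalent data share this layout.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?")
# Bare PAN candidate: 13 to 19 digits not embedded in a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(?P<pan>\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit validation. Iterating bytes yields ints, hence the - 48."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the first six and last four digits, the usual display format."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_memory(buf: bytes) -> list:
    """Return card data findings in buf, sorted by offset, without reporting the
    PAN inside a track 2 record a second time as a bare number."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan")
        if luhn_ok(pan):
            covered.append((m.start(), m.end()))
            findings.append({"kind": "track2", "offset": m.start(),
                             "pan": mask_pan(pan), "exp": m.group("exp").decode()})
    for m in PAN_RE.finditer(buf):
        pan = m.group("pan")
        inside_track = any(s <= m.start() < e for s, e in covered)
        if not inside_track and luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(), "pan": mask_pan(pan)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed process memory excerpt (not a real dump). The card numbers are
# widely published test numbers; 1234567890123456 is a decoy that fails Luhn.
SAMPLE_DUMP = (
    b"\x00" * 8 + b"POS v4.2 terminal 0017\x00"
    + b";4111111111111111=2212101123456789?" + b"\x00" * 4
    + b"order=20160816-0042 total=12999 txn=1234567890123456\x00"
    + b"cardholder=J DOE 5500000000000004\x00" + b"\x00" * 8
)


if __name__ == "__main__":
    for finding in scan_memory(SAMPLE_DUMP):
        print(finding)
```

Point it at a memory dump of the POS process (or of the whole terminal) and a clean result is what point to point encryption buys you; a hit on a chip enabled terminal is exactly the situation described above, card data in the clear where malware can read it.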

Eddie Bauer has not yet said that they are running the Oracle Micros software that I wrote about on Monday as having 300,000+ locations compromised, but if you look at Jeff Piller’s Linkedin profile, you find some relevant details.  Jeff, his profile says, is the Director – Technology & Architecture at Eddie Bauer and has been for the last roughly 4 years.

In his accomplishments, he says that he “implemented Oracle Point of Sale to U.S. and Canadian Stores to replace legacy IBM solution” and that he is “currently implementing EMV [that means chip credit cards – mitch] for ORPOS [or Oracle POS – mitch] and Mobile Point of Sale”.

To me, that is certainly a strong indication that Eddie Bauer is using the Oracle software and got swept up in the Oracle Micros mess.

ANYONE who is running a POS system needs to be reviewing the security of that system with some significant urgency.

Information for this post came from Krebs On Security, Linkedin and an Eddie Bauer press release.


