Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbying Against It

Encrypted DNS (either DNS over HTTPS, DoH, or DNS over TLS, DoT) has become a political hot button.  It encrypts lookups that today travel in plaintext, so an ISP can no longer see which domains its customers resolve.  Vice recently reported that Comcast is spending hundreds of thousands of dollars lobbying against it.  Mozilla has written to Congress saying that Comcast's claims are not true and, most interestingly, Comcast is testing its own DoT and DoH services.  Apparently, what is important is that they can continue to sell your data and not much else.  Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri device by silently pointing a laser at its microphone and modulating the laser's intensity so that the MEMS microphone registers the light as if it were sound.  This works through a window.  In one test they were able to control an iPad from 33 feet; in another, they controlled a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to keep your smart speaker out of the line of sight of windows so that no one can point a laser at it from outside your home and tell it to buy stuff, unlock the door or whatever.  Requiring a voice PIN for purchases and for anything that unlocks a door also limits what a successful attack can do.  Source: Wired


Is Cyber Risk Insurance a Cure?

Let me cut to the chase – the answer is no.  It is a way to help pay for the damage, but that is about all.

In the article referenced below, the author thoughtfully explains the role of cyber risk insurance –  a post-fail risk offset.

The key word there is fail.

Failing in the sense of failing to avoid the breach in the first place.

The aftermath of most breaches is damage control and lawsuits that go on for years.  Some percentage of companies – a small percentage – go out of business after a breach.  Usually there are scapegoats – someone, or several people, have to be fired.

While cyber risk insurance can help cover the costs of ongoing litigation, it won't pay for the fact that executives are distracted for years.  Depending on the size of the litigation, it might not even cover all of that.  It won't pay for you to find a new job and it won't make customers come back to your brand.

Cyber risk insurance is an important tool but just a tool.  Like every other tool, it is important that it is the right tool.  While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.

And since cyber risk insurance policies are not standardized the way, say, auto or homeowner's policies are, it is important that you get a hammer if you need a hammer.  Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered, and with cyber risk insurance this happens more often than with other forms of insurance.  Exclusions for unpatched systems, acts of war and social engineering are common, so read the policy, not the brochure.  This doesn't mean that cyber risk insurance is useless; it means you need to buy from someone who is an expert in the area.

My first question for an insurance broker you are considering using would be: how many cyber risk policies did you write in, say, the last 3 months, and what is the total dollar coverage of those policies?  Insurance sales people are commissioned.  If cyber risk insurance represents a small part of their paycheck, you can figure out the rest; if it is not their primary focus, they are unlikely to take the time to become experts.  It is a bit of a wild west.  You are pretty much on your own.

All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.

Most of the time, cyber crime is an opportunistic crime.  Believe it or not, Equifax was not specifically targeted.  But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.

I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole, and it is unlikely to make you whole.  It will reduce the pain, but that is not the same thing.

So what should you do?

#1 – implement a great cybersecurity and privacy program

#2 – get some cyber risk insurance because stuff happens.

But do it in that order.

Source: Dark Reading


Expect Cellular Prices to Go Up; Service to go Down

This is really an informational piece, along with some whining on my part, since there is not much you can do about this.

The FCC today approved the merger between Sprint and T-Mobile, thereby reducing the number of cell carriers from 4 to 3.

The Republican members of the FCC said that, history notwithstanding, this is good for you and me.

Somehow, they think, with less competition, carriers will be more motivated to spend billions of dollars upgrading their networks to support 5G.  They didn’t explain their logic.

It is likely true that the remaining cell phone companies will install some 5G cell towers in super densely populated areas like in the downtown areas of major cities, but beyond that, they have zero motivation to attempt to keep up with countries like China, which already has 10,000 operational 5G cell base stations.

Here is a map of each city where at least one carrier has one 5G cell site.  Colorado’s was in front of Denver City Hall, but the carriers are working on turning on more sites.  Remember that (a) you must have a 5G-capable phone (Apple is rumored to be releasing one in the middle of next year) and (b) you must be located OUTSIDE, within a few hundred yards of that 5G cell site.

5G Coverage


For example, taking Denver (since I am partial to it), Verizon claims to have at least one cell site live in six areas: Potter Highlands, Highlands, LoDo, the Central Business District, Capitol Hill and the Denver Tech Center.

Contrary to the FCC’s claims, none of these are rural; rural customers should expect to see 5G cell sites sometime after never.  After all, I can’t even get broadband Internet and I am only 20 miles from downtown Denver, but in a sparsely populated area.

Expect the combined T-Mobile/Sprint to fire about 10,000 to 20,000 people (according to Wall Street) as they close redundant stores and merge back office operations.  The union says the number is likely closer to 30,000.  You can’t really blame T-Sprint for doing that.

According to insiders, the FCC actually approved the merger in May, months before the Justice Department said the merger was anti-competitive, but the current administration is more willing to allow the market to do whatever it does.

The FCC did require Sprint to sell its prepaid phone business (used by people who don’t have enough money to buy a traditional phone plan, hence not very profitable to anyone) to Dish and also to sell Dish some spectrum.  Dish is now planning on getting into the phone business as the satellite TV business continues to decline.  For the moment, since Dish has, well, exactly zero towers, it is going to buy service from the 3 carriers who do have towers, but within the next 5-10 years it will build out its own network, likely in the same densely populated areas where the current 5G build-out is being done.

After all, the deregulation of Ma Bell worked well.  That business is completely in the toilet now and will probably disappear in a few years.

By the way, both Canada and Ireland reduced the number of cell carriers in their countries from 4 to 3 and prices went up for consumers in both cases.  I am sure it will be different here.

Sprint has been trying to merge itself into profitability for years now, but this time, they were smarter.  They hired a number of ex-FCC commissioners to lobby for them and dramatically ramped up their use of Trump’s DC hotel.   Hmmm.  What could possibly be wrong with this?

Stay tuned.  This deal is still not completely done as a dozen State Attorneys General have filed suit to block the merger.  Whether the courts say that they have any standing in the matter is to be determined.  Source: Vice


What is YOUR Guess of the Losses From Cybercrime? TOO LOW!

How much does cyber crime cost us anyway?  I rant about it all the time, but really, in dollars, what does it cost?  Different researchers give different answers and your mileage may vary, but here are some answers:

  • Cybercrime generates at least $1.5 trillion a year, more than the global illegal drug trade
  • At that size, cybercrime would rank as the 13th largest economy in the world by GDP, just behind Russia; if other estimates are correct, it would be the 5th largest, bigger than the UK, France, Brazil and 180+ other countries
  • Cybercrime costs are expected to reach $6 trillion by 2021, which would put it right behind the US and China

Assuming you use the Internet, or at least a computer, you are likely part of the $1.5 trillion figure, or at least potentially.

The challenge is to get people to take the problem seriously.

A recent example in Denver was the story of a guy in the grocery store who took his eyes off his wallet for a minute (it was, apparently, in his shopping cart).  Ninety minutes later the crook had run up a $23,000+ bill on the stolen credit cards.  Worse yet, his bank initially would not give him back his money.  (After the story aired on the local Fox affiliate, including an interview with me, the bank changed its mind and credited his account.)

I suspect he has a new appreciation for cybersecurity.

This story is repeated in our world on a daily basis.  After all, the $1.5 trillion loss does not happen to one person (unless he has a really large credit limit).  It happens via millions of small losses.

Rarely are people targeted specifically; for the most part there is so much easy money out there that the bad guys don’t have to work very hard.

For example –

  • You do have two-factor authentication turned on for your
      • email?
      • bank account?
      • retirement account?
      • brokerage account?
      • Amazon account?  (Crooks have figured out how to get Alexa to buy them credit cards.  The technique is pretty cool.)
  • You don’t reuse passwords between sites, do you?
  • Do you use a password manager?

Just doing the simple stuff makes you a much less attractive target.

Source: Cybersecurity Ventures


Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Johannesburg’s IT systems and threatened to publish data they stole if a ransom was not paid.  As I write this, the deadline has just passed, the city has not paid the ransom, the data has not yet been exposed and the city expects to have most of its systems back online soon.  While this incident seems to be the work of inexperienced hackers (they did not encrypt all of the systems), that does not mean that more experienced crews won’t try the same technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of the malware Turbine Panda used came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (Ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was used to compromise US and European airplane parts suppliers so that China could get the tech it needed to build the C919.  Source: CSO.


FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning the use of Federal Government subsidies to buy Huawei and ZTE equipment because of the companies’ close ties to the Chinese government, and on another rule that would force telecoms to rip out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to buy more expensive 5G equipment from other vendors, they will have to slow down the deployment of 5G services due to cost.  The options telecoms have, if the proposal is approved, are to significantly delay the rollout of the much overhyped 5G cell networks or to raise prices.

This will disproportionately affect less densely populated parts of the country (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where more subscribers will pony up the additional fees for 5G plans and for 5G phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast, affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms; Congress just needs to figure out how to pay for this desire.  Source: ARS


Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. – but no credit cards, they don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  The real risk with a registrar account is takeover of the domains it controls, which matters far more than leaked phone numbers.  Still, if you use one of these services, I would change my password and make sure that two-factor authentication is enabled.  Source:  The Hacker News.


Rudy Giuliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else apparently forgot his iPhone passcode and, after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernardino mass shooter whose iPhone the FBI needed help unlocking.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Problem?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and, even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility into non-Amazon-branded smart devices that are connected to your account (like a smart TV), and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company with a special tool that can detect these rogue devices.  If you are seeing mysterious charges that Amazon can’t explain, this could be it.  Source: The Register.


Country of Georgia Hacked

Well it seemed like the whole damn country.

Over 15,000 websites have been hacked, including, not surprisingly, those of newspapers, government offices and TV stations.

After the sites were defaced by the hackers, they were taken offline.

Newspapers said it was the biggest attack in the country’s history, even bigger than the 2008 attack by Russia.

This attack even affected some of the country’s courts and banks.

Needless to say, and based on the history with Russia, there was some panic around.

It turned out, however, that the common thread was a web hosting company, Pro-Service, which admitted that its network had been attacked.

By late in the day more than half of the sites were back online and they were working on the rest.

The hackers defaced the sites with a picture of former president Mikheil Saakashvili, with the text “I’ll be back” overlaid on top.

Saakashvili, now in exile in Ukraine, was generally thought to be anti-corruption, so it is unlikely that Russia did it this time; it does, however, seem to be politically motivated.

At least two TV stations went off the air right after the attack.

Given that Georgia (formerly known as the Republic of Georgia) is not vital to you and me on an everyday basis, why should we care?

The answer is that if it could be done there, it could be done here too.  Oh.  Wait.  It already has been (see here).  In that case, it was the Chinese and the damage was much greater.

The interesting part for both the Chinese attack on us and the <whoever did it> attack on Georgia is that one attack on a piece of shared infrastructure can do an amazing amount of damage.

Think about what happens when Amazon, Microsoft or Google go down – even without a cyberattack.

The folks in DC are already planning how to respond to an attack on shared infrastructure like banking, power, water, transportation and other critical infrastructure.  You and I don’t have much ability to impact that part of the conversation, but we do have impact on our own infrastructure.

Apparently this attack was pretty simple and didn’t do much damage, but that doesn’t mean that the next attack will also be low tech or do little damage.  What if an attack disabled one or a few Microsoft or Amazon data centers?  Microsoft is already rationing VMs in US East 2 due to lack of capacity.  What would happen if they lost an entire data center?

This falls under the category of disaster recovery and  business continuity.  Hackers are only one case, but the issue of shared infrastructure makes the impact much greater.  If all of your servers were in your office like they used to be, then attacks would be more localized.  But there are many advantages to cloud infrastructure, so I am not suggesting going back to the days of servers in a closet.

Maybe Microsoft or Amazon are resilient enough to withstand an attack (although it seems like self inflicted wounds already do quite a bit of damage without the help of outside attackers), but what about smaller cloud providers?

What if one or more of your key cloud providers had an outage?  Are you ready to handle that?  As we saw with the planned power outages in California this past week, stores that lost power had to lock their doors because their cash registers didn’t work.  Since nothing has a price tag on it any more, they couldn’t even take cash – assuming you could find a gas station to fill your car or an ATM to get you that cash.

Bottom line: shared infrastructure is everywhere and we need to plan for what we are going to do – not if, but when – that shared infrastructure takes a vacation.

Plan now.  The alternative may be to shut the doors until the outage gets fixed and if that takes a while, those doors may be locked forever.

