NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, longtime NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all-around cyber guru, says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.


Sextortion Campaign Adds a New Twist

Sextortion is malware that tries to convince you that the attacker has compromised your computer and has videos of you visiting adult web sites.  The attackers promise not to share the videos with your friends if you pay them money.  The videos do not exist, but scared people sometimes pay.

The new variant of the attack tells you to download a sample video to prove their claims.

In fact, the so called video is really malware.  The first piece of malware steals your account passwords, files and more.  The second piece of malware encrypts your data.

Before downloading the sample video you thought you had a problem.  After the download, you really do have a problem.

So, what should you do?

First of all, if you get a threatening email like the above, slow down, take a deep breath and consider things.

For most people – who don’t visit porn sites – keep your curiosity at bay and DELETE the email.  DO NOT OPEN THE ATTACHMENT!

I always recommend covering your webcam on your laptop.  If you have followed this advice, see the above.

For the very small group of people left, if you think that this video actually may exist, consult an expert.  They can safely deconstruct the attachment and figure out if it really is what the attacker claims.

Lastly, as I always say, backup early.  And often.  Preferably multiple copies.  If possible, at least one copy offline.  I keep at least one version of my backups in a bank vault.  Very hard to hack.

Source: Bleeping Computer.


News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.


Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.


Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today it is Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elasticsearch, exposed it to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on it quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.


Yet Another Elasticsearch Exposure – Belonging to UNKNOWN

Maybe this is Elasticsearch week.  Another group of researchers found a data trove of Elasticsearch data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title, email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposes to be defined later.  Source: Hackenproof.
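Both of these stories come down to the same configuration mistake.  As an added illustration (not code from this post or from Elastic), here is a small audit of an elasticsearch.yml that flags a node bound to a non-loopback address with no authentication on its HTTP API; the setting names are real Elasticsearch settings, and the two sample configurations, including the assumed security-off default, are constructed.

```python
from typing import Dict, List

# Added example: audit elasticsearch.yml for an Internet-reachable node with
# no authentication. Setting names are real; both sample configs are constructed.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

WEAK_CONFIG = """
cluster.name: customer-search
network.host: 0.0.0.0          # reachable on every interface, Internet included
http.port: 9200
# xpack.security.enabled left unset: assumed to default to false on older nodes
"""

FIXED_CONFIG = """
cluster.name: customer-search
network.host: 127.0.0.1        # only local clients (or an authenticating proxy)
http.port: 9200
xpack.security.enabled: true   # require credentials even if it is exposed later
"""

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses;
    comments and blank lines are dropped, nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the node is not exposed without auth."""
    host = settings.get("network.host", "_local_")   # Elasticsearch binds loopback by default
    http_host = settings.get("http.host", host)       # http.host, if set, overrides for the API
    exposed = http_host not in LOOPBACK
    # Assumed default for this example: security off unless explicitly enabled.
    secured = settings.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if exposed:
        findings.append(f"HTTP API bound to non-loopback address {http_host}")
        if not secured:
            findings.append("exposed node has no authentication (xpack.security.enabled != true)")
    return findings
```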


Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s EdgeHTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim, based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.


Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

One way they kept it quiet is by not telling Speaker Paul Ryan, Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fallout.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.


Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes, another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.


What Do December Breach Announcements Point Out

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.

Undetected.

This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.

Undetected.

How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

Bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.

If you are stealing only credit cards, you can’t wait too long because credit cards expire.  In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are target of attackers, but so are small companies.

As companies increase the use of cloud based systems, detecting the attacks could be harder. 

Are you asking your cloud providers – all of them – who is responsible for detecting breaches?  I bet for many providers, they will say it is you.  And who responds to them?

Are you ready to respond to an incident?  Including figuring out what you are going to say on social media and how you are going to respond to social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but, while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority, by numbers, of breaches happen to companies with a few employees up to a couple of hundred employees.

Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.


Australia Is On The Fast Path to Ban Encryption Without Backdoors

While this is still a bit like Jello (R) waiting to congeal, the Australian Assistance and Access Bill is designed to require back doors in encrypted communications like WhatsApp and iMessage.

COMPANIES THAT DEVELOP SOFTWARE THAT USE END TO END ENCRYPTION NEED TO PAY ATTENTION TO WHAT HAPPENS SO THAT THEY CAN MAKE APPROPRIATE BUSINESS PLANS.

The party in power is trying to ram the bill through Parliament in 4 days and the opposition labor party is playing politics – maybe supporting it maybe not.

Continuing the political bull-poop, the prime minister said that the Labor party is “happy” for terrorists to plot attacks using encrypted messages.  I don’t recall ever hearing the Labor party ever say anything remotely close to that.

They are saying that if the bill passes, the Australian software industry will be toast as anyone from another country will assume that any Australian software is riddled with security holes to keep the police happy.  Who would buy that software?

One proposal is to limit the back doors to terrorism and child trafficking, but I have no idea how, technically, you could possibly do that.

It is also possible that such a law would conflict with provisions of other foreign laws such as the U.S. Cloud Act and possibly even GDPR.

The bigger question is whether big software players like Apple and Facebook will buckle and build in back doors to protect a tiny bit of the world market to keep Australia happy.

One possibility is what we had in the U.S. in the 90s, which is two versions of software – one for the Australian market, full of security holes but legal in Australia, and one for the rest of the world.  The disadvantage of this is that vendors would need two sets of software and maybe some amount of separate infrastructure.  It is also not clear how you would stop Australians from downloading the other version.

Another possibility, although less likely, is that companies like Apple and Facebook will abandon the Australian market.  After all, in the grand scheme of things, it is not a big part of their revenue.  For the moment, they are lobbying against it and other than that, keeping their collective mouths shut.

The Australian government is saying that they need to ram this legislation through Parliament because of the heightened risk during the Christmas holiday, although it is completely inconceivable that even if the bill passes that companies would do anything in time for Christmas.

The government is trying to scare people into passing the bill without any review by saying if they don’t that lives are in jeopardy, but when asked if there is a specific problem they answer no.  After all, they have not had this capability for the last 10 years, why will waiting 30 days mean the end of life on the planet?

The proposed law would require companies to add back doors unless adding back doors would create systemic weaknesses – whatever that means.

Information for this post came from ZDNet and Sky News.

Of course, since politicians are not, for the most part, technically savvy, they appear to have missed the issue of open source software, which we have seen grow in popularity among terrorists in the Middle East.  With open source there is no company to haul into court and it is likely impossible to stop the distribution of open source code located outside of a country’s borders.

Stay tuned.


What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V ?

Some of you probably figured out that it is a cryptocurrency (AKA Bitcoin) wallet.  But there is something that makes this bitcoin wallet different from the tens of millions of Bitcoin wallets out there in the wild.

Making a payment to this Bitcoin wallet may classify you a terrorist and subject you to arrest and prosecution.

But, you say, you were hit by a ransomware attack and you need your data back.

Sorry, says the government, you are still a terrorist.

Enough, you say, with this riddle.  Explain what the **bleep** is going on.

OK, here is the story and most of it is not news to anyone who has worked in financial services.

The U.S. Treasury Department has an office (AKA Department) called OFAC or Office of Foreign Asset Control.  Predecessors to the current OFAC department have been around since at least the 1940s.

The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to terrorists.  In fact, when I was in the title and escrow business, we checked each and every payment, both inbound and outbound to make sure that we were not accepting money from terrorists nor sending money to terrorists.  We had special software to do this since we made tens of thousands of payments a day.

OFAC manages a list of what they call Specially Designated Nationals (SDN) or, basically, terrorists or people that help them.  As of today, that list is contained in a PDF file that is 1254 pages long.

As a way to try to squeeze terrorists, the government has started adding cryptocurrency wallet addresses to the SDN list.  The government expects that every time you make a cryptocurrency transaction, you check to make sure that the recipient is not on the SDN list.  If you use a service like Coinbase or one of its competitors, they do that for you.  If you arrange for the Bitcoin transfer yourself, they expect you to do it.

Since the Bitcoin blockchain (unlike many other blockchains) is publicly visible, it is pretty easy for the government to look at transactions and see if anyone in the U.S. is sending money to that wallet.  Since transfers are relatively anonymous if done carefully (like you only use that wallet for one transaction and other restrictions), the government may or may not try and find you if you violate the OFAC rules, but if you are a money handler, they will definitely come after you.  If you put money into a Bitcoin wallet from a bank account to pay the hacker, anonymity is totally gone – FYI.

Penalties, recently, for violating OFAC rules varied from a low of $87,000 to a high of $53,966,000.  Big range, although $87,000 is still a large number.

There is a mechanism for requesting a waiver to send money to a person on the SDN list (called a blocked person or blocked entity), but I doubt the process is simple or quick, two things that are probably important when you are trying to unlock your data.

The simple solution is don’t get attacked by ransomware (easier said than done) or only get hacked by friendly hackers or hope that your attacker is not on the SDN list.  Otherwise, check and see if the person you are paying is on the bad guy list. 
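As an added example, not code from this post or from OFAC, here is how someone who arranges a transfer themselves could screen the destination against SDN-style digital currency entries before paying.  The records are constructed (only the Bitcoin address quoted in this post is taken from the page), their layout mirrors the list's "Digital Currency Address - XBT" tagging, and the Base58Check step is the standard validation for legacy 1.../3... addresses.

```python
import hashlib
from dataclasses import dataclass

# Constructed, SDN-style records (NOT the real list). The real SDN list tags
# wallet entries "Digital Currency Address - XBT" (Bitcoin) or "- ETH".
# Only the first XBT address comes from the post; everything else is made up.
SAMPLE_SDN_RECORDS = [
    {"name": "SAMPLE BLOCKED PERSON A", "id_type": "Digital Currency Address - XBT",
     "id_value": "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V"},
    {"name": "SAMPLE BLOCKED PERSON B", "id_type": "Digital Currency Address - ETH",
     "id_value": "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"},
    {"name": "SAMPLE BLOCKED PERSON A", "id_type": "Passport", "id_value": "X1234567"},
]

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PREFIX = "Digital Currency Address - "

def btc_checksum_ok(addr: str) -> bool:
    """Base58Check for legacy (1.../3...) Bitcoin addresses: decode to 25 bytes,
    then SHA256d(version + hash160)[:4] must equal the last 4 bytes. No bech32."""
    if not (26 <= len(addr) <= 35) or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")   # leading '1's decode to leading 0x00 bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def normalize(currency: str, addr: str) -> str:
    """Bitcoin addresses are case-sensitive; hex Ethereum addresses are not."""
    addr = addr.strip()
    return addr.lower() if currency == "ETH" else addr

def build_index(records):
    """Map (currency, normalized address) -> listed name, ignoring non-wallet IDs."""
    index = {}
    for r in records:
        if r["id_type"].startswith(PREFIX):
            cur = r["id_type"][len(PREFIX):]
            index[(cur, normalize(cur, r["id_value"]))] = r["name"]
    return index

@dataclass
class Decision:
    allow: bool
    reason: str

def screen_payment(index, currency: str, addr: str) -> Decision:
    """Block first on a list hit (whatever the string looks like), then refuse
    malformed Bitcoin addresses so a typo never reaches the chain."""
    hit = index.get((currency, normalize(currency, addr)))
    if hit:
        return Decision(False, f"SDN match: {hit}")
    if currency == "XBT" and not btc_checksum_ok(addr):
        return Decision(False, "malformed Bitcoin address")
    return Decision(True, "no SDN match")
```

A real deployment would load the current SDN list rather than embedded records and log every decision for the audit trail OFAC reviews.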

We live in interesting times.  Information for this post came from Bleeping Computer and information on OFAC and the SDN list can be found here.
