News Bites for the Week Ending March 27, 2020

Hacker Sells 538 Million Weibo Accounts

Karma is a B**tch.

With all of the Chinese hacking efforts, someone is hacking back.  Is it us?  Not clear.  In any case, the data includes information like real names, site names, location, etc. and 172 million of the 538 million records include users’ phone numbers, but not passwords.  The data is available for $250.  Given China’s iron grip on the Internet, they should be able to catch this guy.  Unless he is not in China.  Source: ZDNet

Pentagon Increases Progress Payments to Primes

The Pentagon is trying to keep the Defense Industrial Base afloat during these trying times by increasing so-called progress payments to primes and other measures.  Whether it will be enough to keep small subs in business is not clear, but what we have seen is that the bankruptcy courts treat these companies’ intellectual property as an asset and sell it off during liquidation – even selling defense information to the Chinese.  In theory, CFIUS should allow the government to stop these (and it absolutely can if it moves fast enough) and FIRRMA (aka CFIUS 2.0) gives the government even more power to stop it, but the bankruptcy courts have, for the most part, thumbed their noses at it, possibly (kindly) because they are clueless about the risk.  Source: National Defense Magazine

Experts See Over 600 Percent Spike in Malicious Emails During Covid-19

Barracuda Networks researchers saw a 667% spike in malicious emails using Coronavirus.  The goal is to get you to click on malicious links or download attachments that include viruses.  They saw almost 10,000 coronavirus-linked email attacks in the last three weeks compared to 1,800 in February and fewer in January.  Phishing attacks are nothing if not tied to current events. Source: The Hill

Netflix Reduces Video Quality in Europe Over Bandwidth Crunch

According to Variety, Netflix uses one out of every eight bits traversing the Internet (12%).  As general  Internet usage goes up, Europe has asked Netflix and other streaming video providers to reduce their video quality from HD to SD.

“As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators.”

Netflix has agreed to reduce its video stream bitrate by 25% for the next month.  Source: Bleeping Computer


Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  ISP-provided devices often have a back door for the ISP’s own use, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, likely they can see most of your traffic, both local and on the Internet.  Even if it is encrypted, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If  in general, they are pushing out regular updates, likely they will do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 
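The “geeky friend” check is simpler than it sounds: compare the address your computer’s own network interface holds (`ipconfig` on Windows, `ip addr` on Linux) with the address the rest of the Internet sees for you (any “what is my IP” site will tell you). If the two are the same, nothing is translating or filtering for you. The script below is an added example, not code from this blog or from any ISP; the address ranges are the real RFC 1918, RFC 6598 and RFC 3927 allocations, the labels and sample address pairs are constructed for the example, and the `203.0.113.x` addresses are documentation addresses standing in for public ones.

```python
import ipaddress

# Ranges a home computer would hold when it sits behind a NAT router (RFC 1918),
# behind a carrier-grade NAT run by the ISP (RFC 6598), or with no DHCP lease at all
# (RFC 3927). Labels are this example's own wording.
NOT_ROUTABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "carrier-grade NAT (RFC 6598)"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local (no DHCP lease)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
]


def classify(addr: str) -> str:
    """Label an IPv4 address by the range it falls in; anything else is treated as public."""
    ip = ipaddress.ip_address(addr)
    for net, label in NOT_ROUTABLE:
        if ip in net:
            return label
    return "public"


def exposure(lan_addr: str, wan_addr: str) -> str:
    """Compare the address on the computer's own interface with the address the
    Internet sees. 'direct' means there is no router/NAT between you and the Internet."""
    if lan_addr == wan_addr:
        return "direct"
    lan, wan = classify(lan_addr), classify(wan_addr)
    if lan.startswith("link-local"):
        return "no address lease"
    if lan == "public":
        # The computer holds its own routable address even though a different one is
        # seen from outside: treat it as exposed and check the router's firewall rules.
        return "routable address, not the one the Internet sees"
    if wan.startswith("carrier-grade"):
        # The ISP is translating too (double NAT); inbound connections cannot reach you.
        return "behind NAT (ISP double NAT)"
    return "behind NAT"


# Constructed sample pairs: (interface address, address seen from the Internet).
SAMPLE_CASES = [
    ("192.168.1.20", "203.0.113.7"),    # typical home router in front of the PC
    ("10.0.0.5", "100.70.1.2"),         # home router plus the ISP's own NAT
    ("203.0.113.7", "203.0.113.7"),     # PC plugged straight into the modem
    ("169.254.10.10", "203.0.113.7"),   # no DHCP lease; the PC is not really online
]


def run_samples() -> dict:
    return {lan: exposure(lan, wan) for lan, wan in SAMPLE_CASES}


if __name__ == "__main__":
    for lan, verdict in run_samples().items():
        print(f"{lan:>15}  ->  {verdict}")
```

A “direct” verdict is the case the post warns about: the ISP has not isolated you at all, and adding your own firewall between the modem and your computers is the fix.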

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall  – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


FBI: Building Digital Defense with Browsers

As more of our computing world lives inside a browser, the risk goes up.

As we move to Work From Home, the risk goes up again because we no longer have corporate infrastructure to chop off the top few layers of attacks.  Also many of us have kids that either share our computer or share our network.

The FBI has launched an initiative to protect political campaigns and voters from foreign influence campaigns and cyber attacks called Protected Voices.

The Portland office of the FBI adapted some of the recommendations from that program into recommendations for everyone.

Before I give you the list, let me warn you that it is going to expose that perennial issue – security or convenience – PICK JUST ONE!

Here are the FBI’s recommendations:

Note: How you implement these will be browser and system specific

  • Disable AUTOFILL
  • Disable remember passwords
  • Disable browsing history

Disabling these features makes it more difficult for malware on your system to steal sensitive data

  • Do not accept cookies from third parties

Note that some browsers do this by default.  Doing this reduces the ability of third parties to track you and aggregate your browsing habits.  And sell them.

  • Clear browsing history when you close your browser or use incognito mode

Note that this means that you actually have to close your browser.  Again, this reduces your fingerprint and makes it more difficult for advertisers (and hackers) to track you.

  • Block ad tracking
  • Enable do not track (there has to be at least one site on the web that honors this)

There are a number of good ad blockers.  Apple and Firefox have built in ad blocking.  Not only does this make it harder to track you but it stops malware laden ads from running on your system.

  • Disable browser data collection

All browsers like your digital exhaust;  that is why they collect it, but it is none of their business.

  • Make sure that if a web site wants your digital certificate, you have to approve each request

Your digital certificate *IS* your signature.   Protect it.

  • Disable caching

Caching makes browsing faster, but apps and web pages can find out what is in the cache and figure out what you are doing and where you have been.

  • Enable browser features to block malicious, deceptive and dangerous content.  Different browsers do this in different ways; some more privacy friendly than others.

What is true about all of these features is that they will have some impact on your browsing experience.  You don’t have to implement all of them, but each one makes things a little more difficult for the bad guys.
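Since how you implement the list is browser specific, here is what it looks like for one browser.  Firefox keeps its settings as `user_pref("name", value);` lines in a profile’s `prefs.js`, and reads a `user.js` in the same folder at startup to override them.  The script below is an added example, not the FBI’s or Mozilla’s code: it maps each bullet to the Firefox preference that controls it (the preference names are real; pairing them with the FBI bullets is this example’s own), audits a `prefs.js` against the list, and emits a `user.js` that applies the whole list.  The sample `prefs.js` is constructed for the example.

```python
import re
from typing import Any

# The Firefox about:config preference behind each FBI bullet. Pref names are real
# Firefox prefs; the mapping to the bullets is this example's own.
RECOMMENDED: dict[str, Any] = {
    "browser.formfill.enable": False,                    # disable AUTOFILL
    "signon.rememberSignons": False,                     # disable remember passwords
    "places.history.enabled": False,                     # disable browsing history
    "network.cookie.cookieBehavior": 1,                  # do not accept third-party cookies
    "privacy.sanitize.sanitizeOnShutdown": True,         # clear history when the browser closes
    "privacy.trackingprotection.enabled": True,          # block ad tracking
    "privacy.donottrackheader.enabled": True,            # send Do Not Track
    "datareporting.healthreport.uploadEnabled": False,   # disable browser data collection
    "security.default_personal_cert": "Ask Every Time",  # approve each client-certificate request
    "browser.cache.disk.enable": False,                  # disable (disk) caching
    "browser.safebrowsing.malware.enabled": True,        # block malicious content
    "browser.safebrowsing.phishing.enabled": True,       # block deceptive content
}
# Alternative values that also satisfy a bullet (5 = Firefox's Total Cookie Protection).
ALSO_ACCEPTABLE = {"network.cookie.cookieBehavior": {1, 5}}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str) -> Any:
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw)


def _format_value(value: Any) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return f'"{value}"'
    return str(value)


def parse_prefs(text: str) -> dict[str, Any]:
    """Read the user_pref("name", value); lines of a prefs.js or user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(prefs: dict[str, Any]) -> dict[str, Any]:
    """Return the recommended prefs the profile does not satisfy, mapped to the value
    found (None when the pref is not set, i.e. the browser default is in effect)."""
    findings = {}
    for name, wanted in RECOMMENDED.items():
        acceptable = ALSO_ACCEPTABLE.get(name, {wanted})
        if name not in prefs or prefs[name] not in acceptable:
            findings[name] = prefs.get(name)
    return findings


def render_user_js(prefs: dict[str, Any]) -> str:
    """Emit user.js lines that apply every setting in `prefs`."""
    return "\n".join(f'user_pref("{k}", {_format_value(v)});' for k, v in prefs.items())


# Constructed sample prefs.js from a profile that has done some, but not all, of the list.
SAMPLE_PREFS_JS = """\
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.safebrowsing.phishing.enabled", true);
"""


def audit_sample() -> dict[str, Any]:
    return audit(parse_prefs(SAMPLE_PREFS_JS))


if __name__ == "__main__":
    for name, found in audit_sample().items():
        print(f"{name}: found {found!r}, want {_format_value(RECOMMENDED[name])}")
    print("\n# user.js that applies the full list:\n" + render_user_js(RECOMMENDED))
```

Run against the sample profile, the audit reports eight of the twelve settings as missing or weaker than recommended; a profile with the emitted `user.js` in place audits clean.  The trade-off the post describes is visible in the list itself: `browser.cache.disk.enable` and `places.history.enabled` set to `false` cost you speed and the back button’s memory.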

It is your call.

Source: FBI


What Happens When Your Fintech Provider Gets Hacked?

Fintech is a term that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks.  Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others.  Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks.  Banks are regulated.  For the most part, fintechs are not regulated.

Okay, so why am I talking about this?  Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup.  They have 10,000 employees and 9,000 customers  in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago.  Today they said it was ransomware.

So what does all this mean?

Well, a couple of things.  People are using more fintech technology.  Mobile apps.  Data aggregators.  Many other things.

These apps and web sites have your financial data.

Maybe they have decent security.  Maybe not.  For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finastra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked.  I know;  I was one of those vendors and they take the problem very seriously.

Finastra has been less than forthcoming with what is going on.  Many ransomware variants steal data in addition to encrypting it.  Was this one of those?  We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up.  Likely, as a $2 billion company they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this.  These data centers are off line in addition to being powered off.  As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important.  For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the problem is this: if one of them is hacked, is the security of your bank account compromised?  Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss.  Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs.  You could be arguing for a while.  Worst case, you might have to sue them.  You might not win in court.  It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked.  They don’t have the money or the insurance to make their clients whole.  They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart.  Understand the risk.  Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs


Weekly Security News for the Week Ending March 20, 2020

Senate Kicks the Can Down The Road Again With FISA Renewal

Last week it looked like Congress was going to renew the parts of the Foreign Intelligence Surveillance Act that DID EXPIRE last weekend.  But Congress being Congress, they didn’t.  On Monday the Senate agreed to kick the can down the road for 77 days.  Now the House has to agree.  In the meantime, I am not sure what the NSA is doing about those expired provisions and they only plan to kick the can down the road on two of the three expired provisions.  In fairness, Trump wants to rein in the Intelligence Community since he doesn’t trust them and never has.  This could work to the advantage of the privacy advocates.  Source: Reuters

Covid-19 Web Site President Said Google Would Bring Online Monday is Online But Not Like he Said

Google/Alphabet subsidiary Verily launched its Project Baseline Coronavirus website, but it is not national, it only covers two counties in the San Francisco Bay area.  It was supposed to allow people to make appointments to get tested, but the few slots that were available filled up instantly.  Only people living in those two counties are even allowed to use the site.

Google says that they are working on a nationwide INFORMATION ONLY site and it will be released sometime in the future.  Source: Bleeping Computer

Open Source Vulnerabilities Surge in 2019

Some people say that open source software is more secure.

Reality is a little different than that.

In 2019, DISCLOSED open source vulnerabilities surged from 4,000 to 6,000.  The good news is that the open source community is good about fixing the vulnerabilities once they are found.  85% of the vulnerabilities have a fix once they are responsibly disclosed.

Bottom line, make sure that you have an effective open source software patching program to keep your company safe. Source: Help Net Security

U.S. Census Figures Coronavirus Will Be Over in Two Weeks

The Census, that every-ten-year event, was supposed to start this week.  But there is kind of an issue.  I think there is some kind of virus going around.  Part of how the Census works is that Census workers go around collecting information from people.  Given the current situation, (a) Census workers are probably not going to be willing to risk their health for a few bucks, (b) people that they visit are likely not going to let them in the door or (c) some other less than nice thing might happen.

So what did the geniuses at the Census Bureau decide to do?  They decided that they are going to send out Census workers in 13 days on April 1st. WHAT, EXACTLY, DO THEY EXPECT TO BE DIFFERENT IN 13 DAYS?

Ya gotta wonder about those folks in Washington.  Source: Reuters

OCR Lifts Penalties For Telehealth Use During Covid-19

It’s all hands on deck.  HIPAA has a number of provisions that allow a healthcare provider to bypass certain HIPAA rules.  A pandemic is not one of those options.  Of course since the Feds make the rules, they can change them.  In light of the current situation, HHS says that they will not penalize Covered Entities for using telehealth providers who are not fully HIPAA compliant.  They are not saying using those providers is legal;  they are just saying, given the circumstances, they are not going to go after providers who do so.  This will allow providers to use apps like Facetime or Google Chat to diagnose patients instead of making them come into the office and potentially infect dozens of other people.  It seems like a reasonable trade off.  Source: HealthIT Security


Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different than a lot of other companies.  Their website was hacked and one of the Magecart family of credit card skimmers was installed.  It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website.  The security firm RiskIQ worked with abuse.ch and Shadowserver to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a jQuery JavaScript library.  This particular compromise has been detected on over 200 websites.

The second attack compromised a different jQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach.  Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay.  Let’s see if we can learn some lessons here.  What went wrong?

I often ask how it is that security researchers can contact a company and get ignored.  Let’s talk about your company.  How would some employee deal with that?  Is there a process?  Is it documented?

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password.  It is not that hard to phish an employee’s credentials.  What about your websites?  Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch.  Are you confident that every single library on your web server is current with every single available patch?  Equifax missed one and it didn’t turn out so well for them.

And of course being able to detect malware in realtime, as I wrote in the client alert last night – that is pretty important.
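All three Nutribullet skimmers rode in on a modified script (two jQuery resources and a third library), which is exactly the change a site owner can detect on their own pages.  Two controls do it: pin each external script with a Subresource Integrity hash so the browser refuses a copy whose bytes have changed, and keep an inventory of every `<script src>` on the page so a new or unapproved script, or a pinned one that no longer matches, is noticed the same day rather than three weeks later.  The script below is an added example, not RiskIQ’s or Nutribullet’s code; the HTML page, the library bytes, the host names and the allow list are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every external <script src=...> tag and its integrity attribute, if any."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity token for `content`: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def check_integrity(integrity: str, content: bytes) -> bool:
    """True if `content` matches any hash token in an integrity attribute."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_hash(content, algo) == token:
            return True
    return False


def review_scripts(html: str, allowed_hosts: set, served: dict) -> list:
    """Flag scripts that are not pinned, come from a host nobody approved, or whose
    served bytes no longer match the pinned hash. `served` maps src -> the bytes the
    server actually returned (constructed here; in practice you fetch them yourself)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src, integrity = s["src"], s["integrity"]
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append((src, "host not on the allow list"))
        if not integrity:
            findings.append((src, "no integrity attribute; a modified copy loads silently"))
        elif src in served and not check_integrity(integrity, served[src]):
            findings.append((src, "integrity mismatch; served bytes differ from the pinned hash"))
    return findings


# Constructed sample: a pinned library whose served copy has been altered, an unpinned
# first-party plugin bundle, and an unpinned script from a host nobody approved.
GOOD_LIB = b"/* constructed stand-in for the pinned copy of jquery.min.js */"
ALTERED_LIB = GOOD_LIB + b"\n/* constructed: extra bytes standing in for a tampered copy */"
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example.com/jquery.min.js" integrity="{sri_hash(GOOD_LIB)}"></script>
<script src="https://cdn.example.com/plugins.js"></script>
<script src="https://static.unapproved.example/tag.js"></script>
</head><body></body></html>"""
SERVED = {
    "https://cdn.example.com/jquery.min.js": ALTERED_LIB,
    "https://cdn.example.com/plugins.js": b"/* constructed plugins.js */",
}
ALLOWED_HOSTS = {"cdn.example.com", "www.example.com"}


def review_sample() -> list:
    return review_scripts(SAMPLE_HTML, ALLOWED_HOSTS, SERVED)


if __name__ == "__main__":
    for src, problem in review_sample():
        print(f"{problem}: {src}")
```

The caveat: an integrity attribute protects the library file, not the page.  An attacker who can edit the HTML itself can simply drop the attribute, which is why the inventory has to be compared against a known-good baseline kept somewhere the web server cannot write to.  That outside-in comparison is the same kind of monitoring that let RiskIQ spot the Nutribullet skimmers before the company itself did.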

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?

