Security News for the Week Ending September 18, 2020

Is TikTok Going to Sell to Oracle? Maybe

Well, sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem it does solve. Nonetheless, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If TikTok shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat; the same restriction applies to TikTok, but not until November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using them. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced that the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus, an Android banking trojan, is a pretty nasty piece of work; once installed it can read two factor codes sent via text message and forward them to the attacker (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

A denial of service attack is a volumetric (brute force) attack that aims to hurt a business by stopping its customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabits per second of garbage thrown at your web site) is up 200% over last year. Very large attacks (100 gigabits per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital took its systems offline, stopped accepting emergency patients and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they had hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and handed over the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Presidential Campaigns’ 2020 Apps Not Secure

I am not sure whether this is a surprise or not.

The apps for both the Biden and Trump campaigns are not secure. Does that surprise you?

Let’s start with Biden’s App.

Biden’s iOS app did not even validate email addresses at sign-up, so anyone, say in North Korea, could download the app and abuse it.
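To make concrete what “validating the email address” actually means, here is an added example of the server-side check an app back end can do before it grants access; it is not code from the campaign app or its vendor, and what the campaign actually changed is not public. The account is not activated until the user presents a token that was e-mailed to the claimed address; the token is HMAC-signed and time-limited, so someone who merely downloads the app cannot mint one. `SERVER_KEY`, the 15-minute lifetime and the token layout are assumptions for this example.

```python
"""Added example: e-mail ownership verification with a signed, expiring token.
Not the campaign app's own code; SERVER_KEY and TOKEN_TTL_SECONDS are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never shipped in the app
TOKEN_TTL_SECONDS = 15 * 60           # assumption: tokens are good for 15 minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    # Re-add the padding stripped by _b64; raises ValueError on non-base64 input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_verification_token(email: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Build the token the server mails to `email`; only the mailbox owner ever sees it."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    payload = f"{email.strip().lower()}.{expires}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, claimed_email: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> bool:
    """True only if the token is intact, unexpired and bound to `claimed_email`.

    The MAC is checked first and in constant time, so a tampered or forged token is
    rejected before any of its contents are trusted.
    """
    try:
        payload_b64, mac_b64 = token.rsplit(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # wrong shape or not base64 (binascii.Error is a ValueError)
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    email, _, expires = payload.decode(errors="replace").rpartition(".")
    if not expires.isdigit():
        return False
    current = now if now is not None else time.time()
    if current > int(expires):
        return False  # link reused after it expired
    # The token must match the address the client now claims, not just any valid address.
    return hmac.compare_digest(email.encode(), claimed_email.strip().lower().encode())


if __name__ == "__main__":
    token = issue_verification_token("Alice@Example.com")
    print("mailed token:", token)
    print("owner clicks link:", verify_token(token, "alice@example.com"))
    print("someone else tries it:", verify_token(token, "mallory@example.com"))
```

The point is that the e-mail address is only trusted after the round trip through the mailbox; an app that skips that step is trusting whatever the client typed, which is exactly the problem described above.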

They take your contact information and merge it with information from TargetSmart’s voter database, using your data to enrich their profile of 250 million consumers. While some of the fields are not exposed in the user interface, they are available to anyone reverse engineering the app. The starting data is public voter roll data, but where it becomes valuable is when they can add your information (where “your” means the contacts of the thousands or millions of people who downloaded the app) to their database.

Of course a bad actor could download the app and corrupt the database with millions of compromised contacts.

When the researchers notified Joe’s team, they fixed the flaws (whatever that means) almost immediately.

Now let’s move on to Trump’s app.

Their first problem was a little worse. They shipped hardcoded secret keys for their Twitter and Google integrations inside the app, where anyone who downloads it can extract them.
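Hardcoded keys are found by pulling strings out of the app bundle and pattern-matching them, which is exactly what a researcher (or an attacker) does. The following is an added example of that check, not code from either campaign app: it scans text such as the output of `strings` on a decompiled binary for Google API keys and AWS access key IDs by their documented fixed prefixes, for PEM private key headers, and for Twitter credentials by variable-name context, then drops documentation placeholders by a word list and low Shannon entropy. The sample input is constructed for this example and contains no real keys; the entropy threshold and placeholder word list are assumptions.

```python
"""Added example: find hardcoded credentials in strings recovered from an app bundle.
Not code from either campaign app; SAMPLE_STRINGS is constructed and holds no real keys."""
import math
import re
from typing import List, Tuple

# (label, regex). Group 1 isolates the candidate value.
SECRET_PATTERNS = [
    ("google_api_key", re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b")),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    # Twitter keys have no fixed format, so match on the variable name that holds them.
    ("twitter_credential", re.compile(
        r"(?i)(?:twitter|consumer)[_-]?(?:consumer[_-]?)?(?:api[_-]?)?(?:key|secret|token)"
        r"\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,60})['\"]")),
]
PLACEHOLDER_WORDS = ("example", "replace", "your_", "changeme", "xxxx", "dummy")  # assumption
MIN_ENTROPY_BITS_PER_CHAR = 3.5  # assumption: English-word placeholders score lower, random keys higher


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; a random base62 key of 25+ chars scores well above 3.5."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(word in low for word in PLACEHOLDER_WORDS)


def scan_for_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, value) for each credential-looking string in `text`.

    Fixed-prefix matches and PEM headers are reported unless they look like documentation
    placeholders; context-based matches must also pass the entropy check, because a
    variable name alone produces false positives.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                if is_placeholder(value):
                    continue
                if label == "twitter_credential" and shannon_entropy(value) < MIN_ENTROPY_BITS_PER_CHAR:
                    continue
                findings.append((lineno, label, value))
    return findings


# Constructed sample resembling `strings` output from a decompiled app. No real keys:
# the AWS line is the placeholder from AWS's own documentation and should be filtered out.
SAMPLE_STRINGS = """\
com.example.campaignapp.NetworkClient
google_maps_key = "AIzaSyA8uQ3k1xbLpMZ0VfgR2hT9nWc4dE6yJsq"
twitter_consumer_key = "REPLACE_WITH_YOUR_TWITTER_KEY"
twitter_consumer_secret = "q7Zp2LmX9vR4tKw8NbY3cHdJ6fGsAe5UoI1xVrTy"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN RSA PRIVATE KEY-----
Using Twitter API key from secure storage
"""

if __name__ == "__main__":
    for lineno, label, value in scan_for_secrets(SAMPLE_STRINGS):
        print(f"line {lineno}: {label}: {value[:8]}...")
```

Run against a real bundle by feeding it `strings -n 20 <binary>` or the decompiled source tree. Anything this reports is a key the campaign is effectively publishing; the fix is to keep the secret on a server the app talks to, and to rotate any key that has already shipped.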

In addition, Don’s app learned a lesson from TikTok. It is scraping every piece of user data off the phone that it can find. I think he called that a national security threat when TikTok did it.

In a very smart move (and perfectly legal), Trump’s app turns raising money for the campaign into a game. People get points for raising money and could wind up on a leader board if they raise enough money OR if they get their friends to install the app.

In both cases, the exposure comes from taking public data and, as the data scientists call it, “enriching it” with non-public data, in this case the contacts collected from users’ phones. The flip side is that foes can pollute that same database with bogus data, and it appears that it may be possible for folks to steal some of the enriched data as well.

The exposed security keys are a different story, of course. That is just a problem.

It just shows that political apps are not any more secure than any other app. Which should not be much of a surprise, but means users should not let their guard down.

No politician wants to spend money on tech, although every politician uses tech. In fact, these days, tech is critical, but so is cost containment.

It also points out that politics, these days, is all about the data and both the red team and the blue team are trying their best to collect the most data while at the same time hoping that no one will corrupt their data, either maliciously or accidentally. Or complain about their practices. Credit: Bleeping Computer

Privacy in the Land of California

For those of you that live in California, work in California or have customers in California, 2021 is going to be different.

Probably more complicated for businesses and possibly a little better for consumers.

Act 1: CA AB-1864 creates the Department of Financial Protection and Innovation (DFPI). California is not particularly happy that the Republican administration in Washington has defanged the Consumer Financial Protection Bureau. My personal opinion is that there are people in the legislature who are not happy that Xavier Becerra, the California AG, has been less than enthusiastic about enforcing CCPA.

The result is DFPI, aka California’s own CFPB. The governor is expected to sign the bill later this month.

Like the CFPB was supposed to do, the DFPI will have the power to bring administrative and civil actions, issue subpoenas and create rules and regulations. It also requires that all money collected by the department (AKA fines) will be used to fund the department. If the commissioner wants more staff … issue more fines.

For many of our clients, there is good news. Escrow agents, mortgage originators, broker-dealers, banks and other financial institutions are exempted from this regulation.

Fintech companies are not exempted. They need to watch out. The text of the bill can be found here.

Act 2: The second bill is SB-908, which will require debt collectors to be licensed. And regulated. Mortgage lenders are NOT exempted from the provisions of this bill. The governor is expected to sign this bill as well.

Given the current financial “troubles” in the country now and in the foreseeable future, there is going to be a lot of non-performing debt. For debtors in California, this bill will attempt to make the debt collection process a little more civil. Given the reputation of the industry as a whole, civil is not a term that I would generally use when describing the process. Of course, there are many exceptions. The text of this bill can be found here.

Act 3: The last bill in the collection is CA AB-376, which establishes a student loan borrower bill of rights. Among other things, this bill, which will be enforced by the new DFPI, requires loan servicers to operate like a fiduciary by managing payments to the benefit of the borrower and to reduce fees to the borrower.

The bill would allow a borrower that suffers damages as a result of a debt collector’s failure to follow this law or other relevant federal laws to sue the debt collector for actual damages, injunctive relief, restitution, attorney’s fees and other relief, including treble damages in some cases. The text of this bill, which the governor is also expected to sign, is available here.

This is not all; there is CCPA 2.0, but I will leave that for another day.

As you can see, for folks living, working or doing business in California, 2021 will be an interesting year.

Also remember, where California leads, the rest of the country follows. If you don’t believe that, check out CA SB 1386, the 2002 law that created the first data breach notification requirement and became the model for breach notification law in virtually every state in the country.

Suppliers Under Attack

The company Blackbaud helps organizations in a variety of industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their own computer rooms and data centers instead of using Blackbaud’s. This breach, however, was of what Blackbaud calls its “self-hosted environment”, meaning infrastructure that Blackbaud itself operates for customers, and only a subset of the customers hosted there were affected.

Unfortunately for Blackbaud, among the many organizations affected are healthcare providers, and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government, which publishes the larger ones (those affecting 500 or more people).

While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies whose data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far (more to come) is almost 1.6 million people whose data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health, which is a managed care company. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, the ones who wind up on the short end of the stick are the healthcare providers.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again, in 2020 alone and only in healthcare, 345 breaches affected over 11 million people. Those are just the ones that were posted to the Health and Human Services “wall of shame”.

But fines, if and when they do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going to increase or speed up.

Ultimately, who gets to do the heavy lifting is the companies who hire these vendors. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that the vendors that have access to or store your clients’ data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland’s data protection regulator has told Facebook to stop transferring EU users’ data to the US. Of course Zuckerberg’s company says that it has a right to do that using standard contractual clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. The technique is what the industry calls remote browser isolation: instead of opening a browser on your computer, you open a window from your computer to a browser running in the cloud. You then surf in that sandbox, which contains any debris from malware. When you drop the connection, the sandbox goes away, and any malware with it. In addition, since these sandboxes live in the data center, the bandwidth required at the user’s location goes down dramatically. One caveat: it protects the endpoint from drive-by malware, but it does not stop a user from typing a password into a phishing page. Still, it is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s OFAC sanctions list, the financial equivalent of the do not fly list. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Army Cyber Command to Fort Gordon in and of itself may not be exciting, it may be an indication of how seriously the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoir and Meade. More importantly, consider who else is at Gordon. This move puts Army Cyber Command at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

California Appeals Court Holds Amazon Strictly Liable

This is a very interesting situation and could affect some businesses and all consumers. Amazon is likely to appeal to the California Supreme Court, so this is not over.

Amazon and many other online retailers (Walmart and Target just to name two) sell both their own stuff and other vendors’ stuff on their web site. Amazon calls theirs a “marketplace”. In many cases, Amazon even fulfills the order. Amazon’s objective in this lawsuit is to use the same argument that Uber and others use – we are just a technology platform – don’t blame us for what happens there.

That strategy worked ten years ago, but it has been working less and less – just ask Uber how much their legal fees have been lately.

At the core, it is about who is financially liable when something goes wrong in cyber-land. In this case, the product was a battery. The battery was not sold by Amazon, but it was sold on the Amazon web site, Amazon did collect the money and Amazon even shipped the product to the customer.

If you go into a retail store, there is the concept of strict liability which means that if that battery that you bought in, say, Target, explodes, Target is liable. For the most part, up until now, who is liable when that is sold in the online world has been muddy and folks like Amazon liked it that way. They certainly don’t want to be liable.

In a sense, I agree. In a sense. But Amazon would also like to not be responsible if they are the seller either.

It looks like that idea is not going to fly as more courts say that companies that sell online, no matter what their business model, are the seller and therefore liable.

But here is the problem.

The Amazon (and other) marketplace is a very dynamic place. Vendors come and go and there are literally millions of products on the marketplace at any one time. If Amazon and others are required to test every product, it can’t be done.

If they ask some vendor to certify that the product is safe, there is no way to validate that. And no way to verify that the vendor can defend Amazon and pay a judgment.

Amazon could buy insurance to cover the risk and just charge marketplace vendors an even higher percentage than they already do.

Or they could just decide that the marketplace model is not worth the pain and dump it.

So what is the upshot –

If you run an online business and you allow third party merchants to sell on your platform, understand the risk.

If you are a merchant who uses an online platform, know that your business model could be at risk.

If you are a consumer, understand that your choices may decrease.

While this only affects California and could be overturned, it isn’t looking good for Amazon. The Assembly passed a bill this year (but the Senate did not) that would have made this law.

Since California is like the world’s 5th or 6th biggest economy, other states are watching and will probably follow suit.

If this is of interest to you, I invite you to read Professor Goldman’s extremely detailed analysis. While he is a law professor, he writes, amazingly, in English that humans can comprehend. Credit: Eric Goldman

Privacy, Security and Cyber Risk Mitigation in the Digital Age
