Two Factor Authentication is not Security Magic

While any form of two-factor authentication is better than none, there are still security holes.

In a story I read tonight, a tech-savvy user fell for a social engineering attack. He received what he thought was an Instagram message from a friend and responded to it. It turns out it was a social engineering attack.

Combine this with really crappy security services on the part of social media companies.

Then combine that with their effectively non-existent tech support.

In this particular case, the attack vector was a password reset attack. Most companies – and not just social media – opt for the least possibly secure password reset mechanism. Because they don’t have any tech support. After all, since you are paying zero dollars and zero cents for the service, they can’t give you a lot of tech support.

In the case that I will link to at the end, the user never did get his account back.

In my case, I might be a little sad – probably not – if I lost my Facebook account, but if you are a business and you depend on your social media presence, that could be a real problem.

So what do you do?

The first thing is to make sure that you have a CURRENT OFFLINE backup of any cloud data you care about. DO NOT count on your cloud provider to keep a backup and make it available. Especially if your account is compromised.

Make sure that you implement the best of the crappy security your cloud provider offers. This is not just social media. If you do not like that provider’s security AND YOU HAVE A CHOICE TO MOVE, do so. Vote with your feet. That is about the only thing they understand.

Train any user who has access to the account about security. In the case today, it was a very subtle mistake the user made. It didn’t seem like a security problem, but it was.

Finally, hope that good luck goes your way.

The problem is that online services are not responsible when things go badly and that is not likely to change without legislation. You can rest assured that if there is legislation, they will fight it tooth and nail because it means real money to them. And a precedent. They don’t want to be liable.

That means that you have to be careful enough for the both of you.

Credit: ZDNet

Security News for the Week Ending May 20, 2022

Flaw in uClibc Allows DNS Poisoning Attacks

A flaw in all versions of the popular C standard libraries uClibc and uClibc-ng can allow for DNS poisoning attacks against target devices. The library is likely used in millions of Internet of Things devices that will never be patched and will always be vulnerable. This is where Software Bill of Materials is kind of handy. Credit: ThreatPost

Cyberattack on Hawaii Undersea Cable Thwarted

Homeland Security Thwarted an attempted hack of an under-ocean cable that connects Hawaii with other parts of the Pacific region. While Homeland is not releasing any details of the attempted attack, if the attack shut down traffic, that would be really bad for the region. Just one cable, for example, the Hawaiki Transpacific Cable, runs for 15,000 KM and has a capacity of 67 Terabits per second. Credit: Star Advisor

Will the Mickey Mouse Protection Law Go Up in Flames

Full disclosure: I have never been a fan of this law, so if it goes away, it won’t bother me. As some Republicans try to hurt Disney (trying to abolish the Reedy Creek special district, for example), Senator Hawley (R-Mo) introduced legislation to roll back the insane copyright “terms” that companies have used to make money off characters created a century ago. The downside of Hawley’s move is that it likely will anger a lot of people who make money off that 120 year copyright term and they might choose to make donations to the other team to get even. Given that Washington runs on “contributions” and those donors are likely going to explain that fact, I would say the odds of this passing are not great, but who knows. Credit: MSN

Feds Write Memo That Says They Pinky Promise Not to Charge Security Researchers Under CFAA

Sometimes I probably come across as cynical. That is because I am. While it is great that finally the DoJ wrote a memo that says that they are not going to charge security researchers for finding security holes, that memo only has just a little bit more weight of law than if I wrote that memo. There is nothing binding on the DoJ. Still, I guess, it is better than nothing. Credit: The Daily Swig

Sanctions Have Some Effect on Russia’s Tech Sector

Since Russia can no long buy AMD and Intel processors, they had to find an alternative. The solution seems to be a KaiXian KX6640MA. This is an Intel compatible chip, but it is a bit slow. One CPU Benchmark reported that a 4 core, 4 thread chip scored 1,566 points on the CPU benchmark. By comparison, an Intel Core i3, which is the slowest of the current Intel family, scored 14,427. Not exactly a match and for anything that is time critical, that is a problem. Guess how you would feel if someone replaced your computer with one that was 1/10th as fast. Credit: PC Magazine

N. Korea Has Yet Another Way to Fund Terror

We all know that North Korea has been funding their terrorism – and their economy – using ransomware attacks and other malware. Now they have a new way and it is pretty creative.

According to an advisory from the feds, North Korean IT workers have been trying to get IT jobs in the United States – both in the government and private sectors.

The money they earn from working for U.S. companies and government agencies goes back to North Korea to fund WMD and ballistic missiles.

And apparently, we are not talking about 1 or 2 IT workers. According to the feds, they are sending thousands of these IT workers out to countries across the world.

Sometimes they act as freelancers, where the checks are less strict.

Or they look for telework, so they never have to meet a coworker in person.

Both perfect in a pandemic/post-pandemic world.

A team of DPRK IT workers can make $3 million a year. To fund North Korea.

To support this, the country has a whole network of high end university programs to train around 30,000 students at a time.

The fed’s advisory provides detailed information on how the North Korean IT workers operate, red flags to look for, payment platforms that they use and general mitigation measures companies can take.

Yes they are interested in your money.

But stealing your intellectual property is a side benefit.

Not to mention sharing your credentials with hackers at home.

The details in the advisory are fascinating as to how sophisticated they are at creating false identities and false locations. They never leave North Korea.

While you are not likely going to be prosecuted for hiring one of these people (unless it is obvious they are North Korean), it certainly is within the rules of engagement for the Office of Foreign Asset Control (OFAC) to do that. The rest of it – that could be really bad for your company.

Credit: Data Breach Today

Advisory: DoJ/Treasury Guidance

Bluetooth Spec Says it is not Secure – They Are Right

There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.

In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.

A relay attack works like this. You take one phone and put it near the key fob and another phone and put it near the car. These two phones talk to each other and with $50 worth of bluetooth hardware, they are able to relay the signal from the fob to phone 1 to phone 2 to the car.

Some of these relay attacks don’t work because there is a time delay introduced in this type of attack, but these researchers figured out how to work within the timeout window.

While they only tested a model 3, they think the attack will also work on a model Y.

Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla keyfob and get full access to the car.

It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”

Credit: The Register

These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).

Tesla says that they are not going to fix it. They do say that you can disable the proximity feature.

The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.

This is one of those cases where convenience won out over security. Credit: Helpnet Security

Preserving Text Messages

CIOs have always had to worry about the challenges of preserving evidence, but now we have a whole new class of challenges.

The so called Duty to Preserve comes into play when one party learns about the possibility of litigation. This happens, many times, before any lawsuit is actually filed. Once a party has reasonable knowledge of potential litigation, they have to make sure that potential evidence is not deleted (note: I am not a lawyer, so this may not, exactly, be technically correct, but it is close).

So lets assume that you are the CIO of a company. It is relatively easy to preserve emails – there are many solutions for what is called a litigation hold.

It is much harder to deal with employees’ personally owned computing devices, which includes phones.

Most companies, unless they are in a particular industry like financial services, don’t have a requirement to preserve anything absent pending litigation. Once you think there could be pending litigation, things change.

Think about these things –

  • Facebook Messenger UNSEND
  • iMessage TAP BACK
  • iMessage (and many other platforms) automatic delete function
  • Signal and Telegram’s delete functions

In Fast v. GoDaddy, Fast used the unsend feature to stop disclosure of 109 messages. The court was not happy with this and sanctioned them. The court even fined them $10,000. Eventually, they did cough up 108 of the messages, but the last one never appeared.

The court concluded that the failure to produce this message warranted the court’s issuance of an adverse inference instruction at trial. Basically, this means that the judge will tell the jury that because of the failure to produce this evidence, you can assume the contents were not favorable, or worse (again, I am not trying to be a lawyer here, but you get the idea).

The iMessage tapback feature allows an iPhone user to send back an emoticon in response. But if the recipient is an Android user, they get a copy of the message again. Which if you intended to delete the message, is not what you want. At a minimum, it could signal the existence of a deleted message. Again, the judge issued an adverse inference instruction because messages were selectively deleted, but because of the tap backs, forensics could see that messages had been deleted.

If you use a messaging platform that either can or does automatically delete old messages and you have a duty to preserve, the courts can, again, issue sanctions.

That included ephemeral messages that go away after a few seconds.

So now the IT department has to manage preserving evidence on user owned devices. Doesn’t that sound like fun. Credit: Prof. Eric Goldman’s blog, guest post by Philip Favro

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (named Winnti or APT41) to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies. The companies compromised include some of the largest companies in North America, Europe and Asia. These attacks go back to at least 2019 and they have stolen intellectual property, R&D, diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal. Got a court order and everything. But, it was them she was spying against. The other problem she had was that there were dozens of other government officials who were also spied on, but it is not clear by whom. That includes the PM and Defense Minister. Their phones were declared spyware-free – but were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, sometimes referred to by the more polite term child sexual abuse material (CSAM), is hard. End-to-end encryption makes that even harder. One current EU proposal would require companies to scan all communications, meaning that end-to-end encryption would be banned. It won’t technically be banned, it would just be impossible to allow and comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would just encrypt the material before it is uploaded or use other methods. If we have learned one thing over the years is that bad guys adapt much more quickly than the law does. Of course, that material might stand out, but if they intentionally create a lot of chaff to hide what they are doing, it might not. A Botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. It also requires that providers read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado and this is not really a new scam, but the CBI says it is quickly ramping up. The scam is that a supposed out-of-state seller wants to sell a property, either with a house or vacant land, that currently doesn’t have a mortgage. The fraudster impersonates the owner looking for a buyer that wants a quick close. The whole transaction is being done remotely by mail with a fraudulent deed. Do your due diligence whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the number of days that hackers are lurking inside your systems continues to decrease. The time now stands at just 21 days. This is likely because hackers are worried about being detected before they can detonate their attack as companies and governments get more serious about fighting crime. That means you don’t have as much time to detect the bad actors. Are you prepared? Credit: Data Breach Today

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed