Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904) and sent it to the House. It directs the NSF to support deep fake research and NIST measure the problem and see if they can get private companies to spend their money on solving the problem. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple in trouble but so is the Sheriff. Apparently the Santa Clara County Sheriff’s office has decided that concealed carry weapons permits can be bought and sold – or at least they can be bought. Apple offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Other folks, including Apple’s security chief are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

The feds have broken a Business Email Compromise (BEC) scam operating out of Lagos, Nigeria. So far they have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size and some Russian attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so they are back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that Monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, owner of TikTok to sell the company or the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S. and some percentage of them are Republicans and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, gave Bytedance another 15 day extension recently and now gave it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Remote Work Policies

When Covid happened 9 months ago no one really knew what to expect. I am not sure that anyone still knows what to expect, but it looks like that Work From Home (WFH) is here to stay.

Many companies have decided that it has not negatively impacted productivity and some even say that productivity is better.

Some companies have decided that it is a great employee benefit and helps with recruiting. It also allows companies to recruit talent anywhere in the country (although companies need to watch out for the potential impact of having to comply with personnel, privacy and tax laws in multiple states). Facebook, for example, has said that they anticipate that 60% of their employees will work from home forever.

But it does mean that we should consider security impact of WFH. Here are some thoughts.

#1 – Your employee’s computer, even if it is a company provided one, is operating in hostile territory. You have no control over the rest of the employee’s family, what their computing habits are, whether they ever patch anything, what web sites they go to and even if their wireless has been updated since, say 2013.

This means that you have to assume a zero trust environment. Your employee’s computer is likely operating in a war zone full of land mines and snipers. Are your computers’ protections up to the task?

#2 – If you allow your employees to use their own computers, it is even worse. Not do you not understand the security of your employee’s family’s computers (and phones and video games and IoT devices), but you don’t even know the security setup of your employee’s computer. For example, when was the last time it was patched. Not just the operating system but every application that is installed on the computer.

#3 – If employees have to VPN into your network or into a cloud network, do they have access to the entire network? Does every employee have access to the entire network? Do they need access to everything. This is where sub-netting and segmentation come into play.

#4 – Continue and enhance employee security training, phishing training and now, also, vishing training. Attacks are up and the environment is hostile. Attackers know that and are taking advantage of it.

Some things that you can do:

Provide employees a personal HARDWARE firewall that they are required to place between their computer and the rest of their home network. Not inexpensive, but highly effective. This firewall can establish a VPN tunnel between the employee’s computer and the company’s office or data center transparently.

Create policies about BYOD computers. It is a pain to enforce, but your company is at risk.

Implement network segmentation. It may mean that you need to buy, one time, some consulting expertise, but once it is done, your IT assets are much more secure.

For company owned computers make sure that patching remains a high priority and encourage employees to patch personally owned computers.

Ask employees to, if possible, connect via a network cable and not via wireless. Wireless connections are significantly more vulnerable to attack.

If employees have to use wireless connections, make sure the default router password has been changed and that the router has been patched.

If possible, implement a device management solution such as Microsoft Intune, JAMF for Mac or Airwatch.

The security situation is not going to get any better any time soon. You are in control of your company’s destiny as cyber is a key to protecting your company. I read stories every single day about companies that have been hit by cyber attacks of one form or another and how it is impacting their business. One company I read about today has been down for a month trying to recover. Another can’t ship products. A third has its online services offline. That is just today. Do not be the next news story. Please.

Feds Pass IoT Security Law – Its a Start

The new law is called The Internet of Things Cybersecurity Improvement Act and it is a start. Just a start.

While no one can agree how many billions of IoT devices are going to installed when, what we do know is that it is going to be tens of billions of devices and growing dramatically every year.

We also know that IoT devices are being hacked regularly including the hacking of the St. Jude implantable cardiac device and the Mirai botnet.

The bill was passed by the House a couple of months ago and just passed UNANIMOUSLY by the Senate and sent to the White House for signature who is expected to sign it.

So what does it do?

NIST is Required to Publish IoT Security Standards within 90 Days

This is kind of a freebee since NIST has been working on this for a couple of years, but still it is not released. Here is a link to the draft version.

NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days

This is a big one. If the standard requires features in order for a company to be allowed to try and sell to the federal government (after all, who would want to be able to legally sell to the feds?), they are not likely to make two models – one for the feds and one for everyone else, so everyone benefits.

Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)

This is a bureaucratic thing to make sure that government agencies don’t ignore the law, so therefore this, too, is important.

NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days

NIST will work with industry and academia to create guidelines to report, coordinate, publish and receive information about security vulnerabilities in IoT devices. This is important to standardize so that security researchers know the rules and what they can and cannot do.

The Federal Comptroller will Report to the House and Senate Bi-Annually About any Waivers Granted

This just provides a little daylight to any government shenanigans. The reports will be unclassified. The Comptroller will brief these committees after 1 year and then every two years about the broader IoT effort.

This bill is one thing that has come out of the Cyberspace Solarium Commission that issued its report earlier this year. Hopefully, more will come of it that report.

While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If Congress is nudged by the future White House to pass more legislation, that will certainly increase the odds that they will, which is, hopefully, good for security overall. Credit: CSO Online

Inexpensive is not always Good

Apparently Walmart has been selling an affordable Jetstream router. Affordable, apparently, because it has a back door in it that would allow hackers to not only control the router, but also all of the computers on your network.

But Walmart is not alone.

Wavlink routers sold on Amazon also have back doors. In this case it attempts to connect to nearby WiFi connections so that it has a covert way to steal that data.

Similar routers are available on eBay.

Researchers say there is evidence that this is not a theoretical problem, but rather is being used in real attacks.

Also, these back doors are being used to allow your network to attack other networks via the Mirai bot network. Guess who the FBI is going to come visit if YOUR router is found to attacking other networks?

When the researchers talked to Walmart, to their credit, they said (a) it is currently out of stock and (b) they have no plans to replenish it. I will give them credit for dumping this trash even though they felt necessary to spin it. I guess they just couldn’t say “oh, crap, we got duped. Handled!”

Likely these two routers are really made by the same company.

The researchers apparently were bored during the pandemic, so they started buying cheap routers online to see if they could hack them.

The back doors even have a user friendly interface – a different one than the paying users see, of course.

These back doors, according to the researchers, are active and probably enabled on millions of devices. Credit: Cybernews

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Default Passwords on Gov Websites – What Could Go Wrong?

You would think that in 2020 we wouldn’t have to tell people not to use default passwords.

You would certainly think that we wouldn’t have to tell government IT folks not to do that.

But if you thought that, apparently, you would have thought wrong.

We are still telling end users to change the password on their WiFi router. And on their Internet modem or firewall. But those are consumers.

We recently did a penetration test for a client. The client has a lot of locations.

For the most part, their Cisco ASA firewalls were secure.

Except for a couple of them.

Which still had the default password. At that point, we owned their entire network.

Fast forward to last month. The FBI said, privately, that foreign actors had successfully penetrated some government networks and stole source code.

Now we are getting at least some of the rest of the story. We still don’t know which agencies were hacked and what was stolen, but we do know how.

SonarQube is an open source application to help companies or agencies improve code quality through continuous static code analysis.

But if you put that on a public facing web site and you don’t change the default password – which is a really hard to guess “admin/admin”, you kind of have a problem.

I don’t understand enough about how SonarQube works, but it seems to me that it SHOULD NOT be exposed publicly and it probably should not be on production servers.

Here it is, at the tail end of 2020 and we are still telling people – IT people – to change the freaking password.

And security folks have been talking about this specific problem with SonarQube for a couple of years now and not just inside the gov.

Come on folks – get with the program. Hopefully what was stolen was not too sensitive but the fact that they are not telling us who was hacked and what was stolen probably means that it was sensitive. Credit: ZDNet

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed