Security News for the Week Ending August 7, 2020

Microsoft Considering Buying TikTok

In light of President Trump’s threats to ban TikTok, Microsoft says that it is considering buying the company from its Chinese owners. That would be a win-win-win for Microsoft. They would add another social media platform to their inventory. They can probably buy it at fire sale prices and they would be doing something nice for the Republican administration. Credit: NY Times

Republicans Say TikTok is a National Security Risk

The current Republican administration says that TikTok is a national security risk and it may well be, but not for any of the reasons that they are talking about. Secretary of State Pompeo says that TikTok and other Chinese-owned software might be feeding the Chinese your address, your facial image, your phone number or your friends. First of all, they likely have all of that already. Second, they can get all that information from Twitter or Facebook, so what is special about TikTok? And third, they can buy or steal all of that and a whole lot more from any one of a thousand data brokers, and it is all legal.

Why is this only a China problem and not, say, a Russia problem? One reason is that we don’t tend to use Russian software. But in the bigger picture, if the Republicans don’t think that Russia, North Korea, Iran, as well as friendly countries like France, Israel and Germany, among many others, are doing the same thing, they are wrong. After all, we are doing this, both to our citizens and theirs.

The bigger problem is that the TikTok software, along with a lot of other software running on your computers (PC or Mac) and phones (iPhone and Android), is horribly insecure and is leaking WAY MORE data than just that. And that assumes that the software does not have malicious intent. *THAT* is a national security risk that the Republicans don’t want to talk about because it would cost American businesses money to fix that problem. What if a malicious update to a piece of software vacuumed whatever data it could off your phone – contacts, texts, photos? It is probably more realistic than you think. Credit: Fox News

Papers Leaked Before UK Election Linked to Russia

Classified US-UK trade documents that were leaked before the recent UK election in an attempt to manipulate the elections are now being linked to Russia. They were stolen from former British trade minister Liam Fox. The Brits say that they have a “very robust” system to protect classified documents and are investigating how the Russians accessed Fox’s email multiple times between July and October of last year in spite of this so-called robust system. This is a classic technique that all intelligence services try to use – steal documents. Cherry pick which ones to leak. Use social media to generate outrage. Rinse and repeat. Score one for Russia. Credit: US News

Shocking News: Voting Machine Security Improves When you Work With Researchers

Voting machine maker ES&S has a horrible reputation when it comes to security. Organizers at Defcon bought used ES&S (and other) voting hardware and let people hack it. I don’t think any piece of their hardware lasted 5 minutes. What was ES&S’s response? They threatened to sue. Recently, they have begun to change that strategy. They are now going to offer a bug bounty program managed by an independent third party and are actually listening to the researchers. Did the gov threaten to blackball their machines? Who knows? Whatever they did, it is good for voting security. Credit: The Register

Feds Fine Capital One for Shoddy Cloud Security

Dial back your wayback machine to September of last year. Capital One announced a hack of their Amazon environment by an ex-Amazon employee the previous July that was possible due to an incorrect configuration of their security settings.

Fast forward to today and the feds announced an $80 million fine for bad cloud hygiene.

The feds (the OCC) fined Capital One for “failure to establish effective risk management processes” prior to migrating some of their systems to the cloud.

The OCC said that they considered the bank’s notification and remediation processes favorably in assessing the fine, meaning that the fine would likely have been larger if they hadn’t responded as well after the breach as they did.

On the other hand, they said that the bank glossed over numerous weaknesses in an internal audit.

On top of that, the OCC said that they didn’t report the flaws that they found appropriately to their Board’s audit committee. This means that internal processes were not sufficient to allow the Board to perform its fiduciary responsibility. Rather than blaming the Board, in this case they blamed management.

They also claim that Capital One failed to patch security vulnerabilities, violating regulations that banks must follow (GLBA).

After Capital One got caught, the bank decided this was a good time to spend some money on cybersecurity and start fixing the problems.

There is a moral here, I think.

This is a bank, so the expectations for security are high, but still …..

You could wait for a breach and the ensuing regulators and lawsuits. And fines. Or you can start looking at cyber risk management as a business problem and decide that it is probably cheaper to spend the money pre-breach. Last year Capital One said the breach could cost them $150 million. Whether this $80 million fine is in addition is not clear. Credit: The Register

NSA Offers Recommendation to Reduce Cellphone Exhaust

If you didn’t know better you would think the NSA is trying to turn over a new leaf. Credit Anne Neuberger.

A couple of years ago the NSA dissolved the Information Assurance Directorate – the group that helps the good guys. To me, this was an incredibly stupid move on the part of the NSA.

Fast forward to late last year and the NSA reincarnated IAD and called it the Cybersecurity Directorate. Same mission.

But the NSA had a horrible rep that they spent most of their effort on OFFENSIVE cyber and very little on DEFENSIVE cyber.

Anne Neuberger is the new head of the Cybersecurity Directorate and she has been working hard to change that reputation.

Photo of Anne Neuberger

Fast forward to this week. The Cybersecurity Directorate released a memo on reducing the exposure from your cellphone data. What we affectionately call your digital exhaust.

They rightfully say that you cannot eliminate your digital exhaust but you can reduce it. While this article is targeted at government employees, it is useful to anyone who is concerned about their digital footprint.

They explain that just having your phone turned on, even if location tracking and your GPS are off, gives location information to apps, who collect and sell it. Even if your phone is in airplane mode, you could be giving away your location.

The whole idea of telling people how to reduce their footprint goes against the NSA’s offensive mission. Kudos to Anne Neuberger.

The memo also talks about tracking you from your fitness device and other items like this. The feds had a virtual heart attack recently when a bunch of data appeared from, I think, Fitbits, that showed this strange activity pattern in a place where no one should be. Like, perhaps, a secret base run by special operations soldiers. Oops.

So if this is a subject that is of interest to you, check it out.

Even if it is just out of curiosity. Credit NSA via Cyberscoop

Here is a Match – Lawyers+Security Pros

There are an amazing number of misconfigured Amazon S3 buckets. I have no clue why. No company should be in this boat any more.

Truffle Security said that a team of their security pros STUMBLED across about 4,000 of them.

What was in them?

Login credentials – not great.

Security keys – even worse.

API keys – worse yet.

Also SQL server passwords, Coinbase API keys. Even login info for other AWS S3 buckets.

But what I like is capitalism.

Some enterprising researchers are teaming up with law firms. Why?

The researchers find the leaky buckets.

The law firms sue the owners (and pay a commission).

Sounds like a win-win-win deal. Win 1 – the lawyers get a payday. Win 2 – the researchers get a commission. Given there are so many leaky buckets, everyone gets rich.

What is the third win for? Win 3 – the companies get to close the leaky buckets.

Mind you it might have been cheaper if they just used the tools that Amazon has made available, but whatever gets the job done.

I am only being slightly a smartass. If this isn’t a great reason to hunt for leaky S3 buckets, I can’t think of a better one. Find those leaks. And close them. Avoid those lawsuits. P-L-E-A-S-E!!!!!! Credit: The Register
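To make “find those leaks and close them” concrete, here is an added Python example (not code from the article, from Truffle Security or from The Register) that audits the three settings that make an S3 bucket public: the bucket policy, the bucket ACL, and the Block Public Access switches that are one of the Amazon tools mentioned above. It runs entirely offline. The assumption is that the inputs have the same shape as what boto3 hands back from get_bucket_policy (a JSON string), get_bucket_acl (a dict with a Grants list) and get_public_access_block (the PublicAccessBlockConfiguration dict); the sample policy, ACL, bucket name, role ARN and VPC endpoint id below are constructed for this example and are not real.

```python
"""Offline audit of the three S3 settings that make a bucket public.

Assumption: inputs mirror what boto3 returns from get_bucket_policy (JSON
string), get_bucket_acl (dict with "Grants") and get_public_access_block
(the PublicAccessBlockConfiguration dict). Sample data below is constructed.
"""
import json
from typing import Dict, List

# ACL grantee URIs that hand access to everyone, or to any AWS-authenticated user.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# The four Block Public Access switches; all four must be on to shield the bucket.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard_principal(principal) -> bool:
    """True when a statement's Principal is '*' or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_findings(policy_json: str) -> List[Dict]:
    """List every Allow statement addressed to a wildcard principal.
    A statement that also carries a Condition (aws:SourceVpce, aws:SourceIp, ...)
    is marked 'conditioned' rather than public outright: it needs a human look."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_findings(acl: Dict) -> List[str]:
    """List every ACL grant to the AllUsers or AuthenticatedUsers group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(f"{PUBLIC_ACL_GROUPS[grantee['URI']]} has {grant.get('Permission')}")
    return findings


def audit_bucket(name: str, policy_json: str, acl: Dict, block_config: Dict) -> Dict:
    """Combine the checks. With all four Block Public Access switches on, S3 ignores
    public ACLs and refuses public policies, so a sloppy policy or ACL is not exposure."""
    shielded = all(block_config.get(key) is True for key in BLOCK_KEYS)
    policy = public_policy_findings(policy_json)
    acl_grants = public_acl_findings(acl)
    hard_public = [f for f in policy if not f["conditioned"]]
    return {
        "bucket": name,
        "policy": policy,
        "acl": acl_grants,
        "block_public_access": shielded,
        "exposed": (not shielded) and bool(hard_public or acl_grants),
        "needs_review": (not shielded) and any(f["conditioned"] for f in policy),
    }


# Constructed sample inputs (not real data): one outright public read statement,
# one wildcard narrowed by a VPC-endpoint condition, one Deny, one scoped role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_BLOCK = {key: False for key in BLOCK_KEYS}  # every switch off: worst case

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BLOCK), indent=2))
```

The Deny statement and the role-scoped statement are deliberately not reported, and the conditioned wildcard goes to a review queue instead of the exposed list; turning all four Block Public Access switches on clears both verdicts even with the same sloppy policy and ACL, which is why enabling it account-wide is the cheapest fix.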

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate Generals. Stay tuned; that sausage is still being made. If they do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between your financial institutions and you, are not regulated in the same way that say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

IRS is “Recommending” Tax Pros Use Multi-factor Authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two factor apps like Google Authenticator over SMS messages which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you get from your current phone, without spending the money on a new phone and a new plan. For details, read the article in USA Today.

Planning for a Ransomware Attack

You know that if publications like Forbes are running pieces on preparing for ransomware attacks that things must be getting bad.

The Forbes piece, written by former Deputy Undersecretary for Cybersecurity at DHS Mark Weatherford is good, but it leaves out a few things (I am guessing that Forbes gave Mark a word limit).

We continue to see multi-million-dollar ransoms being paid. Garmin is reputed to have paid $10 million and the University of California at San Francisco paid $1.1 million. Those are just a couple of very recent, very public ransoms paid.

We seem to hear every day of a new attack: Opus Capital Markets (Freddie Mac vendor), Honda, Fresenius, 41 health care providers. This is just a sample of the attacks.

So what do you do – how do you prepare?

These are Mark’s recommendations. I will add some of my own.

  1. Have a business continuity plan. When Travelex got hit by ransomware earlier this year they were literally out of business for a month. They can afford that – can you?
  2. Focus on the data. Mark says systems can be replaced. Not so easy when it comes to the data. How much data are you willing to lose? A week? A day? An hour? Many times the backups are accessible online. Convenient. And easy for the hackers to destroy or encrypt. If that happens, you have nothing.
  3. Regularly educate your users. That means, for example, you need to be phishing your users regularly and the fake phishes need to be very convincing. Regular means weekly. Different phishes for different people. This includes the executive team.

Okay, so that was end of Mark’s list. Here are a few of mine to add to the mix.

4. Make sure that everything is patched. Computers, servers, cloud, phones. While that may not stop hackers, no sense making it easy for them.

5. Have a TESTED incident response plan. When Equifax announced their breach, they gave out the wrong web site, and the right web site, when they finally got that out, was not even owned by Equifax. It was set up after the breach by someone at their marketing vendor. He owned it personally. That doesn’t inspire confidence in your customers, who may have just had the worst day of their business life.

6. Have cyber insurance. This is your last resort. These days it is still pretty affordable. Norsk got paid $3.5 million by their insurance and they spent $60 million to recover. Make sure that the insurance covers all of the situations that might occur (they often don’t) and that you have enough.

Finally, plan, test and plan some more. A few months before the Sony attack that was blamed on North Korea, there was a very similar attack on the Sands Hotel and Casino empire. Didn’t hear about the Sands attack? That is because they were prepared.

Are you? The rate of attack and the price of ransom are both escalating. Don’t wait; prepare now.

Privacy, Security and Cyber Risk Mitigation in the Digital Age
