Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, there have very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off it’s collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google roles out version 70 of Chrome, Symantec’s SSL certificates will be no longer trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.   Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog .

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register .

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo .

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken .

Facebooktwitterredditlinkedinmailby feather

Free Credit Freezes For All!

For years the big three national credit bureaus made buckets of money from people who were concerned about thieves stealing their credit.

You could “Freeze” your credit report which made it unavailable to creditors, with certain limited exceptions.  What this meant is that if someone stole your identity and tried to open a bank or credit account and that establishment tried to pull a credit report first, they would get a “no can do!” back from the 3 CRAs or Credit Reporting Agencies.  A smart creditor would not open an account for the fraudster at that point because they could not see if the person had good or bad credit.

This worked pretty good but not perfect because there are a hundred smaller credit bureaus that some small companies used, but, for the most part, it worked.

The only problem was that each of the credit agencies charged you to freeze your credit – as much as $10 at each bureau, each time and they also charged you to remove the freeze, which you would need to do if you were financing a car or buying a cell phone or whatever.

A FEW states prohibited the CRAs from charging for freezes, but still it was a multi-million dollar revenue stream.

Until last month.

After the Equifax breach, there was a demand for free freezes but nothing happened.  Then.

The problem is that the creditors want unrestricted access to your credit report and if you put a freeze on it, they can’t have it.

Until last month.

Now the CRAs cannot charge you to put on or take off a freeze.

What’s more, if you request a freeze online or on the phone, the agency has 24 hours to put the freeze in place.

And if you want to remove that freeze?  They have 60 minutes to do that.

And if they don’t?

The FTC takes complaints at 855-411-2372.

There are a lot more details, all good for consumers, in the link at the end of the post.

Bottom line, finally the credit bureaus are doing a LITTLE something good for consumers.

Information for this post came from the FTC.

Facebooktwitterredditlinkedinmailby feather

Remember the Old Days – When Laptops Had Chargers?

Back in the old days – like 2 or 3 years ago – laptops had power adapters that plugged into a charging connector and USB ports that allowed users to plug in USB peripherals like keyboards and flash drives and other devices.

In an effort to make things easier for users – and, in fairness, easier is good – computer and phone makers are making one universal connector which performs both functions.  This is actually being mandated in Europe.

There is only one problem and that is that the connector can perform both a power function and a data transfer function.

If YOU are the owner of the thingees that you are plugging into your computer or phone, then there is (probably) no security problem.

BUT, if you plug your phone or laptop into a USB-C cable in a public environment like an airport or hotel or something, then that is a different story.

I’m not saying that the airport or hotel is sinister, but how do you know that the cable or what it is connected to was not modified or, maybe, not even provided by the hotel or airport (or other public place)?

Since the connector is one and the same, it could charge your device.  OR, it could steal all your data.

Some operating systems can be set up to not allow data transfers, but that is likely not how most people configure them.  After all, that is inconvenient.

So…. New situation, new threat.

By the way, this is exactly how law enforcement extracts data from locked phones captured as evidence, so we know it works, at least some of the time.

And it could be an interesting attack vector for installing ransomware on your device.

What do you do?

First thing is, if you can, don’t use public charging stations, if possible.    That is not always possible.  Or convenient.

Second option is, if possible, configure your device to always ask if you want to allow charging ONLY or data transfer too.  Again, this may not be convenient or even possible.

The next option is to bring your own charging batteries.  These are affordably priced and come in all sizes.  I always carry one with me.  Here is an example of a pretty large one, although they come even bigger, for about $40 on Amazon.  Smaller ones are less expensive.  They can charge multiple devices at once and this one could charge your phone several times before it, itself, would need to be recharged.

The last option is a USB data blocker.  They come in many flavors such as this one at Amazon.  Some are a cable that you plug into the public charging station to protect yourself.  Others are an adapter.  In all cases, they only allow the charging pins to work and not the data transfer pins.  You will need to figure out what configuration works for you.

The point is that there are several options to choose from – pick the one that works the best for you but do not use a public charger without protection.  Source: The Conversation .

 

Last option is a very small gizmo that you can plug your

Facebooktwitterredditlinkedinmailby feather

Google Plus Breached Last March – Will Shut Down in 10 Months

You have to admire the gall of some marketing departments.

Today, Google announced that it was shutting down the consumer version of Google Plus after a breach of 500,000 users information.  SIX MONTHS AGO.

They said they shut it down because user engagement was low – I guess that means that no one was actually using it and that 90 percent of the sessions lasted less than FIVE SECONDS.

Of course, up until today, Google Plus was wonderful.

Now that they have to deal with a breach – including, likely, an investigation under GDPR (joining Facebook), from the FTC and likely from Congress, they say that it wasn’t important to them.

The good news is that the information that was breached was less sensitive – name, email, gender, occupation and age.

Still, it is hard to spin this in a positive light.

In an effort to do so, they also announced that they are implementing some new privacy controls – more granular ones – to control what developers can with your data.

They are also limiting what apps can do once you give them access to your GMail.

Oh, yeah, the reason that they didn’t tell you before now was because of fear of government regulation and being compared to Cambridge Analytica.  It said that it couldn’t tell exactly which users were affected and didn’t find evidence of misuse.  I am sure that all of this will sit well with regulators and Congress.

As these data platforms get bigger, it is going to be a challenge to deal with any breach.

I can’t see how hiding this for more than 6 months is going to work out well for Google, but stay tuned.

For those few users that logged into it for five seconds – you are going to have to find a new platform.

Information for this post came from CNBC, The Verge  and CNBC again.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Oct. 5, 2018

Web Page Load Times Double Due to Trackers

Trackers, those microscopic bits of pixie dust that web pages and advertisers insert into web pages to track our activities, make a significant negative contribution to user experience.

Full disclosure – this study was done by Ghostery, who makes software – free software – that blocks these trackers.

Ghostery looked at the page load time of the top 500 US web sites as defined by Alexa and discovered that it took, on average, 10 seconds longer to load with trackers enabled than when blocked by Ghostery.

The 10 slowest of the top 500 sites loaded 10x faster without trackers, saving users 84 seconds on average.

Obviously you could run their free software to reduce your page load times and I have run it for years.  It is amazing how many trackers can exist on one web page.  Source: Ghostery

Feds Issue Alert Regarding Remote Deskup Protocol

Sometimes it takes the feds a little while to realize what we have known for years.  Remote Desktop Protocol or RDP is a Microsoft mechanism for remotely logging in to another computer.  Sometimes people (not very wisely) enable this capability over the Internet.

RDP was designed for LAN administrators to remotely access a user’s computer or a server on the same network, so security considerations were never a top priority.  Over the years Microsoft has improved the security of RDP but still – my opinion – it is foolish to enable this so that a hacker in Timbuktu can try to hack into your network.

Finally, after several years of these widespread attacks, the FBI has issued an alert telling people this is not a good practice.  There are ways to secure that RDP connection, the easiest of which is to require remote users to establish a VPN connection first.  Source: Homeland Security.

Adobe Patches 85 Vulnerabilities in Acrobat and Reader

Adobe has released patches for 85 vulnerabilities in Acrobat and Acrobat Reader for both Windows and Mac.  85 is a pretty big number.  Some of the vulnerabilities allow for remote code execution while others allow for information disclosure or privilege elevation.  In other words, an entire buffet of problems.

This points to why it is so critical to understand what apps you have installed and make sure that they are patched quickly.  Every single time patches are released.  On every device in the network.  Desktops.  Laptops.  Servers.  Phones.  Tablets.  Everywhere.  As of today, Adobe says they are not being exploited in the wild – that they know of.  Tomorrow, at a minimum, every foreign intelligence agency in the world will have reverse engineered them and figured out how to use them as a weapon.  That doesn’t count the hackers.  Source:  The Register.

FBI Forces Child Abuse Suspect To Look at His Phone

In August, for the first time ever that we know of, the FBI obtained a warrant to force a person to look at his iPhone X to unlock it using Apple’s face recognition.  A month later he was charged with receiving and possessing child porn.

While no sane person is going to suggest that the judge should not have issued the warrant in this case, it points to the assumption that people have that stuff on their mobile devices is private.  A bad guy could put a gun to your head and that would likely have the same effect as the warrant.

Privacy is a relative term and as long as everyone understands that, we are all good.  Source: Forbes.

DoJ Indicts 7 Russian Hackers;  Odds of Them Standing Trial Are Almost Zero

The Department of Justice announced criminal charges against 7 Russian intelligence operatives this week, charging them with wire fraud, money laundering, identity theft and hacking.

Russia is unlikely to hand them over to the United States to stand trial and unless the Intelligence agents are not very intelligent, they will never visit any country that has an extradition treaty with the U.S.

That being said, a couple Russian criminal hackers (who are likely not as intelligent as GRU officers) have been known to visit countries friendly to us, so it is, technically possible, that they could wind up on trial in the U.S.  Just not very likely.

These indictments add more fuel to the fire that Russia is hacking us, although this is not specifically tied to the elections.  Source: CNN

 

Given that the President has

Facebooktwitterredditlinkedinmailby feather

Visit New Zealand – Fork Over Your Passwords or Risk Being Prosecuted

In what is thought to be the first country to do this, travelers entering New Zealand who do not turn over their phone passwords during searches could be arrested, prosecuted and fined more than $3,000.  This includes citizens and foreigners.

A New Zealand customs spokesperson said that the new fine is an appropriate remedy to balance individual’s privacy and national security.  I am not sure what the balance is here.

In many countries law enforcement can examine your digital devices, but it is up to them to figure out how to hack into them if you don’t unlock them.

I suspect that this will become a bit of a trend.

Once law enforcement has the phone, unlocked, you have to assume that whatever is on the phone – from nude selfies to business trade secrets – has been compromised.  There is no way to know whether that data is secure or not.  Given most government’s security track records, this is probably a sad reality.

In the case of New Zealand, the customs agent has to have some undefined suspicion of wrong doing in order to invoke the new law.

Things that you can do to minimize the pain –

Large companies that are concerned about security are giving their employees burner phones and burner laptops when they travel abroad.

These same companies require employees to get approval for any data files that they load onto these devices.

For private citizens, this applies as well.  Don’t take your laptop and buy a burner phone at Walmart or Best Buy and only load what you need.

Alternatively, store the data that you will need while abroad in the cloud, encrypted, download it while abroad, upload changes before you cross any borders and overwrite the deleted files with software like the free program CCleaner.

If you believe Snowden, intelligence analysts like sexy photographs and swapped them internally like baseball cards.  I would suspect that practice applies to customs agents as well.  If it isn’t there, they cannot do that.

It is likely that you will pass through customs unmolested – in the U.S. last year, customs only searched several tens of thousands of devices compared to the hundreds of millions of travelers –  but if you are concerned, there are some easy and inexpensive steps that you can take.

Source: NY Times.

 

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed