Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different from, say, the Target or Home Depot breaches because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks, Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be a bit vague on coverage in case of acts of war or terrorism.  Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism.  The President was careful to call it cyber vandalism.  I suspect a number of attorneys argued about that decision and part of that decision may have been to try to avoid trouble with Sony’s cyber insurance policy.  Of course, whether the President calls it vandalism has little impact on what the insurance company calls it, and while we have no indication yet that Sony’s insurance carrier is going to try to wiggle out of their policy, they still may.  Writing a $60 million check does cause people to pucker up.

So then, you might rightfully say, if it is terrorism, did Sony have a terrorism policy?  That issue has not come up yet, so we don’t know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9/11, not a hacker erasing some computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It certainly would be smart for companies and their insurance brokers to review their coverages and exclusions in light of this.  And, at renewal time, it behooves them to read the policy carefully.

Whether Sony’s insurer will try playing this card is unknown – I guess we will have to wait and see.  And even if they do, it will take years to sort out.

One more time Sony is breaking new ground.


Your Home Internet Router May Have Caused the Xbox-Playstation Outage On Christmas Day

I have been meaning to write about this for a week now, but a conversation I had last night with a security-geek friend (thanks, Tim!) allows me to combine two posts.  Happy Friday!

First, the subject line.  Lizard Squad, the group that claimed responsibility for shutting down the Microsoft Xbox and Sony Playstation networks on Christmas Day, said that the shutdown was an advertisement for their web site stressing service (called a Stresser or Booter).  For literally a few bucks, you can subscribe to their service and “stress test” your web site.  Of course, if you “accidentally” point the stresser at someone else’s web site you get to say “gee, my bad!”.

Of course the cops might not be very happy with you, but they have to find you.  If you use anonymizers and Tor and pay for the service with bitcoins, etc., etc., and you do all that right, you might be hard to find.  Of course, the stresser service, located in Bosnia, is not going to help the police, so you don’t have to worry about them outing you.  Anyway, you get the idea.

So how did the Lizard Squad group generate enough traffic to take down both Sony and Microsoft – two companies that probably have pretty robust networks and data centers?  Now I am back to the subject line of this post.  They hacked your home internet router!  Really, no kidding.  I wrote several weeks ago about RomPager, the bug in the web interface in millions of small office/home office routers that allows an attacker to take over the router.  In addition to that, many people don’t bother to change the default user ID and password of their SoHo router and voila, Lizard Squad has millions of routers to do their bidding.  According to Brian Krebs, Lizard Squad hacked into bunches (that is a technical term) of vulnerable routers and added some code that allows them to command your router to attack whomever they want.  Even though this malware is pretty crude, it does not give itself away if you log in to the web interface of the router, so you have no easy way to tell if your router has been hacked.

To add insult to that, they are sucking up your bandwidth, reducing the performance of your internet connection and contributing to your bandwidth cap if you have one.

Nice, huh?

Brian and others have several suggestions like making sure that you patch your router, change the default password and turn off WPS, if you can.  What the heck is WPS you ask?  Well, let me tell you.  It gets a bit technical and this post is getting long, so here is a link if you want more details.

The second part is that the router manufacturers thought that all this password stuff was too complicated for users, so they said that instead of remembering that password, we will print an 8-digit PIN on the bottom of the router and if you have that, you can just ignore that pesky password and connect to the router.

To make matters worse, the way they implemented it, they did it as two 4-digit halves and many routers just allow you to try all 10,000 combinations to complete the first part and then another 10,000 combinations to get the second part and you are in.  Any idea how long it takes a computer to try 20,000 4-digit numbers?  Not very long.  Seconds to minutes and the attacker is now in your router.  Combine that with the fact that the router doesn’t lock you out if you try, say, 1,000 bad PINs (that would be inconvenient for the user, of course) and you have a hacker’s paradise.

An alternative that some router makers have come up with is a red button on the router that you push when you want to connect.  This is more secure because it is only active for a couple of minutes after you push the button and you have to have physical access to the router.  BUT, in order to get the WPS logo, you MUST implement the totally insecure PIN mechanism.

Some routers do not allow you to disable WPS (the PIN approach).  Other routers, like some Cisco and Linksys routers, allow you to disable WPS, but don’t ACTUALLY disable it – in other words, they just make you think WPS is disabled.  Some routers do actually let you disable either the PIN portion of WPS or all of it.  Some routers don’t have WPS.  Those are probably the most secure.  Bottom line is that you have to be way too much of a geek if you want to protect yourself.
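As an added illustration (constructed here, not code from this post or from any router vendor), a toy Python model of the two kinds of PIN check: one that acknowledges each 4-digit half separately, exactly as described above, and one that answers only for the whole PIN and locks out after a few failures. The `oracle_search` helper just counts how many replies each verifier hands out before the search either finishes or is shut down, which is the whole difference between 20,000 and 100,000,000.

```python
# Toy model of WPS PIN checking (constructed example, not any vendor's code).
# Leaky registrar: confirms the first 4 digits before looking at the last 4.
# Hardened registrar: one yes/no for the full 8 digits, with a lockout.

HALF = 4             # digits per half
SPACE = 10 ** HALF   # 10,000 candidates per half

class SplitVerifier:
    """Leaky: the reply reveals whether the first half matched."""
    def __init__(self, pin):
        self.pin, self.queries = pin, 0

    def check(self, guess):
        self.queries += 1
        if guess[:HALF] != self.pin[:HALF]:
            return "first-half-wrong"
        if guess[HALF:] != self.pin[HALF:]:
            return "second-half-wrong"
        return "ok"

class WholeVerifier:
    """Hardened: one yes/no for the full PIN, plus lockout after max_fail misses."""
    def __init__(self, pin, max_fail=3):
        self.pin, self.max_fail = pin, max_fail
        self.failures = self.queries = 0

    def check(self, guess):
        if self.failures >= self.max_fail:
            return "locked"       # the oracle stops answering
        self.queries += 1
        if guess == self.pin:
            return "ok"
        self.failures += 1
        return "wrong"

def oracle_search(verifier):
    """Settle the PIN using only the verifier's replies; returns (pin or None, queries).
    Per-half feedback needs at most 2 * SPACE = 20,000 queries instead of SPACE ** 2."""
    first = None
    for a in range(SPACE):
        reply = verifier.check(f"{a:04d}0000")
        if reply == "locked":
            return None, verifier.queries
        if reply in ("second-half-wrong", "ok"):   # first half confirmed
            first = f"{a:04d}"
            break
    if first is None:
        return None, verifier.queries
    for b in range(SPACE):
        guess = f"{first}{b:04d}"
        reply = verifier.check(guess)
        if reply == "locked":
            return None, verifier.queries
        if reply == "ok":
            return guess, verifier.queries
    return None, verifier.queries
```

Against `WholeVerifier` no reply ever narrows the space, so the lockout ends the search after `max_fail` tries; that is the property a defensible implementation needs, whatever the PIN length.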

This post is already way too long – especially for a Friday.  Feel free to contact me if you have questions.



Justice Department Continues Push To Get Rid Of Encryption

The Justice Department continues to push for the ability to bypass encryption (see here). Leslie Caldwell, one of the assistant AGs said that the DoJ is very concerned that Apple and Google have turned on encryption by default.  I guess that must point to the fact that if people have to do something to turn it on, they won’t, which makes eavesdropping that much easier for them.

FBI Director Comey has said before that he wants to push Congress to make automatic encryption illegal – again pointing to the fact that many people won’t bother to encrypt if it requires an extra click or two.

On the other hand, the government is saying that we have to be more concerned about cyber security – it seems like they are trying to have it both ways.  Encryption is one of the easiest and simplest ways to make it harder for the bad guys to do you in.  It also makes it harder for the FBI and NSA to vacuum up massive amounts of data to look for the needle that they want to find in the data haystack.

Caldwell actually said that encryption makes data too safe.  Really?  Too safe?  Isn’t that kind of like being too rich?  Or too happy?  Seems a bit self-serving.

Caldwell also said that she hopes that companies will build a back door (‘cuz if they do, certainly the Chinese won’t figure that out) so that the FBI can mail the phone to Apple or Google to decrypt.  Really.  MAIL THE PHONE.  I think she is a bit out of touch with the digital age.

Some people have gotten hung up on the term back door, meaning an intentionally introduced mechanism that allows someone who knows about it to compromise the encryption.  Let’s assume that what they really mean is that they want a copy of your encryption keys and they promise to keep them safe.  Is it really possible for them to keep those safe?  And what about the data vacuuming that the agencies are doing – doesn’t that require them to use those keys every time you get online?  How, exactly, do you keep that secure?

If I have the key and they want it, then they have to go to a judge and get a warrant and I can disagree and try to convince the judge that they shouldn’t get it.  And, I can change the key so that sharing that key won’t compromise my future conversations.  Key escrow or back doors don’t allow any of that to occur.

The DoJ is also not happy with the Tor network.  They say they are making some progress at hacking it, but I *think* mostly they are taking advantage of people’s poor personal security hygiene (people make mistakes and the feds capitalize on that).

Clearly, encryption and Tor and similar tools can be used for bad purposes, but so can hammers and I don’t see a demand to outlaw hammers.

I am quite sure that encryption makes it harder for the government to do massive data collection and correlation, but we managed to track down criminals before and we can continue to track down criminals after.

Three thoughts and I will allow you to draw your own conclusion –

1. Are bad guys likely to use encryption software that has a back door vs. software that is available for free on the black market that does not have a back door?  Or software that is created by developers in any other country that doesn’t require them to add a back door?  Surely the dumb ones will and you may therefore catch them, but what about the really dangerous ones?

2. What is the financial impact on the U.S. economy if the rest of the world (RoW) knows that the U.S. government can look at their stuff without them knowing about it?  eWeek reported that U.S. cloud providers said their business could shrink by 25 percent as a result of the NSA data collection.  That could be a direct loss to the U.S. economy of $25-$100 billion over three years, depending on who you believe.  That doesn’t include secondary effects (if the providers sell fewer services, they will buy fewer computers and hire fewer people, for example).  If the RoW thinks that the U.S. has a crypto back door, how many U.S. jobs will that cost and how many billions in business will we lose?

3. A lot of the crypto is controlled by service providers (like SSL and Facebook), but much more of it is controlled by the end users.  If Joe and I are talking to each other, we share a secret that only we know and that is used as the key.  The fact that the key is secret is what makes it secure.  If that key gets out, then all traffic past, present and future, that was protected with that key, is compromised.  And the feds would like businesses to give that to them freely.  I don’t think that is going to happen.  I have been known to be wrong before.  I think I was once in 1997.  Or maybe 1998.
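To make the “past, present and future” point in item 3 (and the “I can change the key” point above) concrete, here is an added Python example, constructed for this post and not taken from it, using a toy HMAC-based stream cipher from the standard library. The same disclosed key is tried against a transcript encrypted three ways: under one static shared key, under a one-way hash ratchet, and under a ratchet with a fresh-randomness rekey before message 5. `keep`, `step`, `rekey`, `transcript` and `readable_with` are hypothetical helper names.

```python
# Constructed illustration (not from the post): escrowed static key vs ratcheted key.
import hashlib
import hmac
import os

def keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, expanded to n bytes (toy stream cipher)
    blocks = (hmac.new(key, c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts
    return bytes(a ^ b for a, b in zip(keystream(key, len(data)), data))

def keep(key: bytes) -> bytes:      # static key: never changes
    return key
def step(key: bytes) -> bytes:      # one-way ratchet: cannot be run backwards
    return hashlib.sha256(b"ratchet|" + key).digest()
def rekey(key: bytes) -> bytes:     # fresh randomness: old key says nothing about new
    return hashlib.sha256(b"rekey|" + key + os.urandom(32)).digest()

def transcript(msgs, key, advance, rekey_before=()):
    """Encrypt msgs in order, advancing the key after each; returns (ciphertexts, keys)."""
    cts, keys = [], []
    for i, m in enumerate(msgs):
        if i in rekey_before:
            key = rekey(key)
        keys.append(key)
        cts.append(crypt(key, m))
        key = advance(key)
    return cts, keys

def readable_with(leaked, at, cts, msgs, advance):
    """Indices an adversary holding the key of message `at` can decrypt (keys only move forward)."""
    got, key = [], leaked
    for i, ct in enumerate(cts):
        if i > at:
            key = advance(key)
        if crypt(key, ct) == msgs[i]:
            got.append(i)
    return got

MSGS = [f"message {i}".encode() for i in range(6)]          # constructed sample
K0 = hashlib.sha256(b"constructed shared secret").digest()  # the "secret only we know"

def demo():
    cts, keys = transcript(MSGS, K0, keep)
    static = readable_with(keys[3], 3, cts, MSGS, keep)
    cts, keys = transcript(MSGS, K0, step)
    ratcheted = readable_with(keys[3], 3, cts, MSGS, step)
    cts, keys = transcript(MSGS, K0, step, rekey_before={5})
    rekeyed = readable_with(keys[3], 3, cts, MSGS, step)
    return static, ratcheted, rekeyed   # [0, 1, 2, 3, 4, 5], [3, 4, 5], [3, 4]
```

With the static key, handing over the one key (to an escrow agent or anyone else) opens every message; with the ratchet, the same disclosure reaches only messages from that point on, and the rekey cuts it off again.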

The government has been trying to build back doors into encryption since at least 1993 when they came out with the idea of the Clipper chip.  It didn’t sell then and it is not likely to sell now.  My two cents.


Baby Monitor Hacked – Sorta

The news is reporting that a nanny in Houston said that she heard voices coming from the baby monitor while she was changing her baby’s diaper last week.

Apparently, someone was watching them and talking to them over the built in speaker in the baby monitor.  That speaker is designed so that the parents, using a smart phone, can talk to the baby if they are not there (I assume that they are not leaving the baby alone – that there is someone watching the baby – just not them).

Here is the rub and I have certainly spoken about this before.  I know that security is a pain, but if you don’t want someone watching you while you are having “mommy and daddy time” then (a) don’t have a camera where you are doing it and (b) follow decent security practices.

So what else does the article say?

  1. The camera was not password protected – I have never heard of a home security camera that does not allow for a password.  This one, from the pictures in the news, looked like a relatively high end consumer camera, so I am sure that it supported a password.
  2. The camera, from the pictures on the news, was wireless, so the combination of wireless access and no password is probably not a great parenting choice.  Whether the mother was breastfeeding while the perp was watching was not disclosed.
  3. The family had wifi in the house.  That connection was password protected; however, if the perp was within range of the camera’s wifi, the fact that the house wifi was password protected would be irrelevant.   The news did not disclose what the password on the home wifi was, but given the camera had no password, maybe the house wifi had the default password.  These are usually difficult to guess – like admin or password or possibly Password.  For any given manufacturer, you can find the manual on the Internet and in the manual is the default password.

There are search engines like Shodan that will allow you to search for web cams.  You can even specify which brand of camera you are interested in.  It will give you a list.  No password and poof, you are on the list.

Or the perp could be driving around the neighborhood looking for open wifi cams.  Sounds like if he did that, he would have no problem here.

So, if you are going to use wireless technology, whether it is a camera or an access point, you MUST do some basic stuff.  Make sure that it is patched.  Make sure that it is password protected. And don’t make your password 123456.  If you are making the device available on the internet through one of the many camera sharing web sites, make sure your credentials for that site are not easy to guess.

This is no different from any other password situation.

You, the user, have to make good choices.  There is nothing that the manufacturer or Internet service provider can do other than suggest you make good choices.  You bought the camera; now make good choices.

One other thing I want to point out.  Maybe you are an exhibitionist and are ok with some creeper watching you and your kids.  Remember, that camera is on the same network as all the other devices that you have in your house (unless you are like me and that is a whole other blog post).  If the camera is compromised then, potentially, every other device in the house can be compromised.  That is how both the Target and Home Depot attacks started.



In Honor Of Super Bowl Week – NFL Mobile App Is Like Swiss Cheese

Dark Reading is reporting that the NFL mobile app has a few problems in it – not so different from NFL officiating.

Wandera performed a scan of the app and discovered that after a successful login, the app leaks your credentials in an unencrypted API call.  In addition, it leaks your login name and email address too (which is probably enough to do a password reset).

That is enough, they say, to get the hacker into the user’s NFL web page, which is also unencrypted, which would allow the hacker to siphon off your address, phone number, occupation, date of birth, gender, if the user entered that in their profile.

As a side note, all they use that for is to push ads to you, so if possible, I recommend NOT entering that data and if they require you to do so, then enter bogus data. You may have to enter an occupation, but who says that you are not a mortician or clean septic tanks for a living.  There is no data validation.  And, as you go from site to site, enter different information – just to mess with the ad data people.

Anyway, back to the NFL.  Wandera did not try making a purchase, but given the above information, the security there is pretty suspect as well.

Since many users reuse passwords, getting their password may give the hacker access to someone’s email or Amazon account too.

I recommend that if you are going to reuse passwords, break them into categories.  One category I call trash sites: sites that have the lowest possible security needs and least sensitive data (at least as long as you told them that you were 92, female, lived in Paris, France and were a jockey).  The NFL site would fall into that category.  At least that way, if that password was compromised, nothing else important would be compromised.

But here is the best part.  The NFL, like politicians, loves to spin things.  Their answer to this issue was:

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

Obviously, this answer is total bulls&*t, but they probably figure most fans will trust them implicitly – like they trust the referee’s calls.  There is NOTHING they can do, technically, on the back end to fix this problem.  Can’t be done.  Total lie.

My suggestion is don’t fill out your profile and don’t purchase anything from their web site – buy stuff somewhere else.


How Does Your Anti Virus Software Stack Up?

Redmond Mag is reporting that AV-Test has ranked 28 antivirus software products against 153 pieces of zero-day (meaning previously unknown) and 12,000+ pieces of known malware.

AV-Test, based in Germany, has gotten sideways with Microsoft before.  Microsoft has come in ranked very low on their tests several times.

Microsoft says that the firm ranks antivirus software based on how well it detects malware.  Microsoft says they prioritize “real world malware uses”.  I guess that means that they only worry about the major pieces of malware.

Microsoft’s product is free and unfortunately, this may be one case where you get what you pay for.  In 2013, Microsoft said that most of the malware that they didn’t stop either didn’t hurt users or wasn’t out there in the wild.

Antivirus software is pretty cheap.  Trend Micro, one of the vendors that scored 100 percent on the test, is available today on Amazon for $25 for 3 PCs (per year).  That would work out to $8 and change per PC at home if your family has several computers.

What I don’t know is whether Microsoft says its users don’t see the malware it misses because that malware really is uncommon, or because Microsoft doesn’t detect it and therefore never reports it as being found on users’ computers.

In any case, to me, if I could get something that detects all 12,000+ samples for $8 per computer per year – the cost of 1 or 2 Starbucks –  that sounds like a reasonable expense.

The three anti virus products that scored 100 percent in their tests are:

  • Avira’s Antivirus Pro 2015,
  • F-Secure Internet Security 2015 and
  • Trend Micro Internet Security 2015

The complete test is available here.