M&A Cyber Due Diligence Gaining More Momentum

McGuire Woods, writing this week (Cyber due diligence important during M&A process), says that cyber risk due diligence is an important part of the merger and acquisition process. In fact, they say that failure to address these issues during due diligence could expose both buyers and sellers to a litany of adverse consequences.

Potential consequences include lawsuits, fines, audits, suspensions, breaches of contract, reputational damage and even lawsuits against directors and officers.

The article suggests that data privacy and security concerns need to be addressed at three stages: during the due diligence period, where you need to discover the facts; during the negotiation period, where the buyer will try to obtain the broadest representations and warranties and the seller will try to give the narrowest; and even post-closing, where you get to deal with whatever is left.

They close the article with this ominous warning (that I completely agree with):

Buyers and sellers that ignore this area do so at their peril, as security and privacy vulnerabilities have the potential to significantly and adversely affect the value and continued attractiveness of a particular transaction.

While the seller may eventually be sued, the buyer gets to deal with the situation directly and live with it, often for years.  As a result, the buyer, in my opinion, is the one that needs to demand that cyber due diligence is part of the transaction.


Crazy iOS Security Flaw Allows Hackers To Crash Any iOS 8 Device

Researchers at the RSA conference this week disclosed an interesting iOS hack that would allow an attacker to put an iPhone into an endless reboot loop with no way for a user to get out of it.

The attacker would need to set up a bogus WiFi hotspot near the target iPhone.  This hotspot can even force the iPhone to connect to it.  Then it sends the iPhone bogus SSL certificates which force it into an endless reboot loop.  The user cannot even power off the phone since no cell phone really has a power switch any more – merely a button that tells the software that it should power the phone off. But since the phone is busy endlessly rebooting, it will ignore that request.

I think, but the article does not say, that if you leave the radius of the hotspot you should be able to regain control of your phone.

An interesting attack would be to deploy some of these hotspots, which could easily be hidden in a briefcase, at an airport, or other public venue.  It would disable all iPhones within a couple hundred yard radius and if you have several of them strategically located, the range could be quite large.

The researchers have told Apple about the problem, but as of yet, there is no comment from Apple, never mind a fix.

More Stingray cell site simulator stories

Ars Technica reported on yet another case where prosecutors dropped charges against 4 suspects accused of robbing 7 people, including one who needed 18 stitches, rather than disclose information about the use of a Harris Stingray.

Or at least that’s what we think.  The cops told the press that it was not related to “technology” (preferring not to admit that Stingrays exist), but they did not say what magic event occurred on the eve of a police officer being deposed about Stingray use in the case to cause them to drop the case.

The D.A. also did not tell the victims, who were not too happy, why they dropped the case, other than to say legal issues had developed.

A copy of an unredacted Harris NDA has surfaced here, which includes language that says that prosecutors will drop charges rather than talk about the Stingray.

In St. Louis, search warrants do not say they are using a cell site simulator but rather say this:

“Twenty-four hour a day assistance to include switch based solutions including precision location pursuant to probable cause based information queries and all reasonable assistance to permit the aforementioned Agencies to triangulate target location, including but not limited to terminating interfering service on the target telephone.”

I am not sure I understand that.

It’s all very interesting.  Likely not illegal.  But interesting.

The article also pointed out that this is an example of why businesses are leery of the new information sharing laws that have been making their way through Congress (there are a half dozen floating around this year alone).  Businesses think that the government will be happy to TAKE your information but less likely to give anything in return.

iPhone/iPad user’s turn in the SSL bug spotlight

For those of you who read the security news, you know that the last 12 months have brought an amazing number of SSL bugs to the surface (see a few of my blog posts here and here and here).  Now iPhone and iPad users have their turn to deal with an SSL bug.

The bug, in AFNetworking, an open source networking library that iOS developers use to talk to web servers, disabled validation of the SSL certificates that apps received from a server.  What that means is that any old certificate would be accepted.  One from your bank.  Or one from a hacker sitting between you and your bank.  Or anyone else.

If I can get on my soapbox for just one minute, this is another example of software supply chain issues just like the Lenovo/Superfish bug.  The developer (Uber is one, for example) used a third party library.  In this case, they may have tested the heck out of it – or not.  When they first started using it, it was reasonably secure.  Then the library’s maintainers shipped an update that was not secure. Now Uber’s app is vulnerable.  Worse yet, even if Uber did test the updated app, it is unlikely that they would have tested for the condition that made this app vulnerable (an app that only ever talks to a server with a valid certificate works exactly the same whether or not it checks that certificate).  The software supply chain problem is not going away any time soon.

The good news is that the bug didn’t exist for long.  The bug was introduced in the software release dated Feb 9, 2015 and fixed in a release dated March 26, 2015 – a period of about six weeks.

Now the bad news.  There are over 100,000 apps in the iStore that use this library.  However, we only have to deal with the ones that were updated during this window – about 20,000 apps.  (Technically, this may not really be true, because a developer could download the affected library during the window and not ship the update until after it closed, but the update date is the best indicator we have.)  Next we have to narrow it down to which of the 20,000 actually used the SSL features of AFNetworking.  That is only about a thousand apps.
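The narrowing above works from the outside (app update dates) because SourceDNA had no access to the apps’ source. A developer who has the source can do the check directly: CocoaPods pins the exact library version in the project’s Podfile.lock, so a small script can flag any pinned dependency that falls inside a known-bad version range. The example below is added here and is not from the article or from AFNetworking; the Podfile.lock text is constructed for illustration (in the format CocoaPods writes), and the vulnerable range 2.5.1 ≤ v < 2.5.2 is an assumption you should replace with the range from the advisory you are tracking.

```python
import re

# Assumed (not from the article) version range with the broken certificate
# validation: versions >= 2.5.1 and < 2.5.2. Adjust per the advisory.
VULNERABLE_RANGES = {
    "AFNetworking": ("2.5.1", "2.5.2"),
}

# Constructed Podfile.lock for illustration, in the layout CocoaPods writes:
# two-space-indented top-level pods, four-space-indented subspec dependencies.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/NSURLSession (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Reachability
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - Mantle (1.5.4):
    - Mantle/extobjc (= 1.5.4)
  - Mantle/extobjc (1.5.4)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - Mantle (~> 1.5)

SPEC CHECKSUMS:
  AFNetworking: 0000000000000000000000000000000000000000
  Mantle: 1111111111111111111111111111111111111111

COCOAPODS: 0.36.0
"""

# Matches only top-level pod lines (exactly two leading spaces); an optional
# "/Subspec" suffix is skipped so subspecs roll up to their parent pod.
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.+-]+)(?:/[^ ]+)? \(([^)]+)\)")


def parse_version(version):
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically, not as text.
    Any non-numeric suffix (e.g. '-beta1') is dropped from the comparison."""
    nums = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)


def locked_pods(lock_text):
    """Return {pod_name: pinned_version} from the PODS: section of a Podfile.lock."""
    pods = {}
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        match = POD_LINE.match(line) if in_pods else None
        if match:
            pods.setdefault(match.group(1), match.group(2))
    return pods


def vulnerable_pods(lock_text, ranges=VULNERABLE_RANGES):
    """Return [(name, version, low, high)] for pinned pods with low <= version < high."""
    hits = []
    for name, version in locked_pods(lock_text).items():
        if name in ranges:
            low, high = ranges[name]
            if parse_version(low) <= parse_version(version) < parse_version(high):
                hits.append((name, version, low, high))
    return hits


if __name__ == "__main__":
    for name, version, low, high in vulnerable_pods(SAMPLE_PODFILE_LOCK):
        print(f"{name} {version} is inside the vulnerable range [{low}, {high})")
```

The same check belongs in the build pipeline rather than on a laptop: run it against Podfile.lock on every commit, and the "did we ship during the bad six weeks" question answers itself from the lock file instead of from App Store update dates.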

Now the badder news – or maybe gooder.  The affected apps include ones from Yahoo, Microsoft, Uber, Citrix and others.  Which means while over a million downloads were affected, those big companies will likely read the newspaper and update their apps quickly.

SourceDNA has created a web site where you can enter a developer name (such as Microsoft) and see what apps they have and whether any are affected.  This means that you have to enter each developer’s name and read the results – a time consuming effort.  What would be much nicer is if someone would write an app to look at what is installed on your iDevice and tell you what is affected.  That I have not found yet.  Still, it is better than nothing.  The website for SourceDNA’s lookup is here.

For more details, see this article in ITWorld.

Why are companies losing the cyber breach battle?

Two articles in Bloomberg BNA today point to some of the reasons.  First, a panel at the ABA Business Law Section spring meeting said that boards have a fiduciary obligation to assure a reasonable information technology reporting system for cybersecurity threats and breaches.  They said that this can be an issue for some companies because “most directors cannot even spell IT”.  Well, that’s direct.

The panel proposed a few questions that the board should be asking management such as “how have you prepared for a security incident?” and “how do we keep the business going if breached?” among others.

The article (subscription required) goes on to talk about cybersecurity insurance and it goes further than just cyber liability insurance.

The panel agreed that prevention is almost impossible, but how the board RESPONDS to a breach is just as important.

The panel contrasted the board at Target (characterized as “the board effectively fell asleep”) and Wyndham (the board held 14 meetings and the audit committee 16 to deal with the breach).

While the Delaware Chancery Court held that only a sustained or systematic failure of the board to exercise oversight will create liability, one panelist suggested that “Looking to see what other similarly situated companies are doing is important because that may become the standard of care”.

Boards can no longer say that they didn’t understand the risk and that is why they were not actively managing cyber risk.

The other article (subscription required) analyzed Verizon’s 2014 data breach report (available here).

Verizon says nearly a quarter of the people who get sent phishing emails open them and 11 percent proceed to download the attachments.  This even includes fake emails from a bank asking them for a password.

In 2012, Columbia sent out (fake) phishing emails to 2,000 faculty, students and staff about a bogus iPad promotion.  176 of them opened the email and clicked on the link.  The clickers were then told that their action made them very susceptible to phishing attacks.

Three weeks later, the school sent a second email to those 176 people and 10 of them opened the email and clicked on the link.

A few weeks later, another round of phishing emails and 3 people still opened them and clicked on the link.

Given that it only takes one person to do that and infect the company, what are the odds that a large business can make sure that ZERO people open that email and click on the link, assuming clicking is even required?
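The odds can actually be put to numbers. If each recipient clicks independently with probability p, the chance that at least one of N recipients clicks is 1 − (1 − p)^N, and the inverse tells you how low the per-person rate would have to be for "zero clicks" to be a realistic goal. The code below is an added example, not something from the post or the Verizon report; the Columbia figures are the ones quoted above, and treating the third round as sent to the same 176 people is an assumption the post does not spell out.

```python
def prob_at_least_one(click_rate, recipients):
    """Probability that at least one of `recipients` independent users clicks,
    given each clicks with probability `click_rate`."""
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must be a probability between 0 and 1")
    return 1.0 - (1.0 - click_rate) ** recipients


def required_click_rate(recipients, max_prob):
    """Per-user click rate needed so that P(at least one click) <= max_prob.
    Solves 1 - (1 - p)^N = max_prob for p."""
    return 1.0 - (1.0 - max_prob) ** (1.0 / recipients)


def campaign_rates(rounds):
    """Per-round click rates from (clicked, sent) pairs."""
    return [clicked / sent for clicked, sent in rounds]


# Columbia's three rounds as quoted in the post. The second round went to the
# 176 first-round clickers; assuming the third did too (the post does not say).
COLUMBIA_ROUNDS = [(176, 2000), (10, 176), (3, 176)]

if __name__ == "__main__":
    # Verizon's 11% attachment-download rate against a 100-person company.
    print(f"11% rate, 100 staff: P(at least one) = {prob_at_least_one(0.11, 100):.6f}")
    for rate in campaign_rates(COLUMBIA_ROUNDS):
        print(f"{rate:6.2%} rate, 1000 staff: P(at least one) = {prob_at_least_one(rate, 1000):.4f}")
    # What per-person rate would keep a 1000-person company at a 5% chance?
    print(f"rate needed for 5% overall risk: {required_click_rate(1000, 0.05):.5%}")
```

Even at Columbia’s post-training rate of about 1.7%, a thousand recipients give roughly a 1 − 0.983^1000 chance of at least one click, which rounds to certainty; to hold a thousand-person company to a 5% chance of any click, each person would need to click less than 0.006% of the time. That is the arithmetic behind "assume someone will click" and behind the detection argument that follows.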

Marcus Ranum, a well-known security consultant, put it this way:

Ranum said it costs companies more in the long run to have to continually react to intrusions than it would to steer clear of threats altogether by putting more resources into better detection. “Your seat belt and air bags are great, and you’re stupid if you don’t use them,” he says. “But it’s smarter to avoid the semitrailer in the first place.”

Food for thought.

Do you keep your car keys in the freezer? Maybe you should!

A recent Network World article talks about the world of high tech auto theft.

Using a $17 amplifier, thieves were able to boost (relay) the signal between your car and your key fob sitting on the kitchen table, so the car believed the fob was standing next to it and opened up.

The article has links to several other articles, including one that talks about cloning the key of a high-end BMW onto a blank key in less than 3 minutes.  Break a window (and stop the alarm from going off too), plug something into the OBD diagnostic port near the steering wheel and program the blank key.  Then just plug it in and drive off.  Apparently hundreds of BMWs have been stolen this way in Europe.

And the freezer?  Apparently the metal freezer box acts as a shield for the radio waves (a makeshift Faraday cage), so the fob never hears the car and the amplifiers have nothing to relay.

I suspect this is more difficult than it seems and requires a degree of skill, but given the payoff for stealing the car – the crooks are working on it.  And the cops don’t seem to have a handle on it – sometimes blaming the car owner for leaving the car unlocked.

In one video, the crook opened the car, stole a laptop out of the back seat and a $15,000 custom bicycle out of the hatch.  This problem is easy to solve – don’t leave valuables in your car.  Oh, and the considerate crook even locked the car again when he left.  All caught on video.