The Chinese Don’t Need To Hack Us, They Let Themselves In Via The Back Door They Left Open

The Computer Emergency Response Team (CERT), a part of the Department Of Homeland Security, released an alert this week regarding yet another series of DSL routers that have hard-coded user IDs and passwords.  The routers, which likely share firmware from a common Chinese manufacturer, all have passwords of the form XXXXairocon, where XXXX are the last 4 digits of the router’s MAC address.   That means that hackers, worst case, have to try all combinations of 4-digit passwords to get into the router, but in reality, they can ask the router what its MAC address is and the router will tell the hacker, so they don’t need to guess at all.
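For anyone who has to inventory devices like these, the useful check is whether a device's configured credential can be derived from an identifier it hands out freely. The script below is an added example, not code from the post or from CERT: it normalizes MAC addresses written in colon, dash, dotted and bare notation, then flags any device whose admin password is the last four hex characters of its MAC followed by "airocon". The inventory entries, hostnames and the case-insensitive comparison are my assumptions for illustration.

```python
import re

# Constructed sample inventory (not data from the advisory): each entry is a
# device's MAC address, in whatever notation the asset database recorded it,
# and the administrative password currently configured on that device.
SAMPLE_INVENTORY = [
    {"host": "dsl-gw-01", "mac": "00:11:22:AA:BB:CC", "password": "bbccairocon"},
    {"host": "dsl-gw-02", "mac": "0011.22aa.bbdd", "password": "BBDDairocon"},
    {"host": "dsl-gw-03", "mac": "00-11-22-AA-BB-EE", "password": "correct horse battery staple"},
    {"host": "dsl-gw-04", "mac": "001122aabbff", "password": "bbffAirocon"},
]

# Fixed suffix of the vendor default pattern described in the alert.
DEFAULT_SUFFIX = "airocon"


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex characters with separators removed.

    Accepts colon (00:11:22:aa:bb:cc), dash, dotted (0011.22aa.bbcc) and bare
    notations. Raises ValueError on anything that is not exactly 12 hex digits
    once the separators are stripped, so typos in the inventory are not
    silently treated as "not affected".
    """
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def is_mac_derived_default(mac: str, password: str, suffix: str = DEFAULT_SUFFIX) -> bool:
    """True if the password is <last 4 hex chars of the MAC> + suffix.

    The comparison is case-insensitive (an assumption; the alert only gives
    the pattern), so 'BBDDairocon' and 'bbddAirocon' both count as derived.
    """
    expected = normalize_mac(mac)[-4:] + suffix
    return password.lower() == expected.lower()


def audit(inventory) -> list:
    """Return the hostnames whose admin password is derivable from the MAC.

    Devices on this list still carry the predictable vendor default and need
    to be replaced (or, where the firmware allows it, re-credentialed).
    """
    return [
        device["host"]
        for device in inventory
        if is_mac_derived_default(device["mac"], device["password"])
    ]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: password is derived from the MAC address")
```

Run against the constructed inventory above, the audit reports dsl-gw-01, dsl-gw-02 and dsl-gw-04; only dsl-gw-03 has a credential that is not recoverable from the MAC.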

Who knows if the Chinese did this on purpose so that they could walk into the network if they wanted to, but that is certainly a possibility.

CERT says that the vulnerability is not new, so who knows if hackers, the Chinese, the Russians and/or intelligence agencies have been using this open back door for years.  That would not surprise me.  US Cyber Command formalized a policy earlier this year that says that they will keep these vulnerabilities secret if it is important to national security.  CERT released an earlier advisory last year listing a different set of routers that have a similar problem.

CERT also says that they know of no way to mitigate this vulnerability other than to unplug the router, run your car over it and replace it with a different router.

This is a precursor to the Internet of Things (IoT) security nightmare to come.   IoT devices typically have an embedded web server and other software, written by a Chinese software company and purchased by the IoT device manufacturer from the lowest bidder.  These devices are usually not patched from when the shrink wrap is first removed until they visit a landfill at the end of their life.

That does not mean that these devices don’t have vulnerabilities, but rather that no one is looking for those vulnerabilities or patching them.  Even if the vendor does issue a patch, consumers are highly unlikely to install a patch.  After all, when was the last time you patched your refrigerator or VCR?  Do you even know HOW to patch them?  I will admit that I had my dishwasher repaired a few months ago and the technician literally COULD NOT close the repair ticket until he patched the dishwasher.  If I had not had a service call, the dishwasher would remain unpatched.

A link to the CERT advisory, which lists some of the affected routers, can be found in the Computerworld article linked below.

Information for this post came from Computerworld.

The Camera In Your Laptop

There was a recent Network World article that reported that some people are freaking out because IF you set up Windows 10 to do facial recognition to log you in, it works even if you have disabled your camera.

Call me dumb, but if you ask Windows to use the camera to log you in, it is likely going to do that.

But the article does make some interesting points.

The first is that the Windows 10 facial recognition is good enough that when The Australian tried to fool Windows 10 using 6 pairs of identical twins, Windows 10 was not only smarter than a 5th grader, but it was also smarter than The Australian.  The score was twins 0, Windows 6 – the twins could not fool Windows 10.  What I haven’t seen any data on yet is if Windows can be fooled by a 3D model of your face. I assume it won’t be fooled by a photograph.  I am sure that hackers are working away at fooling Windows.  Still, this is better than when Apple released their first iPhone fingerprint reader and that was hacked in a couple of days.

Next, Microsoft says in one of their FAQs that the setting to disable application access to the camera does not work for ‘legacy’ apps.  For the geeks reading this, that means .Net apps, COM apps, Win32 apps, etc.

The good news is that apps that ‘officially’ use the camera will turn the camera light on, if there is one, or put a notice on the screen that the camera is on if there is no camera light.

The bad news is that malware is rarely that nice.  We have seen malware that manipulates the camera – which has been unfortunate for people who use their laptops when they are wearing less than they would in public.  There was an incident in 2013 where Miss Teen USA Cassidy Wolf’s webcam was hacked by a classmate who used it to take pictures and videos of her and then tried to extort money from her to keep the pictures private.  Apparently, she kept her laptop in her bedroom.  That person was caught.  He had apparently done this to a number of other people as well.  Cassidy Wolf has been very public about her situation in an effort to increase teenagers’ awareness of the problem.

I think the bigger problem is with cell phone cameras.  Cell phones may not have a light to tell you that the camera is on (my Samsung Galaxy Note 4 does not, as far as I can tell) and people are much more likely to use their cell phone when they are in a state of undress.  The only advice I have for people who are concerned about that is to not use your phone under those circumstances, but I don’t think that is totally practical.

I used to put a sticky note over my laptop camera when it wasn’t in use – which is most of the time.  While that solution is effective, it is somewhat less than elegant.

Later, I found a company at a computer trade show giving away small stick on sliders that cover the webcam and are very inconspicuous.  You merely slide the cover over if you want to use the webcam and back when you are done.  These are available on Amazon for about $5.  I thought maybe the glue would fail, but I have had one on my laptop over a year and it is still there.

The moral of this story is that I wouldn’t be worried about Windows using your web cam to ID you, but there could be other, malicious, apps that you might be concerned about.  A $5 fix will solve the problem for your laptop if you are concerned.  Or you can use a sticky note if you are on a tight budget.  I wish I had a solution for the cell phone version of this problem, but I don’t.

Information for this post came from Network World.

Cassidy Wolf interview with CBS News on her situation can be found here.

Government Employee Use Of Underground IT 10 Times Private Sector

Skyhigh Networks, a cloud security product vendor, did an analysis of data from government employees on cloud service usage.

They say that the average public sector organization uses 742 cloud services, of which 60 are sanctioned.  That means that the typical organization uses 682 services whose security no one has reviewed – and whose use for government data no one has approved – even though there are laws that make this practice illegal.

Skyhigh analyzed 10,000 cloud services and found that only 10% of them encrypt their data at rest.  The rest are waiting to be the next Office Of Personnel Management.

Only 15% support two-factor authentication – one of the particular hot buttons addressed by Executive Branch CIO Tony Scott in the cyber-security “sprint” after the OPM breach.

And only 6% have an ISO 27001 security certification.

The report has a number of additional data points, but I will highlight only one more:

They did a survey with the Cloud Security Alliance and found that 7% of the IT and IT security professionals said that their organization had experienced an insider threat incident in the last 12 months.  However, looking at anomaly detection data, 82% of the organizations had behavior indicative of an insider threat in the last quarter alone.

What this means is that 75% of the organizations are clueless that their data may be being stolen.  That is not a great stat.

While this study is geared around the government, the private sector is probably not a lot better.  In many organizations, when it comes to the cloud, they just look the other way and cross their fingers.  It is just a matter of time before one of the big cloud providers gets hacked.  If successful, the hackers get a treasure trove from thousands or millions of companies.

Skyhigh’s press release can be found here.

Ashley Madison Fallout – It Could Be Your Company

As the Ashley Madison data is more widely circulated and people have a chance to digest it, consequences are beginning to add up which will have a negative impact on the parent company Avid Life Media, likely for years to come.

Granted this is a somewhat unusual situation, so some of the consequences may not apply to any given company, but maybe other, different, consequences may apply.  Some of the fallout is:

  • ALM planned a $100 million initial public offering this fall.  That IPO is now on “hold”.  It is unlikely that anyone would be interested in investing in this company for years to come, given the lawsuits that are on the horizon.
  • The Toronto police are investigating two suicides that they say are likely related to the release of the data.  If the company is held liable for that, it could have significant financial consequences.
  • The U.S. military is investigating specific service members.  There were about 15,000 .mil and .gov email addresses in the data dump.  Extra marital affairs are a violation of the Uniform Code Of Military Justice.
  • Local investigative reporters in every big city are reviewing the data for names of public figures in their cities.
  • A few named people have been “outed”.  Josh Duggar, ex-reality TV star and now ex-spokesperson for family values based PAC Family Research Council admitted that he had two Ashley Madison accounts.  In addition a stripper/porn star has come out on the cover of one of the supermarket tabloids saying that he paid her for sex.  While this likely doesn’t have any negative consequences for Avid Life Media, it doesn’t bode well for the Duggar family brand.  Their TV series has been cancelled and talks about spinoff series are “on hold”.
  • ALM has been served with at least 5 lawsuits seeking class action status in California, Texas, Missouri and Canada.  The lawsuits are filed as John Doe and Jane Doe lawsuits.  What is unclear is whether the courts will say that the plaintiffs being embarrassed is sufficient reason to allow the suits to go forward anonymously.
  • ALM has offered a CAN $500,000 (about $375,000 US) reward for information leading to the arrest of the hackers. For a company that is reported to make $60 million a year in revenue and $20 million a year in profit, offering a $375,000 US reward seems a little light.
  • Police are investigating multiple extortion attempts against Ashley Madison customers.

To say that information security at Ashley Madison was lacking would be polite.  In one of the leaked emails, the CTO of the company said “With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn’t focus on it either”.  After the Sony breach, someone suggested encrypting customer messages (the hackers claim to have gigabytes of messages and pictures and if they choose to release those, it could start this mess all over again), but CEO Biderman said that he needed to understand what the ‘business opportunity’ of doing that was.  He apparently viewed it as an expense, not anything critical to the business.

I have no inside information, but I have to assume that the company’s revenue numbers for this month have dropped precipitously and likely won’t recover for a while and maybe ever.

So while, as I said, this is a pretty unusual case, it certainly serves as a poster child for the potential consequences of a data breach.

Other companies with sensitive information – such as doctors or mental health professionals – are in a similar situation.  If patients feel their privacy is not safe, then they will sue and find other providers.

For businesses where their intellectual property is what they sell (pharmaceutical companies come to mind), losing control of that IP can cost them a lot of money.

For critical infrastructure providers, losing control of information regarding details of that infrastructure would allow terrorists to more easily attack that infrastructure, causing outages and other consequences.

While for a lot of us, a breach is an inconvenience and a small business liability, as attackers move on from mode 1 (credit card hacks) to modes 2 and 3 (information collection and business damage), WHO is a potential target changes.

This might be a good time for businesses to review their situations.

Wyndham vs. FTC – This Round Goes To The FTC

The Wyndham Hotel chain was hacked several times going back as far as 2012.  The FTC came after the hotel chain using Section 5 of the FTC Act, claiming unfair business practices.

Usually what happens in these cases – and there have been a number of them – is that the company and the FTC come to an agreement;  the company signs a consent order and the FTC watches the company closely for the next 10 to 20 years.  That’s right.  That is not a typo.

That is the downside of getting on the radar of the FTC.  20 years is a long time to have a government agency looking at you with a microscope.

Wyndham decided to take a different approach.  They claimed that the FTC Act did not give the FTC authority to regulate cyber security practices.  They went even further to say that the FTC did not provide them a cookbook of how to protect the company, so how can they complain that Wyndham wasn’t doing it right?  Of course, the 600,000+ credit cardholders that got compromised might not agree with this theory.

In fact, in the Bluemaumau article linked to below, hotel industry consultants pretty much give Wyndham an F in security.

Privacy advocates worried that if the courts agreed with Wyndham, the government would have no effective means to encourage companies to protect their customers’ information.

The decision this week is an appeal of a motion that Wyndham made to the District Court to dismiss the case saying that the FTC did not have authority.  On appeal, the Third Circuit Court handed Wyndham their butt:

The court laid out in excruciating detail the allegations against Wyndham: allowing hotels to store payment card information in plaintext, using outrageously easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, failing to deploy reasonable measures to detect and respond to cyber attacks. This has led to three reported incidents of major data breaches, with personal data for hundreds of thousands of customers whisked over to servers in Russia. The breaches, which resulted in more than $10 million in fraudulent transactions, were only discovered after customers complained to credit card companies about unauthorized charges.

At this point, Wyndham can appeal the decision, enter into a consent agreement with the FTC or go to trial.

I doubt they want to go to trial because if they do, the practices described above will come out publicly in all their glory and I don’t think Wyndham wants that kind of press coverage.

Hopefully, this will settle the issue as to whether the FTC has authority.  If Wyndham decides to appeal, then we will have to wait for that decision.

If Wyndham decides to settle, then we will have to see if the FTC comes down harder on them because they have been fighting them for three years.  Even if everyone agrees to the normal 20 year agreement, that means that the executive team at Wyndham will be reminded for the next 20 years of these three breaches.

This is not a ruling on the merits of the case;  assuming the two parties don’t settle, that will be decided at trial in the District Court in New Jersey.

Given Wyndham has been fighting this for three years, I would be surprised if they want to continue to spend hundreds of thousands of dollars on legal fees, but who knows.

Stay tuned for more details.

For other businesses, this is a notice that they should review what the FTC has considered unfair in the past and make sure that their security practices are not going to run afoul of those FTC concerns.

Information for this post came from IAPP and Bluemaumau and another IAPP article here.

Businesses Need To Consider The New Hacking Paradigm

While hacking credit cards for fun and profit is still a popular pastime, two additional hacking models need to be considered.

The first additional model is the Anthem Blue Cross or Office Of Personnel Management model.  In those cases, hackers are looking to amass vast amounts of data on as many people as possible.  They want the dossiers to be as deep as possible.  Whether it is 80 million as in the case of Anthem or 25 million as is the case in the OPM breach, those hackers collected vast amounts of data.  Those dossiers will be of value for years or possibly a lifetime (your blood type or medical illness history cannot be reissued).

For a business, offering 12 months of credit monitoring will no longer calm people down.  The courts have started to agree with plaintiffs that there is potential imminent harm and credit protection will not sufficiently mitigate that harm.  In either of these cases, that likely means that settlements with plaintiffs will get more expensive, will drag out longer and will damage the business’s reputation more deeply.

The last hacking model is total nuclear destruction.  We saw this, really for the first time, with Sony.  Those hackers were out to do as much damage as possible: decimate servers, destroy reputations, do as much harm to the business as possible.  It cost Sony Entertainment Chairman Amy Pascal her job.

This was followed by the breach at The Hacking Team.  While some people may not have been happy about their business model, their brand is now demolished.  Selling the tools that they sell to pseudo-friendly governments is not going to make you friends.  In addition, with all of their source code for exploits that they used laid wide open and patched by vendors, they need to rebuild their tool arsenal.

Most recently, we saw Ashley Madison get hit.  The hackers said close down your business or we will destroy you.  A-M did not shut down and the hackers dumped 10 gigabytes (compressed, meaning that it was really maybe 15 or 20 gigabytes of data) on the market including user information and business documents.  When Noel Biderman, founder of A-M didn’t acknowledge that the data was real, the hackers dumped another 20 gigabytes of data including his entire email file.  The hackers say they have hundreds of gigabytes of data left to dump.

Researchers and journalists are now combing through the A-M user data.  Already they have found 15,000 .gov and .mil users; users from the White House, Congress, the Pentagon, the Capitol Police and presidential candidate Ted Cruz’s office have all been identified.  Ex-reality TV star Josh Duggar was outed and publicly apologized.

These last two hacking models should be of much greater concern to businesses.  They are much harder and more expensive to recover from; it may require significant downtime to recover from – Sony, for example, did not have any operational financial systems for 60 days and had no email or voice communications for two weeks.  In some cases, it may require reinventing the business.  Ashley Madison was planning on a $100 million IPO this fall.  That IPO is on hold now.  Maybe for a short while;  maybe for a long time.

PNI, the division of Staples that provided photo printing services online to the likes of Costco, Walmart and CVS, and that was hacked last month, was purchased last year by Staples for $67 million.  I bet that at least some of those customers will change providers.  What do you think happened to the brand reputation of PNI?  What do you think the market value of that division is today?

It is incumbent on the C-Suite, the Board, auditors, shareholders, bondholders, potential investors and anyone else who is affected by business valuation to consider this. Carefully.  With due diligence.

If these people do not shine a bright light on this, I know a group that will.  That is the plaintiff bar.

Just sayin’

Information for this post came from Wired, the Associated Press, Rollcall, and The Guardian.