A Warning About Cell Carriers’ Lack of Security And What It Means To You

All of the cell phone carriers, such as Verizon, AT&T, Sprint and T-Mobile, are in the business of selling you stuff.  Sometimes stuff you don’t want or need, but still stuff they would like to sell you.

As a result, when decent security gets in the way of separating you from your money, the sales opportunity wins.

Brian Krebs’ story (see link at the end) is very dramatic and about the worst case anyone could imagine.

In February of this year, 84-year-old James Schwartz was caring for his wife, who had end-stage cancer, when he had a heart attack.  When his wife tried to use her cell phone to call for help, she found that it had been shut off and she could not call.  After 40 minutes of struggling, she managed to get to her husband’s phone and call for help, but by then he had died.  She died 17 days later.

What is unclear is why a 911 call would not have gone through anyway; carriers are required to connect 911 calls even from a phone with no active service, so there is at least one piece of missing information.  Perhaps she was trying to call a friend or family member.

As I said, this is a very dramatic situation and a rare one, but the underlying issue is what matters to you and me.

A scammer had gone into a Verizon “premium authorized” store (one that carries the Verizon logo but is not actually owned or run by Verizon), pretended to be James’ wife, and bought a shiny new iPhone, which the scammer put on James’ account.  When the phone number was transferred to the new phone, James’ wife’s phone went dead.

After both of them had died, the scammer went back into the store and bought a tablet the same way.

The FTC said that over 2,600 people REPORTED similar scams in January 2016 alone; the victims included Lorrie Cranor, the FTC’s own chief technologist.

Using a little-known provision of the Fair Credit Reporting Act, she demanded in writing that the carrier provide her with the records of the transaction.  While the FCRA requires that they provide this information within 30 days, it actually took her carrier 60 days.

In both of these cases, the people whose accounts were hijacked lost cell phone service and then had to convince the carrier that they had not bought new phones.

While in concept this is similar to credit card fraud, the process is more complex because federal law does not protect you in the same way.  For credit card transactions, federal law caps your liability for unauthorized charges at $50 (most issuers waive even that) and gives you a formal dispute process with a 60-day window for reporting billing errors.  With Sprint or one of the other carriers, you have to convince them that you are the victim of identity theft and fraud, and it is entirely up to the carrier how they handle that.  While you can certainly sue them, even in small claims court (where you are likely to win because they often won’t show up), it is a time-consuming process.

One thing to consider is that we now use our cell phones for two-factor authentication and even account password recovery.  If an identity thief gets a new phone tied to your phone number, every SMS login code and password-reset text sent to that number now goes to the thief, which is why an authenticator app or hardware token is a safer second factor than a text message.

So, what can you do?  Brian has a graphic in his blog post, but the short version is that every carrier either offers or requires a PIN on your account.  The PIN, in theory, should be required in order to add lines, change lines, port a number out and do other account-related things.

In reality, the sales reps in stores work on commission (or a quota), so they are not going to push too hard on verification and will try very hard to sell you that new phone or tablet – even if that means bending the security rules.

AT&T just sent out an email saying that even if you don’t know your PIN you can still spend money in their retail stores using their forgotten-PIN process.  That means they will identify you some other way – perhaps by asking for the last four digits of your Social Security number or something else that is not actually secret.  Remember, their goal is to sell you stuff, as I said earlier, and security just gets in the way of that.

Still, I recommend adding the password or PIN, and please don’t make it 1234.  Pick something longer and harder to guess.  While it is not perfect, it is better than not having it.

The time required to clean up the mess is significant.  You are going to have to go to the carrier’s store – this is not something they will deal with over the phone or online.  You will have to get a new SIM card for your phone and deal with the charges on your bill.  In Lorrie Cranor’s case, the thief bought cell phone insurance too, and she had to cancel that.  In the Schwartzes’ case, the executor of the estate had to clean up the mess.

In Lorrie’s case, she had two phones; the carrier programmed one of the replacement phones incorrectly, which required yet another trip to the store, and broke the voice mail on the other.  Then she had to fill out identity theft reports.  Lastly, if all the scammer wanted was to sell the phones on the black market, you are in better shape than if they wanted to impersonate you.  In the latter case, you need to figure out what they did while they controlled your phone number.  In one case, the thief used the hijacked number to make payments from the victim’s bank account, which the victim then had to clean up.

Suffice it to say, it is a frequent occurrence, with somewhat limited protections under federal law, and it will consume a significant amount of your time to clean up.  While the PIN/password is not perfect, it is better than nothing.

And if your cell phone suddenly goes dead, at least you now have some idea of which questions to ask.

Information for this post came from Brian Krebs.



NSA Hack Appears Real – Sort Of

Last week a group calling itself the Shadow Brokers claimed to have a set of NSA hacking tools for sale.  The tools were supposedly stolen from the Equation Group, which has been loosely linked to the NSA.

If all of this is true, then the NSA itself probably wasn’t hacked; more likely an NSA contractor or some other party holding the tools was.

The newest files in the free sample the sellers released to validate their claim were dated 2013, around the time of the Snowden leaks.

Some of the exploits target routers and firewalls from several major vendors – Cisco, Fortinet, Juniper and the Chinese vendor Topsec.  The sellers said that if they received 1 million bitcoins (roughly half a billion dollars at the time), they would release all of the code publicly.   In broken English, they asked, “If electronic data go bye bye where leave Wealthy Elites?”  If all of this is true, the tools could certainly do some damage.

Snowden tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and that someone either forgot about it or got sloppy and did not wipe it.  That seems far more plausible than a hack of the NSA itself.  Either way, the tools are very interesting.

Snowden suggested that whoever released these tools (he points at Russia) did so as a warning to the U.S.: if the U.S. tried to publicly tie the DNC hack to Russia, Russia would respond by exposing U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game in which everyone hacks everyone else, friend or not.

The Intercept (Glenn Greenwald, who broke the original Snowden story) says that the tools are genuine NSA tools.  That does not mean, however, that the release is the result of a hack of the NSA itself, only of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

An NSA manual that Snowden had not previously released describes tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579”.  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, a copycat would have had no way to know to plant that string, so the overlap is strong evidence that the code came from NSA operators.

If these tools were really in the possession of Russia, how long have they had them (years, possibly), and have they used them against Western organizations?  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

It is also possible that the sellers, or whoever they got the tools from, have been using them, and that some of the holes have since been patched coincidentally, which would make the tools less useful (though not useless, since not everyone applies patches).

According to the released documentation, SECONDDATE sits on the network path, intercepts web requests and redirects them to an NSA-controlled server, which replies with malware and infects the requester.  This is a well-understood technique – man-on-the-side injection into unencrypted HTTP – and other known attacks have used it.  Again according to the documents, the tool was used to spy on Pakistan and Lebanon.  The manual says operators had to use the string above to avoid re-infecting target systems.  That string appears 14 times in the files the Shadow Brokers released.
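That marker is a fixed byte string, which makes it a simple indicator to sweep a pile of unknown files for.  The script below is an added example, not part of the original post and not code from any leaked tool: it searches each file for the SECONDDATE tag both as plain ASCII and as a UTF-16LE wide string (so a Windows binary does not hide it from an ASCII-only grep) and reports every offset.  The three sample “files” are constructed in memory; the scan_directory helper is the entry point you would use against a real directory of extracted files.

```python
"""Sweep files for a fixed indicator string (here the SECONDDATE tag).

Added example for this post; the sample files below are constructed, not
real leaked material.
"""
import re
from pathlib import Path

MARKER = "ace02468bdf13579"  # the tag string quoted from the leaked manual

# Compile one pattern per encoding we expect to see inside binaries.
PATTERNS = {
    "ascii": re.compile(re.escape(MARKER.encode("ascii"))),
    "utf-16le": re.compile(re.escape(MARKER.encode("utf-16-le"))),
}


def find_marker(data: bytes):
    """Return [(encoding, byte_offset), ...] for every hit, sorted by offset."""
    hits = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(data):
            hits.append((enc, m.start()))
    return sorted(hits, key=lambda h: h[1])


def scan_blobs(blobs: dict):
    """Scan {name: bytes} and return {name: hits} for files that contain the marker."""
    report = {}
    for name, data in blobs.items():
        hits = find_marker(data)
        if hits:
            report[name] = hits
    return report


def scan_directory(root: str):
    """Real-world entry point: read every regular file under root and scan it."""
    blobs = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return scan_blobs(blobs)


def total_hits(report: dict) -> int:
    """Total number of marker occurrences across all reported files."""
    return sum(len(hits) for hits in report.values())


# Constructed sample corpus: two blobs carrying the tag, one clean file.
SAMPLES = {
    "tool_a.bin": b"\x00\x10" + MARKER.encode() + b"\x90" * 8 + MARKER.encode(),
    "tool_b.dll": b"MZ" + b"\x00" * 4 + MARKER.encode("utf-16-le") + b"\x00\x00",
    "readme.txt": b"nothing of interest here",
}

if __name__ == "__main__":
    result = scan_blobs(SAMPLES)
    for name, hits in result.items():
        for enc, off in hits:
            print(f"{name}: {enc} marker at offset {off:#x}")
    print(f"{total_hits(result)} occurrences in {len(result)} files")
```

Against the constructed corpus this reports two ASCII hits in tool_a.bin, one wide-string hit in tool_b.dll and nothing in readme.txt.  A string match like this is evidence of shared lineage, not proof of who wrote or deployed the file, so treat hits as leads for deeper analysis rather than as attribution.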

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were obtained.  We know that they are years old and date to the time of the Snowden leaks.  We also know, based on the limited set of tools released, that the NSA has some neat stuff.

If the sellers do eventually release all of the code, it will likely expose more zero-day exploits that the vendors can close, but as far as I can tell there are plenty more where those came from, so don’t worry that the NSA is going out of business.  I guess that is good news/bad news.  Good news in that the NSA will continue to have tools, even though it obviously does not like having them exposed.  Bad news in that we don’t know who had access to these tools, for how long, and whether agents of unfriendly countries have used them against us.

This story just gets wilder.

Information for this post came from Network World (two articles) and The Intercept.


Eddie Bauer Leads The Oracle Micros Breach Story

On Monday I wrote about two new point of sale breaches, one at HEI Hotels and the other at Oracle.   I said that it was only Monday and we already had two POS breaches.

Well, the week is almost over and I am going to bookend it with another POS breach.  Eddie Bauer, the clothing chain, announced on Thursday that the POS systems in all of its stores had been compromised.   That represents 350 or more stores.  In an effort to control the spin, Eddie Bauer said that the breach did not affect its web site.

While Eddie Bauer said in a press release that the security of its customers’ information is a top priority (see press release here), Brian Krebs reported this week that when he contacted the chain on July 5th, the spokesperson thanked him but said they had not heard of any fraud complaints from their banks.  Unlike the ortho clinic I wrote about two days ago, Eddie Bauer is offering identity theft protection to affected customers.

In today’s world of competition and lawsuits, companies are loath to provide any information about what happened if there is any way to avoid it.  As a result, other stores and end customers get very little guidance on what happened and what to look for.

Eddie Bauer did say that they believe the hackers were in their systems from January 2, 2016 to July 17, 2016.

Curiously – possibly coincidentally, but maybe not – July 2016 is also when Eddie Bauer rolled out chip-based point of sale terminals.   We cannot say with certainty that the hackers would have failed if chip terminals had been in place when the Visa/Mastercard liability-shift deadline for chip-capable POS came and went in October 2015, but it may well have blunted the effect of the hack.  The issue there is that not only are retailers way behind in deploying chip-based POS systems, but the banks are way behind in mailing out chip cards – that is a story for another day.

What we can say is that for customers who used a chip card at a chip terminal, the data the malware could scrape would have been far less valuable.  A chip transaction does not put magnetic-stripe track data (including the CVV1 needed to make a counterfeit card) into the POS, so what was stolen could not be used to clone cards.  Be careful, though: EMV by itself does not hide the card number from the POS.  The account number and expiration date still pass through the terminal in the clear unless the retailer also deploys point-to-point encryption or tokenization, so chip terminals alone would not have kept card numbers out of the attackers’ hands for online (card-not-present) fraud.

Eddie Bauer has not said whether it is running the Oracle MICROS software that I wrote about on Monday as having 300,000+ locations potentially exposed, but if you look at Jeff Piller’s LinkedIn profile, you find some relevant details.  Jeff, according to his profile, is the Director – Technology & Architecture at Eddie Bauer and has been for roughly the last four years.

In his accomplishments, he says that he “implemented Oracle Point of Sale to U.S. and Canadian Stores to replace legacy IBM solution” and that he is “currently implementing EMV [that means chip credit cards – mitch] for ORPOS [Oracle Retail Point-of-Service – mitch] and Mobile Point of Sale”.

To me, that is a strong indication that Eddie Bauer is running Oracle POS software.  One caveat: ORPOS is Oracle Retail Point-of-Service, a different product line from MICROS, which Oracle acquired in 2014.  So whether Eddie Bauer was swept up in the MICROS support-portal compromise specifically, or was hit through some other path, is not settled by the profile alone.

ANYONE running a POS system needs to be reviewing the security of that system with some urgency.

Information for this post came from Krebs On Security, LinkedIn and an Eddie Bauer press release.




Webcam Warning! Do You Know Who is Watching?

Many people have webcams installed in and around their houses.   For a Houston mother, the sense of security the cameras inside her house gave her was recently turned into a nightmare.

Another mother, in Oregon, was looking at satellite images of Earth with her son when they went looking for more images.  They came across an app called Live Camera Viewer.

They downloaded the app and opened it.  As they scrolled through the feeds, they came across one labelled as being from Houston.  It was a feed from inside two little girls’ bedroom.

The Oregon mom, horrified, posted a screenshot of the bedroom on a Facebook group for Houston moms, hoping someone would recognize it.

A friend of the Houston mom did recognize the bedroom and notified the mom whose camera had been exposed.

After getting the app information, the Houston mom found the feed and saw that it had been “liked” over 500 times, meaning at least that many people had watched it, and probably a lot more.

The good news for her is that someone in Oregon was alarmed enough to reach out on Facebook, so the Houston mom found out about it and was able to turn the camera off.

The article said that the camera was hacked, but that may or may not be accurate.  Many people never change the default username and password, so if someone found the camera’s address and tried the default password, is that hacking?

Even if the owner did change the password, people often pick really easy-to-guess passwords.  Remember, the two most common passwords are password and 123456, so even when people do change the password, it is often not hard to guess.

And remember my post from a few weeks ago about Rapid7 testing web-based baby monitors, where every camera they tested had exploitable flaws?  Any reason to think that webcams are any more secure?  I doubt it.

The app may not have any evil intent.  There are tens of thousands of public webcams that are designed for people to view.  Public buildings have them, the Park Service has them – they are all over the place.  It sounds like in this case there is no process to vet cameras before they are listed.  The app is free, so the person who wrote it is not likely to spend tens of thousands of dollars a year vetting every camera that a user adds to the list.

So what should you do?

Well, first, I would seriously reconsider the wisdom of putting cameras in your kids’ bedroom, especially if those cameras are reachable from the Internet, even with a password.  If you can see the camera on your phone from outside your house, it is reachable from the Internet, either through a port the camera opened on your router (many do this automatically via UPnP) or through the vendor’s cloud relay.

Second, wherever those cameras are pointing, change the default username and password and make the password long and unpredictable.  No, that does not mean Password1.  It doesn’t even mean Pa$$word1 – password-cracking tools try those substitutions first.  At least make people work for it.
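To make that concrete, here is an added example (my code for this post, not anything from a camera vendor) of the check a camera’s setup page ought to run before accepting a new password: it rejects known factory defaults, strips trailing digits and punctuation, undoes the usual leet-speak substitutions under both readings of ambiguous characters, and refuses anything that reduces to a common word or to the username.  The default-credential and common-password lists are short and constructed for illustration; a real deployment would load a full breached-password list.

```python
"""Reject camera passwords that are defaults or thin disguises of common words.

Added example for this post; the word lists are constructed and deliberately
short.  Load a real breached-password list in production.
"""
import re

# Constructed: a handful of entries from the usual "most common passwords" lists.
COMMON_BASES = {"password", "123456", "qwerty", "letmein", "admin", "welcome", "camera"}

# Constructed: typical factory defaults shipped on consumer cameras (user, pass).
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("admin", "1234"), ("root", "root")}

# Two translation tables because "1" and "!" are read as either "i" or "l".
LEET_TABLES = [
    str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                   "4": "a", "5": "s", "7": "t", "!": "i"}),
    str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                   "4": "a", "5": "s", "7": "t", "!": "l"}),
]

# Trailing digits/punctuation people bolt onto a word ("Summer2016!", "Pa$$word1").
TRAILING = re.compile(r"[0-9!@#$%^&*?.,_-]+$")


def normalize(password: str) -> set:
    """Return the plausible plain-word bases a password was built from."""
    core = TRAILING.sub("", password) or password   # all-digit passwords stay intact
    core = core.lower()
    candidates = {password.lower(), core}
    candidates |= {core.translate(table) for table in LEET_TABLES}
    return candidates


def check_password(username: str, password: str, min_len: int = 12):
    """Return None if the password is acceptable, otherwise a short reason."""
    if (username.lower(), password.lower()) in DEFAULT_CREDS:
        return "factory default credentials"
    bases = normalize(password)
    disguised = bases & COMMON_BASES
    if disguised:
        return "common password in disguise: " + sorted(disguised)[0]
    if username.lower() in bases:
        return "password is the username"
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    return None


if __name__ == "__main__":
    # Constructed attempts a camera owner might type during setup.
    for user, pw in [("admin", "admin"), ("admin", "Password1"), ("admin", "Pa$$word1"),
                     ("admin", "P@ssw0rd!2016"), ("user", "Summer2016"),
                     ("root", "correct horse battery staple")]:
        verdict = check_password(user, pw) or "ok"
        print(f"{user}/{pw!r}: {verdict}")
```

Pa$$word1 and P@ssw0rd!2016 are both rejected as disguised “password”, while a long passphrase with no dictionary base passes.  Length is checked last on purpose: a 12-character leet-speak version of a common word is still weak, so the dictionary check must not be skipped for long inputs.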

Third, find out how the manufacturer notifies you about security patches and how you install them.  If you can find a camera that will automatically check for and install patches, that is probably best.  If the manufacturer cannot tell you how they do patches and how often, I would recommend looking for a different camera.

Next, I would change the passwords periodically.  How often is a tradeoff between convenience and security, but I would say at least once a year, and immediately if you suspect the camera has been exposed.

Lastly, consider where you are putting those cameras and what a hacker would see if they did get in – beyond the bedroom question.  The outside of your house is bad enough, but private areas of your house ought to be off limits.  Do people lounge around your family room in less than public attire?  If so, the family room should be off limits too.

If you have the ability to run the cameras only when you are not home, that eliminates some of the concern.  That means having a way to turn the cameras on and off – possibly tied into an alarm system.

This Houston mom found out the hard way – at least you know about it now and can take steps to deal with it.

Information for this post came from ABC News.

A video segment on webcam risks on ABC can be found here.


The Consequences Of Not Having Cyber Breach Insurance

The Athens Orthopedic Clinic in Georgia suffered a breach in June of this year.  Even though they discovered the breach within two weeks of it occurring, the hackers made off with information on 200,000 current and former patients.  The information taken includes names, addresses, Social Security numbers, birth dates, phone numbers, diagnoses and medical histories.

One of the typical things breached companies do is buy credit monitoring and/or credit repair services for the victims of the breach.

In this case, clinic CEO Kayo Elliott said that while they would like to provide credit monitoring services, they cannot afford it.

Law firms are also considering filing lawsuits against the clinic.

Although they do not say so, it would appear that they have no cyber breach insurance.  The consequence is that the clinic may well file for bankruptcy or even go out of business.

If they had adequate cyber breach insurance, the insurer would pay for the credit monitoring services and also for the legal costs of defending the clinic.

And, the word adequate is important.

Cyber breach insurance is not a “standard form” policy like auto or homeowner’s insurance, where the state approves the coverages and forms.  Instead, each insurance company is free to do its own thing: write its own policy and create its own exclusions and exceptions.

So, when you are comparing cyber risk policies, make sure you understand what is and is not covered.

In addition, you should consider how much insurance you need.

In this case, the hackers were in the systems for only two weeks, yet they compromised 200,000 records.

If you assume that it costs $1 per month per client to provide identity theft coverage, then a year’s coverage for the breached clients is $1 x 12 months x 200,000 records, or $2.4 million, and that is before forensics costs, legal costs, crisis communications costs, HIPAA fines or any other breach-related costs.

So in this hypothetical case, even a $1 million policy would not come anywhere close to enough coverage.

The Ponemon Institute puts the average total cost of a breach at around $200 per record, so in this case 200,000 records x $200 = $40 million.

Unfortunately, a clinic like this will not be able to afford a policy of that size, but you should still consider the potential size of a breach and what your costs are likely to be.  Your insurance broker can help you estimate them.

Even when breaches are much smaller, the costs can run from hundreds of thousands to low millions of dollars.  Is that a cost your organization can bear alone?  If you don’t have insurance, the answer is that you will have to, whether you like it or not.

Information for this post came from ZDNet.


Allstate: We’re Going To Sell Your Data

I don’t think Allstate is a whole lot different from other insurance companies;  maybe they are just being more open about it.

Allstate has announced a new company called Arity, whose job is to sell your data.  Insurance companies have a lot of data and create more every day.  One part of the auto insurance business is called usage-based insurance, or UBI.  With UBI, the insurance company gives you a little gizmo that plugs into your car’s diagnostic (OBD-II) port.  It detects every time you get in your car and tells the insurance company how long you drove, how fast you drove, whether you braked hard, and so on.  So they know that at 7:30 every morning you leave for work, that your house is here, that you take this road, and that your work is there.  In addition, they know how fast you drive, whether you switch lanes a lot, etc.

The first reason they collect that data is to price a policy to your driving.  If they ask you, you will say that you drive like granny did on her way to church on Sunday, when in fact granny drives funny cars at Bandimere (for those of you not in Denver, Bandimere is a local drag strip) on Saturday nights.

Since the insurance business is so competitive, Allstate figured out that it could make a little extra coin by selling your data.  It will even sell it to competitors.

What they have not said is exactly what data they are selling, whether it is anonymized, and so on.  Probably they never will say; they want the greatest possible flexibility to maximize revenue.  Keep in mind that location traces are very hard to anonymize: a record that starts at your house every morning and ends at your office identifies you even with your name removed.

In addition to other insurance companies, other businesses might be interested in your data.  Telecommunications companies, banks and retailers are a few examples of potential customers.

The challenge is that every insurance company has this data too.  If they all have it and all sell it, who is going to buy it?  That could lead to a price war.

Stay tuned for more fun.


Information for this post came from Insurance Networking News.
