Friday News

ATLANTA HIT BY RANSOMWARE ATTACK

Atlanta, GA is the most recent city to get hit by a ransomware attack – on Thursday, March 22.  Cities seem to be a hot target, likely because they are big, public and behind the private sector when it comes to IT and cyber security (One of Atlanta’s Councilman said “As daunting as the city of Atlanta’s apparatus may seem, we’re still limited by the amount of resources we have to defend our systems,”.   Atlanta’s mayor “compared the city’s network to a decade-old pickup she drove until it was wrecked”.).   Atlanta’s mayor said to expect a “massive inconvenience”.  The attacker is asking for $50,000 and they are considering it.  One piece of good news:  the city does have cyber insurance, so the taxpayers won’t be footing the entire bill to put Humpty-Dumpty back together again.

The local CBS affiliate said that the city was warned months ago that IT was in critical condition on life support, but doesn’t have the resources to recover.  (Source: Atlanta Journal Constitution).

TLS 1.3 APPROVED BY IETF

After FOUR YEARS and TWENTY EIGHT drafts, the Internet Engineering Task Force, the group of geeks that control the Internet’s protocols, have approved TLS 1.3.  While to the average user, that doesn’t mean anything, to the geeks in the room it means that HTTPS will be a little bit more secure – a lot bit more secure than some HTTPS traffic – and a little bit faster.  While it will take some time for traffic to move to this new version, it will and it will likely do it faster than the move to 1.2 was.  An effort to build in a back door to security for the convenience of network managers – and also spies and hackers – was beat down and not added to the spec.  Score one for you and me.  (Source: The Register).

The New York Times is reporting that the FBI is working with a team of security experts to attempt to craft a back door to encryption on mobile devices – the so called going dark problem.  The team, headed up by a professor at MIT, is testing out different possibilities, although the FBI says that it is not ready to ask Congress for legislation.  Yet.  At least, this time, they are working with security experts, which likely would yield a better solution than anything that politicians invent.  Still, there are problems.  First, is it really possible to keep a back door secret?  Can they get Congress, over the massive distrust on all sides of the conversation, to agree to such a law?  How do they get application developers, based in foreign countries and maybe even hosted in foreign countries, to agree to such an intrusion?  Lots of questions, not very many answers.  (Source: New York Times).

MICROSOFT MELTDOWN PATCH WORSE THAN THE DISEASE

Microsoft’s Meltdown patch for Windows 7 64-bit and Windows Server 2008 R2 left critical kernel tables readable by anyone means that malware could read any memory, make themselves an administrator and modify the operating system’s memory map.  The good news is that it does not affect Windows 8 or 10 and has been fixed in the March Windows update release.  (Source: The Register).

NOT MUCH HAS CHANGED IN VOTING SECURITY SINCE 2016

I have written before that DHS won’t finish with all of the audit requests from states regarding voting process security until this summer, leaving no time to actually fix any problems.   Now, the Brennan Center for Justice at NYU has released an updated version of their 2015 report on voting machine security.  Only 41 states now use  voting systems at least a decade out of date.  That is kind of like if you were still using an iPhone 3G – one that likely has not been patched in 5 or more years.  That is down from 44 states being in that position in 2015.  They also talk about all the other phases of the voting process, from registering voters to election night tallys, that are likely easier to compromise.  It all boils down to money and time, something the states and cities do not have available and which the feds do not think is important enough to fund.  (Source: GovCyberInsider).

Facebooktwitterredditlinkedinmailby feather

DHS Says Federal Networks Susceptible to Attack

DHS released a report this week regarding BOD 16-02.  A BOD or Binding Operational Directive is DHS’s way of telling executive branch agencies that they have to do something.  Like really.

In this case the issue is that hackers were abusing bugs in Internet routers, specifically Cisco routers.  Why Cisco?  Because they are the biggest gorilla in the game.  If you can successfully attack Cisco, the world is your oyster.

The report dates back to 2016, but it wasn’t released until this week.  The bugs date back to 2014 and 2016.  Cisco has patched the bugs.  Many agencies had not applied the patches.  Hence the BOD.  Get off your butts and apply the patches.

OK, so what does this  mean to you?

In general, your Internet gateway is the drawbridge to your medieval castle.  Leave the drawbridge down and the bad guys can get across the moat.

Even in medieval days, the drawbridge was only one defense.  Today, the firewall is also only one layer of defense.  Still, it is an important layer.

For many businesses (and especially consumers), patching their Internet gateway (router or firewall) and patching their WiFi router (sometimes the same device but sometimes different devices) is not something they do, and if they do, they don’t do it regularly.

All patching is important, but patching any Internet facing device is critical because the attacker doesn’t need to get inside your network before launching the attack.  They start from outside and they work their way in.

One important thing to know.  At least with Cisco, and probably some other vendors, if you are not paying for an annual support contract, they will not give you the security patches that they have released to fix the bugs that should not have been there in the first place.  My answer to that?  Pick a different vendor – there are lots.  Juniper, Sonicwall, Ubiquiti, Fortinet, Baarracuda, Palo Alto, pfSense.  Different vendors make sense for different users, but there are lots of choices.

So what is an Internet facing device?

Firewalls.

Routers.

WiFi Access Points.

Webcams that can be accessed from the Internet.

And likely other devices inside your home or business,

Start out by doing a careful inventory of anything that has a network cable or is connected to your WiFi.  Then see which ones of these devices can connect to the Internet.  Those are the high priorities.

There is one thing that you can do, going forward.  Buy devices that automatically update themselves.

Like the Ring Video Doorbell.  There was a vulnerability discovered recently (like in the last 6 months or so).  Ring fixed and patched every doorbell ever sold in roughly 48 hours. 

The Google Home Wifi controller is another example.

Do your research BEFORE you buy.  Ask questions.  And, if you don’t get the right answers, move on.  Vote with your wallet.  Eventually, that will get manufacturer’s attention.

Information for this post came from Federal Computer Weekly.

Facebooktwitterredditlinkedinmailby feather

Feds Finally Admit What Many of Us Knew For Years

The United States Department of Justice has charged 9 Iranian nationals for theft of intellectual property from hundreds of colleges and universities, dozens of U.S. companies, Federal agencies, state governments and the United Nations.

DoJ Values the theft to be IN EXCESS OF THREE BILLION DOLLARS. That is likely a very conservative number.

The defendants are associated with an organization called the Mabna Institute that stole, among other information, 31 terabytes of email since 2013.

They targeted the accounts of 100,000 professors, compromising 8,000 of them; the stolen information was then sold.

At the same time, the FBI and Homeland Security are formally accusing Russia of attacking energy sector targets (such as nuclear power plants), water and critical manufacturing.  The two departments jointly issued an alert.

So what does this mean for America?  First and foremost, it means that America needs to take cyber security far more seriously than it has.  For most Americans, both consumers and businesses, when there is an intersection between security and convenience, convenience wins.  We saw that recently when Yahoo was breached and their dirty laundry started to be aired.  Marissa Mayer made conscious choices to implement new bells and whistles on the Yahoo software rather than improving the security.  Contrast this with Sergey Brin and Larry Page, co-founders of Google, who, when they heard that the Russians were attacking them and had gotten in, issued an edict to fix the problem at whatever the cost.  They hired hundreds of security professionals, wrote obscene hiring bonus checks to get the talent they wanted and declared war on the hackers.  Granted Google can afford that, but the distinction is the strategy, not the size of the checks.

So what should or can you as an individual or business person do?  Actually there are a number of things that you can do that are not terribly expensive.  

Number one has to be that America as a country has to understand that we are in a war and it is a war that we are losing because Russia and China and other countries are taking the war way more seriously than we are. 

Some experts have recently said that if an all out cyber war were to break out today, the U.S. would lose.  I have no idea if that is true, but the idea alone is scary.

Number two, we, as consumers and business people, have to change our ways.  Understand that we may have to do things that are somewhat inconvenient (two factor authentication comes to mind) and we have to give up the notion that we have nothing that they want.  EVERY BUSINESS has something that they want, even if it is just to put it up on the black market and sell it to your domestic or international competitors.

Engage cyber security experts.  Many of the calls that we get come from companies that have just been hacked.  While we appreciate the business, that is NOT the “optimal” time to call us.  At that point, the best you can do is damage control.  Not a great option.

If you don’t know what to do but realize you need to do something, contact us;  we can help you create a plan.  Whether you are an individual, small business or Fortune 1000 firm.

Information for this post came from eCommerce Times and The Guardian.

Facebooktwitterredditlinkedinmailby feather

Facebook Caught Mining User Data Again

This time, the data that Facebook is mining is your call data and your text message data.  But there is a difference.  In this case, Facebook says that it asked permission when you installed Messenger or Facebook Lite.  However, the default was to collect the data and it was not very clear to users that the data was being collected.

They have been doing this from both Android and iPhone users.

If you download your Facebook data (to download your data, go to http://www.facebook.com/settings  and click on the tiny little link at the bottom that says download a copy of my facebook data), you can see what data Facebook has.

Roughly a year ago, Facebook made it more obvious that they were collecting the data when you install the app.

Facebook says that they never sell this data (probably true) and it’s purpose is to let friends find each other on Facebook and help them create a better experience for everyone (more doubtful).

OK; lets say you are a FB Messenger user, what can you do?

1.  Check if your contacts are being synced with Facebook.  The instructions are different between iPhone and Android users, but the instructions can be found at https://www.facebook.com/mobile/messenger/contacts/ .

2. You can turn off syncing contacts by following the instructions at https://www.facebook.com/help/838237596230667 .  Again, the instructions are different between the iPhone and Android.

3. You can delete your call history from Messenger also.  Instructions can be found at https://www.facebook.com/help/messenger-app/870177389760756?helpref=hc_fnav .

Suffice it to say, Facebook is going to try real hard to capture the data.  After all, the name of the game for them is to harvest your data to increase your use and dependence on Facebook and to use that data to sell you stuff.

However, you can disable it.  Just not easily.

 

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Friday News

It was only a matter of time.  Researchers say that they have discovered “things” on the blockchain.  Not so nice things.  Like child porn.  If true, and I have no reason to doubt the researchers, that would make possession of a copy of the blockchain illegal in 112 countries.  And, since we know that you can’t change the blockchain, now what?  Normally, when the cops find child porn on a web site, they get it removed or shut it down.  Do you have any idea how to shut down a distributed database with tens of millions of copies on every continent of the globe, expect, maybe, not Antarctica.  Me neither.   And think about it.  You could use this technology to distribute any kind of illegal information that you want to.  Hidden in plain sight and unstoppable.  (source: PC Magazine).

Department of Homeland Security Secretary Kirstjen Nielsen testified before the Senate Intelligence Committee this week that they have completed the security clearance process on 20 election officials to be able to share classified intelligence about foreign government attempts to hack into their election systems.  Given there are about 10,000 election jurisdictions, at this rate it may take a while to complete.

Suffice it to say, it would seem that after 14 months, this administration is a tiny little bit behind the 8 ball when it comes to protecting our election process.  (source: Axios).

Possibly in the wake of the Cambridge Analytica “situation”, the Facebook security chief, Alex Stamos quit.  Followed, the next day by Michael Coates, head of security for Twitter quitting.  Followed the next day by Michael Zalewski, Director of information Security Engineering at Google.  Not a great week.  Is someone sending the big guys a message?  (source: National Herald).

Mossack Fonseca, the law firm at the eye of the storm of the Panama Papers leak of millions of documents of the rich and famous announced they are shutting down due to reputational damage, media attention to a company that would rather operate in the shadows and other fallout from their breach.  While their breach was very public, their finances were deep.  However when customers started deserting them like rats deserting a sinking ship, their ship was doomed.  While it took a couple of years, it was inevitable. (source: The Guardian).

The government has filed civil and criminal charges against a former Equifax exec for insider trading.  Jun Ying, a not very smart tech exec at the company heard rumors about a breach and decided it would be a good time to sell all of his vested stock options, netting him almost a million bucks in profit.  And, possibly, ten years at the crossbar hotel.  Not very subtle on his part.  Hopefully only the beginning of going after folks at Equifax, buy who knows.  (source: Reuters)

Facebooktwitterredditlinkedinmailby feather

Meltdown and Spectre – The Next Chapter

Meltdown and Spectre, the twin vulnerabilities affecting Intel and many other processors, has been a moving target.  Patches followed by “unpatches” when those patches caused computers to reboot randomly.  Then there were the software patches that slowed down computers by from 5% to  30%.

The process of mitigating these vulnerabilities has been way more complicated than we usually see.  But there is hope.

So what can you do?  Here are some answers –

First a tool – a free tool – to see what patches have been installed.  Google (or any other search tool) “INSPECTRE”.  Look for the entry from Gibson Research Corp at GRC.Com – in Google it is usually the first entry.  Download it and it will tell you, in English, if you are vulnerable or protected.

For Meltdown, there is a simple Windows (and other OS) patch that vendors have released.  Install the patch, run Inspectre to test and you are safe from Meltdown.

Spectre is the bad boy.

The problem that Spectre exploits is a decision that Intel and others made two decades ago.  It isn’t so much a bug as a design decision that had unanticipated side effects.  What this means is that fixing it means fixing the firmware inside the chip itself.

There are several variants of Spectre, some worse than others.  Intel has released patches for almost all of their chips, but getting them to install them  is the challenge.  These patches to the chip usually require you to to get a very specific patch for your model of computer from the computer’s manufacturer.

But there is some good news. 

Intel just announced that they will be selling a new “generation” of the chip later this year with the firmware patch already in place.  It appears a bit confusing at this point because they are 8th generation chips, but 8th generation chips without the patch started shipping last year. But, they will be shipping new versions of the 8th generation processors (what they will be called is not clear) that come with patches already installed (see announcement here).

But more exciting is the fact that Microsoft has started releasing patches to fix the firmware inside the chips.  Turns out Windows has always been able to do this but due to the hundreds of chips that Intel has released, Microsoft rarely if ever releases a patch that uses this capability.  This is an exception.

Microsoft has released a fix, KB4090007, but there is a catch.  Of course.

First, the patch only works if you are running Windows 10 and only if you are running the Windows 10 Fall Creators Update.  I guess that is to entice you to upgrade.

Second, you have to go find the patch and download it.  It will NOT be coming to a Windows Update near you any time soon.

Finally, it only patches certain select chips  listed in the article behind the KB link above.  You need to know the chip model you are running.  Luckily, the newest version of Inspectre will tell you that information.  Then you can go to the knowledge base article linked above to see if your chip is one that Microsoft can patch.  If it is, manually download the patch and install it.  Once done, the Inspectre software should show that you are protected.

Microsoft is supposed to be adding more chips to the list over time and hopefully, will create a fix for Windows 8 and Windows 7, since both of these are supposedly still supported.  Just not yet.  Second class citizens.

Not simple and not complete, but it is progress.

Facebooktwitterredditlinkedinmailby feather