Fake DC Cell Tower Story Has New Legs

Last week I wrote about the problem of fake cell towers in DC.

Well, the story has some interesting twists and turns.

First, the largest maker of these devices (at least as best we know) is Harris Corp., maker of the Stingray family.  Harris has been so close-mouthed about them that it has made the FBI drop cases against crooks rather than disclose that these things even exist.

Well, the cat is out of the proverbial bag regarding the fact that there are probably gobs of these things on the loose, made by who knows whom – probably some are home brew – and they are listening in on – maybe Congress critters.

You have probably heard that there is nothing worse than a Congress critter scared that his or her cover is blown – whether it is a mistress or payoff or leak or whatever – and now susceptible to blackmail.  That’s why when you are getting approved for a security clearance, they want to know about all of your skeletons.  Not because they care very much, but because they don’t want bad guys to use them against you.

It sounds like there may be Stingrays and Stingray-lookalikes all over the country, likely near sensitive facilities, and the FCC and DHS are playing stupid about it.

Why would they do that?

NOTE TO HARRIS CORP:  JUST PICKING ON YOU BECAUSE YOU ARE THE BEST KNOWN CELL INTERCEPTOR MAKER.  I SUSPECT THAT AT LEAST SOME OF THESE BOGUS INTERCEPTORS DON’T COME FROM YOU.

Who do you think is the largest (legal) user of Stingrays?  U.S. law enforcement and spies – and since they don’t want people to know anything about what they are doing, there are no records kept, so no one really knows if a Stingray belongs to the FBI or the KGB or whatever China’s version of those two is.

You can count on all of those having deployed some of them.

But, we don’t really know, actually.

Some of those Congress critters now want to skewer Ajit Pai, head of the FCC.  This could get entertaining, at a minimum.

Information for this post came from The Register.

So what can you do?  Unfortunately, not a huge amount, but there are some things.

Number one is don’t use your cell phone.

Well, not like that.

If you make calls from the data side of your phone, these devices cannot intercept the calls in the same way.

Say you make a call using Signal or WhatsApp.  The call is just more data.  Even the number you are calling is just data.  And it is encrypted.  Can spies, given the right motivation, crack the crypto?  Probably, even likely.  Even if it means hacking into your phone.  But you would need to be a very specific target for that to be worthwhile.

Power off your phone when you are not using it.  Truly a pain, but they can’t pick up a signal if the phone is off.  If you want to be off the grid for some reason, you have to be off the grid.

If you are Edward Snowden, you put the phone in the oven (preferably OFF) or the freezer (likely ON).  Both are sealed metal boxes that don’t transmit radio waves.

If you are paranoid, Amazon sells RF shielding pouches, the portable version of Snowden’s oven or freezer for as little as $6.99.  For an example of one, click here.

So, while there is likely some risk, unless you are at high risk for some other reason, I probably wouldn’t worry much about it.  But, if you are concerned or just want to ‘stick it to the man’, there are some things that you can do if you are willing to be a little inconvenienced.


Friday News

Delta Airlines Terms of Service “Concern”

Users who tag pictures with Delta SkyMiles hashtags (#Skymileslife and #Deltamedalionlife) agree to some interesting terms and conditions, according to recently modified Delta SkyMiles program terms.  First, (a) they give Delta a perpetual license to use the tagged content (photos) and (b) they warrant that they are the sole owner of the content and have the authority to post it.  Note that you are not posting this on Delta’s web site.  The next term is the one that is mind blowing: (c) you agree, under your SkyMiles program agreement, that if you post something, say on Twitter, with those hashtags, you will indemnify Delta and pay any legal fees, among other terms.  Pretty amazing.  (Source: BoardingArea.com).

Ransomware May Kill You – Literally

Researchers at Vanderbilt studied the mortality rate in hospitals and correlated that data to hacking attacks.  They found that the mortality rate increased by about one-third to one-half percent after an attack.  They also say that the size of the breach doesn’t seem to affect the mortality rate.  (Source: Dark Reading).

Alabama is the last state in the union to enact a data breach notification law

Almost 15 years after California’s landmark privacy law, SB 1386, became effective, Alabama passed a data breach notification law and the governor signed it.  Like many other states, it refers to “implement and maintain reasonable security” and “conduct a good faith and prompt investigation” in case of a breach.  What is a bit less customary is that it gives some detailed specifics as to what is reasonable.  Yay for Alabama.  (Source: Ballard Spahr)

Homeland Security Says Rogue Stingrays Operating in DC

Stingrays, one brand name for cell phone call interceptors, were found by Homeland Security to be operating in DC last year, according to a memo between DHS and Sen. Ron Wyden (D-OR).  DHS said that it did not have the equipment or funding to monitor for rogue devices.  It makes sense that foreign intelligence services would be very interested in intercepting cell phone calls made by government officials in DC, and likely in many other cities where there are large defense and intelligence communities.  Wyden said that leaving cell phone security to the phone companies has been disastrous, which is certainly true, but he didn’t mention efforts by the NSA to weaken crypto over the last 20 years or efforts by the FBI to intentionally build back doors into all encrypted communications.  So, maybe, what goes around comes around.  (Source: Associated Press).

Why Vendor Cyber Risk Assessments Are So Important

Bangalore-based Business Process Outsourcer [24]7.ai admitted that it suffered a breach between September 26th and October 12th, 2017.  Being an outsource vendor, its breach likely affected many customers.  Among those that have fessed up, so far, are Delta Airlines, Sears and, yesterday, Best Buy.

[24]7.ai said that it thought only a million of its customers’ credit cards were affected by the breach.

You can outsource the work, but you can’t outsource the liability.  Even though Sears, Delta and Best Buy are trying to throw [24]7.ai under the cyber liability bus, their customers will blame them, not the vendor (Source: Economic Times of India).


Facebook Continues its Damage Control Program

Facebook is used to riding high.  Not so much lately.

First they said that Cambridge Analytica inappropriately captured the data of 47 million users after 250,000 or so users completed a survey and they captured the information of all of those people’s friends without their permission.

Now they are saying that their arithmetic wasn’t so good and it wasn’t 47 million but rather 87 million users (Source: National Review).

Facebook is also saying that “malicious actors” took advantage of the search tools on Facebook and captured public information on most of its 2 billion users.  The attack was very creative.  Take email addresses or phone numbers compromised in one of many breaches and pop them into Facebook’s search box.  Until yesterday, that would retrieve any information you marked as public, including photos, job history, friends and other information.  Yesterday, as part of their “rehabilitation”, they disabled the feature, but not before bad guys stole terabytes of data (Source: Washington Post).

Then there was the memo by Facebook exec “Boz” who said that anything that we do to connect more people is good, even if it is used by terrorists.  Now that the memo has become public, he claims that he didn’t really believe that. (Source: CNBC).

Finally, after first saying that while he liked the EU’s new privacy regulation, GDPR, Facebook had no plans to make that the rule in places where they were not being forced to do that by law, they are now saying, just kidding (Source: Ars Technica).

Okay, given that Facebook seems to be acting like the twin of Mr. Robot’s Evil Corp., what should you do?

First, be a conscious user.  Even today Facebook allows you to make information private or visible to just friends.  My posts are public, intentionally, but nothing else is public – only visible to friends.

Given that Facebook makes all of its money from selling your data, the default is always going to be share (or steal) your data.  You need to proactively change the defaults.

As Facebook makes changes in response to the current PR disaster it is in the middle of, see what new capabilities they offer and take advantage of them.

Finally, don’t post so much.  Do you really need to post everything that you do?  Once you post it, it is out there.  At least one insurance company is denying burglary claims if people posted their vacation plans prior to returning home.  Be smart;  post less.

Social media is wonderful, but with wonderfulness comes problems, so be smart.


Drupalgeddon 2

The Drupal team has released a patch for a flaw they call highly critical: it allows an attacker to run arbitrary code on a Drupal web site with no authentication required. All the attacker needs to know is the URL of the web site.

Drupal rates the severity of the flaw a 21 on a 1 to 25 scale.

They said they expect exploits to be developed within hours or days.

From a risk standpoint, for an unauthenticated user to be able to run any arbitrary code on your website, that is about as bad as it gets.

All recent Drupal versions – 6, 7 and 8 – are affected, and Drupal has created patches even for old, unsupported versions.

Details are available here.



80% of IoT Apps for Your Phone Contain Vulnerabilities

The Internet of Things is the newest fad.  Today I heard about Internet connected sneakers.  Apparently, you can change the design at will.

Given that and the lack of any liability on the part of the software developer no matter what happens (when was the last time a software developer was sued for writing a buggy app?), there is not a lot of motivation to write good software.

Pradeo Labs studied a hundred apps that control everything from your baby monitor to your garage door and found some unsettling but not surprising facts:

  • 80% of the apps had vulnerabilities
  • 15% were vulnerable to being taken over
  • 8% get connected to uncertified networks, including domains that have expired and which could be purchased by hackers
  • 90% (yes, that is not a typo) leak application data such as application content, device information, video, audio and location.

Information for this post came from Pradeo Security.

Given this, what should a user do?

Unfortunately, there is no easy answer.

First, and this one is hard, don’t be the first on your block to install an app.  Let others debug the software.

Second, look for app reviews and especially security info in reviews.

Third, ask the vendor (and not the retailer) about security.  If you get blown off or get some fluffy answer, you get the message – security is irrelevant.

Fourth, make distinctions between apps that secure, say, your house and apps that open the blinds.   You may not care if your blinds are opened accidentally, but you probably care if a hacker unlocks your house or is watching you and your baby.

And last, be willing to forgo the newest gee-whiz app if you don’t have a good feeling about it.


Saks, Lord and Taylor Demonstrate How Not to Respond to Being Hacked

The New York Times is reporting that The Hudson’s Bay Company, which owns Saks Fifth Avenue and Lord & Taylor, confirmed that some number of stores run under these names, and also Saks Off 5th, were hacked and that 5 million credit cards are available for sale on the black market.

The breach is one of the larger retail credit card breaches – Target and Home Depot were each about ten times the size.  The Times says this is an indication of how difficult it is to secure credit card transaction systems.  While there is some truth to the statement, the more likely reality is that companies do not want to spend the money to fix horrible, decades old, security designs.  If you are unwilling to make changes then you should not be surprised at what you get.

Information for this post came from the New York Times.

So what can you do?

First, if you are a merchant, you need to secure your credit card system.  Hudson’s Bay said this only affected in store systems, not online shopping.

If you only allow those systems to connect to your inventory system, your loyalty card system and the credit card processor’s systems – by specific IP addresses, you have made the game geometrically harder for the hacker.  What you cannot see is difficult to hack.  For every exception you make to this rule, you make the hacker’s job easier.

You should be monitoring web traffic for unusual addresses.  While they have not given us any details, my guess is there were unusual traffic patterns.  Of course, you have to be watching for those patterns.
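As an added example of the allowlist-plus-monitoring approach the two paragraphs above describe (not code from the original post), here is a small Python checker that treats anything a register talks to outside the inventory, loyalty and processor ranges as an alert.  The subnets, the flow-log format and the flow lines are constructed placeholders, not values from any real store network.

```python
"""Added example: flag in-store POS egress that is not on the allowlist.
All addresses, names and log lines below are constructed placeholders."""
import ipaddress
from collections import Counter

# Hypothetical allowlist: the only destinations a register should ever reach
# (the post's inventory system, loyalty card system and card processor).
ALLOWED_EGRESS = {
    "inventory": ipaddress.ip_network("10.20.0.0/24"),
    "loyalty": ipaddress.ip_network("10.30.5.0/28"),
    "processor": ipaddress.ip_network("203.0.113.0/28"),  # TEST-NET-3 stand-in
}

def classify_destination(dst: str) -> str:
    """Return the allowlist entry the destination falls in, or 'UNEXPECTED'."""
    addr = ipaddress.ip_address(dst)
    for name, net in ALLOWED_EGRESS.items():
        if addr in net:
            return name
    return "UNEXPECTED"

def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line: 'timestamp src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def find_unexpected_egress(log_lines, pos_subnet="10.10.0.0/16"):
    """Return (alerts, bytes_per_unexpected_destination) for flows whose
    source is a register and whose destination is not allowlisted."""
    pos_net = ipaddress.ip_network(pos_subnet)
    alerts, bytes_by_dst = [], Counter()
    for line in log_lines:
        flow = parse_flow(line)
        if ipaddress.ip_address(flow["src"]) not in pos_net:
            continue  # only register egress is in scope for this check
        if classify_destination(flow["dst"]) == "UNEXPECTED":
            alerts.append(flow)
            bytes_by_dst[flow["dst"]] += flow["bytes"]
    return alerts, bytes_by_dst

SAMPLE_FLOWS = [  # constructed; 198.51.100.7 (TEST-NET-2) plays the unknown host
    "2018-04-02T09:00:01 10.10.3.21 10.20.0.15 8443 1200",
    "2018-04-02T09:00:05 10.10.3.21 203.0.113.4 443 900",
    "2018-04-02T09:00:09 10.10.3.21 198.51.100.7 443 524288",
    "2018-04-02T09:01:30 10.10.3.22 10.30.5.3 443 300",
    "2018-04-02T09:02:10 10.10.3.22 198.51.100.7 443 262144",
    "2018-04-02T09:02:40 10.50.1.9 198.51.100.7 443 100",  # not a register
]

if __name__ == "__main__":
    found, totals = find_unexpected_egress(SAMPLE_FLOWS)
    for a in found:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['bytes']} bytes)")
    print("bytes per unexpected destination:", dict(totals))
```

The byte totals per unexpected destination are what make a large, repeated transfer to one unknown address stand out from a single stray connection.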

As a consumer, you should be watching your credit card transactions in real time.  I have had cards stolen numerous times.  The hackers get one transaction from me.  Recently, it happened to me and by the time the hackers were trying to use the card a second time, I was on the phone with the bank, they were watching the traffic stream and they killed the transaction in real time.  If hackers can’t use stolen cards, they won’t steal them.  It is no fun at that point.

How the public found out about the attack was from a security firm, Gemini Advisors, not from Hudson’s Bay.  How did they let that happen?  Did Hudson’s Bay think they could keep the breach secret?

Given the size of Hudson’s Bay, they should have had a crisis communications plan in place to be ready to deal with this.  If they did, it didn’t work.

Gemini (not Hudson’s Bay) said the hackers were in the system since last May.  They were active in the system for almost a year and they didn’t know it?  That doesn’t inspire confidence.

Hudson’s Bay said that they wanted to assure their customers that they weren’t liable for fraudulent transactions.  Note that they didn’t say that under federal law credit card companies are responsible for all fraudulent charges after the first $50, or debit card charges after the first $500, subject to certain rules.  This is not Hudson’s Bay being nice, this is federal law.  If you are going to hire spin doctors, do a better job of spinning.

Regarding Social Security numbers, driver’s license numbers and PINs – bottom line, they don’t think they were compromised.  That data should be tokenized so that there is no question of its being compromised.  Bad system design.

If you need help with solving problems like this, give us a call.
