Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First, the web site was built on WordPress.  While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data were accessed;  only names, addresses, phone numbers, emails, etc. were compromised.  This is likely due to security-minded design decisions made early in the development of the site.  The site was down for almost a week, a disaster in the online ticketing business, and they will likely have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that it disrupted a business email compromise scheme, arrested 74 people, recovered $2.4 million and halted $14 million in bogus wire transfers.  That comes to about 0.3 percent (roughly one third of one percent) of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, it is going to disable data transfer over the charging port once a phone has been locked for an hour.  Why that port should ever have stayed open on a locked phone is not clear.  This will likely break some of the hacking tools that police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.  In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, a flaw that allows a process to infer the contents of another process’s floating point registers because of a performance optimization called lazy floating point state restore: the CPU defers reloading the floating point and vector register state on a context switch until the new process first touches those registers, and a speculative read in that window can leak the previous process’s values.  Some operating systems had already turned this optimization off (Red Hat Enterprise Linux), and any Linux distribution running kernel 4.9 or newer, which restores the state eagerly by default, is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix it this month, since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because hackers think they are easy to do and the odds of getting caught are low.  This week it is Ethereum, and users lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation and how it was operated: users left their Ethereum client’s remote management (JSON-RPC) port open to the Internet on their own computers, which allowed the attackers to empty their wallets. (Source: The Hacker News)

DoD Moving Forward on Cybersecurity After Breach

In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting.  Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.

Among the data compromised is cryptographic information about how the subs communicate.

Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.

DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done.  It is likely that we will never find out the true impact of this breach.

The category of information that was breached is known, generally, as controlled unclassified information or CUI.  The DoD has been talking for years about enforcing an acquisition rule, DFARS clause 252.204-7012 (safeguarding covered defense information), and NIST SP 800-171, the how-to guide for doing that.  December 31, 2017 was supposed to be the date by which contractors had to comply, but in mid December the DoD blinked.  Again.  The instructions to industry were that they just needed to have a plan (a system security plan and a plan of action) for becoming compliant.

But the problem is that no one was assigned to fix the problem.

In the wake of this new and recurring scandal, Defense Secretary Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this.  The Under Secretary instructed the Defense Security Service, which is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too.  The challenge with that is that the amount of controlled unclassified information, and the number of people handling it, dwarfs the amount of classified information many times over.

Given this, what should defense contractors and sub-contractors do now?

While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI and the Defense Security Service will expand their sphere of influence to contractors handling CUI.  Starting with the primes – and letting them handle the subs.  We have seen that this has already started, but we believe it will accelerate.

For the most part, what NIST 800-171 mandates is “best in industry” cyber security practices.

If you are a contractor, you should be actively working on becoming compliant.  You should already have been doing this, but there should be more urgency now.  Start with the policies, procedures and practices and move on from there: the technical controls and monitoring, incident response and so on.

While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem.  All he needs to do is make it happen.  Remember, Generals, especially Marine Corps Generals,  are very good at “making it happen” and I would not question his desire to not be embarrassed again.  He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted.  Not a fun conversation.

Given all this, being prepared is a really good plan.  We can help.

Information for this post is based on a memo from the Pentagon.

The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate.

These ships are connected via satellite and are always on the Internet, like most businesses.  Just with crappy, insecure software.

The pen testers created proof of concept attacks where they took ships off course.  A bad guy could cause ships to collide at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).  Hack the charts and young sailors who trust the computer instead of “looking out the window” will be easily fooled.  They tested 20 different ECDIS systems and all of them were easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can make the ship go anywhere they want it to go.  That is just one attack.

OK, so what does this mean to you and me?

Since most of us are not a captain of a tanker or container ship, it is not about that.  But,  if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has dozens of computers in it, sometimes over a hundred, and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about its security?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.

Cryptocurrencies Under Attack

A story that seems to be repeated with way too much frequency is cryptocurrency attacks.  This is because most users don’t understand how easy these attacks are.

I am aware of *NO* attacks that compromised the cryptography of cryptocurrencies.  Always it is the software.  Sometimes on the user’s side.  Other times on the exchange’s side.

The cryptocurrency exchange called Coinrail lost $40 million to an attack.  Coinrail has taken its service offline and has moved what is left of its currency into cold storage to make it harder for the hackers and to help investigators figure out how the attackers got in (source: Techcrunch).

The Japanese exchange Coincheck lost $400 million to hackers.  They say they do not know how the attackers stole the money. They are considering compensating users who lost money – whatever that means. (Source: Techcrunch)

Tether, a cryptocurrency startup lost $31 million to attackers.  (Source: Techcrunch)

Bitcoin’s price dropped about $500 in an hour after the most recent attack, and the cryptocurrency market as a whole lost $42 billion in value. (Source: Bloomberg)

As a coin speculator, what should you be doing?

First, you need to understand that you are a speculator in a wildly volatile commodity, and that commodity has zero inherent value, unlike pork bellies or gold.

Second, understand that there is no insurance, very limited government regulation and no government protection from losses suffered.  This is about as risky as loaning money to your cousin Vinny.

Third, like all investments, diversify.  Whether that means stocks, bonds and Crypto or just different crypto exchanges (and not different currencies at the same exchange), diversify.  I recommend the first;  you do the second at your own peril.

Keep your wallet offline.  Hackers stole $20 million in Ethereum because users had left their client’s remote management port open on their local machines, which allowed hackers to empty their wallets.  Offline is not a silver bullet, but it will stop that particular attack as long as the wallet stays offline.
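
The Ethereum thefts mentioned here and in the news bites above came down to an operational mistake: the node’s JSON-RPC management interface was reachable from the Internet, often with an account unlocked.  The following check is an added example written for this post, not code from the original article or from any Ethereum project.  It inspects two constructed inputs, a socket listing in the style of ss -ltn and a geth command line, and reports the conditions that make a node drainable.  The port numbers are geth’s documented defaults (8545 HTTP, 8546 WebSocket) and the flag names (--rpc, --rpcaddr, --rpcapi, --unlock) are geth’s flags as of 2018; both are assumptions about the client in use.

```python
"""Check whether an Ethereum node's JSON-RPC interface is reachable from the
network, which is the condition the 2018 wallet-draining campaign relied on.

Both inputs below are constructed samples for this example, not captured data.
Port numbers are geth's defaults (8545 HTTP, 8546 WebSocket); the flag names
(--rpc, --rpcaddr, --rpcapi, --unlock) are geth's 2018-era flags and are
assumed here not to have changed.
"""
import shlex

RPC_PORTS = {8545: "HTTP JSON-RPC", 8546: "WebSocket JSON-RPC"}
LOOPBACK = ("localhost", "127.0.0.1", "::1", "[::1]")

# Constructed `ss -ltn` style listing: one healthy loopback listener, the
# p2p port (which is supposed to be public), and two exposed RPC listeners.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8545       0.0.0.0:*
LISTEN  0       128     0.0.0.0:30303        0.0.0.0:*
LISTEN  0       128     *:8545               *:*
LISTEN  0       128     [::]:8546            [::]:*
"""

# Constructed command line of a node run the way the victims ran theirs:
# RPC bound to every interface, key-management API enabled, account unlocked.
SAMPLE_CMDLINE = ("geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal "
                  "--unlock 0 --password /root/pw.txt")


def _split_host_port(local_addr):
    """'[::]:8546' -> ('[::]', 8546); rpartition keeps IPv6 colons intact."""
    host, _, port = local_addr.rpartition(":")
    return host, int(port)


def is_loopback(host):
    return host in LOOPBACK or host.startswith("127.")


def exposed_rpc_listeners(ss_output):
    """Return (host, port) for RPC ports bound to anything but loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, port = _split_host_port(fields[3])
        if port in RPC_PORTS and not is_loopback(host):
            exposed.append((host, port))
    return exposed


def parse_flags(cmdline):
    """Turn 'geth --a 1 --b=2 --c' into {'a': '1', 'b': '2', 'c': True}."""
    argv = shlex.split(cmdline)
    opts = {}
    i = 1  # skip the program name
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, has_eq, val = tok[2:].partition("=")
            if not has_eq:
                if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    i += 1
                    val = argv[i]
                else:
                    val = True
            opts[name] = val
        i += 1
    return opts


def risky_geth_flags(cmdline):
    """Explain, in order, why this command line is a wallet-draining target."""
    opts = parse_flags(cmdline)
    findings = []
    if "rpc" in opts:
        addr = opts.get("rpcaddr", "localhost")  # geth's default binding
        if not is_loopback(addr):
            findings.append(f"JSON-RPC listening on {addr}, reachable from the network")
        if "personal" in str(opts.get("rpcapi", "")).split(","):
            findings.append("personal API exposed over JSON-RPC (remote key management)")
    if "unlock" in opts:
        findings.append(f"account {opts['unlock']} unlocked: eth_sendTransaction "
                        "needs no passphrase")
    return findings


if __name__ == "__main__":
    for host, port in exposed_rpc_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {host}:{port} ({RPC_PORTS[port]})")
    for finding in risky_geth_flags(SAMPLE_CMDLINE):
        print("risky flag:", finding)
```

Run it against the real output of ss -ltn and the real process command line on a node; a clean result is an empty list from both functions.  The listener check catches the exposure regardless of how the node was started, and the flag check explains why an exposed node is worse when an account is unlocked: with the account unlocked, an attacker who reaches the port only has to call eth_sendTransaction.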

Only run cryptocurrency transactions on a machine that you know to be secure.  One recent attack used DNS compromises on users’ machines to make their software think it was connecting to their exchange when, in fact, it was connecting to the attackers’ computers.

Bottom line – it is your money.  Treat it like it is important.

News Bites for Friday June 8, 2018

One Vendor, Two Unprotected Servers Equal Disaster

Agilisium, a cloud services vendor to Universal Music Group, exposed UMG’s internal FTP credentials, AWS secret keys and passwords, and the internal SQL root password to the open Internet – all via two instances of the Apache Airflow server with no password.  Airflow keeps the credentials it needs to reach databases, file servers and cloud accounts, so an Airflow web interface with no login hands out every secret the data pipeline uses.

Your Vendor Cyber Risk Management Program (VCRM) manager needs to work with all vendors, especially those who are high risk, to make sure their cyber security program matches your risk, because you are the one who is going to take the heat (Source: Threatpost).
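
A vendor review of an Airflow deployment can start with its configuration file.  The check below is an added example written for this post, not code from Agilisium, UMG or the Airflow project.  It parses two constructed airflow.cfg fragments, one with the settings that leave the UI and its stored credentials open and one with them fixed, and reports each weak setting.  The option names are Airflow 1.10’s (the release current at the time of this incident) and are assumed here; Airflow 2 renamed several of them, and the Fernet key value is a placeholder to be replaced with a generated key.

```python
"""Flag the airflow.cfg settings that turn an Airflow instance into a secret dump.

Both config texts below are constructed for this example. Option names are
Airflow 1.10's (the current release at the time of the UMG incident) and are
assumed here; Airflow 2 renamed several of them.
"""
import configparser

# Constructed: the shape of a server anyone on the Internet can browse.
WEAK_CFG = """\
[core]
fernet_key =

[api]
auth_backend = airflow.api.auth.backend.default

[webserver]
web_server_host = 0.0.0.0
web_server_port = 8080
authenticate = False
expose_config = True
"""

# Constructed: the same server with the weak settings corrected.
# The fernet_key value is a placeholder, not a real key.
HARDENED_CFG = """\
[core]
fernet_key = REPLACE_WITH_OUTPUT_OF_Fernet.generate_key()

[api]
auth_backend = airflow.api.auth.backend.deny_all

[webserver]
web_server_host = 127.0.0.1
web_server_port = 8080
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth
expose_config = False
"""

ALL_INTERFACES = {"0.0.0.0", "::", "[::]"}


def airflow_findings(cfg_text):
    """Return a list of human-readable problems, empty when the config is sound."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []

    # Connections (DB passwords, AWS keys, FTP logins) live in the metadata DB;
    # without a Fernet key Airflow stores their passwords in plaintext.
    if not cfg.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: connection passwords are stored in plaintext")

    # The UI lists every Connection and Variable; with authenticate=False
    # anyone who can reach it reads them, and expose_config adds airflow.cfg.
    if not cfg.getboolean("webserver", "authenticate", fallback=False):
        findings.append("webserver.authenticate is False: the UI needs no login")
    host = cfg.get("webserver", "web_server_host", fallback="0.0.0.0")
    if host in ALL_INTERFACES:
        findings.append(f"webserver bound to {host}: reachable from every network interface")
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config is True: airflow.cfg (with secrets) is served in the UI")

    # The experimental REST API's default backend accepts every request.
    api_backend = cfg.get("api", "auth_backend", fallback="airflow.api.auth.backend.default")
    if api_backend.endswith(".default"):
        findings.append("api.auth_backend is the default: the REST API is unauthenticated")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, "->", airflow_findings(text) or "no findings")
```

Note that the fallbacks mirror Airflow 1.10’s own defaults, so a setting that is simply missing from the file is reported as weak rather than assumed safe; an installed-and-forgotten server with a stock config produces findings on every line.  Binding the web server to a loopback address and putting it behind an authenticating reverse proxy is the usual fix when the built-in password backend is not an option.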

Online Ticket Service TicketFly Hacked, Shuts Down As a Precaution

Online ticket service TicketFly and some of the venues it provides service for shut down last week after it was hacked.  It came back up briefly but is down again today, June 4.  Concert venues that use TicketFly have had to delay ticket sales, and concert goers who did not print paper tickets for concerts held during the outage will have to wait in line at the venue’s box office and hope they can get their tickets.  Ultimately, if that fails AND they paid for their ticket with a credit card, they will get their money back under federal law.  If they flew to the venue and didn’t get in, well, that may be a different story.  The dangers of an always online world that is not always online.  Eventbrite bought TicketFly last year for $200 million (Source: CBS).

Stingrays in Use Near the White House

It has long been suspected that the Ruskies (or Chinese. Or both) have been using cell site simulators near sensitive areas to capture information.  When Sen. Wyden whined about it, DHS said that it wasn’t in the budget for them to protect the White House or Congress from those pesky Ruskies.  Well, after they were sufficiently embarrassed, they did a small pilot and, well, it is true.  On top of that, the bad guys are exploiting the public phone networks’ signaling protocol, SS7, which was designed in the 1970s and 1980s and has very little security in it.  Fixing SS7 is a major worldwide undertaking that would cost billions and take decades.  So DHS still says that it doesn’t have money to fix it, but we do know that, along with hacking the elections, the Ruskies are hacking our phones.  (Source: The Register).

What Did Atlanta Lose?

When Atlanta got hit by a ransomware attack, they seemed to downplay the impact, but now they are telling a different story.  The city has spent $5 million in the aftermath of the attack, both to recover and to improve security, but it is not all sunshine.

They did lose years’ worth of police dashcam footage – never to be recovered.  If that footage was important evidence in a case, the case may need to be dismissed.  It did not affect body cam video, however.  What other files will be discovered to have been lost – that we will need to wait to find out (Source: We Live Security).

Baby Monitor Takes Compromising Pictures of Mom

A 24 year old South Carolina mom, Jamie Summitt, got a rather rude lesson in cyber security.  She purchased a “smart” baby monitor that she could watch from her equally smart phone, only to wake up one day to find the baby monitor pointed at her.

She didn’t think much about that until she watched the camera move on its own to the spot where she breast feeds her 3 month old.

The camera, a very low end $34 model from FREDI, claims on its packaging that there is NO RISK of PERSONAL INFORMATION and promises lifetime technical support.

When she and her husband were eating dinner together while the baby slept, her phone alerted her that the camera was moving.  That prompted an Oh (fill in the blank) moment.  Clearly they were not moving the camera.

Remember that consumers are not security experts, and expecting them to be is doomed to failure.

To those of us in the security industry, this is not news, the hacking of baby monitors being a well worn road.  Since manufacturers are not liable for the security of their products, they choose not to spend money on something that doesn’t generate revenue.

She unplugged the camera and called the police, but when the police arrived and plugged the camera in again, the peeping Tom had locked them out of their own camera – likely having heard the conversation with the police.

She contacted Amazon, who pointed her to the manufacturer.  The lifetime tech support number was disconnected and they did not respond to email.  No surprise here.

I wrote a long time ago about the tests that Rapid7 did on baby monitor security; almost all of them got an F.

So what should you do?

The first thing to do is your own research on the security of whatever baby monitor you are considering purchasing.

Check whether your chosen vendor has shipped security patches for its monitors in the past.  No patches does not mean a secure product; it more likely means one the vendor doesn’t care about after the sale.

Next, change the default password and make the new password something complex and hard to guess.

But another simple and low tech thing to do is…

Get an old ski cap and drop it over the camera when you are home. Or at least when you are in the room.  Take it off when you leave and put it back on when you come back.

At least that way the only thing the peeping Tom will see is your (hopefully) sleeping baby.

And not you in a compromising state of undress.

Information for this post came from CSO Online.