Cell Phone Providers Want to Protect You. Really!

I don’t know about you, but I am not inclined to believe that my cell phone provider is the best company to protect my security.  They disagree.  And who knows – maybe it could work.

The basis of Project Verify is that each cell phone has a unique fingerprint that allows the carrier to identify your phone and use that verification to log you in to your favorite (cooperating) web site.

They say that it verifies your identity using information from your SIM card, IP address and account tenure.  They have not released the details yet of how it will work.

One thing that is concerning is that they say that consumers will be able to control the information that they share and consent to how it is used.  It is unclear whether that means that the cellular providers want to be the keeper of your data, doling it out as they see fit.  Maybe that is not the case – they have not said yet.

What is clear is that what we are doing today is not working.  People pick easy-to-guess passwords (like Password or 12345678).  They refuse to use two-factor authentication because it involves a teeny, tiny bit more work.

So, if this really works it could be a big improvement.

But we do need to remember that hackers are already targeting – pretty successfully – cellular carriers, and all this will do is make the cell provider an even bigger target.

Right now cell phone NUMBER theft is big business because if you steal someone’s number, you can receive their text messages, which is what you need to reset passwords.

But as I understand this system, the security is tied to the bits on the SIM card itself, so stealing the number won’t help anymore.

Stay tuned.

Information for this post came from The Verge.
NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the WannaCry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., pencil and paper), infected and took down organizations like the UK’s National Health Service, parts of FedEx, Hitachi, Honda and hundreds if not thousands of other organizations, many unknown.  It was enabled by a gift written by the NSA called ETERNAL BLUE.  Eternal Blue was designed to be a gift given to our enemies, but it got out into the wild and was used by the bad guys to infect hundreds of thousands of computers in at least 150 countries, costing companies billions of dollars to fix.

If it weren’t for Eternal Blue, this attack would not have worked.  The funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called Eternal Blue is still giving.  There are still at least a million computers that are not patched, and hackers are using Eternal Blue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work?

Right now, today, the attackers are using this attack to mine cryptocurrency on the infected computers.  However, if that stops being profitable – profitable ENOUGH – well then, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple fix is that Windows patches are available; install them.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.

But, since people aren’t really diligent about patches, and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.

Just think about that for a minute.

Information for this post came from ZDNet.
Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes countries (US, Canada, Australia, New Zealand and Great Britain) issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps, they may pursue forcing them to do that by law.  Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored its private access key in a way that let hackers access 281 gigabytes of spied-on photos in over 3,000 Amazon storage buckets.  This means that tens of millions of photos taken by kids and of kids are now on the loose.  All because parents wanted to keep tabs on what their kids were doing.  Now the hackers can keep tabs on their kids too (Source: Hackread).  Family Orbit shut down all services until they can fix the problem, but that won’t help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data of a million customers, including passwords, call logs, text messages, contacts, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies whose very existence is threatened by these leaks were hacked.  Somehow, hundreds of backdoors in major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it.  The odds of that data getting hacked are higher than you might like.  Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public?  Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac App Store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China.  They are able to do this based on the permissions that the user grants it – permissions that look reasonable for what the app claims to do.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media!  (Source: Motherboard).

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll.  First the California Consumer Privacy Act (AB 375), now law; then the Security of Connected Devices Act (SB 327), on the Governor’s desk; and now the Internet Neutrality Act (SB 822), which would implement many of the requirements of the now repealed FCC Net Neutrality policy.  ISPs such as Frontier have asked employees to contact the governor and tell him to veto the bill.  This was after AT&T bribed, err, technically “lobbied” an Assembly committee to gut the bill.  The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and their data to slow down (neither is true).  It is still on Governor Brown’s desk.  (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the Wiretap Act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case, is Facebook Messenger even a phone call as defined in the Act?  Facebook, apparently, says that they do not have the means to do it; that they do not have the keys.  Can the government force Facebook to rewrite its code to provide the keys to the government on request?  Even if they do, the conversations themselves do not go through Facebook’s network, so Facebook could not capture the actual traffic, even if they wanted to.  The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernardino all over again.  Source:  The Verge.
Equifax Hack – The Prequel

While we all know about the Equifax breach last year that compromised the data of almost 150 million people and businesses, until today we did not know about the Equifax hack two years earlier.

In the earlier hack, former employees – actually Chinese spies – stole thousands of pages of documents including plans for new products, human resource files, manuals and other information.

Equifax went to the FBI and even the CIA, but did not publicly admit the problem.

That is because there is no law that requires them to disclose the theft of intellectual property, although investors may disagree and sue them now that they know.

Equifax later found out that the Chinese had asked 8 companies to help them build a national credit reporting system.

I am sure that is just a coincidence.

So what do you as a business owner need to do?

The first thing is to understand that the theft of intellectual property dwarfs credit card theft and the best we can do is guess at the magnitude because most of it is not reported.

While hackers can break into your company, it is much easier for employees to walk the data out the front door.  That problem is so bad that defense contractors and financial firms are required by law to have insider threat programs.  Understand what a competitor inside the US or internationally might be interested in.

Implement employee training programs to make sure that employees do not contribute to the problem.

While the insider attack is one part of the problem, the outside attacker is just as big a problem.  To protect against this, you need to implement a full cyber security program – hardening servers, patches, access controls, firewall rules, etc.

This needs to be part of a formal, documented program.

The most important thing to understand is that it doesn’t always happen to “the other guy”.  Most attacks are attacks of opportunity and small and medium businesses are disproportionately affected – likely because they do not have the sophisticated IT controls and staff that big companies have.

You have two choices – 

Prepare now.

React when an event happens.

I can tell you from experience, preparation is way better.

Information for this post came from Slashdot.
Researchers Hack Tesla Key Fob in 2 Seconds

Researchers have figured out how to hack a Tesla’s key fob in under two seconds.  That’s impressive.  Remotely.  I think in this case remotely means that they do not have to touch the fob or the car, but they have to be pretty damn close to it – in radio range of the fob.  Still, it is not particularly hard to be near the car.

The researchers say that the technique should work on any keyless entry system, but maybe that isn’t quite true.

Tesla’s keyless entry system is made by Pektron and uses relatively weak encryption.  We have actually seen this exact problem with other cars, like the system that VW uses and sells to many other manufacturers (which I have written about in the past).  So it may be fair to say that other manufacturers have similar problems, but not necessarily the same one, and maybe not all of them.

Because computers are fast and can support a lot of data, the researchers made a table of all 2 to the 16th possible encryption key codes.  That is only 6 terabytes – a disk that you can easily put on a PC, never mind a more powerful computer.

Then you need about $600 of hardware to intercept the owner unlocking the car.  You get the encrypted code that way.

Then all you have to do is scan this table that you built to find the matching entry and voila, you can clone the fob.  This MAY BE true for other manufacturers as well.  As I recall, the VW hack was even easier.
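To make the three steps above concrete, here is an added example (not the researchers’ code, and not Tesla’s or Pektron’s cipher). The fob’s proprietary cipher is stood in for by HMAC-SHA256 truncated to 3 bytes, the key is shrunk to 16 bits so the whole table fits in memory, and all names (`fob_response`, `build_table`, `recover_key`, `table_bytes`) and sample values are constructed here. It follows the article’s structure: precompute every key’s answer to one fixed challenge, observe one real exchange, look the answer up, and then see what that same table would cost at realistic key sizes. Where the toy’s short response collides, a second observed exchange is used to disambiguate.

```python
"""Why a small key space is fatal to a challenge-response key fob.

Added example, not from the article. The fob cipher is a stand-in (HMAC-SHA256
truncated); the 16-bit key and 3-byte response are assumptions chosen so the
full table fits in memory.
"""
from __future__ import annotations

import hashlib
import hmac

KEY_BITS = 16            # toy key size (assumption; real fobs use longer keys)
KEY_BYTES = KEY_BITS // 8
RESP_BYTES = 3           # assumed response width on the air
FIXED_CHALLENGE = bytes(8)   # the single challenge the table is built for


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the fob's proprietary cipher: keyed hash, truncated."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:RESP_BYTES]


def build_table(challenge: bytes = FIXED_CHALLENGE) -> dict[bytes, list[bytes]]:
    """Map response -> every key producing it, for one fixed challenge.

    2^16 keys into a 24-bit response space collide a few hundred times, so
    each entry holds a list of candidate keys rather than a single key.
    """
    table: dict[bytes, list[bytes]] = {}
    for k in range(1 << KEY_BITS):
        key = k.to_bytes(KEY_BYTES, "big")
        table.setdefault(fob_response(key, challenge), []).append(key)
    return table


def recover_key(
    table: dict[bytes, list[bytes]],
    observed: bytes,
    confirm: tuple[bytes, bytes] | None = None,
) -> list[bytes]:
    """Look up the observed response; a second (challenge, response) pair,
    if one was observed, filters out the colliding candidates."""
    candidates = table.get(observed, [])
    if confirm is not None:
        chal, resp = confirm
        candidates = [k for k in candidates if fob_response(k, chal) == resp]
    return candidates


def table_bytes(key_bits: int) -> int:
    """Storage for a full table: one (response, key) entry per possible key.

    This is the knob the designer controls: the table grows as 2^key_bits,
    so the fix for a fob like this is a longer key, not a secret algorithm.
    """
    entry = RESP_BYTES + (key_bits + 7) // 8
    return (1 << key_bits) * entry


if __name__ == "__main__":
    table = build_table()
    victim_key = bytes.fromhex("beef")                     # constructed fob key
    captured = fob_response(victim_key, FIXED_CHALLENGE)   # one observed exchange
    print("candidates from one exchange:", recover_key(table, captured))
    second = bytes(range(8))
    print("after a second exchange:",
          recover_key(table, captured, (second, fob_response(victim_key, second))))
    for bits in (16, 40, 80):
        print(f"{bits}-bit key: full table is {table_bytes(bits) / 2**40:.3g} TiB")
```

The point of `table_bytes` is the defender’s lesson: the table in the article is feasible only because the key space is small enough to enumerate once and store; every added key bit doubles the disk the attacker has to buy, and at 80 bits no table is buildable, which is why the remedy is a stronger cipher (or a new fob), not hiding the algorithm.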

Tesla attempted to defend itself by saying that other car makers have crappy security too.  Not much of a defense.

So what do you do?

First, maybe passive entry is not the most secure thing in the world, so do you really NEED it, or is it just a cool toy?

Second, make sure that your insurance will replace your car if it is stolen in this manner.

In the case of Tesla, they warned their customers to disable passive entry.  That may be an option for other cars too.  If you can disable it, do so.

Tesla has created a new key fob that you can BUY, but you need to upgrade the software in the car first.  The software is free, the fob is not.  Still, if it is reasonably priced, you should probably do it.

Owners of other vehicles should check with the dealer for updates and probably scan Google periodically to see if their particular system has been hacked.

Tesla has also added a PIN code to its alarm system, but you have to enable it.

Generally, there is a trade-off between security and convenience.  This is an example of it.

Check the options in your car and select, maybe, the most secure one instead of the easiest.  Typically the dealer will explain the easiest one because that is also the coolest one.  Leaving the key in the car is also easy, but I don’t recommend that either.

Unless you are ready to buy a new car.  In which case, what color do you like?

Information for this post came from Motherboard.
Don’t Sync Your Phone to Your Rental Car

As I have reported before, car manufacturers do not seem to care about whether the last owner still controls that used car that you just bought.  Previous owners still have the ability to locate, unlock and even remote-start some cars, yet car makers don’t seem to be doing anything about it and likely won’t unless they are successfully sued or a law is passed forcing the issue.

In the meantime, you are on your own in understanding the security implications of that used car that you bought.

But it gets worse.

If you rent a car and you decide that you want to play your music over the car’s sound system or use its hands-free calling, you sync your phone to the car.

The car now owns your data, and unless and until you erase it, all of that data is still in the car when you return it to the rental car company.

That would include contacts and anything else the car’s infotainment system sucks in.

So what can you do?

The simplest answer is to not sync your phone, but that might not be convenient.

Since every make and model of entertainment system (not just model of car) uses a different method to erase the data, the process is daunting.

Enter US car industry exec AKA privacy advocate Andrea Amico.  He has created an app that will give you step by step instructions for wiping the car’s data.  You get, apparently, 10 tries for free, then the next bucket costs a whopping $1.99 – pretty affordable, especially if you rent cars frequently.

The good news is that the UK Information Commissioner’s Office (responsible for implementing GDPR protections in the UK), along with other data protection offices, put together a resolution on the subject, and given a few complaints, the ICO might well fine the car makers a couple million Euros if they don’t shape up.  That could get their attention.

Stay tuned.

Information for this post came from The Register.

Information on the app can be found here.