Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commercial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information. The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts. Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert. Source: The Hill.

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them. For example, the Wall Street Journal has 46 of them on its homepage alone (see below).

Every one of those trackers is a separate site that has to be contacted and fed information about you, so each one adds to the time it takes to load the page and to the amount of data you use. Individually the numbers are small, but if you read, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that is like visiting 4,700 web pages a day just to read 100.

Firefox is owned by the non-profit Mozilla Foundation and, unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), doesn’t care much about offending advertisers.

For years now browsers have supported a user-specified DO NOT TRACK flag, and web sites have, pretty much uniformly, ignored the flag and tracked us anyway.

In version 63 of Firefox a new feature will be tested, and in version 65 it will become the default.

The feature will block trackers by default. Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list. The difference here is that it is built in and TURNED ON BY DEFAULT: you do not need to buy or install anything.

The ad war just ratcheted up a bit. Source: The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that gives them some access to offline purchases. Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent. They are using this data to give advertisers confidence that their online ads are working, based on showing you an ad and then you going to spend money in the advertiser’s store. They are also buying loyalty card data under a different program, and that could provide much more detailed data, including exactly what you bought. Both companies are being tight-lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data. Source: Tech Crunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR they were dealing with around 3 breach cases a month, and post-GDPR they are dealing with one case every day.

This is likely not because hackers have upped their game, but because companies that would previously have swept a breach under the rug are now reporting it, fearing the 20 million Euro sword aimed at their heads if they don’t report and get outed. That outing could come from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing range from small, technical breaches to larger breaches similar to the British Airways breach this week, which compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Huazhu (3,800 hotels) is available on the dark web for around $50k (8 bitcoin). The data, 240 million records, includes everything from name, address, phone and email to passport, identity card and bank account information. Make sure you have a good Internet connection if you buy it: the data is about 140 gigabytes in size. While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data. Source: Next Web.


California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act, the only law in the country that gives consumers this much control over their data in the hands of third parties such as Internet-based companies.

Now AB 1906 is headed to Governor Brown to sign. If he does, and there is no reason to think that he won’t, it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored, and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device. A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law calls out is the use of default userids and passwords like admin/admin or user/user. It says that it would be a reasonable security feature if the password required to access the device is UNIQUE to each and every device, or if the device requires the user to change the password before it is available online.
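As an added example (not from the post and not any manufacturer’s firmware), here is what a first-boot gate enforcing those two options might look like: the device refuses to bring up its network service while it still carries a shared factory credential, and only passes once it either shipped with a per-unit random password or the owner has changed it. The names `DeviceConfig`, `may_enable_network_service` and the list of default credentials are assumptions made for this example.

```python
"""Added example, not from the post or from any product's firmware: a
first-boot gate that enforces a per-device password or a forced change
before the device is allowed online."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Shared factory defaults that must never admit a device to the network.
# Constructed list for this example; a real product would carry its own.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("user", "user"),
    ("admin", "password"),
    ("root", "root"),
}


@dataclass
class DeviceConfig:
    username: str
    salt: str                 # hex, generated per device
    password_hash: str        # PBKDF2-HMAC-SHA256 of the password, hex
    unique_per_device: bool   # True when provisioning issued a random password
    password_changed: bool    # True once the owner has replaced the password


def hash_password(password: str, salt_hex: str) -> str:
    # Salted, slow hash so a dumped flash image does not yield the password.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    ).hex()


def provision_unique(username: str = "admin") -> Tuple[DeviceConfig, str]:
    # Factory step: a random password per unit, printed on the label
    # (assumption). Only the hash is stored on the device.
    password = secrets.token_urlsafe(12)
    salt = secrets.token_hex(16)
    cfg = DeviceConfig(username, salt, hash_password(password, salt),
                       unique_per_device=True, password_changed=False)
    return cfg, password


def provision_shared_default(username: str = "admin",
                             password: str = "admin") -> DeviceConfig:
    # The pattern the law calls out: every unit ships with the same credential.
    salt = secrets.token_hex(16)
    return DeviceConfig(username, salt, hash_password(password, salt),
                        unique_per_device=False, password_changed=False)


def set_password(cfg: DeviceConfig, new_password: str) -> DeviceConfig:
    # Owner-initiated change; refuses the well-known defaults outright.
    if (cfg.username, new_password) in DEFAULT_CREDENTIALS:
        raise ValueError("new password is a known factory default")
    salt = secrets.token_hex(16)
    return DeviceConfig(cfg.username, salt, hash_password(new_password, salt),
                        unique_per_device=cfg.unique_per_device,
                        password_changed=True)


def uses_default_credential(cfg: DeviceConfig) -> bool:
    # Compare the stored hash against each known default for this username.
    for user, pw in DEFAULT_CREDENTIALS:
        if user == cfg.username and hmac.compare_digest(
            hash_password(pw, cfg.salt), cfg.password_hash
        ):
            return True
    return False


def may_enable_network_service(cfg: DeviceConfig) -> bool:
    # Online only when no shared default is present AND the device either
    # shipped with a per-unit password or the owner has changed it.
    if uses_default_credential(cfg):
        return False
    return cfg.unique_per_device or cfg.password_changed
```

The check deliberately keys off the stored hash rather than a "setup complete" flag alone, so a firmware reset that restores admin/admin also takes the device back offline until the credential is fixed.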

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully), and it also exempts any device that is subject to federal regulation (like HIPAA) to the extent that the activity in question is covered by that regulation.

Unlike the California Consumer Privacy Act (CCPA), this law has no private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and its information, it would seem reasonable that manufacturers will have to fix bugs found after the device is built. If true, that means they have to have a mechanism to patch the software.

Unlike the CCPA, most companies that manufacture IoT devices will be impacted, because they are unlikely to bar California residents from buying their products or California stores from selling them, and it would be cost prohibitive to build two versions of a cheap IoT device (unlike, say, two versions of a car, one that meets California emissions requirements and one that does not).

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.


Incident Response 101 – Preserving Evidence

A robust incident response program and a well-trained incident response team know exactly what to do and what not to do.

One critical task in incident response is to preserve evidence. Evidence may need to be preserved based on specific legal requirements, such as those for defense contractors. In other cases, evidence must be preserved on the presumption that you will be sued.

In all cases, if you have been notified that someone intends to sue you or has actually filed a lawsuit against you, you are required to preserve all relevant evidence.

This post is the story of what happens when you don’t do that.

In this case, the situation is a lawsuit resulting from the breach of one of the Blue Cross affiliates, Premera.

The breach was well covered in the press; approximately 11 million customers’ data was impacted.

In this case, based on forensics, 35 computers were infected by the bad guys. In the grand scheme of things, this is a very small number of computers to be impacted by a breach; in a big organization a breach can infect thousands of computers. The fact that we are not talking about thousands of computers may not make any difference to the court, but it will be more embarrassing to Premera.

The plaintiffs in this case asked to examine these 35 computers for signs that the bad guys exfiltrated data. Exfiltrated is a big word for stole (technically, uploaded to the Internet in this case). Premera was able to produce 34 of the computers but, curiously, not the 35th. They also asked for the logs from the data protection software that Premera used, called Bluecoat.

This 35th computer is believed to be ground zero for the hackers and may well have been the computer where the data was exfiltrated from.  The Bluecoat logs would have provided important information regarding any data that was exported.

Why are these two crucial pieces of evidence missing? No one is saying, but if there was incriminating evidence on them, or evidence that might have cast doubt on the story that Premera is putting forth, making that evidence disappear might have seemed like a wise idea.

Only one problem. The plaintiffs are asking the court to sanction Premera and prohibit them from producing any evidence or experts to claim that no data was stolen during the hack.

The plaintiffs claim that Premera destroyed the evidence after the lawsuit was filed.

In fact, the plaintiffs are asking the judge to instruct the jury to assume that data was stolen.

Even if the judge agrees to all of this, it doesn’t mean that the plaintiffs are going to win, but it certainly doesn’t help Premera’s case.

So what does this mean to you?

First you need to have a robust incident response program and a trained incident response team.

Second, the incident response plan needs to address evidence preservation, and that includes a long-term plan to catalog and preserve evidence.
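To make the cataloging step concrete, here is an added example (not from the post, and not Premera’s or anyone’s production tooling) of a minimal evidence manifest: each collected file is hashed and recorded with who collected it and when, and a later check reports any file that has since gone missing or been altered, which is exactly the kind of record that would have answered the questions about the missing computer and logs. The file names, log line and case id are constructed for this example.

```python
"""Added example, not from the post: a minimal evidence manifest for an
incident response plan, with a verification pass that flags files that
were modified or removed after collection."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    # Stream the file so large disk images and log exports fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str], collector: str, case_id: str) -> dict:
    # One entry per evidence item: hash, size, collector and UTC time, so the
    # manifest itself can later be presented as the chain-of-custody record.
    entries = []
    for p in sorted(paths):
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    return {"case_id": case_id, "entries": entries}


def write_manifest(manifest: dict, out_path: str) -> str:
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    # Hash of the manifest itself, to be recorded out of band (case log,
    # ticket, printed sheet) so the manifest cannot be quietly rewritten.
    return sha256_file(out_path)


def verify_manifest(manifest: dict) -> Dict[str, str]:
    # Returns path -> "ok" | "missing" | "modified".
    result = {}
    for e in manifest["entries"]:
        p = e["path"]
        if not os.path.exists(p):
            result[p] = "missing"
        elif os.path.getsize(p) != e["size"] or sha256_file(p) != e["sha256"]:
            result[p] = "modified"
        else:
            result[p] = "ok"
    return result


def demo() -> dict:
    # Constructed evidence in a scratch directory: a proxy log export and a
    # collection note for one host. Values are invented for the example.
    d = tempfile.mkdtemp(prefix="evidence-")
    proxy_log = os.path.join(d, "proxy-export.log")
    host_note = os.path.join(d, "host-notes.txt")
    with open(proxy_log, "w") as f:
        f.write("2015-01-05T10:00:00Z CONNECT 203.0.113.5:443 bytes_out=1048576\n")
    with open(host_note, "w") as f:
        f.write("disk image hash recorded separately\n")

    manifest = build_manifest([proxy_log, host_note],
                              collector="ir-team", case_id="CASE-0001")
    manifest_hash = write_manifest(manifest, os.path.join(d, "manifest.json"))
    before = verify_manifest(manifest)

    # Simulate what the post describes: one item altered, one removed later.
    with open(proxy_log, "a") as f:
        f.write("appended after collection\n")
    os.remove(host_note)
    after = verify_manifest(manifest)

    return {
        "manifest_hash": manifest_hash,
        "before": before,
        "after": after,
        "paths": [os.path.abspath(proxy_log), os.path.abspath(host_note)],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest hash returned by `write_manifest` is the piece to store somewhere the evidence owner cannot edit; without it, a manifest can be rewritten along with the evidence and the check proves nothing.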

Evidence preservation is just one part of a full incident response program. That program could be the difference between winning and losing a lawsuit.

Information for this post came from ZDNet.


Fiserv Security Flaw Exposes Your Banking Data – Even if You Don’t Bank Online

Sometimes even if you try to be safe, it doesn’t work the way you want.

Fiserv provides banking software to over a third of all banks. They have 24,000 employees and almost $6 billion in revenue. Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.

Apparently, if you signed up for alerts, they sent you an email with a link to the alert, but they violated one of the most basic security rules: the link identified the alert by a number, and those alerts were numbered serially, as in 1, 2, 3, 4. What this means is that if you change the alert number in the link the bank sends, you can look at someone else’s alert.
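The flaw is a missing authorization check, not a missing secret. As an added example (not from the post and not Fiserv’s code), here is an alert lookup written the way the post describes it, beside a hardened version that ties each alert to its owner, puts an unguessable token in the emailed link, and gives the same answer for "no such alert", "not your alert" and "bad token". The customer names, alert texts, link format and function names are constructed for this example.

```python
"""Added example, not from the post or from Fiserv: the alert lookup as
described (id alone is the authorization) and a hardened version."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class Alert:
    alert_id: int        # sequential row id: fine in a database, not as a bare capability
    owner: str           # the customer the alert belongs to
    body: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample store: two customers of the same bank.
ALERTS = {
    1: Alert(1, "alice", "Balance below $100"),
    2: Alert(2, "bob", "Withdrawal of $2,400 at ATM"),
    3: Alert(3, "alice", "New payee added"),
}


def get_alert_vulnerable(alert_id: int) -> Optional[str]:
    # Resolves the alert from the number in the link and nothing else, so
    # the number alone is the authorization: the flaw described above.
    a = ALERTS.get(alert_id)
    return a.body if a else None


def build_alert_link(alert: Alert, base: str = "https://bank.example/alerts") -> str:
    # The emailed link carries an unguessable token alongside the id.
    return f"{base}/{alert.alert_id}?t={alert.token}"


def parse_alert_link(link: str) -> Tuple[int, str]:
    u = urlparse(link)
    alert_id = int(u.path.rsplit("/", 1)[-1])
    token = parse_qs(u.query).get("t", [""])[0]
    return alert_id, token


def get_alert_hardened(current_user: str, alert_id: int, token: str) -> Optional[str]:
    # current_user comes from the authenticated session, never from the URL.
    a = ALERTS.get(alert_id)
    # One response for "no such alert", "not yours" and "bad token", so the
    # reply does not reveal which ids exist or who owns them.
    if a is None or a.owner != current_user:
        return None
    if not secrets.compare_digest(a.token, token):
        return None
    return a.body
```

The ownership comparison is the fix the post is really about; the token is a second layer that protects the link itself in case the email is forwarded or the session check is ever bypassed. Logging the `None` outcomes by session gives a simple detection signal for someone walking through ids.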

The guy who found it tried to get Fiserv’s attention (one more time a company’s incident response process failed), then reached out to Brian Krebs. Brian, whose website attracts almost a million unique visitors a month, tested the flaw by opening bank accounts at a couple of small banks and trying it out.

While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.

After Krebs reached out to Fiserv (it is amazing what happens when you tell a company’s PR department that you are going to tell a million people that their security sucks), Fiserv developed a patch within 24 hours. They deployed the patch to their cloud customers that day and their non-cloud customers that night.

So what does that mean for you?

First, Fiserv does get some brownie points because once Brian Krebs contacted them, they developed a patch basically instantly.

On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you who to contact, or how, in case of a security issue.

For your company, how would a security researcher or a user know how to report a security problem?

If it isn’t very simple, you need to fix that. It could be as simple as a link on the “contact us” page.

Next, how come when the guy who found it reported it, it did not get escalated to the right group? Is this a training problem? How would that work in your company? Train people: report it to the incident response team. Do not overthink it. JUST REPORT IT. This is shades of the DNC hack. We don’t want people to overthink it; just give the incident response team whatever information you have and let them handle it from there.

Web sites will have bugs. How you deal with them, and how quickly, is what can distinguish you from the next guy.

Source: Krebs On Security.
