Patching is Critical

Three news items today – different platforms, but one common message.

#1 – A new iPhone passcode bypass was found within hours of the release of iOS 12.1.  This follows on from the passcode bypass fixed in 12.0 and another iPhone passcode bypass in 12.0.1.  As iOS becomes more bloated (or feature rich, depending on your perspective), more bugs are likely to appear (source: The Hacker News).

#2 – Microsoft quietly patched a bug in Windows 10 that allowed certain Universal Windows Platform applications that had certain permissions to access users’ files without their knowledge.  The update changed the default for the “broadFileSystemAccess” permission to OFF.  Up until now, it was ON by default.  Users may need to turn it on selectively now, if they feel that is safe (Source: The Hacker News).

#3 – Researchers tattled on Microsoft regarding a bug or feature in Word 2016 and earlier versions that allows a hacker to abuse Word’s (bloated?) feature that allows you to embed online videos.

Since a Word file is really a zip file, all a hacker has to do is embed a video link, such as to YouTube, and then open the zip file separately outside of Word.  The zip file contains an XML configuration file that contains the embed code.  A hacker could edit that code and put in any link or JavaScript that the hacker wanted, and that code would be silently executed when you open the document and click on the video.

The researchers gave Microsoft 90 days to fix the bug.  Microsoft says that they think it is a feature.  It likely is a feature, but a really poorly designed one.

Enterprise admins should update their anti-malware software to BLOCK any Office documents that contain the embedHTML tag.

Unfortunately, now that the cat is out of the digital bag, hackers will be looking at other similar ways to infect your users’ computers (Source: The Hacker News).
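The blocking advice above is easy to implement yourself, because a .docx is just a ZIP container of XML parts. The following Python script is an added example (not code from the post or from Microsoft) that opens a document as a ZIP archive and flags any XML part carrying the embed marker. It assumes the marker can appear as the post’s spelling “embedHTML” or as the attribute name “embeddedHtml” that Word uses for online video, so it matches both case-insensitively; the sample document it builds in memory is a constructed stand-in, not real Word output.

```python
import io
import re
import zipfile

# The post says to block documents containing the "embedHTML" tag. Word's own
# markup uses the attribute name "embeddedHtml"; this pattern matches both
# spellings, case-insensitively (assumption: tooling and writers vary).
EMBED_PATTERN = re.compile(rb"embed(?:ded)?html", re.IGNORECASE)


def find_embedded_html(docx_bytes):
    """Return (entry_name, snippet) for every XML part in the .docx container
    that carries an embedded-HTML marker.

    The embed code lives in an XML part inside the ZIP, so every XML entry is
    inspected rather than only word/document.xml.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(".xml"):
                    continue
                data = zf.read(info.filename)
                for m in EMBED_PATTERN.finditer(data):
                    start = max(0, m.start() - 40)
                    snippet = data[start:m.end() + 80].decode("utf-8", "replace")
                    hits.append((info.filename, snippet))
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy .doc, truncated download, etc.):
        # nothing to inspect here, so the caller decides what to do with it.
        return []
    return hits


def should_quarantine(docx_bytes):
    """Policy from the post: any document with the embed marker is blocked."""
    return bool(find_embedded_html(docx_bytes))


def make_sample_docx(with_embed):
    """Build a minimal fake .docx in memory (constructed sample, not a real
    Word document; the markup only imitates the shape of WordprocessingML)."""
    body = b"<w:document><w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p>"
    if with_embed:
        body += (
            b'<w:p><w:r><w:object><wp15:webVideoPr '
            b'embeddedHtml="&lt;iframe src=&quot;https://video.example/&quot;&gt;" '
            b"/></w:object></w:r></w:p>"
        )
    body += b"</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = make_sample_docx(flag)
        print("embed" if flag else "clean", "->",
              "QUARANTINE" if should_quarantine(sample) else "allow",
              find_embedded_html(sample))
```

Run it against a directory of incoming attachments and quarantine anything for which `should_quarantine` is true; the returned snippet tells the analyst which part of the document tripped the rule.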

So what is a user – or system admin – to do?

The first thing to do is to make sure that your patch management process is working.  That does not just mean your operating system patches, but also every single application installed on every computer.  Office is high up on that food chain, but things like Acrobat are targets too.  Adobe released 47 patches to Acrobat this last month that they rated CRITICAL; 46 of them allowed for REMOTELY executing arbitrary code if you use Acrobat to open PDFs in your browser.  Foxit, an Acrobat replacement, released 116 patches this month.  The numbers are insane.

If you look at all of your computers, you are running way more applications than you think you are – likely hundreds – probably many hundreds.  And it does not matter if you are using the apps.  In fact, unused apps are worse, because you are less likely to patch them.

IN FACT, YOU SHOULD MAKE IT A PRACTICE TO UNINSTALL ANY APPS THAT YOU DON’T NEED.

The second thing to do, and it can be time consuming, is read security intelligence alerts such as this blog and our separate client alerts.  You have to know at least as much as the bad guys.

Sorry there is no easy fix!


FCC Continues to Support Network Providers at the Expense of Consumers

In general, the U.S. ranks below many third world countries in the speed, quality and cost of Internet access.  If you ask your neighbors what they think about the price, speed and customer service of their internet provider, you will generally not get a positive answer.  My brother lives in Europe and his internet connection is 50 times faster than mine is here and he pays less than half of what I pay.  That is a 100 to 1 ratio.

Some cities have attempted to fill this vacuum by building their own network for Internet services.   While the number is small (about 750 cities) compared to the number of cities in the U.S., cable companies are not happy about the competition.

Therefore, it falls on the FCC to protect those cable companies’ interests by saying that local community owned Internet services are a threat to free speech.  Really, FCC commissioner Mike O’Rielly actually said that in a speech.

As is often the case with Washington, he gave zero evidence to support that claim.  That is a big surprise.  But at least a few people will believe him.

Recently the FCC reversed its own net neutrality regulation, saying that it didn’t have the authority to issue the order, and when 38 states started issuing similar orders, it said that the states didn’t have the authority to do that; only it had that authority.  Confused?  Me too.

So now the FCC is saying that when local cities work to solve local problems (poor or non-existent internet services), it is a threat to the First Amendment.

The only remote connection is one university paper that says the same thing, also with no evidence.  The issue at hand is the pretty universal statement in almost all ISPs’ terms of service that says they can kick you off the network if you threaten violence or spew hate speech.  The Pittsburgh synagogue shooter used an online service called Gab to promote the killing of all Jews and, not surprisingly, Gab’s ISP kicked it off when the fact became public and threatened its reputation.  PayPal refused to process its credit card transactions and its domain name provider won’t host its domain.  None of these are community run, but I don’t hear the FCC whining about them.  In fact, as of today, no ISP is willing to host them and they are off the air for now.  ISPs create terms of service that reflect community norms and have the ability to drop customers who violate those standards.

What is not clear is why the FCC is so anti-consumer at this point.  It kind of makes you wonder if there is money involved.  And not in a good way.  Information for this post came from Motherboard.


Picture of the Week – Some Windows 10 Users Got Quite a Surprise

Microsoft got into a bit of trouble earlier this month when some folks who installed the Windows 10 update got a bit of a surprise when it deleted all of the users’ documents.  It took Microsoft a while to admit that it was their fault, thereby increasing the damage, but they did remove the offending update from the download.

Microsoft did help people who lost all their files, but there was no guarantee of recovering anything and Microsoft isn’t liable if they can’t recover your stuff.

Moral of the story: HAVE GOOD BACKUPS!

News Bites for the Week Ending October 26, 2018

Poorly Secured Family of Adult Web Sites Leak Account Info

For those people who can think back to the hack of the Ashley Madison web site, this is kind of deja vu all over again.

100 megabytes of user authentication data was leaked – user names, IP addresses, passwords and email addresses.  Not THE most sensitive data, but most people who visit adult web sites do not advertise that fact.  But there is more.

One surprise is that there were OVER ONE MILLION email addresses compromised.

Along with, apparently, pictures that some people uploaded to some of the sites.  Suffice it to say those pictures are not of sunsets over the beach.

The owner of the 8 sites took the sites down almost immediately and told people to change their passwords.

One disappointing feature of the sites – the passwords, while encrypted (or technically hashed), were hashed with an algorithm over 40 years old that can be easily cracked.

All this does point out the dangers of posting data and pictures to the web – YOU don’t understand what their security practices are like.  It also points out that web site owners need to get a security review of their web site from time to time to make sure that they’re not using 40 year old insecure algorithms.  Source: Ars Technica.

Saudis “buy” Twitter Employee to Spy on Dissidents

The Saudis do not need any more bad news, but they are getting it anyway.  The Times has reported that the Saudis “groomed” (maybe bribed or blackmailed) a Twitter employee to feed them dirt on Saudi dissidents.  In addition, the Saudis, like the Russians, have mounted a huge disinformation campaign.  Social media has a huge challenge and no easy answers.  Source: The Hill.

NY Times Reports US Begins First LIMITED Cyber Ops Against Russia

In spite of the fact that President Trump says that the Russians are not hacking our elections, the United States Cyber Command is targeting Russians to stop them from interfering with the elections.  The campaign started in recent days.

The campaign comes after the Justice Department released a report last Friday outlining a Russian campaign of information warfare.

Not surprisingly, the Pentagon is not talking much about this – just like they would not talk about any spy activities or activities that would likely be considered illegal, aggressive or an act of war by the targeted countries.

Interestingly, the story says that the actions are “measured” and much less than what the Russians are doing.  Why?  Because they are worried that Russia might take down the US power grid or carry out some other major cyber attack.

That is not comforting.  Source: NY Times.

UK Grocer Morrisons Loses Appeal of Breach Class Action

This is the UK and not the US, but still, this is interesting.  A disgruntled employee downloaded data on 100,000 employees, leaked it to the press and posted it online.  The leaked data included salary and bank account information.

Morrisons was sued not surprisingly but, somewhat surprisingly, lost.  Morrisons appealed the court verdict, but lost the appeal.  They now plan to appeal to the UK Supreme Court.

If they lose there, it will mark a turning point in security law.  The company maintains that they did nothing wrong and it was a rogue employee who leaked the data.  The employee is now in jail.  The court says Morrisons is responsible anyway.  Stay tuned, because if the courts hold that companies are responsible for the unauthorized actions of their employees, boy oh boy.  Source: BBC.

Yahoo Settles One More Lawsuit for $50 Mil Plus Credit Monitoring for 200 Million

As Yahoo continues to feel the fallout from its data breaches in 2013-2014 that it failed to disclose, they agreed to another settlement covering 1 billion of the 3 billion users affected.

For this suit, they will pay $50 million, split between Verizon and Altaba (the company that controls what is left of Yahoo) and provide credit monitoring for 200 million people for 2 years.  Add to that $35 million in legal fees.

This, of course, is not the end.  It is only one lawsuit of many plus fines from regulators. Stay tuned for further settlements. This really poorly planned strategy of Marissa Mayer to hide the breach may wind up costing Yahoo and Verizon a billion dollars.  Source: Seattle Pi.

Score One For the Right to Repair Movement

Every three years the Librarian of Congress gets to arbitrarily decide who is breaking the law and who is not.  Really.  Specifically, he or she gets to decide to whom, and why, the Digital Millennium Copyright Act (DMCA) applies.

Every three years, those people who got an exemption before have to go back to the Librarian and ask, again, mother may I?

One example is that the Librarian said that you can circumvent encryption and DRM tools to jailbreak your phone.

Another exemption allows educators to use encrypted DVDs (and break that encryption) in certain educational settings.

None of this gives you the tools to actually do it, but they can’t put you in jail or fine you millions of dollars if you succeed.

The newest addition to the list of approved exemptions from DMCA is for the right to repair movement, a growing group that says that people should have the right to repair things that they bought like cars, iPhones and tractors.  John Deere, for example, said that while a farmer bought the metal pieces of that million dollar combine, they do not own the software that actually makes it work when you turn it on, and if you don’t let an authorized John Deere mechanic fix it, they will try to sue you into oblivion.

Now people can try to fix their cars, tractors, iPhones and other devices.  It doesn’t mean that the manufacturers will help you – it just means that they can no longer sue you.  Source: Motherboard.


Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true and they cause enough grief out there like last year when they took down parts of Amazon and Twitter (and hundreds of other sites)  when malware attacked these poorly protected devices and used them as a zombie army.

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems or ICS.  A piece of this is SCADA systems.  These systems control things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and, to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, cannot be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross your fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding and power plants and generators and Nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected?  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did?  Or didn’t?  What they changed?  Or deleted?  What they stole?

All of this has to be done quickly.  Sometimes.  With good hackers.  They may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.


Smart Home Manufacturers Won’t Say if They are Giving Your Data to the Feds

From a sales and branding perspective, the last thing that smart home device manufacturers (think Amazon Echo, Google Home, Apple HomePod and a raft of others) want you to worry about is whether the Feds are snarfing up your data.

We do know of a few highly publicized cases like asking for smart water heater data in a murder case, Fitbit data to charge a 90 year old man with murdering his stepdaughter and a few others, but at least as far as media coverage is concerned, this has not been in the news much.

So Tech Crunch went to a number of players to ask them.  Here is some of what they got:

  • Google’s Nest says it has responded to government requests about 300 times (a pretty small number) since 2015 and has not received any national security letters.  Yet.  Google is the only vendor that currently publishes numbers.
  • Amazon won’t say.  They are burying the requests for Echo data deep in other reports so you can’t tell, and have no plans to impact sales by telling you.
  • Facebook also says that it will bury the data for its Portal device and wouldn’t say if it will ever break that data out.
  • Google would not comment on requests for Google Home data and instead tried a sleight of hand and said “look at our Nest data”.
  • Apple said there would be nothing to report regarding HomePod because all requests are given a random identifier (such as an IP address?   Nice try Apple!) that can’t be tied to a person.  An IP address might not tie directly to a person, but it does tie directly to a household.
  • Ring refused to answer the question and said they require a legal demand.

Bottom line, everybody is dodging and weaving, so I think it is reasonable to assume that the cops are asking them for data.  Probably a small amount right now because smart homes are still a very small niche, but as it goes more mainstream, expect more requests.  And, probably, no more transparency, at least at first.

So what should you do?

The first question is, do you care?  The second is, well, exactly what data are they collecting?  We know a couple of TV makers (Vizio and Samsung, I think) paid multi-million dollar fines for snooping.

Will vendors decide to collect more data or less data over time?

We don’t know and the vendors aren’t saying.  Assume the worst.  Probably a safe bet.

Assuming you care, there are limited things that you can do.

For things like smart TVs, there is no easy way to turn recording of you off.  Vizio was required to notify customers that they should not say anything sensitive in the same room as the TV.  So, watch TV in silence.

Check for devices with on-off switches.  Check the vendor’s policy statements.  That’s not a guarantee of anything, but better than nothing.

Of course there is the nuclear option – again assuming that you care – do you REALLY need your refrigerator telling you to get milk?  Maybe?  But maybe not!  If you don’t, then turn the smart device into a dumb device.  If you don’t connect the device to the Internet, it cannot blab.

Information for this post came from Tech Crunch.