Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would rein in some of its badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate.  Not only did this shut down the Facebook Research app, but it also shut down any iPhone apps that Facebook was using internally to run its business.  This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month is a fair trade, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.


Do You Have Cyber-Risk Insurance? Enough?

A recent study estimates that a coordinated global cyber attack (think Wannacry, but not geographically bounded) could cause economic damages of between $85 billion and $193 billion.

The investigation was conducted by Lloyds of London and Aon Insurance as a “stress test” of the industry.

Claims would likely include everything from business interruption to incident response costs.

Total claims estimated to be paid by the insurance companies range from $10 billion to $27 billion.

That means that industry is on the hook for between $75 billion and $166 billion.

That is going to come out of victim companies’ checkbooks.

Are you ready to write a check for $166 billion?  How about $75 billion?

They estimate the biggest losses would be in retail, healthcare, manufacturing and banking.

Countries that are more service oriented – like the United States – would suffer more damage and have higher losses.

So there are a couple of questions –

  1. Do you have cyber insurance?
  2. Do you have enough cyber insurance?
  3. Can you make up the loss shortfall out of your checkbook?

One last thought.  Are you sure that the coverage that you do have matches the risk that you are exposed to?  Given that every policy is different, you might want to look into that too.  We can help.

Information for this post came from Reuters.


Managing Supply Chain Risk

Supply chain risk is a hot button right now and getting hotter.

It has always been an issue – it was the source of the Target breach, the Home Depot Breach, Panama Papers and thousands of others that you never heard about.  According to a Ponemon study, 56% of organizations admit that they had a breach caused by one of their vendors.

According to that study, the average number of vendors a company is sharing sensitive data with is 471 and only 35 percent of the companies had a list of all of the vendors that they were sharing data with.

The problem doesn’t stop when you terminate a supplier relationship because they do not delete all of your data when you go away.  They keep it.

Add to that the fact that only 18 percent had a handle on fourth party risk – the risk that comes from your third parties using their own third parties.

Regulators are starting to deal with it.  New York is requiring financial service providers to actively manage it and it is not easy.

GDPR also holds companies responsible for what their vendors do with their data, so if you do business in Europe, that is another concern.

Expect regulators to add more third party risk management to their requirements over the next few years.  Colorado just did that.

Supply chain risk not only includes vendors that provide services to your company, but also hardware vendors and software providers.  Each purchased device, each downloaded application needs to be vetted, and monitored for potential security risks, and all patches have to be up to date.

The Magecart malware in the Magento Open Source eCommerce software has allowed hackers to steal millions of credit cards.

Supply chain risk not only puts your client’s data at risk, but also puts your own intellectual property at risk.  When the hackers come, they take everything.

Cloud service providers add their own risks.  Recently researchers were able to compromise at least a half dozen large web hosting providers.

And professional service providers – accountants, lawyers, analytics providers and many others add their own risk to the mix.

So what do you need to do?

Kind of like when alcohol gets out of control, the first step is admitting that you have a problem.

The biggest suppliers are likely not the biggest risk.  They often have robust security programs, but even when they do, those sometimes fail.  Think about Equifax.

We are seeing more CONTRACTS requiring supply chain risk management.  Vendors may be asked to self assess or use third party risk vendors like CyberGRX, Vendorly or others.  And there are vendors that provide security scores such as Bitsight and Security Scorecard.

Companies need to up their game when it comes to supply chain risk – because the bad guys have already done that.

Information for this post came from CSO Online.


Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.


NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by an Austrian privacy activist and lawyer who has long been a thorn in Facebook’s side, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB.


Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year.  The code works on ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to WiFi.  Affected devices include the Sony Playstation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source: Helpnet Security.


Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhones (and other i-devices) that include several remote code execution bugs (vulnerabilities that can be exploited remotely) including FaceTime, Bluetooth and 8 bugs in the Webkit web browser.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

The macOS had similar patches since much of the same software runs on the Mac, but there were Mac unique bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed.  It is not clear who owns the data belonging to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company Rocktop owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.


Ballistic Missiles Headed to Los Angeles, Chicago and Ohio

Imagine watching TV one day and hearing an alert that says that ballistic missiles were headed from North Korea to Los Angeles, Chicago and Ohio.  The alert said that people had three hours to evacuate.

Ignore for the moment the fact that Russian TOPOL ballistic missiles can travel at up to 15,000 MPH, so it would cover the 6,000 miles from Korea to the U.S. in much less than 3 hours.

In this case, the bigger issue was that the football game on TV was not interrupted and there was nothing on CNN.  That’s when the family that heard the message freaked and eventually figured out that the so called alert was coming from their NEST surveillance camera on top of the TV.

Google, which owns NEST, said that it was the family’s fault – probably not changing the default password.

So what should you be doing?

This is part of a bigger problem with Internet of Things security, which currently is a disaster.  IoT security in general is really poor and people are buying IoT devices and not securing them.

First thing, I would reconsider placing a surveillance camera in your living room on top of your TV or in your kid’s bedroom.  I have heard horror stories of people doing that and pervs watching their kids doing who knows what while wearing …  After all, people are not always fully dressed inside the house.

Google laid the blame for this on the owner.  Said they should use two factor authentication.  How many people understand that?  I looked at the NEST camera installation page on their web site (here) and do not see anything obvious about turning on two factor authentication.  Why?  Because it complicates things which means more support calls which means lower profits, so I think NEST is being disingenuous here.  Gee, that is a surprise.

All IoT vendors need to step up to the plate when it comes to security, making it as easy as possible and understanding that they might get more support calls.  California just passed an IoT security law that will require vendors to improve security if they want to sell their devices in California.

On the other hand, consumers who buy IoT devices need to understand that they are responsible as well and take appropriate steps, even if that means a little more work for them.

In this case, this one family had 30 minutes of freak-out time.  It could have been a lot worse.  Source: CSO Online.


DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if the agency blows off DHS, which many do on a normal day.  Under the current circumstances, likely even more will do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS is admitting to at least 6 agencies who have had their DNS records hijacked.  Likely there are more;  some of whom do not know that they have been hijacked for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are GoDaddy, Wix, Hostgator, 1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources.
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitor’s credentials or install malware on visitor’s computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.
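The second and third items above (DNS records unchanged, no certificates you did not request) are the ones you can check mechanically. The script below is an added example, not code from the post, from CISA or from FireEye: it compares a known-good baseline of DNS records against what currently resolves and flags certificate-transparency entries covering the domain whose serial numbers the owner never requested. All domain names, IP addresses, issuers and serials are constructed sample data; in practice the "current" side would be filled from live resolver queries and a CT log search.

```python
"""Detect DNS-record drift and unexpected certificate issuance for a domain."""
from typing import Dict, List, Set, Tuple

# Constructed baseline: the records the domain owner knows are legitimate.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.test", "A"): {"198.51.100.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("mail.example.test", "A"): {"198.51.100.25"},
}

# Constructed "live" answers: the mail host now resolves elsewhere and a
# hostname nobody created has appeared (both typical of a registrar takeover).
CURRENT: Dict[Tuple[str, str], Set[str]] = {
    ("example.test", "A"): {"198.51.100.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("mail.example.test", "A"): {"203.0.113.77"},
    ("webmail.example.test", "A"): {"203.0.113.78"},
}


def dns_drift(baseline, current) -> List[str]:
    """Return one finding per (name, type) whose value set differs from baseline.
    Missing keys count as an empty set, so added and removed records both show up."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(current)):
        before = baseline.get((name, rtype), set())
        after = current.get((name, rtype), set())
        if before != after:
            findings.append(f"{name} {rtype}: baseline={sorted(before)} current={sorted(after)}")
    return findings


# Constructed certificate-transparency entries: issuer, covered names, serial.
CT_ENTRIES = [
    {"issuer": "Example CA", "names": ["example.test", "www.example.test"], "serial": "01"},
    {"issuer": "Other CA", "names": ["mail.example.test"], "serial": "02"},
]
KNOWN_SERIALS = {"01"}  # serials of certificates the owner actually requested


def unexpected_certs(entries, known_serials, domain) -> List[dict]:
    """Certificates covering the domain or any sub-domain that the owner never requested."""
    def covers(name: str) -> bool:
        return name == domain or name.endswith("." + domain)
    return [e for e in entries
            if any(covers(n) for n in e["names"]) and e["serial"] not in known_serials]


if __name__ == "__main__":
    for line in dns_drift(BASELINE, CURRENT):
        print("DNS drift:", line)
    for cert in unexpected_certs(CT_ENTRIES, KNOWN_SERIALS, "example.test"):
        print("Unrequested certificate:", cert["issuer"], cert["names"], cert["serial"])
```

Run against the constructed data it reports two drifted records (the changed mail A record and the new webmail host) and one certificate for mail.example.test that nobody requested.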


Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.
