New Business Email Compromise Scam Variant

Some of the most popular business email compromise scams (BEC) target accounting and finance or human resources.

The scam usually works something like this.  Someone in the target department – often not too high up in the food chain – gets an email pretending to be from an executive like the CEO or CFO.

The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.

The mid-level person, wanting to please the executive and being told that there is urgency, quickly processes the request without the normal thought process.

Over the past couple of years, this has led to billions of dollars of losses, but companies have been doing extensive employee training so this attack is not working as well as it used to.

So now a new attack method has been added to the mix.

Steal the credentials of employees, log on to the HR platform and change the direct deposit information.  The employee is completely unaware of this until they don’t get paid.  The attacker has already emptied the account by the time that the employee talks to HR.

Now the company has a problem:

  1. Do they believe the employee that he or she didn’t change the direct deposit instructions?
  2. The employer did nothing wrong, so do they just eat the loss and pay the employee twice?

I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.

If that vector doesn’t work, target the HR employee.  Using that account the attacker could change several paychecks at once and get a bigger payday.

Or both.

There are a number of things that an employer can do to protect themselves and their employees.

First of all, if you do not have two factor authentication in place, do that now.  If you are using an outsourced Payroll/HR system and that vendor doesn’t support two factor authentication, “encourage” them to do that by including a contract clause to make them financially liable for any losses caused by their lack of two factor authentication.

Geofencing is the technology that restricts access to your HR system to a limited geographic area.  For example, if your company only operates in the continental U.S., block access from any I.P. address outside the U.S.  While this is not perfect, it does make it harder for the hackers.

Finally, generate a report just before the payroll run (assuming the hackers will try to make changes at the last minute so that it can’t be undone in time) of all direct deposit changes during that pay period.  If the number of changes or the location of changes or anything else seems out of whack, sound the hacker alarm.
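The pre-payroll review described above, written out as an added example (this is not code from the original post or from any payroll vendor). It assumes the HR system can export each direct deposit change with the employee, the account that made the change, a timestamp, the country the change came from and the new destination account; those field names are assumptions. The sample records are constructed. Beyond the count and location checks the post mentions, it also flags one HR account changing several employees at once (the second vector described above) and several employees being pointed at the same new account.

```python
"""Pre-payroll direct deposit change review (added example, not from the post).

Flags changes by source country, by timing relative to the payroll cutoff,
by the number of employees one actor changed, and by several employees being
redirected to the same destination account.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample export; the field names are assumptions for this example.
# changed_by == employee_id means the employee used self-service;
# anything else is an HR account acting on the employee's record.
SAMPLE_CHANGES = [
    # Ordinary self-service change, days before the cutoff.
    {"employee_id": "E1001", "changed_by": "E1001", "changed_at": "2019-01-10T09:12:00",
     "source_country": "US", "new_account": "ACCT-7781"},
    # Self-service change from outside the allowed countries, the night before payroll.
    {"employee_id": "E1002", "changed_by": "E1002", "changed_at": "2019-01-17T23:41:00",
     "source_country": "NG", "new_account": "ACCT-5520"},
    # One HR account changes three employees in a few minutes, all to the same account.
    {"employee_id": "E1003", "changed_by": "HR-ADMIN-2", "changed_at": "2019-01-18T07:02:00",
     "source_country": "US", "new_account": "ACCT-5520"},
    {"employee_id": "E1004", "changed_by": "HR-ADMIN-2", "changed_at": "2019-01-18T07:04:00",
     "source_country": "US", "new_account": "ACCT-5520"},
    {"employee_id": "E1005", "changed_by": "HR-ADMIN-2", "changed_at": "2019-01-18T07:05:00",
     "source_country": "US", "new_account": "ACCT-5520"},
]

PAYROLL_CUTOFF = datetime(2019, 1, 18, 12, 0)  # constructed cutoff for the sample


@dataclass
class ReviewResult:
    total_changes: int
    flags: dict = field(default_factory=dict)  # employee_id -> list of reasons
    alarm: bool = False


def review_direct_deposit_changes(changes, cutoff, *, allowed_countries=frozenset({"US"}),
                                  expected_per_period=2, last_minute=timedelta(hours=24),
                                  max_per_actor=1):
    """Return a ReviewResult for the changes made during one pay period."""
    result = ReviewResult(total_changes=len(changes))
    # How many distinct employee records each non-self actor touched this period.
    by_actor = Counter(c["changed_by"] for c in changes if c["changed_by"] != c["employee_id"])
    # How many employees now point at each destination account.
    by_account = Counter(c["new_account"] for c in changes)

    for c in changes:
        reasons = []
        when = datetime.fromisoformat(c["changed_at"])
        if c["source_country"] not in allowed_countries:
            reasons.append(f"source country {c['source_country']} outside the allowed set")
        if timedelta(0) <= cutoff - when <= last_minute:
            reasons.append("changed within the last-minute window before the payroll cutoff")
        actor = c["changed_by"]
        if actor != c["employee_id"] and by_actor[actor] > max_per_actor:
            reasons.append(f"actor {actor} changed {by_actor[actor]} employees this period")
        if by_account[c["new_account"]] > 1:
            reasons.append(f"account {c['new_account']} is now the destination for "
                           f"{by_account[c['new_account']]} employees")
        if reasons:
            result.flags[c["employee_id"]] = reasons

    # Sound the alarm on any individual flag or on an unusual volume of changes.
    if result.flags or result.total_changes > 2 * expected_per_period:
        result.alarm = True
    return result


def run_sample():
    """Review the constructed sample against the constructed cutoff."""
    return review_direct_deposit_changes(SAMPLE_CHANGES, PAYROLL_CUTOFF)


if __name__ == "__main__":
    r = run_sample()
    print(f"{r.total_changes} changes this period, alarm={r.alarm}")
    for emp, reasons in r.flags.items():
        print(emp, "->", "; ".join(reasons))
```

Run it just before the payroll job; the thresholds (allowed countries, expected changes per period, the last-minute window) are the knobs to tune to your own history, and a hit is a reason to confirm the change with the employee out of band before the run, not to silently revert it.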

And of course, educate people.

None of these changes should be particularly expensive or hard to do and could save you significant pain.

Source: Helpnet Security

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not sure what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000.  We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of Del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion), retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for Apple since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.  Given that an iPhone XS Max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (Source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).


Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hosters’ systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.  It is reasonable to assume that if these holes were found, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.


eCommerce Sites Hacked by Their Ads

The Magecart malware has stolen credit card information from such high profile web sites as British Airways,  Ticketmaster and Newegg.

The malware works by inserting a little bit of code – usually Javascript – into the page(s) of a web site that collects credit card information.  When a customer visits that page the malware collects the credit card data, usually encrypts it and then sends it on to the attacker.

Sometimes the hackers break into the target website and insert the code but other times they compromise software libraries that web site developers use.

Now there is a new version of the Magecart malware.

Instead of infecting the website, this version infects the advertisements that run on those websites.

The ads get inserted when the web page is delivered and the malware is unleashed.  The credit cards are stolen in the same manner as the other attacks.

The reason that this is attractive to hackers is that if you can infect the advertising software you will be able to attack hundreds, thousands or even more web sites at once.  To a hacker, that is nirvana.

What is depressing to the merchant is that the attack is not under their control because they don’t have any visibility into the ads that are shown on their websites.  For more details on how the attack works, visit the link at the end of this post.

So what is a merchant to do?

There are some things that you can do.

If you run a web server, most data transfers should be as a result of responding to an inbound request from a potential customer.  

When the hacker sends the credit card data to its collection machine, it is initiating an outbound session that isn’t based on a customer request.  Those should be blocked or at least scrutinized.

Also you can look at the metrics of how much data you send in response to a customer request.  If the hacker is moving data in large blocks, that might be a tip off.

The hackers could send the data to a server in the US or at Amazon, but they also might send the data to a server offshore.  Unless your business is international, you should block those offshore connections, and if your offshore business is limited – say to Europe – then block connections to Africa and Asia.

Finally, check your code and query the ad networks that you use.  Everyone should be sensitive to the issue and if you don’t get an answer that you like, there are other ad networks.
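The three network checks above (server-initiated outbound sessions, unusually large transfers, offshore destinations) run over a constructed flow log, as an added example that is not code from the original post or from the Bleeping Computer article. The key=value log format, the field names, the egress allowlist and the list of served countries are all assumptions; a real firewall or NetFlow export would look different, but the logic is the same.

```python
"""Egress review for a web server that handles card data (added example, not from the post).

Flags outbound sessions the server opened on its own, destinations outside the
business's regions, and transfers far larger than a normal response to a customer.
"""
import re
import statistics

# Constructed sample flow records in an assumed key=value format.
#   initiator=client : a visitor opened the connection and the server is responding
#   initiator=server : the server itself opened an outbound connection
#   bytes_out        : bytes the server sent on that connection
SAMPLE_FLOWS = """\
ts=2019-01-16T10:00:01 initiator=client peer=203.0.113.10 dport=443 bytes_out=18200 peer_cc=US
ts=2019-01-16T10:00:04 initiator=client peer=203.0.113.44 dport=443 bytes_out=21000 peer_cc=DE
ts=2019-01-16T10:00:09 initiator=client peer=203.0.113.91 dport=443 bytes_out=17500 peer_cc=US
ts=2019-01-16T10:00:12 initiator=server peer=198.51.100.77 dport=443 bytes_out=2400 peer_cc=US
ts=2019-01-16T10:00:15 initiator=server peer=192.0.2.66 dport=443 bytes_out=950000 peer_cc=RU
ts=2019-01-16T10:00:20 initiator=client peer=203.0.113.12 dport=443 bytes_out=640000 peer_cc=US
"""

# Constructed policy: the only host the server should contact on its own
# (e.g. the payment processor) and the countries the business actually serves.
ALLOWED_EGRESS = {"198.51.100.77"}
ALLOWED_COUNTRIES = {"US", "CA", "DE", "FR", "GB"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one key=value record into a dict; bytes_out becomes an int."""
    rec = dict(FIELD_RE.findall(line))
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def review_egress(log_text, allowed_egress=ALLOWED_EGRESS,
                  allowed_countries=ALLOWED_COUNTRIES, size_factor=10):
    """Return a list of findings, one per suspicious flow, in log order."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]

    # Baseline: the median size of what the server sends back to a customer request.
    responses = [f["bytes_out"] for f in flows if f["initiator"] == "client"]
    typical = statistics.median(responses) if responses else 0

    findings = []
    for f in flows:
        reasons = []
        if f["initiator"] == "server":
            # The server opened this connection itself; that is the exfil pattern.
            if f["peer"] not in allowed_egress:
                reasons.append("server-initiated session to a destination not on the egress allowlist")
            if f["peer_cc"] not in allowed_countries:
                reasons.append(f"destination country {f['peer_cc']} is outside the regions served")
        if typical and f["bytes_out"] > size_factor * typical:
            reasons.append(f"{f['bytes_out']} bytes sent, more than {size_factor}x the "
                           f"typical response of {typical:.0f} bytes")
        if reasons:
            findings.append({"ts": f["ts"], "peer": f["peer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_FLOWS):
        print(finding["ts"], finding["peer"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the sample, the 950,000-byte server-initiated session to an address in Russia trips all three checks, while the large response to a US visitor trips only the size check and deserves a look rather than a block. The size baseline is computed from the log itself so a single quiet day does not skew it; in production you would feed it a longer history.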

Information for this post came from Bleeping Computer.


Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real time location data from a broker for a T-Mobile phone for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who, as Chairman of the FCC, has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump Shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown anyway.  Still, there is no reason not to brief Congress other than that Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell data even though they have promised to stop selling data multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that there are some legitimate services, such as roadside assistance, that need the data and for which other accommodations need to be made.

One source is many of those applications that people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (10 times a minute).

Users have to grant permission for apps to use their location, but as we saw with the City of LA lawsuit against The Weather Channel, many times apps ask for your permission to use your location but don’t clearly tell you what they are using it for or who they are selling it to.

The problem for people that really want your data is that for any given user, they don’t know what apps you have installed or which apps you have given location permission, so their best answer is to buy your location info from a data aggregator if they can’t get it from the cell companies.  

You can and should turn off location services when you don’t need it and review which apps you have given location permissions to see if you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer.


Food Giant Mondelez Sues Its Insurance Company Over “Act of War”

Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that are part of Kraft Foods.

Mondelez, like many other companies, was a victim of the NotPetya attack which turned 1,700 servers and 24,000 workstations at Mondelez into very expensive bricks.

Mondelez’ insurance company, Zurich American, denied the claim and hence the lawsuit, asking for 100 million dollars.

White House estimates of worldwide damage from NotPetya, at the time, were around 10 billion dollars, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.

The Zurich American policy in question offers this coverage:

“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

It seems like this attack meets the requirements of this clause.

BUT, what insurance companies giveth, sometimes they taketh.

Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.

One survey said that companies collectively world wide could potentially claim $80 billion dollars in damages.

Zurich initially offered Mondelez $10 million to settle but then changed their mind.  Why?

Because of another clause in the policy.

There is a clause in their policy (and many others) that has an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power.”  The key phrase here is BY a government or sovereign power.  Not hackers friendly to one.  Not hackers mad at the world.  You get the idea.

Security experts and some governments blamed Russia for the attack.

Russia (of course) denied that claim.

So now, it would appear, it is up to Zurich to prove, based on a preponderance of evidence, that this (a) is a hostile or warlike action – a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system through appeals and (b) that it was done by “a government or foreign power”.  I don’t think it is sufficient to say “well the gov says it is”.

Either way this turns out – and we likely won’t know the final result for years – will have an impact on the insurance industry.  Possibly the two sides will agree out of court, leaving the question unanswered for future claims.

Likely the industry will change the terms of policies long before this is settled and large companies will negotiate terms with insurance carriers – which will affect premiums.

This apparently is NOT a common technique to limit damages according to some sources and was probably precipitated by the size of the check that they might have to write.

Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments.  Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit?  Not clear but stay tuned.  Source: The Register.

Security news for the Week Ending January 11, 2019

Australian Emergency Notification System Hacked

The Australian Emergency Warning Network, run by a private company, was hacked.  The hacker sent out a message that said “EWN has been hacked.  Your personal data stored with us is not safe.  We are trying to fix the security issues.  Please email support at .. if you want to unsubscribe.”

This service seems similar to the CodeRED system that many Colorado cities subscribe to. In Colorado it is a voluntary sign up process.  It seems like that is the case with this one too.

The alerts went out by email, text and voice.  The company shut down the system during the attack to limit the number of messages that went out;  still tens of thousands did go out.

This happened right after the Australian government passed a law requiring companies to create backdoors to their software and make data available to the government on request.  Are these related?  Unknown.  Details here.


Federal Shutdown is Impacting Cyber Defenders

As a follow up to this week’s opinion piece on the Federal shutdown impacting cybersecurity, the Department of Homeland Security cancelled its 2019 Cybersecurity and Innovation Showcase due to the shutdown.  That was supposed to be their largest cybersecurity event of the year.  They said they hope to reschedule it after the government reopens.

The Department of Commerce has also cancelled events and powered down web servers that have cybersecurity standards on them.

DHS’s new cyber security agency, the Cybersecurity and Infrastructure Security Agency (CISA), has furloughed 45 percent of its workforce.  CISA is still manning its “Watch floor” and has some unpaid people who will respond to a major attack on critical infrastructure.

A former attorney at the FTC pointed out the obvious – that “the government shutdown is anxiety inducing, and drives great employees away from government service.”  If it wasn’t bad enough that people who do cybersecurity work get paid less than those doing the same work in the private sector, now they have to worry about getting paid too.  Details here.

Comcast Debuts Xfinity xFI Advanced Security

Comcast announced a new service using the buzzword of the week, AI, saying that their AI powered service is designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home.  It appears to run inside the Comcast router.  A solution like that is a smart way to do it since you do not have to install anything on a device, but it is limited in what it can do since most data is encrypted.

Cost is $5.99 a month, but you have to have the xFi Gateway, which rents for $11 to $13 a month, depending on the market.  Details here.


Coinbase Suspends Ethereum Classic

In the ongoing saga of cryptocurrency attacks, this one creates a new low.

One thing people have always said is that since cryptocurrency uses distributed ledgers, it is immune from people changing history and reusing coins.

W.R.O.N.G.!!!

Multiple sources said that they saw more than 100 ledger blocks “reorganized” (i.e. changed after the fact) – something that should never happen.

Coinbase suspended trading on that particular cryptocurrency.  It is only one of over 2,500 different currencies.

Coinbase said that they saw about 88,000 Ethereum coins being double spent, worth about $460,000, but I saw other reports that said the attack is ongoing and the numbers were much larger.  Source: Coindesk.

Weather Channel (App) Caught Selling User Data Without Permission

The Weather Channel collected user location data under the guise of telling you what the weather is where you are, but in fact, was selling that location data.  The City of Los Angeles is suing them over the misrepresentation.

The NY Times article said that they also sold the data for targeted marketing and to hedge funds for gathering consumer preference information.  The Weather Channel is owned by IBM.

Amazon’s Ring Video Camera Allows Employees in Ukraine Unrestricted Access to All Videos

Let me start by saying that an Amazon spokesperson says that this is not the case, but the Intercept says that multiple former employees say that Ring has given R&D employees in Ukraine, as well as executives and engineers, unrestricted access to all videos, including those from inside your home.  The videos are not encrypted because, they say, that would make the company less valuable.

A Ring spokesperson refused to answer questions about their data security practices but offered a written statement that says that they have strict policies in place for all employees.

After the article was published, Ring tried to do some damage control by still not answering questions, but issuing another email saying “Ring employees never have and never did provide employees with access to livestreams of their Ring devices,” a claim contradicted by multiple sources.

I have a Ring device and was considering buying more.  Not anymore.  Looking for a competitor.

One more time, caveat emptor.  Source: The Intercept.