Now (Some) (Important) Meta Data Can Be Encrypted

Worried about the NSA capturing all that metadata about you?  That is the stuff about you that the government says it can collect without a warrant (and courtesy of the Patriot Act) because you send it unencrypted over the Internet and so you have no expectation of privacy.

A big part of the data (besides the Internet address that identifies you) is the DNS queries that you make.

DNS is the phone book that the Internet uses to map that friendly name like www,foxnews.com to an IP address  like 23.36.10.215 that the Internet can route.

This week Google announced that it’s DNS service (the one at 8.8.8.8) can now handle DNS over TLS (meaning that your queries are encrypted) blinding not only the NSA but also making it more difficult for your ISP to sell your data as well.

Since DNS is used so much, there was a lot of work done to make sure that DNS over TLS was fast, including using TCP fast open, pipelining and supporting out of order responses.

You can use DNS over TLS in one of two ways and the distinction is important.  The first is opportunistic, meaning it will encrypt your data if it can.  The other is called strict, which means that if the receiving server won’t accept encryption, the transmission will fail.

Google made support for it available for Android 9 (Pie) users Yesterday.  Android 9 users will have to make some settings changes to use it.  Users of older phones will have to upgrade.

Cloudflare also supports DNS over TLS and also DNS over HTTPS, an older variant of it, but until the phones support it, it is unimportant what services support.

Apparently iPhone users can do this to, but Apple does not support it natively; you have to do some significant shenanigans to get it to work.

Information for this post came from the Hacker News.

 

 

 

Chrysler Lawsuit Goes to Trial

Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch.  All while the reporter videoed it (see this CBS web page).

Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video was.

According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.

The researchers took over the car via its radio (OK, it is a little more complicated than that;  through the “infotainment” system).  It is all interconnected and there is very little security in it.

Over the last three years this case has been working its way – slowly – through the courts.  The plaintiffs said Chrysler knew about the bug for years but didn’t fix it and Chrysler saying that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.

A year later the researchers figured out how to break through the patch, although that required physical access to the car.

And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in Cruise control mode.  The fix to that is to put the car in Neutral, slow the car with the brakes then put it in park.  That will unlock the cruise control.

You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happens to have wheels and an engine.

At this point the U.S. Supreme Court said that the car owners do have standing.  This is a huge win for attorneys who want to sue over cyber-security issues.

Chrysler says that they are looking forward to the trial (sure they are.  If they were so confident, why have they been fighting to avoid going to trial for the last three years).  They say that none of the class participant’s cars were hacked and the bugs have now, finally, been fixed.  The plaintiffs say that the resale value of their cars has been damaged.

The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.

For businesses, this is yet another step in holding companies liable for software bugs.  Potentially, in this case, bugs that they knew about but did not fix.

Does your insurance cover this?  Is it product liability insurance or cyber insurance?  It is probably not general liability insurance.  Maybe none of them.

This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.

Plaintiff’s attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.

This will definitely be a case to watch and for businesses, time to ramp up the attention on cyber-security,

Details from this post came from The Register.

 

The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now. That alone puts security at a disadvantage.  The TSA has 50,000 agents.  If you assume they have to replace only 25,000 every year, if the shutdown lasts a month and the stats don’t go up, they will have to replace about 2,000 people.  How easy will that be given that the government is/was shut down.  The TSA says that standards won’t suffer, but you can do your own math.

Many so called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security includes 187 departments and several hundred thousand employees.  At least some of them have been furloughed; others are working without pay, while others are looking for other jobs.

Who are the most likely to find other jobs?   Certainly it is not those with the least skills.  When it comes to cybersecurity, it is the ones with the most skills and likely, if they leave, they will get a pay raise.  And, they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.

 

 

News Bites for the Week Ending January 4, 2019

Vietnam’s New Cybersecurity Law in Effect

Vietnam’s new “cybersecurity” law which requires companies to remove any content from the Internet that the government finds offensive went into effect on January 1.

It also requires some companies like Facebook and Google to open offices in Vietnam if they want to continue to do business there.

The law prohibits individuals from spreading anti-government information.  The Vietnam Association of Journalists announced a new code of conduct prohibiting reporters from posting anything on the Internet that “runs counter” to the state.

Google has apparently agreed to open an office there, although they are being somewhat sly about it;  Facebook does not seem to have committed to that.

Companies will need to decide if the income from Vietnam is worth the risk.  Source: South China Morning Post.

 

Android Apps Send Data to Facebook without User Permission

Apparently the Facebook software development kit did not even give app developers the option not to send data to Facebook until a month after GDPR went into effect.

Apps that have not updated their software are likely still sending data, probably without user consent, to Facebook, even if the user does not have a Facebook account.

Some apps send data to Facebook the second they are opened; others, like travel apps, send data to Facebook every time you search for a flight.

Integrating the data from various apps, Facebook could determine your religion (prayer app), gender (period app), employment status (job search app) and travel plans including number of children traveling (travel app).

Example apps are prayer apps, MyFitnessPal, Kayak, Indeed, Spotify, TripAdvisor and others.  The test was against Android apps, so it is not clear if the Apple Facebook library does the same thing.

Facebook admitted that they have a problem. Source: Android Police.

Both Facebook and the app developers could be on the hook for fines of $20 million Euros or more for violating GDPR.

Hackers Leak Private Info on 100s of German Politicians

Hackers leaked sensitive data on German Chancellor Angela Merkel and Brandenburg’s prime minister Dietmar Woidke, along with other politicians, artists and journalists.

Leaked information includes private conversations, photo IDs, credit card information,bills and other personal info.

Germany’s Federal Office of Information Security, who is investigating this said that government computers were not affected.  Other than covering their own butts, it is not clear why they would say that since no one suggested that government computers were being attacked.

This does point out that protecting your phones and tablets by making sure they are patched (many older phones do not have patches available and are therefore vulnerable if people use them to log on to web sites that contain email and other personal info), that applications on them are patched and unneeded applications are removed is very important.  Unfortunately, older devices for which there are no patches should be replaced.  Details here.

 

Lloyd’s of London Denies THEY Were Hacked; Throws Partner Hiscox Under the Bus

As a follow up to a blog post from earlier this week, hackers have now posted a sample of docs related to 9/11 lawsuits reportedly hacked from Lloyds and Hiscox.

Lloyd’s claims that they were not hacked but rather their business partner Hiscox was hacked.

Nice of them proclaim themselves innocent while throwing their partner under the bus.  No doubt this was an effort to divert lawsuits from them to Hiscox.  I will point out that this likely won’t work since a client of Lloyd’s has no agreement with or ability to select or control Lloyd’s vendors.  This is yet another reason why we are so adamant about companies implementing robust vendor cyber risk management programs.  Read details here.

Tens of Thousands of Chromecasts Hijacked; Promote PewDiePie

Hackers have compromised more than 50,000 Chromecast devices, Google Home smart speakers and Smart TVs using Chromecast using a five year old bug that Google knows about but chose not to fix.

The attack puts a warning on the TV that the Chromecast is attached to saying it was hacked.  This obviously is being done to get Google’s attention and not do any damage.  Bad peops may not be so altruistic.

The hack would allow bad guys to collect information like what devices have been connected to your Chromecast or Google home device, which Bluetooth devices it is paired with, play media of the attacker’s choice (including objectionable content), reset or reboot the device, force it to forget all networks or make it connect to new networks.  Probably other stuff too.

This all comes about because the devices are exposed to the Internet using that dumpster fire that Microsoft promoted for years called universal plug and play (UPnP).  UPnP allows a device to open a connection to the Internet via your firewall if the firewall is configured to allow it, WHICH IT SHOULD NOT BE (or at least, that is what I say).

To see if your firewall/router is configured to allow UPnP (note to reader JW–I got your message about tools 🙂 ), go to Steve Gibson’s wonderful site at https://www.grc.com . Unfortunately, I can’t send you a direct link because of the way the site is coded, so once you get to the site do this:

  1. Hover over services at the top of the page and then click on Shields up, which is a great free security tool.
  2. Click on PROCEED.
  3. Click on the big yellow box labelled GRC’s instant UPnP Exposure test
  4. If you get a green box at the end of the test, you are safe.
  5. Anything else and you need to change the configuration of your router or firewall and then retest.  You may need the help of your ISP to fix this.  Hopefully yours will be safe :).
  6. It is important to understand that some games assume that UPnP works, so you will have to manually make a hole in your security for those games, but that, while a pain, is much safer since only you will open holes that might let bad people in.

These folks are the same crowd that hacked 50,000 printers last year.

Both attacks include an ad for YouTuber PewDiePie.

Clearly if they were malicious, this would not be pretty, but now that the cat is out of the bag either throw away your Chromecast devices (not likely) or make the change to your firewall/router.  The next hacker may use those devices to attack the Internet.

If your Chromecast device was exposed because UPnP was on, you may need to contact your support person to help you un-play the device.  It uses ports 8008, 8443 or 8009.

Information for this post came from The Hacker News.

 

Another Law Firm Hacked?

Remember the Panama Papers hack?  11 million documents stolen causing one Prime Minister to resign and another to be fired?  If not, check out an old post here .  That hack caused the law firm of Mossack Fonseca to go out of business.

We it seems that some other firms may be on the wrong end of the hacker’s mouse pointer.

The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents.  It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London.  The group claims to have hundreds of gigabytes of documents.

They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.

They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police.  Now they want more ransom.

The hackers claim to be shopping the data on the dark web.

However, they are very kind.  They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.

You have to admit that it is pretty entrepreneurial.

This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids.  Not necessarily a nice bunch.

The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.

What does this mean for you?

One challenge is that no law firm has admitted to the breach or paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.

It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.

If they do release documents, there is the prospect of collateral damage.  Maybe they will very selectively release documents, but more than likely, since they say they will bury the law firms, they will be less than selective.  In which case, collateral damage is likely.

Now would be a good time to look at your agreements with your various  law firms, no matter who they are.

On the other hand, if you are a law firm, now would be a good time to review your security practices.

Is there anything in writing about cybersecurity requirements?

What about  liability for damages if they get hacked?

Do they have to provide annual third party certification of their cybersecurity practices?

Are they even required to notify you if your stuff is compromised?  (Note that in many cases, the law does not require that).

And, of course, you are dealing with lawyers.  If it is not in writing it will be hard to impossible to enforce.

If cybersecurity requirements are missing, now might be a good time to review and amend your agreement.  In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms.  Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.

If the firms say that you should trust them, tell them that you do.  And you still want it in writing.  Trust, but verify, so to speak.

One thing that we do not know – how many other firms have been hacked and have not said anything about it?  Think about reviewing and changing your law firm agreements as insurance.

Information for this post came from SC Magazine.