Security news Bites for the Week Ending March 29, 2019

We’re From the Government and WE’RE HERE TO HELP YOU!

Well, not really.

We don’t have to worry about the gov being hacked.  They just give our information away.  At least in this case there is no hard evidence that the data was misused.

FEMA hired a contractor to help it find temporary housing for 2+ million people displaced by the recent hurricanes and wildfires.  In order to validate that the people were eligible for assistance, FEMA shared data such as names and the last four digits of Social Security numbers with the vendor.

Unfortunately, they also shared people’s address, bank account number, bank routing number and other financial details.

FEMA’s OIG discovered it and FEMA says they are sorry.

FEMA then conducted an audit of the contractor and didn’t find any obvious signs of abuse/misuse.  They are also fixing the problem.

Hopefully, that is the end of it, but given how much government agencies use contractors, are you betting this situation is unique?

Are YOU oversharing information with third parties? Are you sure?
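The practical answer to that question is an allowlist: decide what the vendor needs, derive only that from the master record, and audit the file before it leaves. The following is an added example (not FEMA's or the contractor's code); the field names, the allowlist and the sample records are all constructed for illustration.

```python
"""Allowlist-based export of records to a third party.

Added example, not FEMA's or the vendor's code. Field names, the allowlist
and the sample records are constructed placeholders.
"""
import re

# Fields the vendor actually needs for an eligibility check (assumed allowlist).
VENDOR_ALLOWLIST = {"name", "ssn_last4", "assistance_id"}

# Fields that never leave the agency, whatever the allowlist says (assumed).
ALWAYS_BLOCKED = {"ssn", "bank_account", "bank_routing", "address"}


def mask_ssn(ssn: str) -> str:
    """Reduce a full SSN to its last four digits ('123-45-6789' -> '6789')."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits[-4:]


def minimize(record: dict, allowlist: set) -> dict:
    """Build the share-able view of one record.

    The full SSN is never copied; it is reduced to ssn_last4 only when that
    derived field is on the allowlist. Everything else not allowlisted is dropped.
    """
    out = {}
    if "ssn_last4" in allowlist and "ssn" in record:
        out["ssn_last4"] = mask_ssn(record["ssn"])
    for field, value in record.items():
        if field in allowlist and field not in ALWAYS_BLOCKED:
            out[field] = value
    return out


def audit_export(rows: list, allowlist: set) -> list:
    """Return every field present in `rows` that exceeds the allowlist.

    Run this over the file you are about to send; an empty list means the
    export carries nothing beyond what the vendor was approved to receive.
    """
    leaked = set()
    for row in rows:
        leaked.update(set(row) - allowlist)
    return sorted(leaked)


def build_export(records: list, allowlist: set = VENDOR_ALLOWLIST) -> list:
    """Minimize every record and refuse to produce an export that over-shares."""
    rows = [minimize(r, allowlist) for r in records]
    leaked = audit_export(rows, allowlist)
    if leaked:
        raise ValueError(f"export exceeds allowlist: {leaked}")
    return rows


# Constructed sample records (not real people or real account numbers).
SAMPLE_RECORDS = [
    {"name": "A. Applicant", "ssn": "123-45-6789", "assistance_id": "X-1001",
     "address": "1 Example St", "bank_account": "000111222", "bank_routing": "999888777"},
    {"name": "B. Applicant", "ssn": "987654321", "assistance_id": "X-1002",
     "address": "2 Example Ave", "bank_account": "333444555", "bank_routing": "111222333"},
]

if __name__ == "__main__":
    print("raw records exceed allowlist by:", audit_export(SAMPLE_RECORDS, VENDOR_ALLOWLIST))
    for row in build_export(SAMPLE_RECORDS):
        print(row)
```

Running `audit_export` against the raw records is the "are you sure?" check: it names exactly the fields (address, bank account, routing number, full SSN) that the story says were shared without need.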


Drones are rapidly becoming a large security risk

Because, at the low end, drones are really cheap and expendable and at the high end, really sophisticated, the bad guys have figured out that they are a great tool to cause disruption and potentially even death.

We saw late last year that rogue drones shut down London’s Gatwick airport.  While this was distressing, what if, instead, a drone hovered over some crowd and released some lethal whatever.  Relatively easy to do and it could cause mass casualties.

While the drone makers are adding no fly zones around places like airports and prisons, users can hack the drone software or pick second tier targets.  Everything can’t be off limits, otherwise the drone business will end.

For very high risk targets, authorities are trying to use military anti-drone technology, but that can’t be deployed to protect every possible target.

Alternatively, drones are great surveillance tools – quietly photographing potential targets and eavesdropping on WiFi signals.

And, there are many more issues – and right now, no good answers.  Source: Threatpost.

Source: ZDNet.


Norsk Hydro says that they lost $40 Mil in the first week alone after the ransomware attack

Norsk Hydro estimates that they lost over $40 million in the first week after the ransomware attack shut down many factories and forced others to run in manual mode.

The good news is that they say they have cyber insurance led by AIG (so apparently multiple interlocking policies to give them more coverage, with multiple providers sharing the risk).  They aren’t saying how much insurance they have, and what the final costs are, including any lawsuits, won’t be known for years.

They believe it will take weeks to repair all of the affected systems, which, actually, is good, scary as that may seem.

Norsk says that they think they have cleaned all of the infected servers and are ready to begin restoring data.

My assessment from a distance is that they appear to have a well designed and well tested INCIDENT RESPONSE PROGRAM.  Still it will cost them tens of millions of dollars – maybe more.

Consider how you would respond to an incident like this.  There is no indication that this was a targeted attack, but rather a random event.

Source: Security Week.


36 New Security Flaws Found in CURRENT Cellular Networks

While the president seems hell-bent on stopping Huawei from becoming an integral part of the worldwide next generation cellular network due to security risks (which is probably not a bad idea, but will have no impact on security for at least 5-10 years, until 5G cellular becomes the norm), the government is doing nothing about the security holes that are affecting us today and will continue to affect us for years and likely decades.

Security researchers from Korea (South, not North) have identified 51 vulnerabilities in the current cellular network, 36 of which were previously unknown.  While they have reported these issues to various parties, it is likely that hundreds of millions of phones and maybe even the network itself will never be fixed.  Source: Computing.

Vendor Risk Management Common Misconceptions

If yesterday’s post (on Asus) and many of my posts in the past are any indication,  supply chain risk is a huge problem and not very well handled at many companies.  Part of the reason why is all of the misconceptions we have.  Here are a few and why they are misconceptions:

The vendor is a large company; surely they have a great security program.

Equifax was a vendor to thousands of companies.  No problem here.

Marriott was a vendor to millions of customers.  Any problems?

The DoD Office of Personnel Management had 25 million customers.

You get the idea.

We haven’t given the vendor any Non-public Personal Information (NPI) so there is not much risk.

More states are shifting the standard of care to personally identifiable information (PII).  That is a much bigger footprint.  If the vendor has your customer’s PII and the vendor has a breach, guess who is on the hook legally?  Answer: you.  Because you picked the vendor.

The vendor is privately held, so we can’t get any information on them.

Even if the vendor is privately held you can ask for information.    You can ask for an accountant’s statement.  You can ask about their cybersecurity program.  You can ask for a lot of information.  Do so.

We don’t give our vendor data in electronic format, so there is not much risk.

While paper is lower risk, it is not no risk.  Your shredding service only gets paper.  Likewise your document storage vendor.  Consider each situation carefully.

The vendor’s security is probably good because they are well known.

Target is well known.

Home Depot is well known.

Marriott is well known.

And hundreds of others.  Any questions?

Our vendor was hacked, but they say that they fixed the problem.

Maybe, but maybe not.  It depends.  Did they put a band-aid on the problem or did they fix the systemic issues underlying it?  Ask questions.  This will likely take a bit of digging, but do it anyway.

This vendor has a breakthrough product; surely their security is good too.

Again maybe, but maybe not.  Sometimes breakthrough features are deemed to be more important than security and privacy.  Don’t assume.

The vendor won’t give us what we ask for so we are out of luck.

Maybe.  How important is what you are asking for?  Should you consider a different vendor?  Will they let you look at it but not keep it (maybe in person or maybe over a web conference)?  Is there alternative information that would work?  They do likely want your business, so engage them to help you figure it out.

The vendor’s security program looks strong, so their third parties (our fourth parties) are strong too, right?

Maybe, but that is a bit of a stretch.  Review their vendor cyber risk management program first before you make that assumption, especially if the fourth party has your sensitive data.

I would never fall for a phishing attack so I am sure that our vendor wouldn’t either.  We don’t need no stinkin’ training and neither do they.

That is so wrong on so many levels.  We have many stories of businesses that “didn’t need training” that fell for phishing scams, lost sensitive data or even lost hundreds of thousands of dollars.  While training doesn’t fix everything, it is important.  Don’t skip the training, and training is not a one-time event.

These are just a few of the misconceptions, there are many more.

If your vendor has a breach, you are on the hook.  Maybe they are too, but you are first and foremost.  Your customers look to you to protect their data.

If you need help with your vendor cyber risk management program, contact us.

More Supply Chain Woes, Courtesy of Asus

Here is an interesting combination of countries.

Multi-billion dollar Taiwan based computer maker Asus makes a wide range of computers sold worldwide.

Russian anti-virus maker Kaspersky, whom the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus’s software update mechanism and told computer users in the US and other countries that their computers were infected with malware.

How did it happen?  Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.


So is the Russian company outing the Chinese company Asus because they are enemies?

Or is the KGB trying to prove that Kaspersky is not a threat?

Or is Kaspersky just doing what its software is supposed to be doing?

The fact that the malware was SIGNED with Asus’ code-signing key says that the hackers compromised Asus’ internal controls.

The attack was very targeted apparently.  Similar to the CCleaner attack, even though the malware was downloaded a million times, only 600 specific MAC addresses on PCs were targeted.

One VERY IMPORTANT point here.  According to Kaspersky, Asus has been very unresponsive to the issue.

So, what do you do?

First of all, my recommendation would be to remove Asus from your approved vendor list now.  If they come up with a better story you can always add them back in later.  The only way companies will get serious about cybersecurity is if it affects their financials.

That being said, this whole supply chain attack business (think Flame and CCleaner; even NotPetya was delivered as a supply chain attack) is becoming a huge problem and likely not going away any time soon.

This means that companies need to protect themselves.

Creating and implementing a vendor cyber risk management program is a start.

Make sure that you have adequate CYBER insurance.

Next, figure out what your exposure is.  Are you buying parts (soft or hard) and integrating them into your product or software?  You are at a higher risk.

Are you a higher value target (like a tech company, financial services provider, have a lot of customer information, etc.)?  That puts you at risk.

While patching is a bit of a band-aid, it is one of the best band-aids that we have today.  This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat.  If it is on your network or talks to your network, it has to be patched fully.  Think about how bad patching habits worked out for Equifax.
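“Every application on every device” is only checkable if you have an inventory and compare it against the version that carries the fix. Here is an added example of that comparison (not from the article or any vendor); the product names, versions and the inventory are constructed placeholders. It also shows why versions are compared as numeric tuples: a string comparison would call 7.10.0 older than 7.2.5.

```python
"""Flag inventory entries whose installed version is below the version with the fix.

Added example; product names, fixed versions and the inventory are constructed
placeholders, not data from the article.
"""
import re


def parse_version(text: str) -> tuple:
    """Turn '2.3.10' or '1.0.0-rc1' into a tuple of ints for comparison.

    Pre-release suffixes after '-' are dropped, so '1.0.0-rc1' compares as 1.0.0.
    Comparing tuples avoids the string-comparison trap where '7.10.0' < '7.2.5'.
    """
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums)


# Minimum version that contains the fix, per product (assumed values).
FIXED_VERSIONS = {
    "app-framework": "2.3.32",
    "thermostat-fw": "4.1.0",
    "endpoint-agent": "7.2.5",
}

# Constructed inventory: one entry per (device, product). Note the thermostat.
INVENTORY = [
    {"device": "web-01", "kind": "server", "product": "app-framework", "version": "2.3.31"},
    {"device": "web-02", "kind": "server", "product": "app-framework", "version": "2.3.32"},
    {"device": "hvac-lobby", "kind": "thermostat", "product": "thermostat-fw", "version": "3.9.2"},
    {"device": "laptop-17", "kind": "laptop", "product": "endpoint-agent", "version": "7.10.0"},
    {"device": "phone-04", "kind": "phone", "product": "endpoint-agent", "version": "7.2"},
]


def unpatched(inventory: list, fixed: dict) -> list:
    """Return (device, product, installed, required) for every asset below the fix.

    A product with no entry in `fixed` is skipped: there is nothing to compare
    against, which is itself worth reporting separately in a real program.
    """
    findings = []
    for item in inventory:
        required = fixed.get(item["product"])
        if required is None:
            continue
        if parse_version(item["version"]) < parse_version(required):
            findings.append((item["device"], item["product"], item["version"], required))
    return findings


if __name__ == "__main__":
    for device, product, have, need in unpatched(INVENTORY, FIXED_VERSIONS):
        print(f"{device}: {product} {have} is below fixed version {need}")
```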

As I said, this is not going to end soon — it is something that you should apply some think time to.  The potential impact on your brand could be very high, depending on your business model.

Source: Motherboard.  To see if your computer is infected, check out this Wired article.



Hidden Cameras in Your Vacation Rental or Hotel Room?!

After you are done gasping — it is not a far fetched scenario, at least for vacation rentals.  There have been many stories of AirBnB rentals having surveillance cameras – even though their agreement requires that they be disclosed if present.

When it comes to hotels, it is much more likely that those cameras were placed there by pervs rather than by the hotel staff.  Remember the Erin Andrews nude video story?  (See story here if you don’t remember it.  Note:  this is suitable for work – there are no pictures, just the story).

On the other hand, if you are in a foreign country, hotel video cams are more common, especially if you are an American executive, work for a tech company or have a security clearance.  If you do travel internationally and need a defensive security briefing, contact us.

First thing I need to do is provide a warning.  For international travelers, even detecting surveillance cameras, never mind disabling them, can be hazardous to your safety, literally, depending on the country.

This advice comes from a guy, nicknamed Monk, who does counter-surveillance for members of the U.S. military’s Special Operations Command among many others, so I take his advice at face value.

There are three primary methods for checking for hidden surveillance devices.  Remember some of these cameras are maybe a quarter inch across, so they are not easy to see.  They can be hidden in almost anything, including light fixtures, bedside radios, smoke detectors and other places.

The three methods are scanning for transmissions, detecting the lenses and physical search.  Many devices that will help can be purchased online for less than $100, but remember this is an art, not an exact science.

Scanners only work, of course, when the device is transmitting.  This MAY not be a big problem because the smaller devices likely don’t have a lot of storage, so they have to transmit often.

Lens detection works quite well, but there is a technique to develop.  And, it requires a lot of patience. Physical detection works quite well also, but you have to have an idea of what a bug might look like and you have to be willing to disassemble stuff like your bedside radio or the smoke alarm.

I have a sample video of foreign intelligence officials “reviewing” a hotel room when the occupant was gone, so that is definitely real.

As I said, this is not an exact science, but a mixture of all three is probably going to serve you best.

First thought – where are they going to hide a camera?  Kind of depends what they want.  If they want compromising video, it needs a clear line to the bed.  If they want your userid and password, it needs a clear line to your desk.  Remember, top down is fine, so the ceiling is a good candidate.

Alarm clocks, outlets, surge protectors and lamps are all good locations because they have a built in source of power that won’t raise any suspicions.

This is not meant to be a complete how-to article.  That would require way more ink.  Mostly, it will warn you of the risk (and probably scare you).

Hiding cameras in air vents and returns provides good cover because the cameras, electronics, power and storage can be bigger but still hidden.

The article suggests that you ask for a room change, but if you are being targeted, they will just put you in another room with built in surveillance.  Instead, block the suspected camera.  Turn the lamp camera to face the wall.  If it gets turned back the next time the room is serviced, you were probably right.  Point the alarm away from the bed, etc.

While this story may scare the bejibbers out of you, remember that most of the time, the surveillance is there to record damage to the owner’s property, although Erin Andrews’ surveillor had different ideas.  This is also the case if you are a higher risk business person.  AND do not fall for the “who would want to steal stuff from me” ruse.  Higher value business person is a relative term.

Just in case you think I am paranoid (well, that is valid, I am), here is a link to an article by entertainer Kim Komando who hosts a weekly show on tech.  It is real.  What we don’t know is how prevalent it is.  No idea.

Information for this post comes from USA Today.

Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone”.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information were located by a low level person at the CIA.  See the first screen shot below.

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see the second screen shot below.

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.
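The “tracing the email” step above is just reading the Received headers from the bottom up: each relay prepends one, so the lowest is the first hop and the top is your own server. Below is an added example that walks them and pulls out the two obvious red flags from this story, an origin with no DNS name and a sender domain that is not .gov. It is not the author’s tooling, and the message is constructed to resemble the scam; every host, address and domain in it is a placeholder, not the real headers from the author’s mailbox.

```python
"""Walk the Received headers of a suspicious message and list simple red flags.

Added example, not the author's own tooling. The message is constructed to
resemble the scam described above; hosts, IPs and domains are placeholders.
"""
import email
import email.utils
import re

# Constructed message. Each relay prepends its own Received header, so the
# top one is our server (last hop) and the bottom one is the first hop.
RAW_MESSAGE = b"""\
Received: from mx-pl.example.net (mx-pl.example.net [203.0.113.10])
\tby mail.example.com with ESMTP; Fri, 22 Mar 2019 10:02:11 +0000
Received: from relay-de.example.org (relay-de.example.org [198.51.100.7])
\tby mx-pl.example.net with ESMTP; Fri, 22 Mar 2019 10:02:09 +0000
Received: from relay-fr.example.org ([198.51.100.20])
\tby relay-de.example.org with SMTP; Fri, 22 Mar 2019 10:02:05 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay-fr.example.org with SMTP; Fri, 22 Mar 2019 10:02:01 +0000
From: "Case Officer" <officer@cia.example.ga>
To: victim@example.com
Subject: Case #4471 - your name is on the list

Send 10,000 USD in bitcoin before April 8th and your record will be removed.
"""

# "from <host> ... by <host>"; re.S lets the match span the folded header line.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def trace_hops(raw: bytes) -> list:
    """Return (from_host, by_host) pairs in chronological order, first hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group("from"), m.group("by")))
    hops.reverse()  # headers are newest-first; we want oldest-first
    return hops


def sender_domain(raw: bytes) -> str:
    """Domain of the From: address, lower-cased ('cia.example.ga' here)."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def red_flags(raw: bytes) -> list:
    """Cheap checks a mail gateway or an analyst can run before anything else."""
    flags = []
    hops = trace_hops(raw)
    origin = hops[0][0] if hops else ""
    # A first hop that is a bare IP or 'unknown' has no forward DNS name.
    if origin.startswith("[") or origin == "unknown":
        flags.append("origin host has no DNS name: " + origin)
    domain = sender_domain(raw)
    if not domain.endswith(".gov"):
        flags.append("claims to be a US agency but sender domain is " + domain)
    return flags


if __name__ == "__main__":
    for frm, by in trace_hops(RAW_MESSAGE):
        print(f"{frm:28} -> {by}")
    for flag in red_flags(RAW_MESSAGE):
        print("FLAG:", flag)
```

The hop list is only as trustworthy as the relays that wrote it: a sender can forge the lower Received headers, but not the ones added by servers you control, so read from the top down and stop trusting once you pass your own mail gateway.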

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.


Airline Seatbacks Have … Cameras? !

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.

Facebook Stored Millions (Billions?) of Passwords Unencrypted for Years

Seems like Facebook can’t catch a break.  Whether it is Cambridge Analytica or one of the many other scandals plaguing the company, it seems like the only news coverage they get is bad coverage.

This time it is information that Facebook logged users’ passwords in plain text for anyone to read, stored those logs on internal company servers and gave access to that data to tens of thousands of employees.

Other than that Mrs. Lincoln, how was the play tonight?

The internal investigation, which began in January and is still ongoing, discovered that 2,000 employees made 9 million queries for data elements that contained plain text user passwords.

Facebook says that the passwords were logged in plain text “inadvertently”.  Possibly, but since protecting passwords is like programming 101 or maybe even programming 001, how could that be?
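Since the “programming 101” part keeps coming up, here is what it looks like in practice: a password is stored only as a salted, slow hash and checked in constant time, and any field that looks like a credential is scrubbed before a request is logged. This is an added example, not Facebook’s code; the work factor, the field names and the log lines are constructed for illustration.

```python
"""Keep passwords out of the database in the clear and out of the logs entirely.

Added example, not Facebook's code. The iteration count, the field names and
the sample log lines are constructed for illustration.
"""
import hashlib
import hmac
import os
import re

# --- storage: salted PBKDF2-HMAC-SHA256, constant-time comparison -----------
ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest (all hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare without early exit."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- logging: redact credential fields before the line is written -----------
SENSITIVE = ("new_password", "old_password", "password", "passwd", "pwd")
# key=value in query strings and form bodies ...
KV_RE = re.compile(r"(?i)\b(%s)=([^&\s]*)" % "|".join(SENSITIVE))
# ... and "key": "value" in JSON bodies, tolerating escaped quotes in the value.
JSON_RE = re.compile(r'(?i)("(?:%s)"\s*:\s*)"(?:[^"\\]|\\.)*"' % "|".join(SENSITIVE))


def redact(line: str) -> str:
    """Replace credential values with a marker; everything else is left intact."""
    line = KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = JSON_RE.sub(lambda m: f'{m.group(1)}"[REDACTED]"', line)
    return line


def contains_plaintext_password(line: str) -> bool:
    """Detection check for logs you already have: would redaction change this line?"""
    return redact(line) != line


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'POST /login?user=alice&password=hunter2 HTTP/1.1 200',
    'body={"username": "bob", "password": "S3cret!\\"x", "remember": true}',
    'GET /profile?user=carol HTTP/1.1 200',
]

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify:", verify_password("correct horse battery staple", stored))
    for line in SAMPLE_LOG:
        print(("LEAK " if contains_plaintext_password(line) else "ok   ") + redact(line))
```

Redaction at the logging layer is the control that would have prevented this incident; `contains_plaintext_password` is the check to run over existing log archives to find out whether you already have the problem.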

Facebook now says that they plan to tell people that their passwords were exposed.   Sometime.  They did post an announcement of the situation, here.

Facebook says that they will need to notify hundreds of millions of Facebook Lite users (Lite is the version that is used in the places where bandwidth is at a premium), tens of millions of other Facebook users and tens of thousands of Instagram users.

So what should you do?

I would recommend changing your Facebook password no matter whether you receive notice from them or not.

If you use the same password on any other web sites, change those passwords too.

Enable two factor authentication on the Facebook web site.  This is very simple to do and provides a lot of extra protection.

Review what third party apps you have given permission to access your Facebook data.

If you were sharing passwords between web sites, this is a perfect reason not to do that.  Using a password manager makes it a lot easier to use unique passwords.

Facebook supports using an authenticator app such as Authy or Google Authenticator as the second factor rather than text messages.  It APPEARS that if you have a phone number associated with your account, they insist on allowing you to use that in an emergency.  Which means a hacker can declare an emergency.  Remove your phone number from your account to solve that problem.  Probably a good idea anyway.

Information for this post came from Brian Krebs.