Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on. Privacy. That’s iPhone.”

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.

 

Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information was located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.

 

Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.

 

Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source: Dark Reading.


Facebook Stored Millions (Billions?) of Passwords Unencrypted for Years

Seems like Facebook can’t catch a break.  Whether it is Cambridge Analytica or one of the many other scandals plaguing the company, it seems like the only news coverage they get is bad coverage.

This time it is information that Facebook logged users’ passwords in plain text for anyone to read, stored those logs on internal company servers and gave access to that data to tens of thousands of employees.

Other than that Mrs. Lincoln, how was the play tonight?

The internal investigation, which began in January and is still ongoing, discovered that 2,000 employees made 9 million queries for data elements that contained plain text user passwords.

Facebook says that the passwords were logged in plain text “inadvertently”.  Possibly, but since protecting passwords is like programming 101 or maybe even programming 001, how could that be?
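To make “programming 101” concrete, here is an added example (my own illustration, not Facebook’s code) of the two things that went wrong in this story and how a login handler avoids them: it redacts sensitive fields before a request is written to any log, and it never stores the password itself, only a salted scrypt hash. The field names, the scrypt parameters and the sample user record are assumptions made up for the demo.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Request fields that must never reach a log line. Assumption: a fixed
# deny-list of field names is enough for this demo. The unsafe pattern this
# guards against is logging the whole request dict, password included.
SENSITIVE_FIELDS = {"password", "new_password", "token"}

# scrypt work factors (assumed values; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def redact(event: dict) -> dict:
    """Return a copy of an event dict with sensitive values masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in event.items()}


def log_line(event: dict) -> str:
    """Serialize an event for the request log. The unsafe variant this
    replaces was simply json.dumps(event), which writes the password in the clear."""
    return json.dumps(redact(event), sort_keys=True)


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted, memory-hard hash: 'scrypt$<salt hex>$<hash hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    return "scrypt$%s$%s" % (salt.hex(), _scrypt(password, salt).hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    recomputed = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def handle_login(request: dict, user_db: dict) -> Tuple[bool, str]:
    """Authenticate a login request against user_db (username -> stored hash).
    Returns (success, the line that would be written to the request log)."""
    line = log_line(request)
    stored = user_db.get(request.get("username", ""))
    ok = stored is not None and verify_password(request.get("password", ""), stored)
    return ok, line


# Constructed sample data: one user record and one login request.
USER_DB = {"alice": hash_password("correct horse battery staple")}
SAMPLE_REQUEST = {"username": "alice",
                  "password": "correct horse battery staple",
                  "client": "lite"}

if __name__ == "__main__":
    ok, line = handle_login(SAMPLE_REQUEST, USER_DB)
    print(ok, line)
```

The log line for the sample request comes out with `"password": "[REDACTED]"`, and the user table holds only the salt and hash, so neither the logs nor a database dump contain anything an employee could type into a login form.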

Facebook now says that they plan to tell people that their passwords were exposed.   Sometime.  They did post an announcement of the situation, here.

Facebook says that they will need to notify hundreds of millions of Facebook Lite users (Lite is the version that is used in the places where bandwidth is at a premium), tens of millions of other Facebook users and tens of thousands of Instagram users.

So what should you do?

I would recommend changing your Facebook password no matter whether you receive notice from them or not.

If you use the same password on any other web sites, change those passwords too.

Enable two factor authentication on the Facebook web site.  This is very simple to do and provides a lot of extra protection.

Review what third party apps you have given permission to access your Facebook data.

If you were sharing passwords between web sites, this is perfect reason not to do that.  Using a password manager makes it a lot easier to use unique passwords.

Facebook supports using an authenticator app such as Authy or Google Authenticator as the second factor rather than text messages.  It APPEARS that if you have a phone number associated with your account, they insist on allowing you to use that in an emergency.  Which means a hacker can declare an emergency.  Remove your phone number from your account to solve that problem.  Probably a good idea anyway.

Information for this post came from Brian Krebs.

 


Norsk Hydro Ransomware Attack Impacts Price of Aluminum

Update:  The Washington Post pointed out that malware probably did not spread from Norsk’s IT network to its plant floor or OT network since they were able to run some plants manually.  This is where network segmentation is really important, even within the IT network.  They also pointed out that Norsk was very public about what was going on, even though it had a (likely) short term impact on their stock price.  They definitely should get gold stars for that.  Source: The Washington Post.

Aluminum Giant Norsk Hydro was hit with a ransomware attack this week.

The attack has forced the company to shut down several plants and take other plants offline to stop the spread of the attack.

Other plants were operating in “manual” mode.

The Norwegian company employs 35,000 employees in 40 countries.  They report that their entire worldwide network is down affecting production and office operations.

While some smelting operations can run manually, the company has had to shut down some of its extrusion plants.

The company says that it doesn’t plan to pay the ransom and plans to restore its systems from backups.

One expert suggested that the attacker(s) might have gained domain admin access and then installed a malicious executable on the domain controllers.  From there it gets downloaded to any machine that logs on to the network – workstation or server.  That is why they had to completely shut down the network.

The interesting thing is that they said that this attack is so big that it is affecting the spot price of aluminum on the world market.

So what does this have to do with you?

Let’s assume that you got hit with a ransomware attack.  Not a great thought but not impossible either.

Now assume that you had to shut down the entire company network.   Maybe computers can be powered up, but maybe not.  Since the network is down, the cloud based phone system doesn’t work.  No email and your cell is only useful as a phone.  As long as it doesn’t need WiFi access to work.

How will your company operate?

Are you prepared for an event like this?

Do you have a plan?  Have you tested it?  When?

This is not an isolated event.  We hear about it all the time.  Most of the time it doesn’t affect the spot price of materials on the world market.  That doesn’t mean that it won’t hurt you.

Your cyber incident response plan, program and training is critical.  Are the external third party resources that you may need identified?  Have you reviewed the contracts that will need to be signed?

Do you have backup plans for how your business will operate when you no longer have a network or an Internet connection?

What happens when your web site goes down?  Will visitors just get a message that your site can’t be found?  What will they think if that happens?

In the case of Norsk it was a ransomware attack, but it could be a failure of your Internet provider, a fire in your building, a burst water pipe in your data center or any number of other possible situations.

In their case, they can afford the millions of dollars they are spending to deal with the situation.  Can you afford that?

Will your cyber risk insurance cover all of this?  Many times companies come to us after discovering that their insurance won’t cover the loss and we look at the policy.  The insurance company is right.  It doesn’t cover it.  That is because cyber insurance is like the wild west and if your agent does not write a lot of coverage, you may or may not get what you need.  This is very different than almost EVERY other form of insurance.  In Colorado and many (most) other states, cyber risk insurance is not regulated by the Department of Insurance.

If you are not prepared then now is the time to get prepared, because it is not a matter of if, but rather how, how bad and when.

Plan now or deal with it later and dealing with it later will not be pretty.  Take it from someone who knows.

Information for this post came from Threatpost.

 


Android Q (Version 10) To Have A Number of New Security Features

NOTE:  This is a bit of a rant on my part, but I will get to the good stuff further down.  Sorry, but I think the subject is important.

While the fact that Google is finally trying to counter Apple’s various ad campaigns such as their CES ad below

and their March Madness ad campaign “if privacy matters in your life, it should matter to the phone your life is on” is a good thing, it does not really solve the problem.

Android P or Pie, version 9,  was released in March of last year.  Here is the most recent distribution of Android OSes on active phones.

Android Pie is represented by the light blue bars on the top in the last three bars and is a tiny percentage of the market.

As of January, 2% of phones are still running Android 4, almost 5% are running Android 5, 10% are running Android 6, 21% are running Android 7, 54% are running Android 8 and only 5% are running Android 9 – roughly.

Android 4.4, the last version of Android 4, was released in 2013; Android 5 in 2014, Android 6 in 2015, Android 7 in 2016 and Android 8 in 2017.

All versions of the Android OS before version 7 are no longer supported and will never have security holes fixed.  That means around 20% of the Android phones out there are unsupported and when Android 10 is released this summer, that number will rise as Android 7 support gets discontinued.

While companies have been (sort of) good about getting rid of unsupported Windows OSes (like Windows XP), they have been much less active in stomping out unsupported phone OSes.

As employees move more and more to using their mobile devices as a true computing device, this is becoming a bigger security challenge for all companies – one that most companies have been ignoring.  THE SINGLE BIGGEST UPCOMING THREAT TO COMPANY DATA IS OLD, UNPATCHED MOBILE DEVICES.  This is especially true in regulated industries where very sensitive financial, health and national security data is accessed.

Apple has been very good about upgrading their phones to the current iOS version, supporting iPhones from the current iPhone 10 all the way back to the iPhone 5S and pretty much shoving the new releases down their users’ collective throats, whether users are happy about the results or not (older iPhones typically run slower with the newer releases).  But, at least, those phones are as secure as Apple knows how to make them.

But for Android phones, there are WELL over 1,000 MANUFACTURERS of Android phones and likely WAY over 10,000 phone models in use.

Add to this Android’s fractured release distribution model.  Users, other than Pixel users, do not get their software updates from Google like Apple users get theirs from Apple.   Rather they have to wait for Google to release fixes, their phone vendors to tweak them and their phone carrier to actually push them down.

Many phone vendors don’t ever release patches, and that does not seem to be much of a decision-making consideration on the part of users (and really shouldn’t have to be).

The Fortune 100 and the carriers could change this pretty quickly (like we are not going to sell your phone and we are not going to buy your phone unless you release monthly patches), but that has not happened yet.

Google is trying hard to improve this.  Last year they made two changes.  First, they layered the operating system so that they can make (security) changes below a certain layer without affecting Android apps that carriers get paid to install on your phone and second, they began to require phone manufacturers to release patches a few times a year for two years.

While this is an improvement, many people (most people?) keep phones for more than two years and don’t buy those phones on the date they were released, so while this is a start, it is not a solution.

Companies need to understand that this is a risk and decide what their company policies are going to be regarding allowing users to access company data using phones that are vulnerable and unpatched.  For companies that are subject to regulations such as HIPAA or NIST SP 800-171, this is a violation of the regulation and could possibly get the company fined.

OK, enough ranting.

What is coming in Android Q (Version 10)?

The Android Q beta will drop this month and the best guess is that it will be released in August.  Some of the new security features include:

  • The Android OS will stop tracking contacts “affinity” (who is talking to whom on your phone – yes they have been doing that forever), so that will no longer be available to apps
  • Phones will transmit a RANDOM MAC address (the address of the network card) to reduce sites’ ability to track based on MAC address.
  • Only some apps will be able to obtain the device’s serial number and IMEI (electronic serial number).
  • Users will get more control over location permissions.  Now you will be able to say that an app can only access your location when it is the active application on your screen.  This comes after it was revealed that some apps, running in the background, transmit your location data to the app maker over a thousand times a day.
  • Only the active app can access data stored in the clipboard.
  • Some network device state information will now be restricted.
  • Apps will need to have access to a special FINE location API (for WiFi and Bluetooth).  This is how grocery stores, for example, know that you are in the cereal aisle and can send you ads for cereal and not pantyhose.
  • Each app will be given a sandbox regarding access to the disk on “external” storage (USB storage).  Currently, if you give an app access to USB storage, they can access any data on the device.  If apps are well behaved, this is not a problem, but ….
  • There are new restrictions on apps starting in the background without telling you.
  • There are several changes to the permissions model – apps will need to be given specific permissions in order to detect, for example, a user’s movement.
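The random MAC address item deserves a closer look, because it changes what a MAC address can be used for on your own network as well. The added example below (my own illustration, not Google’s Android code) generates a randomized address following the IEEE 802 convention, which marks such addresses with the “locally administered” bit in the first octet, and then sorts a constructed list of observed addresses into ones that still identify a piece of hardware and ones that do not. The sample addresses are made up.

```python
import os
from typing import Dict, List


def random_mac() -> str:
    """Generate a randomized, locally administered, unicast MAC address.

    Assumption: this follows the IEEE 802 address conventions (bit 1 of the
    first octet = locally administered, bit 0 = multicast); it is not
    Android's own implementation of MAC randomization."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set U/L bit, clear I/G bit
    return ":".join("%02x" % b for b in octets)


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """True for randomized / software-assigned addresses."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    return bool(first_octet(mac) & 0x01)


def classify(macs: List[str]) -> Dict[str, List[str]]:
    """Split observed addresses into ones that identify hardware (vendor
    assigned, stable) and ones that are randomized and therefore cannot be
    used as a stable device identifier in an inventory, a NAC allow-list or a
    tracking database."""
    out = {"hardware": [], "randomized": []}
    for mac in macs:
        key = "randomized" if is_locally_administered(mac) else "hardware"
        out[key].append(mac)
    return out


# Constructed sample: two vendor-style addresses and one randomized one.
SAMPLE_MACS = ["00:1a:2b:3c:4d:5e", "3c:5a:b4:10:20:30", "da:a1:19:00:11:22"]

if __name__ == "__main__":
    print("new random address:", random_mac())
    print(classify(SAMPLE_MACS))
```

The practical consequence for an administrator is that anything keyed on the MAC address (captive-portal exemptions, DHCP reservations, “known device” lists) will see a phone running this feature as a brand new device, so those controls need to move to a device certificate or per-user authentication instead.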

One thing Apple has figured out how to do, is to get users to spend a thousand dollars on a new phone every year or two (An iPhone XS Max with 512 gig of storage costs almost $1,500!!!).  Not sure how they do this, but they have.  Android users are much more sensible.

Until users understand that their devices (and more importantly their data) are at risk because they are not being patched, this is unlikely to change.

Information for this post came from Helpnet Security.


Security News bites for the Week Ending March 15, 2019

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county population is 67,000 according to Google.  While hackers may not be explicitly targeting these small municipalities, they may be.  After all, small municipalities likely have poor cybersecurity practices and are likely to be willing to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

Who gets to pay the price of their poor security practices, unfortunately, are the county residents.  The county budget for 2017 was about $40 million, so a $400k hit represents about one percent of the total annual county budget.  There is no indication that the county had any insurance.  In addition to the actual ransom, the county hired a consultant, had downtime and is in the process of recovering from the outage.  Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, the vast majority of them are small and with no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid.  Source: Bleeping Computer.

 

Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure.  Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security but nothing is perfect.  There are many methods of two-factor authentication, including a phone call and a text message.

Now Google will allow Corporate G-Suite administrators to disable less secure two-factor methods if they choose to (a feature that Microsoft Office has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to either use the Google Authenticator App or a Yubi Key as the only approved second factor, you can do that.  MUCH – repeat MUCH – more secure.  Source: Bleeping Computer.

 

App 63red Security Lacking;  Developer Threatens Messenger

63red, an app that was developed by conservative news site 63Red Safe, is supposed to provide a directory of places that were safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher discovered that the security of the app was less than perfect.  Inside the code of the app the researcher found the developer’s email, password and username in plain text.  Also, there was no security in the app’s API, along with other security issues.

Developers react differently to being told their app is not secure. In this case the developer reported there was no breach, no data changed, minor problem fixed.  The first two statements are accurate but misleading.  He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was look at the source code and then use what was in the code to test the security.  Theoretically, that could be considered exceeding your permissions under the Computer Fraud and Abuse Act, but there are specific exceptions for security research.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground.  Sources:  The Daily Beast and Ars Technica.


Multi Factor Authentication – Not Perfect

Hackers have figured out how to attack Office 365 and Google G-Suite accounts protected by Multi Factor Authentication (MFA).

No, this is not a bug in some software and no it is not hyper-sophisticated attack.

In fact, it is very old school.

First, as best I understand, it is a limited attack so it is not a full compromise.

It is a perfect example of security vs. convenience.

OK, I will end the suspense.

Both Microsoft and Google support IMAP for email.  IMAP doesn’t support multi-factor authentication.

The bad guys use password spray attacks against millions of accounts from a large number of compromised machines.

If they get in, they use that compromised email account as a landing spot to launch attacks against other users in the same organization since they are now (pretending to be) a trusted insider.

If the company has enabled geo-fencing then the attackers might be able to use a proxy or VPN to get inside the fence, but that is more time and more work.

So does that mean that MFA is useless?

Actually not at all.

First of all, if you can, disable all legacy insecure protocols (protocols that do not support MFA).

Next, if you can, enable geo-fencing.  This will make things harder for the bad guys.

For systems that support it, enable improbable login.  This will detect logins that don’t make sense, even if they are inside the geo-fence.

Enable maximum logging and alerting.  Again we are trying to make it hard for the bad guys so they will go somewhere else.

While none of this is perfect, not having MFA enabled definitely makes life easier for the hacker.  Make it harder and unless you are a specific target, the hacker will move on.
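The “maximum logging and alerting” step only helps if someone is actually looking for the pattern described above: one source touching many accounts with one or two guesses each, and a success arriving over a protocol that never asked for a second factor. The added example below (my own illustration, not Proofpoint’s tooling) runs that detection over a constructed authentication log. The log format, the protocol names and the thresholds are assumptions for the demo; a real deployment would read the Office 365 or G Suite sign-in logs instead.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, one authentication attempt per line.
# Assumed field order: timestamp  source IP  username  protocol  result
SAMPLE_LOG = """\
2019-03-14T02:01:05Z 203.0.113.7 alice imap FAIL
2019-03-14T02:01:06Z 203.0.113.7 bob imap FAIL
2019-03-14T02:01:07Z 203.0.113.7 carol imap FAIL
2019-03-14T02:01:08Z 203.0.113.7 dave imap FAIL
2019-03-14T02:01:09Z 203.0.113.7 erin imap FAIL
2019-03-14T02:01:10Z 203.0.113.7 frank imap SUCCESS
2019-03-14T08:15:00Z 198.51.100.20 alice web_mfa FAIL
2019-03-14T08:15:20Z 198.51.100.20 alice web_mfa FAIL
2019-03-14T08:15:40Z 198.51.100.20 alice web_mfa SUCCESS
"""

# Protocols that authenticate with a bare password and never prompt for MFA.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp"}

# Spray heuristic (assumed thresholds): one source trying at least this many
# distinct accounts, with only a couple of attempts per account, is a spray
# rather than one user fumbling their own password.
SPRAY_MIN_USERS = 5
SPRAY_MAX_ATTEMPTS_PER_USER = 2


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, proto, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "proto": proto, "result": result})
    return events


def detect_spray(events, min_users=SPRAY_MIN_USERS,
                 max_per_user=SPRAY_MAX_ATTEMPTS_PER_USER) -> Dict[str, List[str]]:
    """Map each spraying source IP to the sorted list of accounts it tried."""
    users_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        attempts_by_ip[e["ip"]] += 1
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users
            and attempts_by_ip[ip] <= max_per_user * len(users)}


def legacy_successes(events) -> List[Tuple[str, str, str]]:
    """Successful logins over MFA-less protocols, as (user, ip, proto)."""
    return [(e["user"], e["ip"], e["proto"]) for e in events
            if e["proto"] in LEGACY_PROTOCOLS and e["result"] == "SUCCESS"]


def likely_compromised(events) -> List[str]:
    """Accounts that logged in successfully from a spraying source; these
    are the ones to reset and to check for forwarding rules and sent mail."""
    sprayers = detect_spray(events)
    return sorted({e["user"] for e in events
                   if e["ip"] in sprayers and e["result"] == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("legacy-protocol successes:", legacy_successes(evs))
    print("accounts to review:", likely_compromised(evs))
```

On the sample data the office address that fails twice and then succeeds for one user is left alone, while the address that walked six accounts over IMAP is flagged and the one account it got into is reported. The same shape of query is what you would put behind the alerting the post recommends, and a clean result after legacy protocols are disabled is a quick check that the change actually took effect.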

Source: Proofpoint.

 

 
