The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today, is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  Not so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year’s budget, the FBI has 1,981 employees involved in cyber investigations.  Given that the FBI has 56 field offices, and not counting all the satellite offices, that means the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017, and probably 10 times that many which people didn’t even bother to report.

Given that most of these crimes involve foreign countries, and therefore reams of paperwork if you ever do get cooperation, they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn double or more what they would make at the FBI in private industry, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks.  This is a very different skill.  You don’t send someone to a one day class and make them a cyber expert.

Source: Government Computer News.


Financial Institutions are Risking Customer’s Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report on 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other insecurely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps.  Many were there when you bought the phone, and a lot of them you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know the banks want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.




Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one.  Office Depot got caught scamming its customers by telling them they had (non-existent) malware on their computers when they asked OD and its vendor to scan their computers.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive, historically, it has not always worked to your advantage.

Office Depot will pay $25 million to settle the charges; its vendor will pay another $10 million.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us” .  Plan on protecting yourself.  Source: Seattle Pi.

Earl Enterprises Admits Breach – Likely 2 Million Cards Hacked

Earl Enterprises, parent of Buca di Beppo, Earl of Sandwich, Planet Hollywood and other brands, finally admitted that their point of sale system was hacked.  For almost a year before someone told them.  No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies who have large breaches, like Equifax, are held accountable.

For companies with more than a billion dollars in annual revenue, the consequences of a breach for the executives in charge could be up to a year in jail.  Repeat offenders could get up to three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article on CNN discussing this very issue.

A family with five kids was travelling around the world, and when they arrived in Ireland, the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay.  The article didn’t say whether scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but Airbnb would not refund their money.

In fact, Airbnb initially claimed to investigate the owner and, after the investigation, said there was no problem and reinstated the listing.

Only after the family posted the story on social media and New Zealand news stations picked it up did Airbnb understand the potential brand damage and refund their money.



GDPR Regulators Getting Their Game On

Poland’s data protection regulator made an interesting decision affecting a Swedish-based digital marketing company named Bisnode.

Poland’s regulator, the national Personal Data Protection Office (UODO in Polish), fined Bisnode 220,000 Euros for failing to comply with Article 14 of GDPR.

Article 14 requires a data controller to inform a person when it collects data about that person from another source. In addition, you have to tell them the purpose that you are collecting the data for and give them the option to object.

Bisnode’s business model is to collect data from public records of various types and then, we assume, sell that data.

Bisnode apparently understood the obligation to notify people: of the roughly 6 million records they scraped, they sent notices to the people for whom they had email addresses.  That represented about 90,000 businesses.  Of those 90,000, about 12,000, or 13%, responded saying that the company did not have their permission to use this data for the purpose stated.

For the rest of the people, even those for whom they had a phone number, they opted not to notify them at all.

Instead, they put a notice on their web site.  Of course, those 6 million people had no reason to look at the company’s website and besides, I am guessing that they did not include a list of 6 million names on the web site, but maybe they did.

Bisnode objected to having to notify people because they said it would be too expensive to send everyone a registered letter.  Of course an email is not equivalent to registered mail, actually closer to a postcard, and they could have sent 6 million postcards for a whole lot less than the cost of 6 million registered letters.

There is a lot more information in the source article linked below, but for now the point is that businesses that depend on scraping other people’s data and selling it should be wary about their business model.

At a bare minimum, they need to consider the notification requirements and understand that each distinct purpose the data is being used for requires its own notification (if you know now that it will be used for, say, 3 purposes, you can include all three purposes in one notice, but if you decide next month that you have a new purpose, you have to re-notify).  And the notice cannot be generic in nature, like “we are going to sell your information to folks who are going to do stuff with it, like spam you”.

The Polish DPA also required them to notify the 5.9+ million people that they didn’t notify.  Bisnode is thinking about deleting the data instead, but even if they do, will that relieve them of their notification obligation?

Assuming Bisnode does appeal, hopefully that appeals decision will improve the clarity of the rules under GDPR, but given what I have seen in the past, Bisnode is unlikely to get a free pass in this situation.

So for businesses that depend on taking data from third parties and using it in a way that the consumer did not anticipate, expect that you could end up on the wrong side of a DPA decision and then have to decide whether you can afford to fight.  Not being able to do that freely may make the business not viable, so either way, those businesses have a problem.

Source: TechCrunch.


Hackers Want to Own Your Systems Longer

Gee, in one sense, that is not a big surprise.

On the other hand, given all the money and effort, you would think we would be winning.

According to security vendor Carbon Black, the percentage of incidents in which hackers used methods to cover their tracks jumped 5 percentage points in just the last 3 months, and 10 points over the last 6 months, to 56 percent of incidents.

They did stuff like deleting logs, disabling anti-virus, hijacking legitimate programs and disabling firewalls.  Among other nasty stuff.

By hiding they get to steal more stuff.  Own the system.  Own the entire network.

Part of the reason is that they are stealing intellectual property.  22 percent of the time.  Up from 5 percent the previous quarter.

Also, the hackers are island hopping – a term meaning that once they own one network, they use that beachhead to compromise another company.   They say that 50 percent of the reports for last quarter used island hopping as a technique to gain access.

Bottom line – the bad guys are evolving.  You need to evolve too.

Unless you are okay with them stealing all of your intellectual property.  And your customers.

Installing anti-virus and a firewall is NOT going to stop them anymore.

Part of what you need to do is get your employees to change their habits.  That, unfortunately, is not easy.  

For the most part, people want to do what is easy.  That is why Google says that less than ten percent of their customers use two factor authentication, for example.  It is not the easiest way to log in.

Then you need to lock down your systems (servers) and your network.  The good news is that this will not impact your users very much but it will mean a lot of work for your IT team.

Since the hackers want to remain inside your network undetected, you need to try to detect them.

If they are good, a traditional SIEM that just collects logs won’t find them.  Network Detection and Response tools, which watch the traffic itself, are the next step beyond a SIEM.
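The track-covering behaviour listed above (deleting logs, disabling anti-virus, disabling firewalls) and the detection point just made can be put together in a small detector.  The following is an added example, not code from the original post or from Carbon Black; it runs over constructed sample log lines in an assumed JSON format (the field names "ts", "host", "event_id", "user" and "cmd" are assumptions, not a real product schema), and the command-line patterns are illustrative instances of the behaviour class rather than a complete list.  Besides looking for explicit evasion actions, it flags a host that goes silent while its peers keep reporting, which is what successful log tampering or a disabled agent looks like from the SIEM side.

```python
"""
Added example: detect "covering their tracks" activity in endpoint logs.
Not part of the original post or of Carbon Black's report.  Log format and
field names are assumptions; sample log lines below are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative command-line patterns for disabling defences or wiping logs.
# Generic examples of the behaviour class, not an exhaustive list.
EVASION_PATTERNS = {
    "clear_event_log": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "clear_audit_policy": re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I),
    "disable_defender_rtp": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "disable_host_firewall": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "stop_security_service": re.compile(
        r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop)\s+(windefend|sense|mpssvc)\b", re.I),
}

# Constructed sample: three hosts; SRV01 disables defences, clears the
# Security log (assumed event_id 1102 = "audit log cleared") and then
# goes quiet while WS01 and WS02 keep logging.
SAMPLE_LOGS = """
{"ts": "2019-04-01T09:00:00", "host": "WS01",  "event_id": 4688, "user": "alice", "cmd": "outlook.exe"}
{"ts": "2019-04-01T09:02:00", "host": "SRV01", "event_id": 4688, "user": "svc_backup", "cmd": "svchost.exe -k netsvcs"}
{"ts": "2019-04-01T09:05:00", "host": "WS02",  "event_id": 4688, "user": "bob", "cmd": "chrome.exe"}
{"ts": "2019-04-01T09:10:00", "host": "SRV01", "event_id": 4688, "user": "svc_backup", "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2019-04-01T09:12:00", "host": "SRV01", "event_id": 4688, "user": "svc_backup", "cmd": "netsh advfirewall set allprofiles state off"}
{"ts": "2019-04-01T09:15:00", "host": "SRV01", "event_id": 4688, "user": "svc_backup", "cmd": "wevtutil cl Security"}
{"ts": "2019-04-01T09:15:30", "host": "SRV01", "event_id": 1102, "user": "svc_backup"}
{"ts": "2019-04-01T09:20:00", "host": "WS01",  "event_id": 4688, "user": "alice", "cmd": "excel.exe"}
{"ts": "2019-04-01T09:45:00", "host": "WS02",  "event_id": 4688, "user": "bob", "cmd": "notepad.exe"}
{"ts": "2019-04-01T10:00:00", "host": "WS01",  "event_id": 4688, "user": "alice", "cmd": "teams.exe"}
{"ts": "2019-04-01T10:25:00", "host": "WS02",  "event_id": 4688, "user": "bob", "cmd": "winword.exe"}
{"ts": "2019-04-01T10:30:00", "host": "WS01",  "event_id": 4688, "user": "alice", "cmd": "outlook.exe"}
"""


def parse_line(line):
    """One JSON log line -> dict with a datetime in 'ts'."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_evasion_events(records):
    """Explicit defence-evasion indicators: log-cleared events and
    command lines matching EVASION_PATTERNS.  Returns (ts, host, name, detail)."""
    findings = []
    for rec in records:
        if rec.get("event_id") == 1102:
            findings.append((rec["ts"], rec["host"], "security_log_cleared", rec.get("user")))
        cmd = rec.get("cmd", "")
        for name, pat in EVASION_PATTERNS.items():
            if pat.search(cmd):
                findings.append((rec["ts"], rec["host"], name, cmd))
    return findings


def find_silent_hosts(records, max_gap=timedelta(minutes=30)):
    """Hosts whose newest event is more than max_gap older than the newest
    event from any host: log sources that stopped talking."""
    last_seen = {}
    for rec in records:
        last_seen[rec["host"]] = max(last_seen.get(rec["host"], rec["ts"]), rec["ts"])
    newest = max(last_seen.values())
    return sorted(h for h, t in last_seen.items() if newest - t > max_gap)


def run_detection(text=SAMPLE_LOGS):
    """Parse the log text and return both kinds of finding, plus a per-host
    count of evasion indicators so a noisy host stands out."""
    records = [parse_line(l) for l in text.strip().splitlines() if l.strip()]
    evasion = find_evasion_events(records)
    per_host = defaultdict(int)
    for _, host, _, _ in evasion:
        per_host[host] += 1
    return {"evasion": evasion, "silent_hosts": find_silent_hosts(records),
            "per_host": dict(per_host)}


if __name__ == "__main__":
    result = run_detection()
    for ts, host, name, detail in result["evasion"]:
        print(f"{ts:%H:%M:%S} {host:6} {name:24} {detail}")
    print("silent hosts:", result["silent_hosts"])
    print("indicators per host:", result["per_host"])
```

The silence check is deliberately crude: a host that was simply shut down will trip it too, so in practice you would compare against expected uptime or an asset inventory rather than against the newest event from any peer.  The point is that once logs are being deleted at the source, the absence of data is itself the signal, and a system that only alerts on events it receives will never raise it.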

Sorry for harping on this, but you have to protect yourself.  No one else can.

The hackers are playing to win.   You need to play to win also.

Source: The Register.


Who *IS* Going to Rescue Us

It is old news that Jeff Bezos was caught cheating on his (soon to be ex-) wife.  That isn’t terribly unusual news.  Powerful men seem to do that a lot.  At this point it is still somewhat murky as to how AMI, parent of the National Enquirer, obtained pictures that Jeff shared with his girlfriend.

It is certainly possible, as AMI claims, that they got them from the brother of Bezos’ girlfriend, Lauren Sanchez.  It is not clear why he might have done that.  Possibly he didn’t like the situation.  Possibly, they offered him a suitcase full of cash.  Surely he must have known that would not enhance his relationship with his sister.  Maybe he didn’t care.  Maybe he didn’t even like her.  Who knows.

That gossip is not terribly interesting in the big picture.

There is, however, an aspect of the story that we should all be concerned with.

Bezos, having a few billion here and there, even after going 50/50 with his soon to be ex, hired an investigator to figure out how AMI got those compromising pics.  In case you don’t keep up with the gossip, the pictures included parts of Jeff’s body that most people do not expose to the sun.

The investigator wrote an opinion piece for the Daily Beast saying it was the work of the Saudis.  I certainly don’t know if this is true or not.  Certainly the Saudis don’t like Bezos much, since the newspaper he owns, the Washington Post, said that the Saudi Crown Prince was responsible for killing and dismembering a journalist, Jamal Khashoggi.  Whether you think that Khashoggi was innocent or not, people generally don’t like the idea of ordering hits on people and then cutting those people up and stuffing their body parts into diplomatic pouches to get them out of the country.

We could debate for a long time the merits of all of the above, that is not the point of this piece.

Let’s assume for the moment that we reliably believe that the Saudis did hack either Bezos’ or Sanchez’ cell phone, steal the photos and give them to AMI.  This is an assumption, not a fact, but something we need to agree for the moment is possible.

Let’s assume, as an alternative, that some other government with which we have a love-hate relationship hacked into some U.S. company for reasons of their own and either stole stuff or did some damage.  An example of this is Sony and North Korea, but that is not a good example because we have a hate-hate relationship with them and not a love-hate relationship.

All of the above is just a setup for what follows.

What should we expect the U.S. government to do about it?

After all, we hack the crap out of anyone that we can – right? – NSA, CIA and other TLAs (three letter agencies).

Should the government retaliate?  Let’s assume for the moment that Trump and Bezos didn’t have one of those hate-hate relationships that they do have.  Should the White House launch an attack on another nation?

This is a real question that Trump has had to deal with and the supposed reason for the China Tariffs.  It is possible that the tariffs may have some long term effect on China’s hacking of us. Short term, it seems to have increased their hacking, but long term – who knows.

We do know that in the short term it is costing U.S. companies billions, most of which will be passed on to U.S. consumers in the form of higher prices and slower growth.  The auto industry says that it is causing them to lay off tens of thousands of employees.

But still, stay tuned.

China is not a good example either because what China is doing is very widespread, not targeted like going after one person or one company.

So what should we expect our government to do in cases like this?

In the aggregate, hacking is costing companies more than a half trillion dollars a year globally.  That is real money.  It is bigger than the GDP of many countries.

Realistically, individual companies do not  have the ability to keep out a determined nation state actor.  Not if they are targeted and motivated (that represents, maybe, one tenth of one percent of all of the attacks, probably much less than that).

It is also true that many small companies may become collateral damage from attacks, either by regular hackers or nation states, without being the target.  A perfect example of that is WannaCry, which devastated companies across Europe who were not the target of the attackers.

Here is the bad news.

My opinion is (which along with about $4.95 will buy you an average cup of coffee at a well known coffee chain – probably a small cup) that 99+% of the time – unless you are a Sony and go up in flames – the government is not only not going to do anything to protect you or retaliate, but they are not even going to notice that you have been attacked.

The FBI gets thousands of reports of attacks a week.  In 2017, the FBI got more than 300,000 reports.  That is more than 800 reports a day, including Saturdays and Sundays.  The FBI has, as I recall, around 14,000 actual agents who are responsible for all manner of crimes including murder, kidnapping and terrorism.  How many of those 800 reports a day do you think they can respond to?

In fairness, they will cherry pick a few.   Maybe 5 out of 800 a day.  I don’t know.  Probably less.

Bottom line – you are going to be responsible for yourself.

Realistically, this means that you have to do your best to keep the bad guys out and be ready to deal with it when the bad guys win a particular battle.

You are not going to like this analogy, but after 9-11, we stood up the TSA.  Whether you think they are wonderful or buffoons, we spend almost $8 BILLION dollars a year in that one agency just trying to keep the bad guys at bay.  Based on published reports, something like 50% of guns screened by TSA get through the checkpoints, more at some airports, less at others.  Luckily, those guns do not appear to be owned by active terrorists.

From the TSA’s standpoint, while they would like to prevent another 9-11, and the director of the TSA would likely be fired if there was another one, for the rank and file, they are just doing their job.  There is not much financial consequence to the 40,000 plus employees of the TSA if another 9-11 happens.  In fact, it is likely to reinforce their job prospects unless we decide to shut down all of the airlines permanently.  Or make you travel naked with no luggage.

From your standpoint, if you suffer an attack – ransomware, theft of intellectual property, destruction of your factory like happened recently with a German steel mill, that is costing you real money, real business, real jobs.  It is very personal for you.  Norsk Hydro lost $40 million in the first week after their ransomware attack.

This means that you need to actively work to make it harder for the bad guys to damage you.

For you, this means, time, energy, people and yes, money.  Sorry.

This is one case where the government can’t fix it, even if they try.

Source: The Cybersecurity 202.
