Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.


Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register


The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor – American Medical Collection Agency – which makes this, once again, the vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like rats from the proverbial sinking ship.

As a result of that, the lawsuits already filed and yet to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.


Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very high and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  The city has now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million doing it.

In this case, the hacker was bolder, asking for $600,000, which, if the city’s IT practices were as poor as is typical, was the only way to get its data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.


If Your Data Is Important to you DO NOT Trust Your Cloud Provider

There is a great piece on ZDNet today about a writer whose phone number was stolen (not the phone, the number) using a SIM swap attack.  In this case, the phone company was T-Mobile, and all the hacker had to do was call them, give them a bit of the victim’s information (like secret stuff such as the last 4 of your Social) and T-Mobile was happy to give the hacker this writer’s phone number.  T-Mobile doesn’t want you to be angry with them, so they are willing to sacrifice your security and privacy instead.

Once the hacker had the number, he was able to reset the writer’s Twitter and Google passwords.  The writer had set up two factor authentication to be more secure, but once the phone number moved to the hacker’s phone, the text message he was using for the second factor went to the hacker’s new phone.

TIP: Use authenticator apps like Google or Facebook Authenticator instead of text messages because then stealing your phone number won’t give the bad guys the second factor information.

T-Mobile put a message on the writer’s phone saying the phone number had been transferred and to call 611 if he didn’t do it, but since the phone had no service, that wasn’t possible.  Smart thinking T-Mobile.

The writer was able to call T-Mobile from another phone on the account and get the phone number restored, but that didn’t get his online accounts recovered.

TIP: Time is of the essence.  The sooner you detect the problem and the sooner you get your carrier involved in fixing it, the less damage the bad guy can do.

Now the writer had to go through the brain damaging process of recovering access to his accounts.  He used Twitter for work (that’s a problem in itself) and had about 10,000 followers.  The hacker whittled that down to about 3,000.  He also had years of history on his stories there, along with collaboration with sources and other writers.

He did get his accounts back eventually, but there was a lot of damage done.  For example, all of the labels on his Gmail messages are gone, so he has to reconstruct all of that, among other issues.

Oh, yeah, Twitter would only talk to his registered Gmail address, and since that was hijacked, he could not get them to do anything until he got Google to restore his access to his account.

The hacker also compromised his Google Fi account, and since he didn’t yet have access to his Gmail, Google wouldn’t talk to him.  That account, he thinks, and all the data in it, may be lost forever.

TIP: Read the rest of his article for more suggestions on protecting yourself.

So if you are a person who uses online accounts and stores “important” stuff there, consider this.  There is no guarantee that you will be able to get to your online account tomorrow or retrieve any of the data that is there.  If that is a concern, you need to take action.

Almost all services offer a way to back up your data.  It is not the cloud provider’s responsibility to protect your data unless it says so in writing in your agreement.

TIP: Read your agreement with your provider and see what it is liable for.  Also see what damages you can collect.  Often the damages are meaningless (like a refund of the payments you made in the last 12 months – for a free service).

TIP: Google, one service a lot of people use, has a free service called TAKEOUT.  It has nothing to do with home delivery of Asian food.  It is available at .  Takeout allows you to select which of the hundreds of Google services you want to download your data from, and it will give you different download options for each service, since each service is different.  This is great for Google users.

TIP: Set yourself a reminder to back up any critical personal online data as frequently as is important to you.  For example, if you only back up your data monthly, then you may lose a month’s worth of email, photos or whatever.  Back up at least as frequently as the amount of data you are willing to lose.

TIP: If you download your data, back it up.  I suggest multiple copies if the data is important, stored securely.  Flash drives are VERY cheap.  They also fail occasionally, hence the reason for multiple copies.  Put one in a safe deposit box; give one to your kid who lives in another city.  Whatever works, but it does you no good if you can’t get to it.

Source: ZDNet


FTC Paves New Road

The message this administration has been delivering over the last two-three years is less regulation; less controls.  So what, exactly, is the FTC doing?  Are they going off the reservation or is there a plan here?  My guess is that there is a plan.

Last week the FTC whacked DealerBuilt, a service provider that sells dealership management software to car dealerships.

Apparently, back in late 2016, DealerBuilt had a breach that exposed 12 million customers’ data from over 130 dealerships.  The data included all of the stuff that you would expect for car loans.

The crooks downloaded about 10 gigabytes of that data representing about 70,000 customers before it was discovered.  The problem was a really crappy cybersecurity program including transmitting data in the clear, storing data unencrypted, no penetration testing, etc.

What is new here is that the FTC is holding the vendor and not the dealers responsible.  They are saying that the vendor has direct liability to the FTC, even though it is the car dealership that is considered a financial institution because it makes car loans.

DealerBuilt tried to make it right with its customers after the breach, but the damage was already done.

DealerBuilt was, according to the terms of the deal, prohibited from handling consumer data at all until they had an approved cybersecurity program in place (meaning zero revenue until then) and they have to have a third party risk assessment every two years.  While it does not say so, these FTC programs typically last for 20 years.

If they screw up again, the FTC could fine them $42,350 (who makes up these numbers) per violation.  $42,350 x 70,000 customers = $2.96 billion.   Probably enough incentive.

The key point is that if you are a vendor to someone, and most people are, then the FTC is saying that it reserves the right to come after you, as well as your customer.

The consent decree also holds company executives responsible for the new cybersecurity program and requires that the company conducts penetration tests.

Interestingly, it seems like the FTC is still going after folks, as is Health and Human Services (HIPAA), while other agencies, such as the EPA, are being told to stand down.  Source: Autonews.

Will Deepfakes Redefine Whether You Can Believe What You See?

“Think of this – one man with total control of billions of people’s stolen data.  All their secrets, their lives, their futures…”  So begins a fake video that uses deepfake technology and existing footage of Mark Zuckerberg to make him appear to say completely different things (see here).

It even has a CBS News logo on it.  CBS asked Facebook to take it down for trademark violation, but since they refused to take down the doctored video that Trump and others on the right used to try to smear Speaker Pelosi, they are now in a box.

But this is not a Facebook problem.  Nowadays, almost anyone with a little bit of skill and not very much money can make a relatively convincing fake video.

Then they can post it.

They don’t have to post it on Facebook, they can post it on some obscure, non-US web site.  One they create for the purpose.  One that is going to ignore takedown requests.  One that can move at will making it hard to block.

Then all they have to do is wait for people to post links to it.

Could be anything.

The video could show someone committing a crime or talking about something illegal or something immoral.  Given the tech, the possibilities are endless.

Abraham Lincoln once said that it must be true if it is on the Internet (no, he didn’t say that! ).   People tend to believe things that reinforce anything that they would like to be real.

That Zuckerberg video looks pretty real.  It should because it is Zuckerberg and he did speak, just not those words in that order.

Since politics is full of dirty tricks, and it would be easy to create plausible deniability by getting someone in another country to actually do the posting (after all, Trump just said the other day that he would listen to dirt about an opponent given him by a foreign power), this is not much of a stretch.  After all, it could be real.  How would someone know?  Especially if they want it to be true.

This would be an easy way for an enemy of the U.S. to influence an election.  Create enough of these fake videos – for China it would cost petty cash – say $1 million or even $10 million for a whole bunch of them – and you could cause people not to know what to believe.

While tech could help mainstream media figure out some fakes, web sites that didn’t really care whether something is fake as long as it hurt people they want to hurt, will choose not to use that tech.  This puts the target of the smear in a position of having to react and possibly sue to try and get things taken down.  Good luck with that.  It would be a game of whack-a-mole.

Stay tuned, this will get ugly.  Source: Vice.

Security News for the Week Ending June 14, 2019

SandboxEscaper Releases Yet Another Windows Zero-Day

SandboxEscaper has it in for Microsoft.  He or she has released over a half dozen zero-days including four of them just a couple of weeks ago.  He or she has put Microsoft behind the power curve multiple times and now he or she is doing it again.

This time SandboxEscaper has figured out how to exploit the patched version of one of the previous exploits.  This exploit can be triggered silently with no obvious warning to the user.  There is no patch available for it yet. Source: The Hacker News.

If history is any example, this is probably not the last time we will hear from SandboxEscaper.


License Plate Pictures Taken by CBP Cameras Available on the Dark Web

As reported last month but not confirmed by Customs and Border Protection until this week, an unnamed vendor of license plate readers to CBP and others was hacked and hundreds of gigabytes of data stolen.

Included in that data were thousands of photos of license plates captured at the US border and of travelers at US airports, and they are available on the dark web.

The government (no surprise) has a poor vendor cyber risk management program.  The vendor, widely believed to be Perceptics, although the government is shielding it for some unknown reason, copied data from the government’s computers to its own.  After this, the vendor was hacked and hundreds of gigabytes of data stolen.  Source: The Register.


A Year Later, U.S. Government Websites Are Still Redirecting to Hardcore Porn

Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domain names that redirect visitors to porn sites.

Gizmodo reported this a year ago and it is still not fixed.  Actually, a few sites were fixed and a few more were added to the broken list.

Users were being redirected from government sites to sites with names like “Two Hot Russians Love Animal Porn”.  One site affected was the Department of Justice’s Amber Alert site.  To be clear, the government is not running porn sites.

And these are the folks that we are relying on to protect our cyber universe.  Source: Gizmodo.


Philly Courts Still Down After Cyber-Attack Last Month

Another day, another city.  In this case, it was the court system in Philadelphia that was hit by a cyber-attack.

After the attack, e-filing, docketing and email systems were taken down, and there are still problems now.

So far, the courts have released very little information – not even the name of the firm that they hired to fix their mess.  Likely, that will come out later.

Suffice it to say, with each of these attacks, it becomes more and more important to evaluate YOUR disaster recovery system.  Can you afford to be down for weeks in case you suffer an attack?  Source: Infosecurity Magazine.

What If Local Hospitals Were Hit With Ransomware?

Remember the Wannacry attack that basically took down the UK healthcare system and which CBS says will cost about $4 billion to mitigate?

Well, a few medical experts with a bent towards hacking presented the results of a simulation they conducted regarding what would happen if local hospitals were hit by a coordinated malware attack.

They claim that the average connected device had about 1,000 exploitable CVEs (vulnerabilities).  The speakers said that 85 percent of US hospitals do not have any IT security staff.  Those are scary thoughts.

The speakers, Joshua Corman, founder of I Am The Cavalry, Beau Woods, Dr. Christian Dameff and Dr. Jeff Tully, painted a pretty bleak picture.

Along with authorities in Phoenix, they ran a simulation for three days that started with one hospital being infected by destructive malware, followed by digital assaults on other hospitals in the city on day 2 and finally a physical attack like the Boston Marathon attack on day 3.

To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.

By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.

All of the deaths in the simulation were caused by the hacking.

You may remember the case of the St. Jude pacemaker.  A security researcher told the government of the flaw and for a year, the government hemmed and hawed and didn’t do anything.  Eventually the feds blinked and issued a warning and St. Jude patched it.  Most flaws do not get patched at all.

Even if the hospitals have an infinite pot of money, it takes years to get new devices approved.

What needs to happen is for the government and medical device makers to improve their security processes and for hospitals and doctors to fully engage.  We are never going to have bug free software, but right now, many devices are never patched because the approval process to apply the patches (from the government) is basically unworkable.  The public needs to demand it; absent that, the problem will never get fixed and people will likely die needlessly.

In the case of hospitals affected by Wannacry, the researchers are confident that the result was people dying.

Source: The Register.