Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit.   Still this is two orders of magnitude greater than the FTC fine of Google a few years ago.  The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know.  Source: NY Times.


Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch.  Besides using your email account to send spam, it does lots of other nifty stuff as it evolves.  Nice piece of work – NOT!

Why?  So that they can use your email to send spam.  After all, you are kind of a trusted person, so that if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and voila, they are owned.

And, of course, you are blamed, which is even better for the spammer.  Source: Techcrunch.


Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome.  Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE as Google already does.  Hopefully this will encourage web site operators to install security certificates.  It used to be expensive, but now there are free options.  Source: ZDNet.


AMCA Breach Adds Another 2 Million + Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the 20 million+ victims already reported, the hits keep coming for AMCA.  Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach.  They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, whose name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after.  Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued.  Actually, Quest, Labcorp and the others are who should be sued because they selected AMCA as a vendor and obviously did not perform adequate due diligence.  Source: Techcrunch.


Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week.  The hack cost Bitpoint $28 million and they say that they plan to refund their customers’ money.  One more time the hackers compromised the software, not the encryption.  Source: The Next Web.

5G – Mostly Hype – For Now

There has been a lot of hype surrounding the next generation of cellular technology and while 5G is definitely cool, we need to make sure that we don’t get the cart before the horse.

#1 – Everyone has to buy a new phone.  Apple watchers think that Apple should release its first 5G phone before the end of 2020.  Other phones are being touted as 5G or possibly 5G evolution – which is different.  This means that even if 5G is available in your neighborhood, which it likely is not, it won’t do you any good until you replace your phone.

#2 – Carriers need to upgrade each and every cell tower.  This means new electronics.  Given that there are hundreds of thousands of cell towers – or more – in the United States, that is a lot of money.  Likely, carriers might upgrade the network first in rich neighborhoods (because those people might buy new phones sooner) or neighborhoods with high traffic density.  Most of us won’t see upgrades for years.  I still connect to towers that only support 3G and 2G on a regular basis.

#3 – Network capacity needs to be upgraded.  It is wonderful if you can talk to the cell tower at 1 gigabit per second but that does no good if the connection from that cell tower to the rest of the network is only, say, 50 megabits – there is no magic to get you faster speed.  And that needs to go all the way back to the Internet backbone.  In many cases, that is 5 to 10 network connections that all have to be upgraded.  If you have two cell towers that each want to talk at 1 gigabit per second and they connect to one consolidation point, that needs to have a 2 gigabit connection and if two of those connect to a higher consolidation point, that needs to have a 4 gigabit connection.  Everybody shares the same pipe and it will only run as fast as the slowest connection.

#4 – MORE cell towers.  The nature of 5G is that the signal can only travel a short distance at that high speed.  This means more towers. And more “back haul” connections.  Should we put a tower in your back yard?  This is going to be a big problem.  Carriers want to reduce costs which means that land owners are going to be even less likely to want to put a tower in their back yard.  I have heard some stories that carriers are lobbying for laws to force land owners to put cell sites on their land for next to nothing.  That is not going to go over very well.

#5 – Oh, yeah, 5G doesn’t work inside.  Not in your house.  Not in your car.  Not in your office.  Unless you have a 5G mini cell site inside the building.  With enough bandwidth to back haul the traffic.  There are some carriers that are working on using a different frequency that works better inside, but frequency (also called spectrum) is exceptionally scarce.

#6 – Now you create all these really cool 5G applications that use all that bandwidth.  What about security?  After all, today, phone app security is horrible.  If you start building all of these bandwidth gobbling applications will security magically improve?  Not likely.

Other than that, there are no problems with 5G.

What we are likely to see is limited deployment of 5G over the next couple of years.  Select sites in select cities.  What we also know is that the back haul bandwidth is going to be a problem.

Next we are going to have to get everyone to buy new phones.

And likely the 5G cell plans are going to cost more just like smartphone plans had/have a “surcharge”.

We need to develop all those cool new apps.

And finally, we need to solve the security problems.

As I said, other than that, there are no problems with 5G.


Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse  the system.

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, older versions of Android do not protect individual data on external storage.  If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that was retrieved by another app that has permission to do that and which was not protected, then it can tie all of your data to you even if it doesn’t have permission to retrieve your serial number.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.

Source: The Hacker News.


Welcome to the Surveillance State

Let me first say that there is nothing illegal about what follows.  You may not like it, but it is not illegal.

Using a public records request, Motherboard obtained a user manual for the Palantir surveillance system called Gotham.

The system is used by law enforcement around the country (including, for example, New York, New Orleans, Chicago and Los Angeles), but northern California has got them all beat.  It is also used by a number of private companies.

Northern Cal has created something called the Northern California Regional Intelligence Center or NCRIC.  Through NCRIC, 300 cities in California, home to almost 8 million people, had access to Palantir’s data.

So what can a city ask NCRIC for?

This includes emails, phone numbers, current and previous addresses, social security number(s), business relationships, license plates, and travel history as captured by license plate cameras. The tool also maps that person’s “possible relatives” and “possible associates,” or their friends and family.

They say that everything starts with something that’s perceived as being illegal.
Examples of data that the police can request include:
  • If they have the name of a person associated with a license plate, they can find out where that vehicle has been over any period of time via license plate reader data.
  • With a name, police can get email and phone info, current and previous addresses, bank accounts, social security numbers, business relationships, family relationships, height, weight and eye color.
  • They can find out who are the family members of the evil person along with their business associates.  Once they have those names, they can get the information above for those people too.  Those people, of course, may or may not have done anything illegal.

The feds pay for NCRIC including the 80 people who work there, through a grant.

NCRIC’s contract with Palantir expires this year and Palantir will be replaced by SAS, another big data company, but NCRIC has a license to use Gotham forever.

Again, remember, nothing about this is illegal and you might be able to do most of this yourself with some work, but in the case of Palantir, all you have to do is type a name and click a few buttons.

Welcome to 1984.

And, don’t forget, none of this is limited to law enforcement.  It is limited to only those people whose credit cards or checks clear.

Source: Motherboard (there is a lot more info in the article).

Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver’s license databases.  The FBI and DHS do not feel that they have to ask permission to do this.

The FBI conducts 4,000 facial recognition searches a month.  While the searches might be to find serious criminals, they also might be used to find petty thieves.

All that may be required to conduct the search is an email.  21 states allow these searches absent a court order.  There is no federal law allowing or prohibiting this.

ICE does searches in a dozen states where those states’ DMVs give illegal aliens licenses.  Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones that have crappy security.  This week the Chinese got caught in that net.  Jiangsu province, with a population of 80 million, left 26 gigabytes of personal data representing 56 million personal and 33 million business records exposed in an unprotected Elasticsearch server.  The internet is equal opportunity.  Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail.  That was very difficult to hack.  Unfortunately, it is also very expensive.  Given that the results of the Census affect everything from the makeup of Congress to the receipt of Federal road construction dollars, the outcome is very important.

What better way to make people trust the government even less than they already do than to screw up that count.

This year, for the first time, the Census is using the Internet and smart phones to electronically collect data.  And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing.  After all, what could possibly go wrong.  Even Congress is nervous.  Of  course, the count directly affects their job.  Source:  The NY Times.

K12.Com Exposes Student Data on 7 Million

It’s a sad situation where a breach of the personal data of 7 million students is barely a footnote.  In this case, K12’s software is used by 1,100 school districts (maybe yours?).  They left a database publicly accessible until notified by researchers.  Information compromised included name, email, birthday, gender, authentication keys for accessing the student’s account and other information.  Not nuclear launch codes, but still, come on guys.  Source: Engadget.


If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission – capturing and recording (and handing over to the authorities).  Note this is likely NOT exclusively a Google issue.  They just got caught.  Amazon listens to, they say, about 1,000 clips per shift and has recorded conversations like a child screaming for help and sexual assaults.  THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.  

Of the 1,000 recordings, over 150 did not include the wake word, so 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed.  They also said that the recordings given to the humans were not associated with a user’s account, but the news outlet said that you could hear addresses and other information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here.  One is Google listening (or having its vendors listen) to what you ask Google and the other is Google listening and recording stuff it should not record.  The first should be reasonably expected;  the second is a problem.  Source: Threatpost.

Magecart, the Credit Card Stealing Monster, Is Alive and Well

In one research report researchers have discovered Magecart attacks affecting 17,000 web domains including some in the Alexa Top 2000.  You may remember that Magecart is what took down British Airways and likely caused them to be fined 183 million Pounds by the UK Information Commissioner’s Office.

Magecart is not a single hacker or even a single organization, but rather a technique for injecting JavaScript that steals credit card information into otherwise okay web pages.  This group looked for unprotected Amazon S3 buckets (really, did people not get the memo – apparently not) to compromise the JavaScript code.  In this case, many of the pages are not even checkout pages, so they are just spraying to see what they get.

The JavaScript code that they are inserting is heavily obfuscated to make it very difficult for anyone to figure out what it does.  Most developers looking at code like that will just move on.  Source: The Hacker News.

In a separate report, Sanguine Security says that they identified 962 web sites that were infected with Magecart in one day.   They described it as the largest automated campaign to date.  The previous record was 700 in one day.  Source: Info Security Magazine.

Whether there is some overlap in sites between these two research groups is unknown, but what is clear  is that attackers are very successfully figuring out how to inject malicious code in otherwise reputable web sites undetected.    Two examples of large web sites that have been infected by this technique are Ticketmaster (EU) and British Airways, so it is not just effective on small sites.  Most of the sites infected are, in fact, relatively smaller sites.

Bottom line is that all sites need to consider the possibility of their code being infected with malware and take measures to reduce the risk of that happening.  This includes things like checksumming files and installing software to detect modification of existing files and the addition of new files.

But this also affects third party code that is integrated into your web site.  As we have seen with a number of third party attacks, the attackers hit the weakest point, and if that is third party code that you use, that is fine with them.
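The checksumming defense mentioned above is simple enough to show in working code.  The following is an added example written for this post, not code from any of the research reports or vendors discussed; it assumes a web root directory you control and uses a constructed, throwaway directory for the demonstration.  It records a SHA-256 baseline of every file under the web root and, on a later run, reports files that were modified, added or removed – exactly the three things a Magecart-style injection into hosted JavaScript would show up as.

```python
"""File integrity baseline for a web root (added example, not the article's code).

Build a SHA-256 fingerprint of every file under a directory, save it, and later
diff a fresh scan against it.  A tampered script shows up as "modified"; a
dropped-in skimmer shows up as "added".
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep this file outside the web root."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans into the three changes an integrity monitor must report."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a tiny web root is baselined, then tampered with.

    The files and the 'injected' comment are made up for this example; no real
    skimmer code is involved.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>shop</body></html>\n")
        (root / "js" / "checkout.js").write_text("function pay() { /* legitimate */ }\n")

        baseline_file = root.parent / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what an attacker with write access to the bucket would leave:
        # one legitimate script altered, one new script added.
        with (root / "js" / "checkout.js").open("a") as handle:
            handle.write("/* injected (constructed for the demo) */\n")
        (root / "js" / "extra.js").write_text("// new file\n")

        report = compare(load_baseline(baseline_file), build_baseline(root))
        baseline_file.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step from a known-good deployment and the compare step on a schedule; any non-empty list that does not line up with a deliberate release is something to investigate.  This covers the files you host, which is the S3 bucket case in the report.  For the third-party scripts the last paragraph worries about, which are served from someone else’s origin and never touch your disk, the browser-side equivalent of this check is Subresource Integrity (the `integrity` attribute on `<script>` tags), which makes the browser refuse a script whose hash no longer matches the one you pinned.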