Ransomware, The Next Generation

Hackers are nothing if not creative.  Combine that with businesses not paying enough attention to security and you get a mess.

Researchers discovered an unprotected database with over 5 million client records belonging to Choice Hotels.

The hotel says there is good news.  Only 700,000 of those records were from real customers.  Doesn’t that make you feel better already?

However, that good news is limited.  The researchers were not the first ones there.  They found a ransom note in the database.  It appears that the bad guys copied the data and tried to delete it, but something went wrong.  They wanted 0.4 Bitcoin, about $4,000 at the time, for the data.  Given the company and the data, they must have been hoping for an easy payday, because that much data should be worth a lot more.

That is the next generation of ransomware.  COPY the data, then encrypt it or DELETE IT.  Then demand a ransom to get it back.  If you don’t pay the ransom, they RELEASE the data.  Or SELL it.  For this generation of ransomware, backups do not help: a backup restores the data, but it does nothing about the copy the attackers already walked off with.  The only thing that helps is keeping the bad guys out in the first place.  Call it ransomware 2.0.  Luckily, in this case, the bad guys were incompetent.  Maybe not the next time.
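What the copy-then-delete pattern looks like from the database side, as an added example (not code from the original post or from ZDNet): a small detector run over constructed audit-log lines.  The log format, the addresses, the collection names and the thresholds are all assumptions made up for the illustration; real databases each have their own audit format, so the parser is the part you would swap out.

```python
"""Added example, not from the original post or ZDNet: flag the copy-then-
delete pattern described above in a database audit log.

The log format and the hosts, users and collection names below are
constructed for this example; real databases (MongoDB, Elasticsearch,
PostgreSQL, ...) each have their own audit format, so adapt parse_line()
to yours.  The thresholds are illustrative assumptions, not anyone's
published tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

READ_OPS = {"find", "export", "scan"}
DESTRUCTIVE_OPS = {"drop", "remove", "truncate"}

# Constructed sample: the application user doing normal work, then an
# unauthenticated client that reads every collection, drops them, and
# leaves a "collection" that is really a ransom note.
SAMPLE_LOG = """\
2019-07-02T03:11:05Z client=10.0.5.12 user=app op=find coll=reservations docs=12
2019-07-02T03:11:09Z client=10.0.5.12 user=app op=insert coll=reservations docs=1
2019-07-02T03:14:40Z client=203.0.113.7 user=<none> op=find coll=customers docs=700000
2019-07-02T03:15:02Z client=203.0.113.7 user=<none> op=find coll=reservations docs=4300000
2019-07-02T03:16:30Z client=203.0.113.7 user=<none> op=drop coll=customers docs=0
2019-07-02T03:16:31Z client=203.0.113.7 user=<none> op=drop coll=reservations docs=0
2019-07-02T03:16:35Z client=203.0.113.7 user=<none> op=insert coll=README_TO_RECOVER docs=1
"""


def parse_line(line):
    """Turn one 'ts key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["docs"] = int(rec["docs"])
    return rec


def find_exfil_then_wipe(log_text, read_threshold=100_000,
                         window=timedelta(minutes=30)):
    """Return {client: finding} for every client that read at least
    read_threshold documents and then dropped a collection within window.
    A large read alone is a backup job; a drop alone is an admin mistake;
    the two in sequence from one client is the ransomware 2.0 signature."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        dropped = []
        for r in recs:
            if r["op"] not in DESTRUCTIVE_OPS:
                continue
            # documents this client read in the window before the drop
            recent = sum(x["docs"] for x in recs
                         if x["op"] in READ_OPS
                         and r["ts"] - window <= x["ts"] <= r["ts"])
            if recent >= read_threshold:
                dropped.append(r["coll"])
        if not dropped:
            continue
        # collections every *other* client has touched; an insert into
        # something nobody else knows about is how ransom notes show up
        baseline = {x["coll"] for c, rs in by_client.items() if c != client
                    for x in rs}
        findings[client] = {
            "docs_read": sum(x["docs"] for x in recs if x["op"] in READ_OPS),
            "dropped": dropped,
            "unauthenticated": any(x["user"] == "<none>" for x in recs),
            "new_collections": sorted({x["coll"] for x in recs
                                       if x["op"] == "insert"
                                       and x["coll"] not in baseline}),
        }
    return findings


if __name__ == "__main__":
    for client, f in find_exfil_then_wipe(SAMPLE_LOG).items():
        print(f"{client}: read {f['docs_read']:,} docs then dropped "
              f"{f['dropped']}; unauthenticated={f['unauthenticated']}; "
              f"new collections={f['new_collections']}")
```

Note what the detector can and cannot do: by the time the drop shows up, the copy has already left, so this only shortens the time between the theft and the moment someone notices.  The control that actually matters is the one the post names, authentication and not exposing the database to the internet at all.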

The database was set up by or for a vendor.  The hotel says that, as a result of the breach, it will not be working with that vendor any more.

The hotel did not initially launch an investigation, but eventually did.

So what is the message here?

Just because you are working with a vendor does not let you off the hook.

What was the hotel thinking giving a vendor live data to test with?  What might the consequences be if the data was released publicly?

How much due diligence did the hotel do on the vendor’s cybersecurity program before it handed over the data?  Under some state laws (Colorado’s, for example), the hotel would be responsible for ensuring that the vendor had the ability to protect the data BEFORE handing it over.

Now the hotel chain will have to face the regulators and the lawsuits and the fines. 

All of this should be part of a company’s vendor cyber risk management program.  Maybe Choice Hotels needs to rethink its vendor cyber risk management program.  I can think of about 700,000 reasons why.  Source: ZDNet.


What Does Foreign Influence in Elections Look Like?

The issue of foreign influence in US Presidential elections has been and continues to be a hot button.

Sometimes the focus on election hacking is on hacking the ballot box, but while this is possible, it would be very hard to do that on a national scale, so it is unlikely that this is the tactic that they would take.  However, since we know that Russia attempted to penetrate election systems in all 50 states during the 2016 elections, we should not rule this out completely.

Whether the foreign powers want to help or hurt a particular candidate (and there are likely some of each), there are many things they could do.

Obviously, they could hack the emails and other systems of candidates and release embarrassing emails.  They could also hack candidates’ personal phones and computers in addition to the campaign’s systems.

More likely, these powers will launch disinformation campaigns.  The number of emails that I get on a daily basis that are designed to inflame or contain outright lies is amazing and will only increase as we get closer to the election.  Same thing with social media.  Whether people will disregard these campaigns is not clear.  It seems that people tend to accept spam that they agree with and reject spam that they disagree with, as opposed to treating all of it with a whole lot of skepticism.

While it is illegal, foreign governments have been injecting money into campaigns of candidates that they like.  This is done via proxies who can contribute, so figuring out who is a shill for, say, China, might be hard.

Remember also that hacking elections is a time-honored tradition.  While the techniques have gotten better, hacking elections is not new.  One source counts 81 foreign elections (that we know about) in which the US has interfered since 1946.

The bigger issue is that people THINK that the elections are rigged and do not vote at all.  If this happens, the bad guys win. 

Voters need to be on the alert for all kinds of tricks that a foreign OR DOMESTIC actor might try.  Smart voters will reduce the impact of the bad actor’s work.  And you must vote.

Sources: Nextgov and The Washington Post.


The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica  – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me precisely what cost Facebook $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless they do it secretly or Congress passes a law overriding those terms of service, the platforms will likely terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet


Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always kept its documents secret.  The only way you even get a copy of the specs is to become a member, and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

 

IBM Says Reports of Malware Attacks Up 200% in First 6 Months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

 

StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan beforehand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that its requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach, and the truth got out.  Source: Tech Crunch.

 

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver-based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, whose details are likely classified, probably use wide-area surveillance techniques like the ones the military fielded in Iraq and Afghanistan, only better.  Gorgon Stare, for example, could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

 

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.

 

North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund those weapons programs.  And they are still going strong.  Source: Reuters.


Wireless Home Security – Good Theater, Bad Security

Alarm companies like wireless alarm sensors because they cost less to install and look better, since there are no wires.  They are also markedly less secure.

It is useful to understand that your neighborhood junkie might not be able to pull off the attack, but any serious burglar would not have a problem.

In this particular case, a lawyer who has an interest in security was able to buy a signal jammer for $2 that disabled the SimpliSafe alarm system in his house.

While the alarm company disputed his claim with statements like “this is not practical in real life”, the lawyer stands by his claim.

To me, the attack is obvious.  If you can jam the signal, the alarm will not go through.

SimpliSafe says that it will detect what it calls interference, and the lawyer agreed that it did, but only sometimes.  He also said that the interference never actually triggered an alarm.  That is the real failure: a panel that notices it is being jammed and merely logs the fact has detected the attack and then done nothing about it.

People often purchase an alarm for peace of mind, but if the alarm is jammable, is the peace of mind justified?

If you really care about your personal security, demand that all of the sensors are hardwired to the control panel.  If the alarm company can’t or won’t do that, find a different company.

Of course, if the alarm is just for appearances, a wireless system will be just fine.

The second half of the problem is the communication between the alarm and the monitoring station.  Some alarms use your internet; others use a cell modem.

The Internet based alarm is easy to defeat, as the wire for your internet connection is typically exposed in a plastic box outside your house for the convenience of your internet provider.  All it takes is a wire cutter.  For cell based alarms, a cell jammer does the trick.

In general, you want two different communications paths back to the monitoring station.
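What “detecting interference” should mean on the panel side, as an added example (not SimpliSafe’s firmware, and not code from the Verge article): wireless sensors send a periodic supervisory heartbeat, and a panel that takes jamming seriously treats both a raised noise floor and missing heartbeats as alarm conditions, not as log entries.  The sensor names, intervals, noise threshold and the jamming timeline below are assumptions made up for the illustration; the model covers the sensor-to-panel link only, not the panel-to-monitoring-station path discussed above.

```python
"""Added example, not SimpliSafe's firmware or anything from the Verge
article: a model of the panel-side check that should turn a jammed radio
link into an alarm rather than a log entry.  Sensor names, the supervision
interval, the noise threshold and the event timeline are assumptions made
up for the illustration.
"""

SUPERVISION_INTERVAL = 60   # seconds between expected sensor check-ins
MISSED_BEFORE_ALARM = 3     # check-ins a sensor may miss before escalation
NOISE_FLOOR_DBM = -85       # receiver noise above this counts as interference
SUSTAINED_SAMPLES = 2       # noisy samples per interval before we call it jamming


def supervise(timeline, horizon, escalate_interference=True):
    """Replay a timeline of (t_seconds, kind, value) events through the panel.

    kind == "checkin": value is the sensor that sent a supervisory heartbeat
    kind == "noise":   value is a receiver noise-floor sample in dBm

    Returns the list of (t, alarm_type, detail) the panel raised.  With
    escalate_interference=False the panel still *notices* the jammer (the
    behaviour the lawyer reported) but relies on sensor supervision alone,
    which is slower.
    """
    pending = sorted(timeline, key=lambda e: e[0])
    last_seen = {}
    noise_times = []
    alarms = []
    raised = set()

    for t in range(0, horizon + 1, SUPERVISION_INTERVAL):
        # deliver every event that happened up to this tick
        while pending and pending[0][0] <= t:
            ts, kind, value = pending.pop(0)
            if kind == "checkin":
                last_seen[value] = ts
            elif kind == "noise" and value > NOISE_FLOOR_DBM:
                noise_times.append(ts)

        # 1. loss of supervision: a sensor that stops checking in is treated
        #    as an intrusion, not as a sensor with a flat battery
        for sensor, seen in last_seen.items():
            missed = (t - seen) // SUPERVISION_INTERVAL
            if missed >= MISSED_BEFORE_ALARM and ("loss", sensor) not in raised:
                raised.add(("loss", sensor))
                alarms.append((t, "supervision-loss", sensor))

        # 2. sustained interference: one noisy sample is a microwave oven,
        #    several in one interval is a jammer, so fail closed and alarm
        recent = [n for n in noise_times if t - SUPERVISION_INTERVAL < n <= t]
        if (escalate_interference and len(recent) >= SUSTAINED_SAMPLES
                and "interference" not in raised):
            raised.add("interference")
            alarms.append((t, "interference",
                           f"{len(recent)} samples above {NOISE_FLOOR_DBM} dBm"))
    return alarms


def jammed_timeline():
    """Constructed scenario: the front-door sensor checks in every 60 s.  At
    t=300 a jammer switches on, the noise floor jumps to -60 dBm and no
    further heartbeats reach the panel."""
    events = [(t, "checkin", "front-door") for t in range(0, 301, 60)]
    events += [(t, "noise", -95) for t in range(0, 300, 60)]
    events += [(t, "noise", -60) for t in range(300, 601, 20)]
    return events


if __name__ == "__main__":
    for policy in (True, False):
        print(f"escalate_interference={policy}:")
        for alarm in supervise(jammed_timeline(), horizon=600,
                               escalate_interference=policy):
            print("   ", alarm)
```

Run it and the difference between the two policies is the point: with interference escalated, the panel alarms a minute into the jamming; with interference merely noted, the first alarm is the supervision timeout two minutes later, and a panel with no supervision timeout at all never alarms, which is exactly the window a burglar with a jammer needs.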

All of this depends on how serious you are about your alarm system protecting you.  Most consumer alarms are really designed to lull you into thinking you are secure and it works because most people don’t have the security knowledge to understand what the weaknesses are.

To watch a video of the hack, additional recommendations on being safer and more details of the attack, go to the article on the Verge.


THIS is Why Patching Your Phone Is Important

I tend to be a bit of a dog on a bone when it comes to patching your phone.  Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.

But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone.  For those phones, Google releases and installs patches like Apple does.

For every other Android phone, Google publishes the open source code to a public repository every month.  Then the phone’s manufacturer has to download it and integrate any changes that it made.  Up until recently, this was a completely optional decision on the part of the phone manufacturer.  Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world.  The mobile carrier then needs to integrate its changes into the code and test it.  Again, completely voluntary.  There will be a new option for brand new phones released with Android 10 this fall, but nothing now.

One more thing.  Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it.  So, if a phone was released in January 2017 and you bought it in March 2018, it will likely be patched for only the first 10 months or so that you own it, at best.  This means that for most of the time that you are using the phone, it will be vulnerable to being hacked.  If you keep the phone for, say, 3 years – many people keep Android phones longer – then for more than 2 of those years it will be open to attack.

This is why understanding this and being vigilant about patching is so important.  And why so many Android phones are exposed to bugs that have long since been fixed upstream.

So why today?

Researchers from Tencent’s Blade Team announced two critical bugs in Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.

Check out the link below for the details and CVE numbers.

Once compromised, the attack gives hackers full system access, including the ability to install rootkits (which are very hard to detect) and steal any information on the phone, most likely without being noticed.

Some of the Qualcomm chipsets affected are:

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Point is – a lot of them, affecting a lot of phones – most of which will never be patched.

While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and be within WiFi range of the attacker such as being out in public in a store, coffee shop, airport, hotel or meeting area, just to name a couple of options.

If you use an Android phone, check to see if it is receiving patches.  If you store anything sensitive on the phone, disable WiFi when you can.

IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.
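How to actually check whether your phone is still receiving patches, and how to work out the support window described above, as an added example (not code from the original post or from The Hacker News).  ro.build.version.security_patch is the property Android really exposes over adb; the three-month staleness threshold, the two-year vendor support assumption and the helper names are this example’s own choices.

```python
"""Added example, not from the original post or The Hacker News: read an
Android phone's security patch level over adb and decide whether the phone
is still being patched.  ro.build.version.security_patch is the property
Android really exposes; the three-month staleness threshold, the two-year
support assumption and the helper names are this example's own choices.
"""
import subprocess
from datetime import date

MAX_PATCH_AGE_MONTHS = 3      # assumption: older than this and the vendor has moved on
VENDOR_SUPPORT_YEARS = 2      # assumption: patches for two years after first release


def months_between(earlier, later):
    """Whole calendar months from earlier to later (ISO date strings)."""
    a, b = date.fromisoformat(earlier), date.fromisoformat(later)
    return (b.year - a.year) * 12 + (b.month - a.month)


def patch_status(patch_level, today, max_months=MAX_PATCH_AGE_MONTHS):
    """(is_current, age_in_months) for a ro.build.version.security_patch value."""
    age = months_between(patch_level, today)
    return age <= max_months, age


def support_window_remaining(release, purchase, support_years=VENDOR_SUPPORT_YEARS):
    """Months of patches left when you buy a phone first released on
    `release`, for a vendor that patches for support_years after initial
    release rather than after your purchase (the point made above)."""
    r = date.fromisoformat(release)
    end = date(r.year + support_years, r.month, 1).isoformat()
    return max(0, months_between(purchase, end))


def device_patch_level():
    """Ask an attached device.  Needs adb on PATH and USB debugging enabled."""
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    level = device_patch_level()
    current, age = patch_status(level, date.today().isoformat())
    print(f"security patch level {level}: "
          f"{'current' if current else 'STALE'} ({age} months old)")
    if not current:
        # the post's advice for an unpatched phone: stop using Wi-Fi
        print("consider: adb shell svc wifi disable")
```

The patch level string is the same date shown under Settings, About phone, Android security patch level, so the check can be done by hand; the script just makes it repeatable across a fleet of phones.  A patch level that has not moved in a few months is the practical signal that the manufacturer or carrier has stopped shipping updates, whatever the marketing says.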

It will not be long before attackers figure out the details and start using this in the wild.

Source:  The Hacker News.

 

 

 

 

 
