Security News for the Week Ending August 30, 2019

Lenovo “Crapware” Allows Attacker to Compromise Any PC in 600 Seconds

I am not going to get on my soapbox about why you should not buy a PC built by the Chinese government because I know people love their old IBM Thinkpads, but handle this issue no matter what.

Apparently the Lenovo “Solutions” Center has a bug that allows any user (meaning a hacker that has installed any malware on your computer – so your computer has to be compromised at some small level for this to work) to become an admin within 10 minutes, which is how often Solutions Center runs.  You can read the details in the link, but the simple fix is to delete the app completely.  If you actually use the Solutions Center functionality, Lenovo has a replacement app that does not have this vulnerability.  Source: The Register.


Should You Block Newly Registered Domains?

Researchers say that OVER 70% of newly registered domains are malicious or otherwise potentially harmful to organizations.  Newly registered here means registered within the last 32 days.  Some organizations are already blocking these domains or, alternatively, giving users a warning if they go there.

Two thoughts on this.  First, if YOU plan on launching a new domain, you should plan in advance and buy the domain early; many hackers do not have the patience to do this (in fact their domains are often only live for a few hours).  Second, you should consider implementing a block or warning on newly registered domains to protect your users.  Source: Help Net Security.
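As an added illustration of the block-or-warn policy described above (this is example code, not from the original post or from the cited researchers), here is a small Python routine that reads the registration date out of WHOIS text and applies the 32-day threshold.  The WHOIS records are constructed samples, the field labels and date layouts it accepts are assumptions about typical registry output, and the reference date is fixed so the example runs offline.

```python
import re
from datetime import date, datetime

# Threshold from the article: "newly registered" means registered within the last 32 days.
NEW_DOMAIN_DAYS = 32

# Fixed reference date so the example is deterministic and runs offline (assumption).
REFERENCE_DATE = date(2019, 8, 30)

# Constructed sample WHOIS records; the field names and date formats are assumptions
# about typical registry output, not captured from any real registry.
SAMPLE_WHOIS = {
    "example-bank-login.test": (
        "Domain Name: EXAMPLE-BANK-LOGIN.TEST\n"
        "Creation Date: 2019-08-28T14:03:11Z\n"
        "Registrar: Example Registrar\n"
    ),
    "established-vendor.test": (
        "Domain Name: established-vendor.test\n"
        "Creation Date: 2011-03-02T00:00:00Z\n"
    ),
    "legacy-format.test": (
        "domain: legacy-format.test\n"
        "created: 15-jul-2019\n"
    ),
    "no-date.test": (
        "Domain Name: no-date.test\n"
        "Registrar: Example Registrar\n"
    ),
}

# Labels registries commonly use for the registration timestamp (assumed list).
CREATION_FIELD = re.compile(
    r"^\s*(?:creation date|created(?: on)?|registered(?: on)?)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Date layouts tried in order; the first one that parses wins.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the registration date found in a WHOIS record, or None if absent or unparseable."""
    match = CREATION_FIELD.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def policy_decision(whois_text, today=REFERENCE_DATE, new_days=NEW_DOMAIN_DAYS):
    """Classify a domain as 'block', 'warn' or 'allow' from its WHOIS creation date."""
    created = parse_creation_date(whois_text)
    if created is None:
        # No usable date: the domain cannot be shown to be established, so warn rather than allow.
        return "warn"
    age_days = (today - created).days
    if age_days < new_days:
        # Covers genuinely new domains and malformed future-dated records (negative age) alike.
        return "block"
    return "allow"


def evaluate_all(records=SAMPLE_WHOIS, today=REFERENCE_DATE):
    """Apply the policy to every record and return {domain: decision}."""
    return {domain: policy_decision(text, today) for domain, text in records.items()}


if __name__ == "__main__":
    for domain, decision in evaluate_all().items():
        print(f"{decision:5s}  {domain}")
```

Two practical notes: because attacker domains may only live for hours, this check belongs at DNS-resolution or proxy time rather than in a nightly batch, and a record with no creation date is treated as "warn" rather than "allow" so that a redacted or unusual registry format never silently whitelists a domain.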


House Dems Ask FSOC to Regulate AWS, Azure and Google Cloud

Two House Democrats have asked the Financial Stability Oversight Council (FSOC), which is comprised of Federal bank regulators, to consider making the big 3 cloud providers “systemically important” to the banking industry and as a result directly regulate them.

This was directly in response to the Capital One breach, even though that breach was the fault of Capital One’s bad security practices and not a security failure at Amazon.

It is probably obvious but I will point out that given the current political climate, it is unlikely that the administration will do anything that Democratic Party lawmakers suggest.  Still it does point to the possibility that Congress will try to legislate that if the administration doesn’t do anything about cloud security.  Source: Rep. Velazquez.


Cloud Archive for Dentists Hit By Ransomware Attack

DDSSafe, a cloud archive solution for dentists, was hit by a ransomware attack that encrypted the data of hundreds of practices.  This follows the FBI/DHS alert that hackers were going after cloud service providers because one attack can generate a massive payday.  In this case it is believed the hackers were asking $5,000 per practice and if 500 practices were affected, that would represent a $2 Mil+ payday.  Tax free.  Source: Krebs on Security.


Google Reveals Websites That Hack iPhones With No Interaction

Google’s Project Zero identifies bugs in a variety of software from every vendor.  This week they announced 14 flaws which, when chained together in different ways, created 5 different ways an iPhone user can be totally compromised just by visiting a malicious web site, without clicking on anything.  The flaws were shared with Apple in February and Apple fixed them in version 12.1.4 of iOS.  Successful attacks allow a bad guy to steal your photos, contacts, location and passwords.  The bugs go back to iOS 10 and the web sites have been serving up malware for two years.  The nature of the attack was such that rebooting the phone (and not visiting those sites again) would get rid of the  malware.  Source: Computing.

Top Threats To Cloud Security – The Egregious Eleven

The cloud has become an important part of every company’s IT solution.  Whether you are using third party software as a service or building your own solutions in the cloud, the cloud is not risk free.  Just ask Capital One if you have any questions about that.

So what are the things that you need to consider?  The Cloud Security Alliance has done a great job of laying that out.  Here is what they are saying:

1. Data Breaches – this is the most public negative consequence of not properly securing your cloud infrastructure.

2. Misconfiguration and inadequate change control – this could lead to a breach (see Capital One, again) or it could lead to downtime.

3. Lack of cloud security architecture and strategy – it is a REALLY bad idea to pick up the solution that you have in your data center and drop it in the cloud.  In fact, it could be a disaster.

4. Insufficient Identity and Access Management (IAM) – again, see Capital One.  If you do this wrong, your systems are exposed to anyone, anywhere in the world.

5. Account hijacking – if the security of the service accounts is compromised, things can go downhill fast.

6. Insider threat – the cloud is no different than any other system, and if you have a disgruntled or, more likely, careless internal user, they can easily expose the entire network to attack.

7. Insecure APIs and interfaces – since the systems are inherently much more public in the cloud, all APIs and interfaces need to be very, very secure.

8. Weak control plane – a weak control plane means the person in charge (either a system architect or a DevOps engineer) is not in full control of the data infrastructure’s logic, security and verification, which can lead to a breach.

9. Metastructure and applistructure failures – cloud providers reveal operations and security precautions at the “waterline”, the line between what the provider is responsible for and what the customer is responsible for.  If that is not well implemented and well understood, the result can be a disaster.

10. Limited cloud usage visibility – without adequate usage visibility, the organization can’t tell the difference between authorized use and hackers.

11. Abuse and nefarious use of cloud services – I think this one is obvious.  Could be an insider or a hacker, but the cloud service is not being used in an authorized manner.
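Items 2 and 4 above (misconfiguration and weak IAM) are the ones a reviewer can actually catch before deployment, so here is an added example, not from the original post or from the Cloud Security Alliance, showing a deliberately over-permissive S3 bucket policy beside a corrected one and a small Python audit that flags the over-broad statements.  Both policies are constructed; the account id and role name in the corrected policy are placeholders.

```python
import json

# Constructed "weak" bucket policy: anyone on the Internet can do anything to any object.
WEAK_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToTheWorld",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
    }],
})

# Constructed corrected policy: one named role, one read action, one bucket's objects,
# plus a Deny that refuses plaintext transport.  Account id and role name are placeholders.
FIXED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "RequireTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the statement applies to every AWS account or to anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy_json):
    """Return human-readable findings for over-broad Allow statements in a policy document."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow statements widen it
        sid = statement.get("Sid", f"statement-{index}")
        if _principal_is_anyone(statement.get("Principal")) and "Condition" not in statement:
            findings.append(f"{sid}: Allow for any principal with no Condition (public access)")
        actions = _as_list(statement.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants every API call in the service")
        if any(r == "*" for r in _as_list(statement.get("Resource"))):
            findings.append(f"{sid}: wildcard Resource applies to every bucket and object")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_BUCKET_POLICY), ("fixed", FIXED_BUCKET_POLICY)):
        print(label, audit_policy(doc) or ["no findings"])
```

The audit runs offline on the JSON alone, so it fits naturally into the change-control step from item 2: run it in the pipeline that applies bucket policies and refuse to deploy when it returns findings.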

For a 40 page manual on this subject from the Cloud Security Alliance, check out this article (registration required).

Ever Heard of VxWorks? Me Either!

Turns out that VxWorks is an extremely popular “real time” operating system or RTOS.  RTOSes are used in devices that need to be able to respond to real time events, unlike, say Windows, Linux or MacOS.  VxWorks can make sure that say, if an MRI machine is zapping someone with energy in order to create an image and the computer decides that the patient has received enough energy, the beam is turned off.  NOW!  RIGHT NOW!  Windows, Linux and MacOS would turn it off too, but  it might happen a little later – possibly killing the patient in the process, which is generally not considered a desirable outcome.

So who uses VxWorks?  Apparently about 2 BILLION devices.  These include firewalls, routers, printers, the MRI machines that I talked about above, patient monitors, satellite phones, industrial control (SCADA) devices, VOIP phones and many other devices.

One other benefit of RTOSes is that they are small.  Very small.  For example, Microsoft recommends 2 Gig of RAM and 20 Gig of disk for Windows 10.  VxWorks will work with 1 Meg of RAM and 512K of ROM.  More is better, but, as you can see, it will work in a very small footprint.

Researchers found 11 serious flaws in VxWorks, most of which allow an attacker to compromise the system without any user interaction at all.

Wind River, the company that makes VxWorks, has released patches, and they also say that, while they don’t really know, not all 2 billion devices are equally compromisable.  Maybe ONLY 200 million are at high risk (well, not a big deal then – ONLY 200 million devices).  Of course the low risk devices become high risk as soon as an attacker compromises the crunchy outer shell of your network.  It is also not clear that they know every place that VxWorks is deployed, since many companies might buy it from a third party.

Two vendors who have publicly announced patches are Xerox and Sonicwall.  Users may be used to patching their Sonicwall firewalls, but how many users patch their Xerox printers and copiers?

The researchers say that attacks against VxWorks (named URGENT/11) can be detected at your firewall.  Unless the firewall itself is being attacked, or the attacker is launching the attack from an otherwise compromised device inside your network, or the device is located on the public Internet.  Researchers demonstrated the attack against Sonicwall, Xerox and also a patient monitor at Blackhat recently.

So what do you do?

This is where those Bills of Materials that I have talked about for a long time come into play (even though most vendors can’t or won’t provide one).  Alternatively, you need to ask vendors if they are vulnerable to the URGENT/11 attack.  Start with vendors whose equipment is (a) mission critical, (b) exposed to the Internet, (c) affects life safety or (d) could kill you (as in a patient monitor or SCADA device).  ANY one of (a), (b), (c) or (d) qualifies.  Two or more ups the risk.

Make sure that your Firewalls and intrusion detection/prevention systems have signatures to detect URGENT/11.  While this is not perfect for the reasons I mentioned before, it can’t hurt.

Be alert to unusual network behavior.  This could be an indication that your network has been infiltrated.
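To make the bill-of-materials step and the (a)-(d) prioritization above concrete, here is an added Python example (not from the original post, CSO Online or the URGENT/11 researchers) that scans a constructed device inventory, each with a simplified CycloneDX-style SBOM, for any component naming VxWorks and orders the hits by how many of the four criteria they meet.  Because the article states that every VxWorks version is vulnerable to at least one of the bugs, any VxWorks component is treated as a hit; the device names, versions and flags are all constructed sample data, and the SBOM layout is an assumption.

```python
# Constructed inventory with a simplified, CycloneDX-style SBOM per device (assumed format).
# The article's (a)-(d) criteria are recorded as boolean flags on each device.
INVENTORY = [
    {
        "device": "patient-monitor-icu-3",
        "sbom": {"components": [
            {"type": "operating-system", "name": "VxWorks", "version": "6.9"},
            {"type": "library", "name": "example-tls-lib", "version": "1.2"},
        ]},
        "mission_critical": True, "internet_exposed": False,
        "life_safety": True, "could_kill": True,
    },
    {
        "device": "branch-firewall-1",
        "sbom": {"components": [
            {"type": "operating-system", "name": "Wind River VxWorks", "version": "7"},
        ]},
        "mission_critical": True, "internet_exposed": True,
        "life_safety": False, "could_kill": False,
    },
    {
        "device": "lobby-printer",
        "sbom": {"components": [
            {"type": "operating-system", "name": "vxworks", "version": "5.5"},
        ]},
        "mission_critical": False, "internet_exposed": False,
        "life_safety": False, "could_kill": False,
    },
    {
        "device": "hr-laptop-17",
        "sbom": {"components": [
            {"type": "operating-system", "name": "Windows 10", "version": "1903"},
        ]},
        "mission_critical": False, "internet_exposed": True,
        "life_safety": False, "could_kill": False,
    },
]

# The article's (a) mission critical, (b) Internet exposed, (c) life safety, (d) could kill you.
CRITERIA = ("mission_critical", "internet_exposed", "life_safety", "could_kill")


def uses_vxworks(sbom):
    """True if any SBOM component names VxWorks; the article says every version has at least one bug."""
    return any("vxworks" in comp.get("name", "").lower() for comp in sbom.get("components", []))


def risk_score(device):
    """Number of the (a)-(d) criteria the device meets: any one qualifies, two or more ups the risk."""
    return sum(1 for key in CRITERIA if device.get(key))


def priority_label(score):
    """Turn the criteria count into the article's ordering: who to ask first."""
    if score >= 2:
        return "ask vendor first"
    if score == 1:
        return "ask vendor"
    return "ask later"


def triage(inventory=INVENTORY):
    """Devices whose SBOM lists VxWorks, most exposed first, each with score and priority label."""
    affected = [d for d in inventory if uses_vxworks(d["sbom"])]
    affected.sort(key=lambda d: (-risk_score(d), d["device"]))
    return [(d["device"], risk_score(d), priority_label(risk_score(d))) for d in affected]


if __name__ == "__main__":
    for name, score, label in triage():
        print(f"{score}  {label:17s}  {name}")
```

The laptop drops out because nothing in its SBOM is VxWorks, and the printer stays on the list at the lowest priority, which matches the point above: it still needs a vendor question eventually, just not before the patient monitor and the firewall.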

The big problem here is that most of those 2 billion devices will never be patched.  This bug goes back to 2006 – yes 13 years ago – AT LEAST that far back.  Not all versions of VxWorks are vulnerable to all of the bugs, but every version is vulnerable to at least one of the bugs.

Many of the devices are no longer supported by the vendor and in some cases, the vendor might not even be in business.

If the vendor is in China, where an amazing amount of hardware and software comes from, of course they may have no incentive to patch the holes as most users would have no clue as to whether the device is vulnerable and the Chinese might want to use the vulnerability to compromise affected devices.

The bigger problem is supply chain.  You buy, say, a security camera from Cisco.  Seems like this might be made in the US.  But they buy a processor board for the camera from vendor X and vendor X gets software for the system from vendor Y and other parts for the system from vendor Z.  Very quickly you lose track of where things come from.  If you think about something like a car, it could have 200 processors in a high end car, possibly each from a different vendor and each with its own supply chain issues.

The problem is not simple to solve.

Source: CSO Online.




Feds Indict 80 in Romance Fraud Scheme

I was talking to an Assistant US Attorney (AUSA) last week and he told me that romance scams (where a scam artist cons usually older people out of their life’s savings by pretending to be romantically interested in the victim) are the second largest cyber attack reported to the Feds.  Given the announcement below, I guess he knew this was coming but couldn’t say anything.

Last Friday the Feds unsealed a 252 count indictment against 80 Nigerian nationals who, they say, conspired to bilk victims out of $46 million.

The indictment was handed down by a Grand Jury last year but only announced after 14 of the culprits were in stainless steel bracelets courtesy of a coordinated roundup of the bad guys.

While the other 63 are still at large (if you are counting, 3 were arrested previously, adding up to 80), it is not a hopeless cause.

In my conversation with the AUSA last week, he pointed out that the indictment of people outside our reach is not completely pointless.  Many of these people like to travel.  At least some of those places are friendly to the US and yes, the US puts the names of those indicted on Europol’s and Interpol’s arrest for extradition list, so should one of those nice crooks appear at a customs location in one of those friendly countries, they will be immediately arrested and held. What is amazing is that we capture at least a couple of these guys a year that way.

In the short term, capturing these 17 people does send a message to folks that there are risks to operating romance scams and business email compromise scams.

What is also interesting is that the FBI tells me that they are adding more and more agents for attacking cyber crime because that is the fastest growing area.  Crooks figure that they can get away with almost anything, and the crooks think the Feds are too stupid to catch them.  That might have been the case a few years ago, but the Feds are definitely becoming a lot smarter every year.

Another Federal Law Enforcement agency here in Denver that I work with says that they are about to get their cyber lab redone and they will have more than FIVE TIMES the space in the new lab than they do in the current lab.  With a bunch of new equipment too.

So while cyber criminals do have the edge today and will continue to have the edge in the short run, in the long term, the prospects for being a cyber crook are a lot more dicey.

In this particular indictment, the Feds say that the victims include many elderly people (the romance scam) and businesses of all sizes (business email compromise scams), with the Feds specifically calling out law firms for some reason; maybe we will hear why soon.

For business users and general consumers alike, this is yet another heads up.  The Feds say that these scams are a multi-billion dollar a year “business”.

What you can do is educate your people – your employees and family members – about these major cyber attack methods.

Training probably provides the best cost benefit trade-off to reduce the likelihood of falling for one of these scams.  We can provide a fantastic online training program, including unlimited anti-phishing training, for an organization of 25 or less for around $500 a  year.  Whether you buy our program or another solution, I urge you to put one of these solutions in place.

In addition to training, of course, you need to take other protective measures.  Basic measures will reduce the risk factor significantly.  Will it stop a determined nation-state actor?  No.  But most of the attacks that we see don’t fit into that category.

Source: SC Magazine.


Security News for the Week Ending August 23, 2019

Remember That Vague Client Alert Earlier This Week?

For those of you who are clients, you received an out of cycle client alert on Tuesday (they usually come out on Wednesday) providing a copy of the Homeland Security Alert on the Sodinokibi ransomware going after Managed Service Providers or MSPs.   It now appears that the attack on Texas towns (see below) is based on an attack on the MSP hosting the systems of those municipalities.  Assuming that is true (The state of Texas is being very vague on the whole situation), that could explain why DHS issued the alert at this time.  To reiterate the recommendation in the alert – make sure that your MSPs’ security programs are up to the task.  In the case of Texas, one town has announced that the attacker wants that town to pay $2.5 million in ransom.  Source: Bleeping Computer.

20 Texas Towns Hit by Ransomware.  Wait 23.  Wait …..

Cities and towns across the country have been hit by a wave of ransomware attacks, but of course, everything is bigger in TEXAS.

While the press release is very short on details, the Governor has called out the Texas Military Department (that is the combination of the Army National Guard, the Air National Guard and the Texas State Guard, which is an organized militia as defined in the Constitution) along with the experts at Texas A&M University (The Aggies have a world class cybersecurity capability) to help the cities impacted deal with the situation.  While Colorado was the first state to activate the National Guard to help with a cyber attack, Texas is now the third (after Louisiana) in what may become a trend. Source: KUT, Austin’s Public Radio Station. 

IRS Notifies Thousands of Cryptocurrency Traders of Back Taxes and Penalties

Not wanting to leave money – even digital money – on the table, the IRS has sent out letters to thousands of cryptocurrency traders who did not report the trades on their tax returns assessing them  taxes and penalties along with the threat of possible criminal prosecution.  Not a big surprise, but if you thought you could escape the tax man…  Of course, if you are trading peer to peer, then it is 100% unlikely that the tax man will ever find you.  Source: CNBC.


Huawei Goes Into Full Battle Mode

Huawei CEO Ren Zhengfei sent a memo to the company that says, in light of the US bans, that it was time for the company to go into full battle mode, making references to the military bible, The Art of War.

By continuing to suspend the ban, President Trump has effectively admitted that it has only a little to do with national security and everything to do with his trade war, while the uncertainty is affecting US companies’ bottom lines and users’ security.

In the meantime, Huawei says that it will build 60,000 5G base stations this year and 1.5 million next year – all without any US components.  Other countries continue to buy Huawei equipment, and US rural cell carriers say that it will cost them more than a billion dollars, which they do not have, to replace their Huawei equipment – meaning that they will dramatically slow 5G deployments.

Currently the US is lagging in 5G deployment and despite the President’s wishes that this is not so, this is not likely to change any time soon.  Read the details of this dance here.


Plan for End of Life of Software Support

End-of-life in software and hardware means no more security fixes and given the number of fixes we see every month, using software and hardware that is no longer supported is not a good plan.  No more patches does not mean no more flaws – just no more fixes for those flaws.  Hackers count on that fact.  Here is what is coming up to the end of life soon:

Python 2 on January 1, 2020 (about 4 months)

Windows 7 on January 14, 2020 (also about 4 months)

Windows Server 2008 and 2008 R2 also on January 14, 2020 (4 months).  As an incentive to get you to migrate to Azure, if you migrate your Windows 2008 servers to Azure before January 14th (and therefore pay Microsoft monthly cash), they will support Server 2008/2008 R2 for three more years.

For states with cybersecurity and privacy laws that say that you have to take reasonable measures to protect your data, it will be hard to defend in court, if you have to, that using unsupported software is taking reasonable measures.

Misconceptions About Vendor CYBER Risk Management

I talk about the importance of vendor cyber risk management programs all the time.  Vendors have been at the root of many very major breaches such as Target and Home Depot and more recently Capital One.  Here are some thoughts around vendor cyber risk management.

  • The vendor is big and publicly traded so surely they are secure.  The source of the Capital One breach was Amazon.  Enough said.
  • I don’t share non-public personal information with the vendor, so they are a low risk.  First, if a vendor is a trusted partner, the risk is high because, well, they are trusted.  If the vendor gets compromised and you receive say, a poisoned email from that vendor, you are more likely to open it and second, more and more laws address any personal information and not just non-public personal information.
  • The vendor is not publicly traded.  True, if the vendor is not public there may not be much information online, but that doesn’t stop you from asking for information.  In Colorado, for example, you are required by law to verify that a vendor can protect personal information before you let them have it.
  • I don’t share data with them electronically.  Think about a document storage company or a document mailing service.   They still represent a risk.
  • The vendor is well known so surely they are secure.  Is Target well known?  Marriott?  Equifax?  Sorry, size doesn’t protect you.
  • The vendor was already hacked, so it’s all good now.  There is a kernel of truth here.  Many times companies do improve their security after a breach, but there is no way of knowing without doing your own assessment.
  • The vendor is a big tech company – spent bazillions on their software – so surely it is secure.  Companies’ data stored at Amazon is compromised all the time.  It may not be the vendor’s fault – you may not have configured things right – but your data is still compromised.
  • The Vendor won’t provide documents that we have asked for.  Often vendors can’t provide everything you might like but that doesn’t mean that you shouldn’t get as much as you can.  And then you have to make a decision as to whether you should do business with them.  If companies lose enough business they will change their ways.
  • We have reviewed the vendor’s security and it is good, so we do not need to worry about their vendors.  Nope.  Not the case.  There was a recent breach of about 24 million mortgage documents.  What happened?  The banks hired a vendor.  That vendor outsourced part of the work and that vendor was hacked.  Leaving the banks financially responsible.
  • I’ve never been hacked so surely my vendors won’t be either.  Hope is not a good security strategy.  Remember that it took Marriott 4 years to figure out they had been hacked.  The longest running undetected hack I know about was a tech company that was compromised for more than ten years.  They are no longer in business.   Bankrupt and sold off for scrap.

How strong is your program?  Deal with it now or deal with it after a breach.  Now is cheaper, I promise.