Coworking and Shared Work Spaces Are A Security and Privacy Nightmare

Coworking and shared office spaces are the new normal.  WeWork, one of the coworking space brands, is now, apparently, the largest office space tenant in the United States.

Who is in these coworking spaces?  Startups and small branches (often 1 or 2 people) of larger companies, among others.

Most of these folks have a strong need for Internet access, and these coworking spaces offer WiFi.  Probably good WiFi, but WiFi.  And WiFi is basically a party line, at least for now: unless the access point isolates clients from each other, everyone on the network shares the same segment and can see everyone else's devices.

Look for WiFi 6 with WPA3 over the next couple of years.  WPA3 gives each device its own session keys, so someone who knows the shared password can no longer passively decrypt other people's traffic the way they can with WPA2.  That assumes the place that you are getting your WiFi from upgrades all of its hardware and software.  And that YOUR devices support it too.

Several years ago a guy moved into a WeWork office in Manhattan and was concerned about security given his business, so he scanned the office network.  What did he find but hundreds of unprotected devices and many sensitive documents.

When he asked WeWork if they knew about it, the answer was yes.

Four years later, nothing has changed.
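One way to see for yourself what that scan would turn up, as an added example that is not from the original post or from WeWork: the script below parses the grepable output of an nmap sweep of the office segment and reports the other tenants' machines that answer on file sharing, remote desktop or printer ports.  The embedded scan output, the IP addresses, the hostname and the list of "risky" ports are constructed assumptions.  Only scan a network you are authorised to scan; check the space's acceptable-use policy first.

```python
"""Triage an nmap grepable (-oG) sweep of a shared office network.

Added example with constructed sample data; not code from the article.
"""
import re
from collections import defaultdict

# Services that should never be reachable from another tenant's laptop.
# The set is an assumption for illustration; tune it to your environment.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 139: "netbios-ssn", 445: "smb",
    3389: "rdp", 5900: "vnc", 9100: "jetdirect", 3306: "mysql", 5432: "postgres",
}

# Constructed sample in nmap's -oG format (one Status line and one Ports line per live host).
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Fri Sep 27 09:00:00 2019 as: nmap -oG - -p 21,22,23,80,139,445,3389,5900,9100 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (6)
Host: 192.168.1.23 (printer.local)\tStatus: Up
Host: 192.168.1.23 (printer.local)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (7)
Host: 192.168.1.42 ()\tStatus: Up
Host: 192.168.1.42 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (8)
# Nmap done at Fri Sep 27 09:00:12 2019 -- 256 IP addresses (3 hosts up) scanned in 12.00 seconds
"""

# port/state/protocol/owner/service/...  -- only "open" entries are kept
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: {port: service}} for every live host in nmap -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and trailing summary
        fields = line.split("\t")
        ip = fields[0].split()[1]         # "Host: 192.168.1.10 (name)" -> address
        entry = hosts[ip]                 # record the host even if nothing is open
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, _state, _proto, service in PORT_RE.findall(field):
                    entry[int(port)] = service
    return dict(hosts)


def exposed_services(hosts):
    """(ip, port, name) for every risky port reachable on the segment, sorted."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port in sorted(ports):
            if port in RISKY_PORTS:
                findings.append((ip, port, RISKY_PORTS[port]))
    return findings


def other_hosts_reachable(hosts, own_ip):
    """Any host other than your own means the AP is not enforcing client isolation."""
    return sorted(ip for ip in hosts if ip != own_ip)


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    print("tenants visible from 192.168.1.42:", other_hosts_reachable(scan, "192.168.1.42"))
    for ip, port, name in exposed_services(scan):
        print(f"EXPOSED {ip}:{port} ({name})")
```

If any host other than your own shows up at all, the access point is not isolating clients, and whatever your own laptop listens on is reachable by every other tenant in the same way.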

Fundamentally, it is a matter of money.  And convenience.

But, if you are concerned about security, you need to think about whether you are OK with living in a bit of a glass house.

For WeWork in particular, this comes at a bad time because they are trying  – off and on  – to do an initial public offering, and the bad press from publications like Fast Company on this security and privacy issue doesn't exactly inspire investor confidence.

Fundamentally, using the Internet at a WeWork office or one of their competitors is about as safe as using the WiFi at a coffee shop that is owned by the mob  and is in a bad part of town.  Except that you are running your business here.

In their defense, WeWork does offer some more secure options (although you might be able to do it yourself for less).  A VLAN costs an extra $95 a month plus a setup fee and a private office network costs $195 a month.  That might double the cost of a one person shared space (a dedicated desk costs between $275 and $600 a month, depending on the location).

And clearly they do not promote the fact that you are operating in a bit of a sewer if you do not choose one of the more expensive options.  The upsell here is not part of their business model.

Users of shared office spaces like WeWork (but likely anywhere else too, so this is not a WeWork bug) need to consider whether they are dealing with anything private and whether they care that their computer is open to other tenants and to hackers.  If not, proceed as usual.

If so, then you need to consider your options, make some choices and spend some money.  Sorry.  Source: CNet.

Security News for the Week Ending September 27, 2019

Did Apple ‘Play’ President Trump?

Apple says that it has received a waiver from import tariffs on Chinese parts for the Mac Pro.  Why, after President Trump said he wouldn’t do that?  Apple’s PR machine made it look like the Mac Pro was now going to be made in Texas after they floated a rumor that it was going to be made in  China.  But the Pro has always been made in Texas.  And they are not building a new plant – only using the same plant where they have always been built.  It is an example of how a very rich, connected and powerful company can game the system to get what it wants while smaller companies lose out.  Source: The Register.

Click2Gov – IT'S BACK!

Click2Gov provides self-service portals for local government web sites.  In 2017 and 2018 it was compromised in dozens of cities, exposing about 300,000 credit cards and costing banks about $2 million.


The new attacks started last month and have hit 8 cities so far this time; 20,000 records have already been offered for sale.  Cities in Florida, Idaho, California and Oklahoma have been hacked.

Coming to a city near you.  Source: Wired.

Simjacker – A Mobile Attack That is Invisible

The SIM card in your phone holds the credentials that identify you, the subscriber, to your carrier, but of course vendors could not leave well enough alone, so it does more: it can run small applications (the SIM Toolkit) that the handset executes on the card's behalf.

The attack begins with the attacker sending the victim a specially crafted SMS.  Instead of text for the user, it carries a series of SIM Toolkit (STK) instructions addressed to an application on the SIM (the S@T Browser).  The handset hands the message to the SIM, which processes the commands without showing the user anything.  The commands are quite powerful: they can make the phone report its location and IMEI back to the attacker in an SMS, and could potentially be used for espionage, to spread malware and other things.

Not all phones and not all carriers are susceptible; it depends on the SIM, not the handset.  Some US carriers say that they do not issue SIMs with that application enabled.  Source: AdaptiveMobile.

Microsoft Bans More File extensions from Outlook Web Access

Apparently OWA is now called Outlook on the web.  Must have missed the email.  In any case, Microsoft will block a total of 142 file extensions once 38 more are added in the next release.   In addition to already-blocked extensions like .EXE, .COM, .ASP and .JAR, the new list adds Python files (6 extensions), PowerShell (10), digital certificates (3), Java (2) and miscellaneous applications (17).  Source: The Hacker News.
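Here is an added example (mine, not Microsoft's code or Microsoft's list) of the same kind of extension-based blocking, showing the normalisation a filter has to do before it looks at the extension at all: trailing dots and spaces that Windows silently strips, Unicode look-alike letters, and invisible format characters.  The extension set is an illustrative subset of the families the article mentions, and the attachment names are constructed.

```python
"""Attachment deny list by extension, with the filename normalisation a mail filter needs.

Added example. BLOCKED_EXTENSIONS is an illustrative subset, not Microsoft's list.
"""
import os
import unicodedata

BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".asp", ".jar",          # long-standing entries
    ".py", ".pyc", ".pyw", ".pyz",           # Python family
    ".ps1", ".psm1", ".psd1", ".ps1xml",     # PowerShell family
    ".cer", ".crt", ".der",                  # digital certificates
    ".jnlp",                                 # Java Web Start
}


def normalize_filename(name):
    """Canonicalise a filename the way the receiving OS will interpret it."""
    # Fold Unicode look-alikes (e.g. fullwidth ".ｅｘｅ") to their ASCII forms.
    name = unicodedata.normalize("NFKC", name)
    # Drop format characters (zero-width space, right-to-left override, ...)
    # that are used to disguise the real extension.
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Windows silently strips trailing dots and spaces: "tool.exe ." opens as tool.exe.
    return name.rstrip(" .")


def effective_extension(name):
    """The extension the OS will act on: the last one, lower-cased."""
    return os.path.splitext(normalize_filename(name))[1].lower()


def is_blocked(name):
    return effective_extension(name) in BLOCKED_EXTENSIONS


def filter_attachments(names):
    """Split attachment names into (allowed, blocked) lists, preserving order."""
    allowed, blocked = [], []
    for name in names:
        (blocked if is_blocked(name) else allowed).append(name)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: benign, double extension, trailing space/dot, fullwidth,
    # zero-width space after the extension, and a right-to-left override trick.
    sample = ["invoice.pdf", "Invoice.PDF.exe", "script.ps1 ", "tool.exe.",
              "notes.\uff50\uff59", "report.exe\u200b", "photo\u202egnp.exe", "archive.zip"]
    allowed, blocked = filter_attachments(sample)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Note what this does not do: it never looks inside .zip or .iso containers or follows links to cloud storage, which is exactly where attackers move once the obvious extensions are blocked, so treat extension filtering as a last line, not the first.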

Checkm8 Exploit Could Mean Permanent Jailbreak for Many iPhones

This is still new, so there is a lot we don't know, but a researcher known as axi0mX says that he accidentally found a bug in the iPhone boot ROM that affects most iPhones.

The good news is that it requires physical access: the device has to be plugged in over USB, and the exploit does not survive a reboot.  The bad news is that the boot ROM is burned into the chip at manufacture and cannot be changed by a software update, so Apple cannot patch this on existing devices; only future hardware can close it.  Stay tuned.

If you can exploit this, it would allow you to jailbreak any affected iPhone or iPad.  The models listed include (but may not be limited to) the iPhone 4s through the iPhone 8 and the iPhone X.  It is not clear yet whether the most recent iPhones are vulnerable.

A jailbreak would allow a hacker, a state actor or a forensics vendor like Cellebrite to either extract all data from or compromise any affected phone, hence the name checkmate (Checkm8).  Source: Threatpost.


RUFADAA – What’s That?

I never heard of it, but now both you and I have.

RUFADAA stands for REVISED UNIFORM FIDUCIARY ACCESS to DIGITAL ASSETS ACT.  It is a model law that is designed to deal with your digital exhaust after you move on to the afterlife (I am not sure, but I don’t think they have Internet access in heaven or even in the other place).

The issue is that many online services' user agreements strictly limit what happens to your access after you die.  For example, Apple doesn't want you to share.  The license agreement says "Unless otherwise required by law, You agree that your Account is non-transferable and that any rights to your Apple ID or Content within your Account terminate upon your death.  Upon receipt of a copy of a death certificate, your account may be terminated and all Content within your Account deleted". Source: Apple.

So what is the solution?  RUFADAA.    The original model law (that state legislatures can use to create their own law) was created in 2014 and it gave executors and personal representatives unfettered access to your digital assets.  Examples include things like all of your personal photos that might be stored in the cloud.  But it also includes your email, which you may or may not want your executor to read.  It also would allow them to get the login information to, say, cancel online accounts that might be billed to the deceased every month.

Tech companies said this was contrary to federal privacy laws and state and federal computer fraud laws (that seems like a bit of a stretch, but maybe).  They also said that it violated their terms of service which say things like when you die, so does your content.

The revised version, called RUFADAA, greatly reduces the authority that an estate executor has regarding access to digital assets.

Under RUFADAA, an executor no longer has access to your emails, tweets, chats and other electronic communications unless the deceased specifically consented to that disclosure.

An executor can get access to other types of digital assets but only if he or she petitions the court and explains why access is needed to wrap up the estate.

If the fiduciary does not have explicit permission through a will or something similar, the online service can look to its terms of service for guidance.  I.e., if your will does not grant your executor access to your iCloud photos, Apple will look at its terms and tell you to take a long walk off a short pier.

OK, so what should you do?

#1 – Create a complete inventory of all of your online accounts where anything important is.  That includes things like your subscription to any online content for which your estate will be billed.  If your executor does not cancel your account, you will continue to be billed and are likely legally obligated to pay for that account, even if you don’t even know it exists.

The simplest but least legal thing to do (because it likely violates the terms of service that you agreed to abide by) is to write down your userids and passwords and store them in a safe place or with a trusted person (such as your personal attorney), but remember to change the document when you change your passwords.

The better thing to do is to change your will to explicitly grant your executor access to your digital exhaust to whatever degree that you want.  This can be done formally in your will or informally by writing those instructions in crayon and signing it.  Or anything in between.

Include information and instructions to your executor, along with userids, passwords, two factor authentication information (don’t pull an FBI and cancel the deceased’s phone service before you figure out that you need to be able to receive a text message on that phone in order to log in).  DO NOT INCLUDE THESE INSTRUCTIONS IN YOUR WILL BECAUSE ONCE THAT IS FILED WITH THE COURT, IT COULD BECOME PUBLIC, ALONG WITH ALL OF YOUR PASSWORDS.

41 states have enacted RUFADAA.  Here is a current list.

Bottom line is that it is up to you, but the law is really working against you, not for you, unless you take specific actions.  The good news is that if you do take specific actions, your service providers must follow your wishes.  

Source: Nolo, The Legal Encyclopedia



2019 Crypto Crime Totals $4.2 Billion – In First Two Quarters

Cryptocurrency intelligence firm CipherTrace says that in just two quarters cryptocurrency scams, fraud and thefts netted bad guys $4.26 billion.  This compares to $1.7 billion for all of 2018.

Crime is up several hundred percent even though exchanges are trying hard to improve security.

The attackers are getting more sophisticated, but the users are not.  The attackers are using SIM swaps,  phishing and URL hijacking, among other attack methods.

Apparently, insider fraud is the largest attack vector and also the hardest to protect against.

And don’t forget the total collapse of several exchanges such as QuadrigaCX in Canada.

If the second half of 2019 matches the first half, that will mean over $8 billion in losses compared to $1.7 billion last year, almost 500% of last year's total.

As a result of these huge losses – for which customers are not insured – governments are stepping up regulations.  Of course, as we all know, governments are great at solving problems from the last century, but not very good at solving problems from last year or next.

That doesn’t mean that they won’t implement regulations;  it just  means that if you are hoping those regulations will protect your cryptocurrency, that is probably optimistic.

Word to the wise – don’t invest anything in crypto that you can’t afford to lose 100% of and use every protective measure available, even if it is inconvenient.

Source: Forbes.






Vendor. Cyber. Risk. Management!

I don’t know how to say this any more clearly, but vendors represent a huge risk to every organization.

Lion Air, the Indonesian parent of Malindo Air and other subsidiaries that were breached, confirmed the breach last week.

Why did they confirm it?  Perhaps they were being good corporate citizens.  An alternative explanation is that the Russian security firm Kaspersky (that the United States banned from federal systems, probably for good reason) outed them and warned customers in Malaysia and Thailand.

The breach compromised 46 million people’s data.

Lion Air cheerfully said that no credit cards – which are easily replaced –  were compromised.

What was compromised is passport information (which is difficult and expensive to replace), birth dates (which I have been told are very hard to replace), names, home addresses (I guess you could move) and other personal information.  But no credit cards, so relax.

Oh, yeah, the data was left in an unprotected Amazon S3 bucket – NOT AMAZON’S FAULT!

This is just one of many vendor induced breaches.  In June Upguard reported a terabyte of backup data belonging to Ford, Netflix and TD Bank was found unprotected on several Amazon S3 buckets.

Companies need to create and implement a comprehensive vendor cyber risk management program.  This differs from a traditional vendor risk management program, which worries about whether a vendor has insurance and is licensed, by also considering how the data entrusted to the vendor is being protected – by the vendor, your company or both.  Many cloud providers, including Amazon, use what Amazon calls the "shared responsibility model", meaning that both parties are responsible.  In Amazon's case, they secure the underlying infrastructure and provide the tools (access controls, Block Public Access settings, logging) and the documentation, but you must configure and use them.  And frequently test. And test again.
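For the "test, and test again" part, here is an added example (mine, not from the article, Amazon or Lion Air) of the check that would have caught the kind of bucket described above.  It evaluates a bucket's ACL, bucket policy and Block Public Access settings in the shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and reports every way anonymous users can get in.  The bucket name, account ID, role name and all three documents are constructed samples, and the treatment of Block Public Access is deliberately simplified (it models only IgnorePublicAcls and RestrictPublicBuckets).

```python
"""Flag S3 buckets whose ACL or bucket policy grants public access.

Added example. The dict shapes mirror boto3's get_bucket_acl /
get_bucket_policy / get_public_access_block responses, but all data
below is constructed; there is no real bucket or account behind it.
"""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Sids of Allow statements that any anonymous caller can use."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be written un-listed
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow" and _principal_is_anonymous(s.get("Principal"))
    ]


def bucket_findings(name, acl, policy_json, public_access_block):
    """Combine the checks; Block Public Access can neutralise a public ACL or policy.

    Simplified model (assumption): IgnorePublicAcls makes public ACL grants
    ineffective, and RestrictPublicBuckets confines a public policy to the
    bucket owner's own account.
    """
    findings = []
    if not public_access_block.get("IgnorePublicAcls", False):
        for group, permission in acl_public_grants(acl):
            findings.append(f"{name}: ACL grants {permission} to {group}")
    if policy_json and not public_access_block.get("RestrictPublicBuckets", False):
        for sid in policy_public_statements(policy_json):
            findings.append(f"{name}: policy statement {sid} allows anonymous access")
    return findings


# --- constructed sample data ---------------------------------------------
LEAKY_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-passenger-backups/*"}],
})
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "BackupRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-passenger-backups/*"}],
})
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for finding in bucket_findings("example-passenger-backups", LEAKY_ACL, LEAKY_POLICY, NO_BLOCK):
        print("EXPOSED:", finding)
    print("same bucket with Block Public Access on:",
          bucket_findings("example-passenger-backups", LEAKY_ACL, LEAKY_POLICY, FULL_BLOCK))
```

Run this against every bucket in every account, on a schedule, and treat a non-empty result as an incident, not a ticket; the Lion Air data did not leak because the tooling was missing, it leaked because nobody was looking.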

Costs, fines and lawsuits as a result of this breach will no doubt cost Lion Air many millions of dollars.

One more consideration if you are wondering if you need a vendor cyber risk management program.

Colorado law (for those of you based here or with customers here) requires you to ensure that vendors are protecting your data before you share it with them, so by not having a vendor cyber risk management program you are violating state law.

Source: ZDNet, Dark Reading.


Security news for the Week Ending September 20, 2019

A New Trend?  Insurers Offering Consumers Ransomware Coverage

In what may be a new trend, Mercury Insurance is now offering individuals $50,000 of ransomware insurance in case your cat videos get encrypted.  The good news is that the insurance may help you get your data back in case of an attack.  The bad news is that  it will likely encourage hackers to go back to hacking consumers.  Source: The Register.

Security or Convenience Even Applies to Espionage

A story is coming out now that as far back as 2010  the Russians were trying to compromise US law enforcement (AKA the FBI) by spying on the spies.

The FBI was tracking what Russian agents were doing, but because the FBI opted for small, light but not very secure communications gear, the Russians were able to crack the encryption and listen in to us listening in to them.  We did finally expel some Russian spy/diplomats during Obama's presidency, but not before they did damage.  Source: Yahoo.

And Continuing the Spy Game – China Vs. Australia

Continuing the story of the spy game,  Australia is now blaming China for hacking their Parliament and their three largest political parties just before the elections earlier this year (sound familiar?  Replace China with Russia and Australia with United States).

Australia wants to keep the results of the investigation secret because it is more important to them not to offend a trade partner than to have honest elections (sound familiar?).  Source: ITNews .

The US Government is Suing Edward Snowden

If you think it is because he released all those secret documents, you’d be wrong.

It is because he published a book and part of the agreement that you sign if you go to work for the NSA or CIA is an agreement that you can’t publish a book without first letting them redact whatever they might want to hide.  He didn’t do that.

Note that they are not suing to stop the publication of the book – first because that has interesting First Amendment issues that the government might lose and they certainly do not want to set that precedent and secondly, because he could self publish on the net in a country – like say Russia – that would likely flip off the US if we told Putin to shut him down.  No, they just want any money he would get. Source: The Hacker News.


HP Printers Phone Home – Oh My!

An IT guy who was setting up an HP printer for a family member actually read all those agreements that everyone clicks on and here is what they said.

By agreeing to HP's "automatic data collection" settings, you allow the company to acquire:

… product usage data such as pages printed, print mode, media used, ink or toner brand, file type printed (.pdf, .jpg, etc.), application used for printing (Word, Excel, Adobe Photoshop, etc.), file size, time stamp, and usage and status of other printer supplies…

… information about your computer, printer and/or device such as operating system, firmware, amount of memory, region, language, time zone, model number, first start date, age of device, device manufacture date, browser version, device manufacturer, connection port, warranty status, unique device identifiers, advertising identifiers and additional technical information that varies by product…

That seems like a lot of information that I don’t particularly want to share with a third party that is going to do who knows what with it.  Source: The Register.

Private Database of 9 Billion License Plate Events Available at a Click

Repo men – err, people – are always looking for cars that they need to repo.  So they created a tool.  Once they had that, they figured they might as well make some money off it.

As they tool around town, they record all the license plates that they can and upload the plate, photo, date, time and location to a database that currently has 9 billion records.

Then they sell that data to anyone whose check will clear.  Want to know where your spouse is?  That will cost $20.  Want to get an alert any time they see the plate?  That costs $70.  Source: Vice.

Election Commission Says That It Won’t Decertify Voting Machines Running Windows 7

Come January 2020, voting machines running Windows 7 (which is a whole lot of them) will no longer get security patches unless the city or county pays extra for extended support ($50 per computer in the first year and then $100 per computer in the second year) for each old computer.  Likely this means a whole lot of voting machines won't get any more patches next year.

The nice folks in Washington would not certify a voting machine running an operating system that is not supported, but they won’t decertify one.  That, they say, would be inconvenient for manufacturers and cities.   I guess it is not so inconvenient for foreign nations to corrupt our elections.  Source: Cyberscoop