Country of Georgia Hacked

Well it seemed like the whole damn country.

Over 15,000 websites have been hacked, including, not surprisingly, newspapers, government offices and TV stations.

After the sites were defaced by the hackers, they were taken offline.

Newspapers said it was the biggest attack in the country’s history, even bigger than the 2008 attack by Russia.

This attack even affected some of the country’s courts and banks.

Needless to say, and based on the history with Russia, there was some panic around.

However, a web hosting company, Pro-service, admitted that their network was attacked.

By late in the day more than half of the sites were back online and they were working on the rest.

The hackers defaced the sites with a picture of former president Mikheil Saakashvili, with the text “I’ll be back” overlaid on top.

Saakashvili is in exile in Ukraine now but was generally thought to be anti-corruption, so it is unlikely that Russia did it this time, but it seems to be politically motivated.

At least two TV stations went off the air right after the attack.

Given that Georgia (formerly known as the Republic of Georgia) is not vital to you and me on an everyday basis, why should we care?

The answer is that if it could be done there, it could be done here too. Oh. Wait. They already did that (see here). In that case, it was the Chinese and the damage was much greater.

The interesting part for both the Chinese attack on us and the <whoever did it> attack on Georgia is that one attack on a piece of shared infrastructure can do an amazing amount of damage.

Think about what happens when Amazon, Microsoft or Google go down – even without a cyberattack.

The folks in DC are already planning how to respond to an attack on shared infrastructure like banking, power, water, transportation and other critical infrastructure.  You and I don’t have much ability to impact that part of the conversation, but we do have impact on our own infrastructure.

Apparently this attack was pretty simple and didn’t do much damage, but that doesn’t mean that some other attack will also be low tech or do little damage. What if an attack disabled one or a few Microsoft or Amazon data centers? Microsoft is already rationing VMs in US East 2 due to lack of capacity. What would happen if they lost an entire data center?

This falls under the category of disaster recovery and business continuity. Hackers are only one case, but the issue of shared infrastructure makes the impact much greater. If all of your servers were in your office like they used to be, then attacks would be more localized. But there are many advantages to cloud infrastructure, so I am not suggesting going back to the days of servers in a closet.

Maybe Microsoft or Amazon are resilient enough to withstand an attack (although it seems like self inflicted wounds already do quite a bit of damage without the help of outside attackers), but what about smaller cloud providers?

What if one or more of your key cloud providers had an outage? Are you ready to handle that? As we saw with the planned power outages in California this past week, stores that lost power had to lock their doors because their cash registers didn’t work. Since nothing has a price on it any more, they couldn’t even take cash, assuming you could find a gas station to fill your car or an ATM to get you that cash.

Bottom line is that shared infrastructure is everywhere and we need to plan for what we are going to do, not if, but when, that shared infrastructure takes a vacation.

Plan now. The alternative may be to shut the doors until the outage gets fixed, and if that takes a while, those doors may be locked forever.

If Your iPhone Dies, Does That Make You a Criminal?

No, this is not an Apple-bashing post, just coincidence. The problem could just as easily happen to an Android user.

The short answer to the question in the subject of this post is, apparently, yes, at least according to the courts in London.

Here is the story.

Jemima is a digital convert. She is a resident of London and is dedicated to her iPhone. She uses Apple Pay. After all, what could go wrong?

The story starts with her getting on a bus in London and using Apple Pay to pay the fare. Then her iPhone’s battery died.

The bad news is that the fare inspector came by and she couldn’t prove that she had paid the fare. She gave the fare inspector her information, figuring that the bus company should be able to verify that she paid.

But she was charged with a CRIME, not being able to PROVE that she paid the fare, and had to go to court and plead guilty or not guilty.

When she went to court she produced a bank statement showing that she paid the fare, but they said that wasn’t enough.

But apparently she had failed to “register” her Apple Pay with Transport for London, which, they said, is actually not required.

But since she had not done that, and the digital world doesn’t print you a paper receipt, you get to deal with the mess.

She was found guilty and fined $592. For not paying for the bus. Which she had paid for.

Being a convicted criminal, she was turned down for a U.S. Visa.

MONTHS later, she was able to convince a judge that this was not right and finally overturned her conviction.

So ponder this when you do things the “convenient” (AKA digital) way.  It can come back to bite you in the ….

Recently, I had a somewhat similar situation but luckily it didn’t turn me into a criminal.

I went to check in for a flight and the airline said I didn’t have a reservation. But I had the confirmation number. Of course, no officially issued ticket. I wound up having to pay a ridiculous amount for a last minute ticket. Ultimately, we were able to track down the problem, but it took quite a while.

Bottom line, understand the risks when you opt for convenience.

And understand the arcane rules that the business you are using has like requiring you to “register” your phone while not really requiring you to register your phone.

And maybe, get a paper receipt.

Oh, Jemima bought an external battery for her phone.

Of course, the challenge is that businesses are “out over their skis,” as the expression goes. They are moving so fast into the digital world that they are not ready to deal with what happens when things go sideways.

If you are responsible for a business, consider that. What failure modes do you need to be ready to handle? Don’t make it your customer’s problem. Plan for it because, well, poo-poo happens.

Source: ZDNet



It’s Going to be Painful, And It’s Going to Cost Money

These are the words right out of the mouth of Katie Arrington, the Pentagon’s Chief Information Security Officer for the acquisition policy office. Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition. He is the guy who is responsible for making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.

She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC). The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software, be certified. There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.

The current plan is that the new standard will come out early next year, start being included in RFPs in mid-2020 and become part of contracts starting in late 2020 (FY22). For more information check out our CMMC web site.

Currently, companies who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.

While it is likely that this will be phased in on new contracts and higher risk contracts first, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space. Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say, 2022.

From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar, and they understand that it will cost both you and them money. That does not mean that you will have a blank check (you won’t), but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.

Regarding the pain part, it will be painful. Companies will need to implement new rules, those rules will affect employees, and there are likely at least some things that employees will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.

Katie is saying that the DoD has the ability to FINE companies for selling products with security defects and companies should not underestimate their willingness to use that legal ability.

DoD has struggled since 2013 with improving the security practices of its Defense Industrial Base: first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification. All the while, China has been stealing $500 billion a year or more in intellectual property. Third party certification is the kicker with this rule. People tend to stretch the truth when they self certify, but a third party that runs the risk of getting its certification rights revoked if it stretches the truth is much less likely to stretch things.

CMMC does not have any exclusions for small contractors. They have to meet the same standards as Lockheed does. Since small business systems are less complex, it will be easier for small companies to meet those standards, but it will not be free and it will not be painless. Small companies have less internal sophistication and fewer internal resources, hence the pain part.

So, if you are in the defense supply chain at any level, become educated and start getting compliant. Or run the risk of getting kicked out of the DoD supply chain.

Source: Cyberscoop.

Sextortion Botnet Spreads 30,000 Emails an Hour

Most of you have probably seen or heard of the threatening email that starts with “Hi, I know one of your passwords is: xxxxx”. The email goes on to say that the email writer has infected the recipient’s PC, including access to the recipient’s webcam. The attacker claims, by virtue of installing the malware on the recipient’s computer, to have access to all of the recipient’s accounts and to have recorded the recipient engaging in adult activities, which the attacker will share with the recipient’s address book if the recipient doesn’t fork over some money, pronto. Of course, the ransom should be paid in Bitcoin.

There are a number of variants to this email, but what is amazing is how the process works.

First, regarding the password: it is a legitimate password belonging to the recipient, but it was likely NOT obtained by hacking any computer. Rather, it was bought on the dark web as a result of one of the many breaches that we read about on a daily basis.

If you want to see at least some of where your passwords have been breached, go to MONITOR.FIREFOX.COM. It asks for your email and when you enter it, you will see a report like this:

This data comes from Troy Hunt’s “Have I Been Pwned” database. Troy has been collecting breach data for about 5 years and his database has about 8 BILLION breach records as of this writing. All it asks for is your email address and nothing more, so it will only report on breaches which have been associated with your email address, whether that is the userid that you use to log in with or was just part of the data compromised.

The attacker, in many cases, also claims to have video of the recipient engaging in adult sexual activities. The attacker threatens to share this adult video with your address book. Nothing is guaranteed, but it is unlikely that the attacker has compromised the recipient’s PC, has captured a video or has captured the recipient’s address book. A simple fix to this is covering your camera with a piece of tape (be careful not to get the gooey part on the camera lens) or a camera slide cover, available at Amazon for a couple of bucks, and covering the camera when you are not using it.

More than likely, this is just a classical shakedown that mobsters have been doing for hundreds of years.

But what is more interesting is how this attack works.

The emails do not come from a single email account.

Rather, the attacker has purchased access to a botnet of compromised PCs (which, by the way, the recipient’s PC could be one of if he or she doesn’t have good cybersecurity practices in place). Using this rented botnet of hundreds or thousands of PCs, the attacker sends out emails at the rate, in one case, of 30,000 emails per hour, which probably translates to a handful of emails per hour per compromised PC.

This makes it almost impossible to shut down, although there is a command and control (C&C) server which is feeding instructions to these compromised PCs; that is probably the best leverage point to shut it down. Likely those C&C servers are in countries unfriendly to US law enforcement, or they move around frequently to make them harder to shut down.

If this one botnet is sending out 30,000 sextortion emails an hour, that translates to 250,000 emails in an 8 hour day (assuming the owner of the compromised PC turns the computer off at night) and 750,000 emails a day if the computer is left on all the time.

If, say, one hundredth of one percent of those recipients pay, that translates to 75 payments per day. If the attacker is asking, say, for $500, that translates to $37,500 a day, tax free. Even if only 7 (one tenth of the above number) people respond a day, that translates to an annual income of $1,368,000. From just one attacker.

THAT is why we see lots of spam. Source: BBC

Security News for the Week Ending October 25, 2019

Database Leaked 179 GB of Personal Data of military personnel, officials and hotel customers.

I wish this was a new story. Autoclerk, a Best Western service that manages reservations, revenue, loyalty programs, payment processing and other functions for the hotel chain, left an Elasticsearch database exposed.

Hundreds of thousands of guest reservations were exposed including names, home addresses, dates of birth, travel dates and other information.

The reason why government and military personnel are affected is that a government contractor that deals in travel reservations was sucked into the breach. Source: ZDNet.


San Bernardino Schools Hit By Ransomware

A message on the school district’s web site says not to worry, all of your data is secure (it’s just that it has all been encrypted by a hacker). Phones are working but email is not working. Schools in Flagstaff closed last month for several days while officials got things under control after a ransomware attack there. Source: ABC


Russia Using “False Flags” to Confuse Security Experts

Researchers are still dissecting the attack on the 2018 Olympics in South Korea. Russia inserted false signals and other misdirections in order to make people think that the attack came from China or North Korea. This does point out that if you are willing to spend millions of dollars, you likely can figure out quite a bit about a cyber attacker. The story is so complex that one of the researchers wrote a book, Sandworm, which will be available on Amazon on November 5, 2019. Source: WaPo


Amazon’s Web Services DDoSed for 10 Hours This Week

For about 10 hours earlier this week parts of Amazon were effectively offline. Amazon’s DNS servers were being hammered by a DDoS attack. This meant that Amazon backend services such as S3 may have failed for websites and apps that attempted to talk to those services. The outage started around 0900 east coast time, so it impacted users throughout the work day on Tuesday, October 22, 2019. For developers and businesses this is just one more reminder that nothing is bullet proof if the bullet is large enough. Even though Amazon has an amazing amount of bandwidth and infrastructure, it can get taken down.

Other services that were affected included RDS (database), Simple Queue Service, CloudFront, Elastic Compute Cloud, and Elastic Load Balancing. Amazon did offer some ways to mitigate the damage if it happens again; see the link below. As a business you need to decide how much cost and effort you are willing to expend to mitigate rare occurrences like this. Source: The Register.


Comcast is Lobbying Against Browsers Encrypting DNS Requests

Here is a big surprise. As the browser vendors (Chrome and Firefox) add the ability to encrypt your DNS requests to stop people from spying on you, one of the biggest spies, Comcast, is lobbying against this. They say that since Google would be able to see the data, that puts too much power in Google’s hands. Ignore for the moment that Firefox is not using Google as a DNS provider, and also ignore that Google is offering users at least 4 different encrypted DNS providers. Let’s also consider that encrypted DNS is not even turned on by default. The much bigger issue is that Comcast will not be able to see your DNS requests and therefore will not be able to sell your web site visit data. But of course, we would not expect them to be honest about why. Source: Motherboard.

As SIMJacking Increases, So Do Lawsuits

SIMJacking, the attack where a hacker replaces the SIM card that is associated with your phone in the carrier’s database with the attacker’s SIM card number, and then has access to all of your phone calls and text messages, is becoming more popular because it is profitable.

At this point, the carriers have not been successful at stopping it (although they could, virtually instantly; more on that later). And, as a result of that, the lawsuits keep coming.

The most recent one is a suit against AT&T for $1.8 million, really pocket change for a company with global revenue last year of $170 billion, but they do not want to create a precedent of liability.

In many cases, the attack works because the attacker bribes a company employee to bypass the security mechanisms in place.

In this particular lawsuit, Seth Shapiro says that he lost $1.8 million, his life’s savings, in cryptocurrency and fiat currency ($) due to this attack.

“AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort, and threaten him in exchange for money,” the lawsuit alleges.

Last year AT&T was sued for $220 million and T-Mobile was also sued last year.

In the case of this lawsuit, Shapiro was SIMJacked FOUR TIMES. They did find the corrupt employees who helped the attacker. One was paid about $4,000; the other was paid $585. I think they should ask for a raise. Of course, they are likely going to be in jail for a while, so they would not be able to use it anyway.

The challenge for Shapiro is the user agreement that all customers sign. It requires arbitration rather than a lawsuit, and that process is heavily weighted in favor of the carrier.

Motherboard has created a SIMJacking protection document, available here. The key message is to not use your phone for authentication. Yes, it is convenient, but, unfortunately, until the carriers get their act together, it is not very secure and you, ultimately, pay the price.

In Shapiro’s case, assuming he wins anything at all in arbitration, it will likely take years to get whatever he does get back.  Likely that will not include legal fees.

Add to that an FCC which is totally useless. In part this could be because of limitations in what the law allows them to do to the carriers. More likely, the bureaucracy is horribly broken.

If you don’t want to lose your money, then it is incumbent on you to protect yourself. Make that tradeoff between security and convenience. Select financial institutions that allow you to implement controls. For example, I have set my ATM card to only allow me to withdraw $300 a day. If someone compromises my ATM card and PIN, the best they can do is steal $300 a day. Is that annoying on rare occasion? Sure. But it is less annoying than having a hacker empty my account.

One last thing. The carriers also trade security for convenience. Whether it is a $1.8 million suit or a $220 million suit, they will likely settle for a lesser amount, much (or all) of which is covered by insurance. So do they care if there are a few lawsuits? Probably not. If the regulators fined them a billion dollars (or $5 billion, like the FTC recently fined Facebook), it BEGINS to hurt. Facebook’s PROFIT for just one quarter in 2018 was almost $7 billion, so that fine, if not covered by insurance, would mostly wipe out the profit for one quarter. Bad, but not fatal.

The carriers could make it much harder to do a SIM swap, but customers would complain. Rather than educating the customers, they take the easy path out. They could implement better controls for SIM changes, but unless those controls are forced on them by law, they won’t do it. Years ago there was a problem with hackers getting you to change your long distance carrier on your land line (remember those days?). FINALLY, the FCC crammed controls down the throats of the phone companies and the problem, magically, went away.

But the important thing is that consumers need to educate themselves. The carriers do not care. They are big enough to win, and even in the rare case where they don’t win totally, they can absorb it. How much time and effort is it going to take YOU to get your money back? If you lose a few thousand dollars, are you willing to dedicate a year of your life to getting it back? They are counting on the answer being no.

This means that it is UP TO YOU to protect yourself.

Source: Motherboard