Argh – They Have a Name for it Now – Leakware

As I have been saying for a while, hackers are good at evolving.

As we see more and more ransomware attacks, a lot of the people are opting not to pay the ransom and instead deal with reconstructing their infrastructure and losing data (like police losing digital evidence and having to let crooks go).

So the hackers are in the process of evolving.

The City of Johannesburg, South Africa was hit with a ransomware attack and the attacker said that if they didn’t pay the ransom, the hackers would sell/publish the data.  We are beginning to see more of this.

The city didn’t pay and we don’t know if the hackers sold the data.  It is possible that it was a bluff and they didn’t have the data.  Only time will tell.

But from a hacker’s standpoint, that is likely the next evolution of ransomware and they have given it a name – LEAKWARE.

The premise is that good backups don’t help.  Disaster recovery plans don’t help.  Business continuity plans do not make a difference.

If I was a hacker and was contemplating a Leakware attack, I would go after high value targets.  Examples include banks, mortgage companies, big pharma and  law firms.  Also anyone with a lot of personal data like HR departments, sensitive data, financial data or intellectual property.   Especially service providers (law firms, accounting firms, contract HR and similar companies fit into this category).  These are companies that might go out of business if their customer’s data was published, hence they are very likely to pay a Leakware ransom.

The only solution to this is to do your best to protect your infrastructure.  There are a number of ways to do this – better employee training, logging with 24×7 alerting, segmentation and many others.   It takes work.  It costs money, but maybe not a fortune.  What it takes is making protecting your network a priority.

Source: Government Computer News

Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read it and another 13 percent say they often read it.  That means that three-quarters of the users don’t read what they are agreeing to.  38 percent say they sometimes read the polices and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, on 22 percent say they read it to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked with an additional 19% saying that some of what they do is being tracked.  That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of the people think that the risks of data collection about them outweigh the benefits and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or none from the collection of their data by companies and even ore surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.

 

 

 

 

 

 

 

 

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.

 

National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors says it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.

 

Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week

 

Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court  has ruled Customs and ICE Need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, over course, the complete opposite of what Customers and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register

 

Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.

Magecart Credit Card Skimmer – Gen 2

Magecart is a major (virtual) credit card skimming attack that has taken down the likes of British Airways and Ticket Master, among tens of thousands of other sites.  It works by somehow inserting malicious software into the web server that grabs the customer’s credit card info as they enter it onto the web page.  This can be done by using an unpatched vulnerability on the web site or by compromising an admin’s credentials or other methods.

Of course, web sites might be able to detect that malicious software has invaded its turf, so the hackers evolve.

Enter Magecart Generation 2.

Well, this is not literally true.  This new software isn’t based on the Magecart code, but rather on the Magecart concept.

More than likely, the dirty work of stealing the card data is actually done on the customer’s machine, inside the browser, with code downloaded from the infected server.  Because the data, possibly going to North Korea, is doing that from a consumer’s computer, which has almost no security, no logging, no auditing and no alerting, the odds of being detected before the credit card is used fraudulently, is very low.

Gen 2 is called Pipka and one of it’s neat features (if you are a bad guy) is to delete itself from the web page’s code after it has done its dirty work to make detection and even forensics much harder.

Pipka was discovered by Visa’s anti-fraud team.

They found it on the web server of an American merchant that had been infected with a different bit of malicious credit card skimming code called Inter.  People don’t learn.

In addition to this patient 0, Visa found the code on 16 more merchant sites.  How many more sites are infected?  Unknown.

Since this is an evolution (hence my calling it Gen 2), it is more sophisticated.  It can decide which fields out of the website payment form the hacker wants, that data is encrypted and stored in a cookie (after all, credit card data is only 16 characters for the card number and probably for less than 100-200 characters, you can have everything you need).

Since cookies fly around the Internet all the time and are often encrypted, they would fly under the radar.

As I said before, when the dirty work is done, it deletes itself, making it difficult for developers and investigators to fine.

Of course, once a server is infected, the Visa investigators will eventually track it back to your infected server and that is when all hell will break loose.

In British Airways case, the FINE ALONE – never mind the mitigation, the reputation damage, the credit monitoring services, etc. – cost them $230 million.

All because they didn’t have controls in place to detect this malicious code.  Because their security was not up to the job.

A lot of the sites that have been infected with Magecart are small.  Museum gift shops, for example.  A few very well known brands.

If you accept credit cards online, it is up to you to protect yourself.  Deal with it now or deal with it later.  It tends to be a bit more expensive to deal with it later. Just sayin’

Or wind up on the news.  Source:  CSOOnline

 

The Myths of Multifactor Authentication

Hopefully by now, everyone has at least heard of multifactor authentication.  But most people are not using it.  Google says that about 10 percent of GMail customers use it.  Based on our customer base, the adoption level for Office 365 users is higher, but not great.  And the adoption for other software is horrible.

To be clear, there are many different forms of multifactor authentication.  The most common but least secure is a text message sent to your phone, unencrypted, with a one time PIN.

While this is WAY better than just using a password, this can be compromised and has been in many cases.  Almost always, this is a targeted attack on a high value (either money or position) victim.  But not always.

A less common multifactor authentication method is to use an authenticator app on your phone.  That way nothing is transmitted at all, except during the initial setup and stealing your phone number does not allow an attacker to use your multifactor authentication.  They would have to physically steal your phone and it would need to be unlocked.  There are many free authenticator apps including from Microsoft, Google, Facebook and others.

So why aren’t people using multifactor authentication?

  1. Lack of awareness.  Computer folks understand the risk and how to deal with it, the average person does not.
  2. Fear.   People don’t like change, especially in situations where they don’t understand what or why.
  3. I’m not a target.  The reality is that everyone is a target because these hackers send out millions of emails a day.  They have no clue who their victim will be, for the most part.
  4. Only large companies need it/can use it.    Actually, it doesn’t take much.  Consumer services like Amazon, Facebook and GMail all support it.  Almost all banks support it.  There is a small learning curve, but once you get the hang of it, it is simple.
  5. It’s not perfect.   That’s true, but brushing your teeth is not perfect either.  Still, most people brush.
  6. I think the biggest issue is it’s not convenient. To some degree this is true.   But, as I often say when I am interviewed, is having an attacker empty your checking account or retirement account inconvenient?  More inconvenient than taking the extra few seconds to use multifactor authentication?

The good news is that it is not an all or nothing thing.

Start with your bank or brokerage account.

Add email.

Once you get used to it, it is not a big deal and way less inconvenient than having to deal with having all of your personal (AKA nude) photos posted online as many celebs have learned.

As Nike says, JUST DO IT!

Yet Another Hosting Provider Hit By Ransomware Attack

SmarterASP.net, a web hosting provider with over 400,000 customers, was infected by ransomware over the weekend.

They are, at least, the third provider to be hit by such an attack.

Affected user web sites are down and the company’s website was also down.

Customers logging in might see a directory listing that looks like this

The encrypted files have the extension kjhbx, except for the ransom note below:

The company has not returned calls so it is unclear if they paid the ransom or are restoring from backups.

If this is like the previous hosting provider attacks, it will likely take weeks for them to restore all the data – if it all can be restored.

A2Hosting and iNSYNQ are two other hosting providers that were attacked earlier this year.

In 2017 South Korean hosting provider Nayana paid a ransom of over $1 million after they were attacked.

Hackers understand that if they can get a hosting provider to pay, the payday is likely a lot larger than attacking you or me.  As a result, attacks against cloud service providers are likely going to continue.

There is no obvious notice on the company’s homepage of the attack and for good reason – it is not terribly good for business.  They are likely hoping that this disappears off the radar and they can continue signing up customers.  There is a note buried on the support site, here.  It says don’t bother to call us or email us, we are kind of busy right now.

So what does this mean for you?

First of all, check your cloud provider’s contract that you signed – either without reading it or without caring.  It probably says that they will not charge you while your web site is down.  Beyond that, you are likely on your own.  Maybe your contract is different, but I doubt it.

You can try suing them for damages, but in light of the contract, that probably will go no where.

*IF* you have cyber risk insurance WITH  network business interruption coverage, you will probably be able to collect on your policy, but only if you have that coverage.

From some of the earlier attacks, it took the providers *WEEKS* to recover all the data – if they were able to recover it at all.

ARE YOU OKAY WITH YOUR WEB SITE BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH SOME OTHER CLOUD SERVICE PROVIDER THAT IS KEY TO YOUR BUSINESS BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH LOSING SOME OR ALL OF YOUR DATA FOREVER?

Assuming the answer to these questions is no, it is up to you to figure out a business continuity plan.  Assuming your data is permanently gone, it is up you to figure out what to do.

We have read stories of some companies going out of business after one of these attacks because customers fled or they lost all of their data.  These are the minority, but it does happen.

Plan for it now because dealing with it after the fact is no fun.

AND, your cloud service provider is likely not liable, other than not charging you for the service that you are not getting.

Information for this post came from ZDNet.