Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous.  LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration.  They effectively breached themselves.  The data was a web server log with dates from Aug 9 to Oct 11 of this year.  It appears that there was no payment data in the log files, which is a good thing.  Also, they did not figure it out themselves; a security researcher told them about it.  1.6 billion records will cause them some pain.  The good news is that this happened before CCPA went into effect.  Had it happened this time next month, it would have been a much, much more expensive breach.  Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a  global network of hundreds of fake accounts distributing pro-Trump messages which used AI to generate fake photographs to cover its tracks.  The accounts, they say, were associated with two media groups, the BL and Epoch Media.  They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, still, it is impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents  like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook not encrypt Messenger messages in a way that they can’t read, they are shifting their own messages from WhatsApp to Signal.  The reason?  They don’t want their messages to be intercepted.  Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well deserved reputation for being secure, but now the Russian software company Elcomsoft says that they can extract some information from iPhones, even before its first login after power up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11 that, it appears, will be impossible to fix.  If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on.  In theory, they only sell to good guys, but that definition is probably a bit loose.  Based on the price, the cops probably love it as they have complained that encrypted devices stop them from solving crimes.  Source: 9to5Mac

More Businesses Are Opting to Pay Ransom to Get Their Data Back

The 2019 Crowdstrike Global Security Attitude Survey said that the total number of organizations around the world paying the ransom after falling victim to a supply chain attack almost tripled from 14% to 39%.

In the UK, the number of organizations that have experienced a ransomware attack and then paid the ransom doubled from 14% to 28%.

The ransoms, which are often in the six- to seven-figure range (~$500,000), are motivating the hackers to ramp up the attacks.

Here in Colorado we saw one attack that compromised a managed service provider and compromised over a hundred dental practices.  Each of those practices had to either pay the ransom or figure out another way to get their data back.

So why are these attacks continuing to be successful?

First of all, organizations of all sizes are not taking the necessary measures to protect themselves.  Patching, not reusing passwords and two-factor authentication are among the basic measures that many organizations are not applying across the board.

Next comes good backups.  We often see that backups are online (because that is more convenient), so the backups get encrypted as well.  Offline or write-once backups are an important part of the backup strategy.

Finally, how long will it take you to recover?  After the Atlanta ransomware incident, the city spent 3 months recovering their systems.  For many companies, if they were down for three months, they would be out of business.

Given that ransomware attacks are, for the most part, attacks of opportunity, no one, big or small, has a get out of jail free card to use.  That means that everyone needs to be prepared to deal with a ransomware event and you want to be ready before it happens.

This is where disaster recovery, business continuity and computer forensics come in.

A Business Continuity program manages the process of making sure that critical business services continue to work in case of an attack.

A Disaster Recovery program manages the recovery process.  If you cannot rebuild your systems from backups within a time window that the business needs, you may be left with the very unpalatable option of paying the ransom.

If you do pay the ransom, you should assume that the attackers still have access to your system or have the ability to reinfect your systems after they come back online.  You need to understand how they got in there in the first place and that is where the third leg of the stool comes in – incident forensics.

While none of this is cheap, having a program in place and your team trained could be the difference between responding to an incident and going out of business.

Source: ZDNet


The Internet of (Dumb) Things, Ring Version

Predictions are that there are going to be billions of Internet of Things devices connected to the Internet over the next few years.

This past week the story has been about Amazon’s Ring camera – an example of an Internet of Things device.

In one case, in Tennessee, someone hacked into a family’s Ring cameras and talked to the family’s little girl and encouraged her to do destructive things.  The camera, in the little girl’s room, had been installed four days earlier.

In another case, in Florida, the hacker hurled racial slurs at the family’s son.

Amazon says that they take the security of their devices and service extremely seriously.  They also said that THEIR network wasn’t hacked (i.e., not my fault).  Not smart PR.

I think that is true (that they take security seriously) as long as it doesn’t impact sales, drive up costs or cause more support calls.

For example, Ring (Amazon) says that they “encourage” users to enable two factor authentication.  But they don’t make two factor authentication mandatory.  That would make it harder to install and use Ring products, negatively impacting sales and driving up support calls.  Score one against Amazon.

On the other hand, users are not taking the threat seriously enough to make sure that they are protecting their families.

I have a Ring camera so I logged on.  Guess what, I didn’t have two factor turned on.  I have had my camera for a couple of years, so I wondered WHEN Ring added two factor authentication because surely I would have turned it on if it was there.

I found a number of posts within the last week telling people how to turn on two factor.  Then I found one post on Reddit from SEVEN months ago that Amazon (I am intentionally switching between calling it Ring and calling it Amazon because Ring is Amazon and Amazon is Ring.  Amazon should know better) just turned on two factor authentication, but it wasn’t available to everyone yet.

That means until a few months ago, Ring didn’t even have two factor authentication available, never mind making it mandatory.  That means that from 2013 when the first Ring doorbell came out until just a few months ago – a period of about 5 years – they didn’t offer two factor authentication.

They still don’t offer geo-fencing – the ability to say that hackers in North Korea, China or Russia should not be allowed to try and hack my doorbell.

They don’t give me the ability to white list Internet addresses that I want to be able to get to my web login from.

Apparently, they don’t notify current customers – like me – when new security features are available.

Assuming you put a Ring (or competitor’s) camera in your kid’s room, what is the possible downside of the camera being hacked?

I assume that your kids are naked in their room sometimes.  You can figure out the rest.

If you put a camera in your living room, do you ever come out at night to get a drink of water and cross the path of your camera?  What are you wearing then?

Not to mention the possibility of freaking out your kids so badly that they might need therapy.

So what should you be doing to protect yourself and your family?

First, think really hard about WHERE you put your Ring or other Internet connected cameras.  My camera monitors the outside of my house.  Having it hacked would still not be great, but it is way less personal than a camera in my kid’s bedroom.

Next, don’t just plug it in and connect it to the Internet.  Understand what security features the camera has and make sure that you enable them.  This takes work on your part and they don’t make it easy for you.  Sorry.  If you are not willing to do this, DON’T BUY THE CAMERA.

Make sure the camera is always patched.  In the case of Ring, the cameras phone home to make sure they are patched, but not all Internet of Things devices work this way.

Ring only supports text messaging for the second factor.  As I have said many times, that is not the optimal solution.

Arlo, an Amazon Ring competitor, will send a message to the app on your phone if someone logs in from an Internet address that they haven’t seen before.  That is a good feature.  Amazon doesn’t offer that.
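The three account-protection features discussed above (alerting on a login from a never-before-seen address, a whitelist of addresses allowed to reach the web login, and a country geo-fence) are small enough to show end to end.  The following is an added example written for this post; it is not Ring or Arlo code, and the prefix-to-country table, account names and addresses are all constructed stand-ins (a real service would use a GeoIP database and its own login records).

```python
"""Login monitoring of the kind the Ring discussion asks for: new-source
notification, a per-account source allowlist and a country geo-fence.
Added illustration; all data below is constructed for the example."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup: prefix -> ISO country code.
GEO_PREFIXES = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "KP",
}


def country_of(ip: str) -> str:
    """Return the country for an address, or '??' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"  # unknown origin is treated as outside the fence


class LoginMonitor:
    def __init__(self, allowed_countries, allowlist=None):
        # geo-fence: only these countries may reach the login at all
        self.allowed_countries = set(allowed_countries)
        # optional per-account allowlist of source networks (CIDR strings)
        self.allowlist = {acct: [ipaddress.ip_network(c) for c in cidrs]
                          for acct, cidrs in (allowlist or {}).items()}
        # addresses each account has successfully used before
        self.seen = defaultdict(set)

    def evaluate(self, account: str, src_ip: str):
        """Return (decision, findings); decision is allow, notify or deny."""
        addr = ipaddress.ip_address(src_ip)
        findings = []
        cc = country_of(src_ip)
        if cc not in self.allowed_countries:
            findings.append(f"geofence:{cc}")
        nets = self.allowlist.get(account)
        if nets is not None and not any(addr in n for n in nets):
            findings.append("not-in-allowlist")
        if src_ip not in self.seen[account]:
            findings.append("new-source")
        hard = [f for f in findings if f != "new-source"]
        if hard:
            decision = "deny"          # policy violation: block the attempt
        elif findings:
            decision = "notify"        # first login from this address: tell the owner
            self.seen[account].add(src_ip)
        else:
            decision = "allow"
        return decision, findings


# Constructed login events (account, source address), in time order.
EVENTS = [
    ("family", "203.0.113.7"),    # home address, first time seen
    ("family", "203.0.113.7"),    # home address again
    ("family", "192.0.2.44"),     # address mapped to KP: outside the fence
    ("family", "198.51.100.9"),   # US, but not on the family allowlist
    ("guest", "198.51.100.9"),    # account with no allowlist, first login
]


def run_demo():
    monitor = LoginMonitor(allowed_countries={"US"},
                           allowlist={"family": ["203.0.113.0/24"]})
    results = []
    for account, ip in EVENTS:
        decision, findings = monitor.evaluate(account, ip)
        results.append((account, ip, decision))
        print(f"{account:7} {ip:15} {decision:7} {' '.join(findings)}")
    return results


if __name__ == "__main__":
    run_demo()
```

The only address that is simply allowed is the one the account has used before; every other outcome is either a notification to the account owner or an outright deny.  Whether the geo-fence should deny or merely notify is a product decision; the point is that the account owner sees something before a stranger is talking through the camera.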

You should isolate your Ring cameras and other Internet of Things devices so that if they get hacked they can’t take over other devices on your network.  That will probably require some IT expertise.

I have been holding off buying any more Ring cameras because I am not very pleased with their security and privacy strategy.  If more people hold off buying their products, they will get the message.

Also, if people light up social media, that would help make the point.

Bottom line, vendors need to provide security and privacy features, users need to use the features that are there and prospective customers need to vote with their wallets to get companies’ attention.  Source: Vice



Behind the 5G Hype – What You Need to Know

Given that the cellular market is pretty well saturated in the developed world and cell companies are not likely to sell a lot of $1,200 cell phones in the developing world, Verizon, AT&T and the others are working overtime to create something to separate you from more of your money.

To even the game, you need to be knowledgeable.

For example, are you aware that most current cell phones being sold today WILL NOT support 5G?  It’s true.  They will support pretend 5G (called 5G Evolution by AT&T, but I think they stopped calling it that after they were sued).  My partner Ray has a phone on AT&T and the phone says 5G, but I know for a fact that his phone does not have a 5G radio in it.

Rumors say that Apple plans to release one or more 5G capable phones some time next year, likely in the fall, but possibly earlier.  Maybe!

Samsung has a couple of 5G capable phones today – for example the Note 10 5G, which is different than the Note 10 and costs several hundred dollars more.

So what else do you need to know?

AT&T just launched its 5G service in 10 cities including LA, San Francisco and San Jose.  If you are an AT&T customer, have one of those new 5G phones, pay extra for a 5G service plan and happen to be near one of their 5G towers, you are good to go.  If you miss out on any of those requirements, you won’t get 5G.

As I have often said, when it comes to telecommunications services, we are like a developing country.  Other countries, like China, South Korea and Switzerland are far ahead of us in rolling out real 5G.

Part of the problem is radio spectrum.  5G will operate on three different frequency bands, called, for simplicity, low, medium and high.  Low is the most available spectrum to the carriers but also the most congested, so while it can be deployed more quickly, it will also give you the smallest speed bump.  High is the least crowded but also the least available, at least until the FCC frees up more spectrum.  It will, eventually, give the best speed.  But it has a downside: the high frequency radio waves don’t travel very far or through building walls, so it will require tens of thousands of new towers.  Historically, city planners in the nice parts of town are anti-cell-tower (although these will be much smaller), so you have competing needs.

T-Mobile uses low band and claims that their network of slow-G (excuse me, 5G) covers 200 million people.  When Wired tested their network with one of the two phones that they sell that support 5G ($900 and $1,300), they found speeds as high as 158 megabits, but as low as 5 megabits.  Neither is as fast as your current cable Internet.

T-Mobile admits that their 5G service will only be about 20 percent faster than their existing service.

Verizon, on the other hand, uses the high band and tests show speeds of between 600 megabits and 1.5 gigabits – that is extremely fast.  But it is only available in small parts of 17 cities.  And the connection will only work if you are outside and near one of the few towers.

AT&T’s so called 5G service uses the slow band (low), but it also has high band service that it is offering to a select few business customers in a few locations.

Sprint is using the mid band and tests show speeds of between 110 megabits up to 400 megabits, which is, at the high end, probably 10 times faster than the speediest current 4G cell service.  They claim that their service covers about 3 percent of the residents of the U.S.

On the other hand, South Korea will cover 90 percent of their population with real 5G within the next two weeks.  They say that average speeds will be between 300 and 500 megabits and peak speeds will be between 800 and 900 megabits.

Statistics say that in 2020, 3G cell service will be more prevalent than 5G worldwide.

This doesn’t mean that you shouldn’t go for 5G cell programs.  It does mean that you should understand what you are getting.  And not getting.

The carriers, collectively, are spending billions of dollars to build out 5G network infrastructure ahead of when people get 5G capable phones, so they assume that people will, eventually, fork over their money for expensive phones and more expensive cell service.

My suggestion is to wait until there are more phone choices, wider service availability (there are two small sections inside the city limits of Denver that have broad 5G coverage today, according to Verizon) and more data to understand what kind of speed boost you are really going to get.

Also, all of the providers are selling boxes that you can plug into your Internet connection to give you 5G when you are at home.  Other than to impress people, I see no reason to do this because it will not run any faster than the WiFi in your house already runs.

Source: Wired

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google’s and others’ ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.


Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch


KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register


Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com

VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert that says that the point of sale (PoS) systems of North American Fuel Dispenser Merchants (as in gas stations and the folks that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.

The attack is ongoing, increasing and coordinated – by cybercrime groups.

The Visa fraud disruption unit alert described several attacks.  Stores were supposed to install chip readers by 2015 (if they don’t, they get to pay for any fraud linked to their lack of chip card readers), but gas stations got an extension and are just now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).

One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank.  Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.

This means that if the hacker can get malware installed in the gas station they can likely read the credit cards.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system, from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
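To make the segmentation point concrete, here is an added example (written for this post, not taken from Visa, Target or any vendor) that models a small station network as separate segments with a default-deny policy between them, then checks the two paths the story describes: the infected office PC trying to reach the card system, and a vendor-facing server trying to reach it the way it did at Target.  The subnets, zone names and the pump-to-POS port 8443 are all constructed assumptions for the illustration.

```python
"""Default-deny segmentation check for a small retail / gas-station network.
Added illustration; the zones, addresses and ports are constructed."""
import ipaddress

INTERNET = "internet"

# One subnet (VLAN) per business function. Constructed for the example.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/24"),        # back-office PCs
    "guest_wifi": ipaddress.ip_network("10.20.0.0/24"),    # customer WiFi
    "iot": ipaddress.ip_network("10.30.0.0/24"),           # smart TV, cameras
    "pumps": ipaddress.ip_network("10.40.0.0/24"),         # fuel dispensers
    "pos": ipaddress.ip_network("10.50.0.0/24"),           # card-handling systems
    "vendor_portal": ipaddress.ip_network("10.60.0.0/24"), # externally reachable vendor server
}

# The only flows permitted: (source zone, destination zone, destination port).
# Everything not listed is dropped. 8443 for pump->POS is a made-up port.
ALLOW = {
    ("office", INTERNET, 80), ("office", INTERNET, 443),
    ("guest_wifi", INTERNET, 80), ("guest_wifi", INTERNET, 443),
    ("iot", INTERNET, 443),
    ("pumps", "pos", 8443),          # pumps may talk only to the POS controller
    ("pos", INTERNET, 443),          # POS reaches the payment processor over TLS
    (INTERNET, "vendor_portal", 443),  # vendors come in only to their portal
}


def zone_of(ip: str) -> str:
    """Map an address to its segment; anything outside the segments is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in ALLOW


def zones_that_can_reach(target_zone: str):
    """Segments with any permitted path into target_zone: its exposure."""
    return sorted({src for (src, dst, _port) in ALLOW if dst == target_zone})


def evaluate(flows):
    """Return [(label, allowed)] for a list of (label, src, dst, port)."""
    return [(label, is_allowed(src, dst, port)) for label, src, dst, port in flows]


# Constructed sample flows, including the two paths discussed in the post.
SAMPLE_FLOWS = [
    ("office PC browsing the web",        "10.10.0.15", "203.0.113.10", 443),
    ("infected office PC -> POS",         "10.10.0.15", "10.50.0.5",    8443),
    ("vendor portal -> POS (Target path)", "10.60.0.2",  "10.50.0.5",    8443),
    ("pump -> POS controller",            "10.40.0.3",  "10.50.0.5",    8443),
    ("POS -> payment processor",          "10.50.0.5",  "203.0.113.20", 443),
    ("smart TV -> office file share",     "10.30.0.9",  "10.10.0.15",   445),
]

if __name__ == "__main__":
    for label, ok in evaluate(SAMPLE_FLOWS):
        print(f"{'ALLOW' if ok else 'DROP':5} {label}")
    print("segments with a path into pos:", zones_that_can_reach("pos"))
```

With the office, guest WiFi, vendor portal and smart TV each in their own segment, the only segment with a path into the card systems is the pumps, so a bored employee clicking an infection link in the office cannot hand the attacker the card data.  The same exposure check (`zones_that_can_reach`) is what you would run before approving any new “just let it talk to the POS” rule.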

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:

  • Use a pump closest to the store – it is the least likely to have a skimmer attached.  That won’t help if the hacker installs malware on the station’s network though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside – sometimes but not always – that computer gets upgraded before the pumps get upgraded.  Watch how they process your card – if they swipe it, it hasn’t been upgraded.  If they insert it and wait, it has been
  • Last option, if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there and they have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves.  Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer