Security News For The Week Ending February 28, 2020

Russia Behind Cyberattacks on Country of Georgia Last Year

The State Department and the UK say that Russia was behind the attack on over ten thousand websites in the Country of Georgia last year.

They also formally attributed Sandworm (AKA Voodoo Bear, Telebots and BlackEnergy) to Russia’s GRU Unit 74455. Sandworm is the group responsible for the attacks against Ukraine’s power grid in 2015 and 2016 as well as NotPetya and other attacks. Not a nice bunch, but highly skilled. Andy Greenberg’s book, Sandworm, tells a scary story about these guys.

This is an interesting announcement from the State Department given the general position of the White House regarding Russian hacking. Here is the State Department’s press release.

Google to Restrict Android App Access to Location Tracking

Google is changing the Google Play Store policy for apps accessing your location when they are running in the background in response to user concerns.

The “user” is likely the folks running GDPR and the concern is the potential fine of 4% of Google’s revenue (AKA $6.4 billion).

They are reviewing all apps in the Play Store to see if they really need background access to your location or whether the user experience is just fine without them collecting and selling your location.

New apps will have to comply with this new policy by August 3 and existing apps will have until November 3 to comply.

In Android 11 you will be able to give an app ONE TIME permission to access your location data. When the app moves to the background, it will lose permission and will have to re-request it if it wants your location again.

This is actually pretty cool, but GDPR went into effect almost two years ago and they are just doing this now? Could it have something to do with an EU investigation of their use of location data? Probably just a coincidence. Source: PC Magazine

Accused CIA Vault 7 Leaker Goes To Trial

Accused CIA Vault 7 leaker Joshua Schulte’s trial for leaking top secret documents to Wikileaks started earlier this month. Schulte is accused of leaking top secret programs that the CIA used to hack opponents, causing serious embarrassment for their horrible security, allowing those tools to get into the hands of hackers and allowing our enemies to know how we hack them. It also cost the CIA a ton of money because they had to create a whole bunch of new programs that exploited different bugs that they had not disclosed to vendors to fix. Apparently Joshua is a bit of a challenge to work with and manage. Not only was he “a pain in the ass” but he also was into kiddie porn. He will be tried on those charges separately. Schulte’s lawyers say the government failed to turn over evidence that there might have been another leaker and wants the court to declare a mistrial. WOW! Read the details here.

Microsoft Trying to Do Away With Windows “Local” Accounts

For those of you who have been long-time Windows users, you know that you had a userid to log on to the computer and then, possibly, if you wanted, another userid and password to log on to cloud services.

Like Google, Microsoft wants as much information about you as it can possibly collect. They also want you to use all of Microsoft’s online services, all of which are tied to your Microsoft login and not your local Windows login.

Microsoft’s answer? Make it very difficult for a user to log on to his or her computer with a local login. In fact, as of the most recent update to Windows 10, the only way to create a local, non-Microsoft, login is to disconnect your computer from the Internet when you first install it.

After all, they know that you DO want them to snoop on everything that you do. Source: Bleeping Computer

Akamai Says Hackers are Attacking APIs

If you are a crook and you want to break in, you might first try the front door.  If you discover the front door is locked, you might try another door or a window.  Same is true for hackers.

As companies slowly improve their defenses on end user web sites, hackers discovered that the APIs behind those web sites may not be as well protected.

Akamai runs one of the largest content delivery networks in the world, so they have a lot of data and here are some statistics.

* Between November 2017 and December 2019, about 2 years, Akamai observed over 85 billion “credential stuffing” attack attempts. Credential stuffing means taking credentials stolen in a breach of one web site and trying them, by brute force, on other sites. For example, you have 3 billion userid/password combinations stolen from Yahoo. Try them on Facebook or Twitter – all three billion. Then try them on a thousand other sites.

When you do the multiplication between the number of hacked passwords and the number of potential sites, you realize you have hundreds of trillions of combinations.

This means that you need a method to try those hundreds of trillions of combinations without the web site locking the account after a few failed tries.

Enter the API attack.  Most of the time, APIs are used by other programs, so sometimes they have fewer security protections.

* Akamai said that they identified over 16 billion attempts to stuff credentials into something that was OBVIOUSLY an API.  That means that the 16 billion number is probably low, possibly way low.

It is important to understand that only a small fraction of traffic goes through Akamai, so the 16 billion attack attempts represent a small percentage of the total attack volume.

* Then Akamai looked at which of those attacks went after financial industry web resources.  That number was 475 million.  Also probably a low estimate as the financial industry, like everyone else, outsources to a lot of companies and those companies likely serve many industries.

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all the while fighting off attackers that are often well organized and well-funded,” Steve Ragan, Akamai security researcher, said.

While this report focused on the 475 million attacks against financial institution API interfaces, don’t lose track of the rest of the 16 billion attempts – they are dangerous too.

From a business owner’s perspective, this means that you need to make sure that any APIs that you expose are battle ready and have strong detection mechanisms in place to shut down attackers before the attackers are successful.
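What a “strong detection mechanism” for an API login endpoint can look like, as an added example that is not from the article or from Akamai: the key observation is that credential stuffing never trips a per-account lockout, because each account sees only one or two failures, so the detector has to aggregate on the source side and look for a high failure ratio spread across many distinct accounts. The log format, field names and thresholds below are assumptions chosen for the demonstration, and the log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample access log for an API login endpoint (not real traffic).
# 203.0.113.10 tries one stolen credential pair per account across many accounts,
# 198.51.100.7 hammers a single account, and 192.0.2.3 is a normal user who
# mistypes a password once. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
2020-02-20T10:00:01Z ip=203.0.113.10 path=/api/v1/login user=alice status=401
2020-02-20T10:00:01Z ip=203.0.113.10 path=/api/v1/login user=bob status=401
2020-02-20T10:00:02Z ip=203.0.113.10 path=/api/v1/login user=carol status=401
2020-02-20T10:00:02Z ip=203.0.113.10 path=/api/v1/login user=dave status=200
2020-02-20T10:00:03Z ip=203.0.113.10 path=/api/v1/login user=erin status=401
2020-02-20T10:00:03Z ip=203.0.113.10 path=/api/v1/login user=frank status=401
2020-02-20T10:00:04Z ip=203.0.113.10 path=/api/v1/login user=grace status=401
2020-02-20T10:00:04Z ip=203.0.113.10 path=/api/v1/login user=heidi status=401
2020-02-20T10:00:05Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:05Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:06Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:06Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:07Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:07Z ip=198.51.100.7 path=/api/v1/login user=bob status=401
2020-02-20T10:00:09Z ip=192.0.2.3 path=/api/v1/login user=alice status=401
2020-02-20T10:00:15Z ip=192.0.2.3 path=/api/v1/login user=alice status=200
2020-02-20T10:00:16Z ip=192.0.2.3 path=/api/v1/balance user=alice status=200
""".strip().splitlines()

LOG_RE = re.compile(
    r"ip=(?P<ip>\S+) path=(?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line: str):
    """Return the ip/path/user/status fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify_sources(lines, min_attempts=5, min_fail_ratio=0.8, min_distinct_users=5):
    """Classify each source IP's login traffic as 'ok', 'single_account_bruteforce'
    or 'credential_stuffing'.

    Per-account lockout never fires on stuffing because each account sees only one
    or two failures; the signal lives on the source side, as a high failure ratio
    spread over many distinct accounts.
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/login"):
            continue  # only login calls count towards the verdict
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["status"] != "200":
            s.failures += 1

    verdicts = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if s.attempts < min_attempts or ratio < min_fail_ratio:
            verdicts[ip] = "ok"
        elif len(s.users) >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "single_account_bruteforce"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:<14} {verdict}")
```

Per-source-IP aggregation is the simplest dimension; large stuffing campaigns spread their attempts over many proxy addresses, so a production detector also keys on user agent, network (ASN) and device fingerprint, and feeds its verdicts into rate limiting or step-up authentication rather than relying on the per-account lockout that stuffing is designed not to trigger.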

Source: Venturebeat

What Does Your Car Know About You?

Here is what the connected world looks like and why car makers want 5G.

It starts with hundreds of sensors, at least.

But the data it collects? That data does not belong to you and the owner’s manual doesn’t say anything about it (which is legal in every state besides California).

So what would you do if you were a reporter working for Wired?

Hire a hacker and hack your car.

In this case, a 2017 Chevy Volt.

Almost all new cars come with a built in Internet connection, whether you want it or not.  100% of Fords, GMs and BMWs.  All but one Toyota and Volkswagen.  Sometimes it is free (because they want the data).  Other times it comes with a fee.

The Wired reporter and an engineer who tears apart cars (after crashes) for a living met in an empty warehouse with a Chevy Volt belonging to a friend of the reporter.

These cars can generate upwards of 25 gigabytes of data PER HOUR that the car is running.  Of course, most of this data stays in the car, but *IF* the manufacturers had 5G cell connections, I bet more of it would get transmitted back to them.

In their case, they hacked into (literally) the radio – which is now called an infotainment system – to see some of the data that it collects. They were able to see only a tiny fraction of the data that is being collected.   Here is what it looked like when they were working on it.

Buried behind the touch screen and radio controls sits our Chevrolet's infotainment computer, a box identifiable here by a circle for its fan. (Geoffrey Fowler/The Washington Post)

They found location data – including the warehouse where they were taking the car apart and the hardware store where he went to buy some tape.

It included the unique ID numbers of the two phones that Wired was using.

It included a long list of contacts’ addresses, emails and photos.

They also bought a used infotainment system on eBay and found reams of data on it.

Fords record location data even if you don’t use the navigation system.

Some Beamers have a 300 gigabyte hard drive in them to store the data.

Teslas can even collect video and store it.

If you have a self driving car, there are cameras that watch you.  That data will likely be stored.

When the car’s owner asked GM what they collected and who they shared it with, they declined to answer.

When Wired asked, they got a very vague answer.

A lot of this is dependent on what features you ask for.  If you want the ability, for example, for Amazon to unlock your car and deliver packages, you have to have remote unlock.  If you want remote key access, well, there is another access point.

Most people don’t even know what services come with the car.

And maybe you don’t care if the car maker and the government and hackers are tracking you.  If so, no problem.

The fewer bells and whistles you get, the less private data (as opposed to engine data) they will be able to collect.

And, we think, if you replace the radio with an aftermarket radio (infotainment system), you will likely disable a lot more.

BUT, you will also disable some features.

Likely, for example, OnStar is connected to the Infotainment system, so if you replace it, that might disable OnStar.

Or, you could buy an older, used vehicle.

Certainly an interesting world.

Source: Wired

5G Security Is a Mess and Banning Huawei WILL NOT Help

The President is right that cellular security is a problem, but not for the reason that he thinks – although that is a problem too.

Researchers at Ruhr-Universität Bochum have discovered a way to compromise 4G cellular security – the cell service that almost all of us use now.

It allows them to impersonate the phone’s owner and book fee-based services that get charged to the owner’s phone bill.

It also could impact law enforcement investigations because it would also allow a hacker to access websites using the victim’s identity. In fact, do anything the real owner can do.

If the attacker wanted to blackmail someone, they could upload sensitive or compromising information and then lead the cops to that info. The cops would believe the owner did it. Hackers could threaten to do that in order to blackmail someone.

The vulnerability affects all LTE devices – Apple, Android, Windows – even Cellular IoT devices.

And the only way to fix it is by changing the hardware – at both the user end and the cell company end. Any bets on that getting fixed? I didn’t think so.

The team is trying to figure out a fix for the next generation (5G). They say that it is possible.

But it is going to cost the cell carriers money.

The additional security requires the phones to transmit more bits, costing the carriers overhead.

And all 5G phones would have to be replaced (DO NOT buy one if you have not already done so).

And the base stations would have to be expanded.

Other than that, it is a piece of cake.

The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping. However, it is possible to modify the exchanged data packets.
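That last paragraph is the whole technical point, so here is an added illustration of what “encrypted but not integrity protected” means. It is not from the article or from the Bochum researchers, and it uses a toy HMAC-based stream cipher rather than the LTE algorithms; only the shape matters, namely plaintext XOR keystream. With encryption alone, anyone who can guess part of the plaintext (protocol headers are very guessable) can change it to something else by XORing the difference into the ciphertext, without ever knowing the key, and the receiver decrypts the substituted text without complaint. Adding a MAC to each packet catches the change, at the cost of the extra tag bytes per packet, which is the overhead the article mentions. Keys, nonce and the packet body are constructed for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 16  # bytes of MAC appended to every packet: the "more bits" the article refers to


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stands in for any stream cipher;
    it is NOT the LTE algorithms, just something with the same plaintext-XOR-keystream shape."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: an eavesdropper learns nothing, but nothing detects changes."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def modify_in_transit(packet: bytes, guessed_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """The modification the article describes, done without the key: XOR the difference
    between the guessed and the desired plaintext into the matching ciphertext bytes."""
    assert len(guessed_plaintext) == len(new_plaintext) <= len(packet)
    delta = xor_bytes(guessed_plaintext, new_plaintext)
    return xor_bytes(packet, delta + bytes(len(packet) - len(delta)))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Integrity-protected packet: ciphertext followed by a MAC over nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, packet: bytes) -> bytes:
    """Receiver side: check the tag in constant time before touching the ciphertext."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet was modified in transit")
    return decrypt_only(enc_key, nonce, ct)


def demo():
    """Returns (what the receiver sees without integrity protection, whether the MAC caught it)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    plaintext = b"host=alpha.example"  # constructed sample packet body
    guess, replacement = b"host=alpha", b"host=bravo"

    # Encryption only: the substituted packet decrypts cleanly and nobody notices.
    tampered = modify_in_transit(encrypt_only(enc_key, nonce, plaintext), guess, replacement)
    seen_without_mac = decrypt_only(enc_key, nonce, tampered)

    # Encrypt-then-MAC: same substitution, but the receiver rejects the packet.
    tampered = modify_in_transit(encrypt_then_mac(enc_key, mac_key, nonce, plaintext), guess, replacement)
    try:
        verify_then_decrypt(enc_key, mac_key, nonce, tampered)
        caught = False
    except ValueError:
        caught = True
    return seen_without_mac, caught


if __name__ == "__main__":
    seen, caught = demo()
    print("without a MAC the receiver accepts:", seen)
    print("with a MAC the modification is detected:", caught)
```

The design point is that a MAC has to cover every packet in both directions and be checked before the payload is used, which is why the fix described above touches the phone, the base station and the bits on the air in between.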

For more info see Help Net Security and CSO Magazine.

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able to run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines), but CISA says that there was a loss of revenue to the company. The article provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customers’ Ring video cameras where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other competitors turned on two factor authentication years ago, Amazon didn’t, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions and now, the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up on the 20th anniversary of 9-11 and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID compliant IDs in the last 19 years, is this really a critical problem? Better off to have a Real ID compliant ID card and not have to argue the point. Source: MSN

Sex Works

One more time, Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women such as this one.


Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last week, IBM cancelled their attendance and booth at RSA in San Francisco. This week their cancellations were joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

An Attack Backdoor

I was interviewed by the local affiliate of a national TV network earlier today about a hack where a young lady got her bank account emptied out in a matter of seconds after she provided a caller a single 6-digit number. Hopefully this lady will eventually get her money back, but not without a lot of pain. Here is how the story unfolded.

The victim received a phone call from someone claiming to be from Venmo asking if she made a particular $450 transaction. This person was not from Venmo and there was no such transaction.

She said that she did not make such a transaction and the fake Venmo rep said that he was going to send a code to her phone to validate that he was talking to her and he needed her to tell him what the code was. She did and he said it was all good. Except that it wasn’t. She hung up.

Here is what happened next.

The hacker was actually trying to log on to her Venmo account. When she later looked in her spam folder, she saw a number of emails from Venmo saying that someone was trying to log in to her Venmo account and failed.

TIP #1 – Make sure that security alerts from financial service vendors make it into your inbox and not into spam.

What the hacker did while she was on the phone is tell Venmo that he forgot the password to her account. They sent a one time password to her phone and she gave that code to the hacker. The hacker then entered that code into the forgot my password screen and Venmo let him reset her password. He now “owned” her Venmo account. This is called social engineering in that the attacker doesn’t actually break into the account but rather asks the victim to let him into it. The style of attack is called a man in the middle attack because the hacker is in the middle between the victim and the web site that he wants access to.

TIP #2 – If you get a call like this from a financial institution (or Twitter or other social media company), listen to what they tell you and if they ask for any information, hang up and call back to a known good number (say from the bank’s web site). DO NOT negotiate that with the caller – they understand they have lost the war if you do that and they will give you many reasons why you should not do that.

TIP #3 – If a supposed rep CALLS YOU and asks you to give him or her a code, HANG UP IMMEDIATELY. Refer to Tip #2. Occasionally, companies that YOU CALL may ask you to do that to verify your identity. It is a VERY bad practice but companies sometimes do that. If you are confident that you called the right number, then even though I think this is a horrible security practice, it may be required. You should tell the person that you think this is a horrible security practice and see if there is a different option.

The laws that protect CONSUMER (very different from business) financial accounts are pretty strong. Your liability for fraudulent use of your checking or savings account or credit card is pretty limited. Less so for debit cards (which is why I recommend that people never select the DEBIT option at stores and gas stations; businesses want you to do that because it saves them a little bit on the transaction fee). If you are worried about running up a big credit card bill that you have to pay at the end of the month, note that when you are using a debit card there is NO DIFFERENCE in terms of what happens whether you select credit or debit. In both cases, the money will be removed from the account that the card is linked to in a few minutes to maybe 24 hours.

TIP #4 – Always select credit and not debit when you are using your debit card in a store or gas pump. If you use your debit card as a debit card and enter your PIN, if the card reader has been hacked, the hacker can clone your card and use it at an ATM. From there, they can empty your bank account. They cannot do that if you use it as a credit card because they won’t have your PIN.

TIP #5 – Banks always set a DAILY CASH LIMIT and DAILY TRANSACTION LIMIT on your debit card (and probably also on your credit card, although that is likely looser). The cash limit restricts the amount of cash you or a hacker pretending to be you can withdraw from your bank account in any given day. The transaction limit is the total amount you can spend in any given day. You should talk to your bank about what these numbers are and set them as low as you can while not inconveniencing yourself too much. This is a risk-benefit trade-off. The higher the limit, the less likely you will be blocked from doing something and the more money a bad guy can get away with before being detected.

In this case, whether the victim will get her money back is less clear than if she was dealing with the bank directly. Venmo is considered a “non-bank money transmitter” so it is not required to comply with all of the banking laws and you are not protected in the same way as if you were dealing with a bank. It is required to comply with “Reg E” under certain circumstances, which does protect you to a degree. This is a risk you accept if you choose to use Venmo or any similar service. My guess is that her bank will work with Venmo and get her money back, but it is a much more slippery slope than the same situation with a bank. See this article for details on this situation.

TIP #6 – DO NOT use “accounts” at sites like Venmo and Paypal where they act like a bank and store money for you. Those accounts are not protected under federal banking laws. If you tie those accounts to an actual bank account, you have more protection under federal law.

TIP #7 – If you are more paranoid than some or just risk averse, but you want to use services like this, tie them to a separate bank account that is not linked to any of your other bank accounts. That way, if the account is compromised, your liability is absolutely limited to what is in the account. I have one of these and I never keep more than $200 in that account. Even though the account is not linked to any of my other accounts, I can transfer money in and out of the account online.

TIP #8 – Always use two factor authentication for financial accounts and if possible use an app for that second factor. These apps are way more secure than text messages. Free apps to do this include Google Authenticator, Microsoft Authenticator and Authy, among others. The web site has to be set up to use one or more of these apps.

Hopefully this person will get her money back, but you can use her pain to improve your security.

Last tip – TIP #9 – All banks offer the ability to receive an email or preferably a text message any time a charge or credit to your account happens. This includes checks, debit card transactions, credit card transactions and even ATM transactions. You will receive text messages within seconds of the charge happening. Recently one of my cards was compromised and as SOON AS I got the first text message, I was on the phone with my bank’s fraud department (call the number on the back of your credit or debit card and ask for the fraud department). Banks are very motivated to stop this fraud because they eat the losses. In my case, as I was talking to the fraud department, the card was being used in three different stores. They immediately shut down the account, credited those charges and sent me a new card. If you think it is annoying getting text messages about the use of your account, think about how annoying it is if a hacker empties that account.

If you need more assistance, please contact us.