Magically, Carriers Can Stop Spam Robo Calls

For years U.S. telephone carriers have said that they can’t stop spam callers.  Truth is that they make a lot of money from either sending or receiving these calls, so they had zero incentive to figure out a way to stop it.

The problem would decrease a lot if you could believe the information that caller ID was providing you, because you could (a) tell whether you know the person who is calling you and (b) decline to answer calls from numbers you don’t recognize.

How many times have you received a call where the area code and exchange (the first 6 digits of a phone number) make it look like it came from your neighborhood?

Caller ID was created decades ago and has zero security in it.  Add to that the fact that adding security costs the carriers money with no added revenue and you can see why they haven’t done anything about it.

But Congress passed the TRACED Act late last year and this gives the FCC more power to go after phone spammers, it extends the statute of limitations for DoJ to go after spammers and it requires carriers to add security to Caller ID at no cost to subscribers.  It also allows the FCC to fine carriers for first offenses, something the FCC cannot do in most cases.

Magically, when the carriers figured out that they might get fined or even prosecuted, it only took them a couple of months to design at least a partial solution.  This is one of those cases where we don’t want perfect to get in the way of good.

Since most calls are now digital, the current plan, called SHAKEN/STIR, requires Caller ID info to be digitally signed at the source and digitally checked at the destination.

I noticed a couple of months ago that Verizon is now flagging calls as potential spam and is giving me the option to mark any call that I receive as potential spam.  Interesting what happens when the money equation changes.

The FCC *JUST* released rules that require carriers to implement SHAKEN/STIR on the digital portion of their network (such as cell phones) by June 30th of next year.  There is a one year delay for small carriers that may not be able to financially get it done by that date.

Then carriers have to deal with the old analog phone calls.

So while this is far from perfect, the big spammers are all digital because they need to make thousands of calls an hour in order to be profitable crooks.  This new regulation should significantly help this problem.

As long as the FCC keeps the pressure up on the carriers, things should improve over the next couple of years.

Source: ZDNet


Regulators Update Cyber Security Regs for Electric Utilities

Very few of my readers run electric utilities – those are the ones that these regulations apply to directly.

Then there are folks who are suppliers to utilities.  And suppliers to those suppliers.  The new regs require that utilities have a decent vendor cyber risk management program.  That increases the pool of interested parties a bit.

Then there are those folks who use electricity and would appreciate it if their lights stay on.  Except for those who run their own wind or solar farms, that is the rest of us.

And of course, last, but not least, there are other regulators who are going to watch and say “hey, that sounds like a good regulation;  I think I will adopt it for people who do business in my industry or my state”.

So what is in the new regs?

The regulator is NERC – The North American Electric Reliability Corporation.  NERC is a quasi-governmental agency that sets forth standards for the electric utilities to follow.  They call the rules Critical Infrastructure Protection (CIP).

Note that I am only going to touch on the tip of the regulatory iceberg here, but I will give you a link to all of the CIP regs at the end in case you want to steal some of their ideas.

CIP 005-6 Electronic Security Perimeter

Note all the leading zeros in the rule number.  Room for up to a thousand rules.  Plus the sub-rules.  That’s pretty scary.

This rule adds detailed requirements for firewalls, DMZs and network segmentation.  Probably a good idea for everyone.   This includes a requirement to be able to know how many active vendor remote sessions you have (as opposed to employees) and have a way to disable them.  Again, probably a good idea for everyone.

CIP 010-3 Configuration Change Management and Vulnerability Assessments

Again, change control and vulnerability assessments should be things that everyone is doing anyway.  One thing this requires is that you be able to validate every piece of software in your supply chain.  Can you do that?  Do you even know what software is in your supply chain?  Think of this as software bill of materials (BOM) on steroids.  Once you do know what software is in your supply chain then that helps with vulnerability assessments.  But how do you “validate” each piece of software?  They suggest with crypto checksums for everything.  Ask Equifax.  It is not as easy as it sounds.
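
To make the checksum idea concrete, here is an added example (not from NERC or from this post's sources) that checks a delivered software directory against a vendor-supplied SHA-256 manifest. The manifest format (`sha256sum` output) and the file names are assumptions, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST_LINE = re.compile(r"([0-9a-fA-F]{64})\s+\*?(.+)")

def sha256_file(path, chunk_size=65536):
    """Stream the file so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  [*]path') into {path: digest}."""
    expected = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        match = MANIFEST_LINE.fullmatch(line)
        if match is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[match.group(2)] = match.group(1).lower()
    return expected

def verify_tree(root, manifest_text):
    """Classify every file that is listed in the manifest or found on disk."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        target = root / name
        if not target.is_file():
            report[name] = "MISSING"
        else:
            report[name] = "OK" if sha256_file(target) == digest else "MISMATCH"
    # Software that shipped but is not on the vendor's list is a finding too.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            report[rel] = "UNLISTED"
    return report

def demo():
    """Constructed sample: one intact, one altered, one missing, one extra file."""
    listed = [(b"vendor build 1.0", "agent.bin"), (b"original library", "lib.so"),
              (b"never delivered", "updater.exe")]
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for d, n in listed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "agent.bin").write_bytes(b"vendor build 1.0")
        (root / "lib.so").write_bytes(b"changed after release")
        (root / "extra.sh").write_bytes(b"not in the manifest")
        return verify_tree(root, manifest)

if __name__ == "__main__":
    print("\n".join(f"{s:9} {n}" for n, s in sorted(demo().items())))
```

A checksum only proves a file matches the manifest, so the manifest itself has to arrive over a channel you trust, separately from the files it describes.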

CIP 013-1 Supply chain risk management

This may well be the most complex part.  Most companies have a lot of suppliers.  Big companies have thousands.  Small companies have hundreds.  The number of vendors is amazing.  They require a written program and remember, those vendors have vendors.  And the whole process has to be signed off on by an executive whose head is on the proverbial chopping block.

Check these CIPs out and see if any of them make sense to you.  Then adopt them.

All of NERC’s CIP standards can be found here.

And, just in case you are thinking this is just some private regulator with no clout: last year they fined an unnamed utility (which everyone knows is Duke Energy) $10 million for violating the rules.


News Bites for the Week Ending March 27, 2020

Hacker Sells 538 Million Weibo Accounts

Karma is a B**tch.

With all of the Chinese hacking efforts, someone is hacking back.  Is it us?  Not clear.  In any case, the data includes information like real names, site names, location, etc. and 172 million of the 538 million records include users’ phone numbers, but not passwords.  The data is available for $250.  Given China’s iron grip on the Internet, they should be able to catch this guy.  Unless he is not in China.  Source: ZDNet

Pentagon Increases Progress Payments to Primes

The Pentagon is trying to keep the Defense Industrial Base afloat during these trying times by increasing so-called progress payments to primes and other measures.  Whether it will be enough to keep small subs in business is not clear, but what we have seen is that the bankruptcy courts treat these companies’ intellectual property as an asset and sell it off during liquidation – even selling defense information to the Chinese.  In theory, CFIUS should allow the government to stop these (and it absolutely can if it moves fast enough) and FIRRMA (aka CFIUS 2.0) gives the government even more power to stop it but the bankruptcy courts have, for the most part, thumbed their noses at it, possibly (kindly) because they are clueless about the risk.  Source: National Defense Magazine

Experts See Over 600 Percent Spike in Malicious Emails During Covid-19

Barracuda Networks researchers saw a 667% spike in malicious emails using Coronavirus.  The goal is to get you to click on malicious links or download attachments that include viruses.  They saw almost 10,000 coronavirus-linked email attacks in the last three weeks compared to 1,800 in February and fewer in January.  Phishing attacks are nothing if not tied to current events.  Source: The Hill

Netflix Reduces Video Quality in Europe Over Bandwidth Crunch

According to Variety, Netflix uses one out of every eight bits traversing the Internet (12%).  As general  Internet usage goes up, Europe has asked Netflix and other streaming video providers to reduce their video quality from HD to SD.

“As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators.”

Netflix has agreed to reduce its video stream bitrate by 25% for the next month.  Source: Bleeping Computer


Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  Many times, for ISP provided devices, they have a back door, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, likely they can see most of your traffic, both local and on the Internet.  Even if it is encrypted, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If, in general, they are pushing out regular updates, likely they will do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall  – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


FBI: Building Digital Defense with Browsers

As more of our computing world lives inside a browser, the risk goes up.

As we move to Work From Home, the risk goes up again because we no longer have corporate infrastructure to chop off the top few layers of attacks.  Also many of us have kids that either share our computer or share our network.

The FBI has launched an initiative, called Protected Voices, to protect political campaigns and voters from foreign influence campaigns and cyber attacks.

The Portland office of the FBI adapted some of the recommendations from that program into recommendations for everyone.

Before I give you the list, let me warn you that it is going to expose that perennial issue – security or convenience – PICK JUST ONE!

Here are the FBI’s recommendations:

Note: How you implement these will be browser and system specific.

  • Disable AUTOFILL
  • Disable remember passwords
  • Disable browsing history

Disabling these features makes it more difficult for malware on your system to steal sensitive data.

  • Do not accept cookies from third parties

Note that some browsers do this by default.  Doing this reduces the ability of third parties to track you and aggregate your browsing habits.  And sell them.

  • Clear browsing history when you close your browser or use incognito mode

Note that this means that you actually have to close your browser.  Again, this reduces your fingerprint and makes it more difficult for advertisers (and hackers) to track you.

  • Block ad tracking
  • Enable do not track (there has to be at least one site on the web that honors this)

There are a number of good ad blockers.  Apple and Firefox have built in ad blocking.  Not only does this make it harder to track you but it stops malware laden ads from running on your system.

  • Disable browser data collection

All browsers like your digital exhaust;  that is why they collect it, but it is none of their business.

  • Make sure that if a web site wants your digital certificate, you have to approve each request

Your digital certificate *IS* your signature.   Protect it.

  • Disable caching

Caching makes browsing faster, but apps and web pages can find out what is in the cache and figure out what you are doing and where you have been.

  • Enable browser features to block malicious, deceptive and dangerous content.  Different browsers do this in different ways; some more privacy friendly than others.

What is true about all of these features is that they will have some impact on your browsing experience.  You don’t have to implement all of them, but each one makes things a little more difficult for the bad guys.
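
As an added example (not part of the FBI guidance or the original post), this script audits a Firefox `prefs.js` file against the list above. The mapping from each recommendation to a Firefox preference is this example's assumption, and the sample file is constructed.

```python
import json
import re

# Assumed mapping of the FBI's recommendations to Firefox about:config prefs.
RECOMMENDED = {
    "browser.formfill.enable": False,                    # disable autofill
    "signon.rememberSignons": False,                     # disable remember passwords
    "places.history.enabled": False,                     # disable browsing history
    "network.cookie.cookieBehavior": 1,                  # reject third-party cookies
    "privacy.sanitize.sanitizeOnShutdown": True,         # clear history on close
    "privacy.trackingprotection.enabled": True,          # block ad tracking
    "privacy.donottrackheader.enabled": True,            # enable Do Not Track
    "datareporting.healthreport.uploadEnabled": False,   # browser data collection
    "security.default_personal_cert": "Ask Every Time",  # approve each cert request
    "browser.cache.disk.enable": False,                  # disable caching
    "browser.safebrowsing.malware.enabled": True,        # block malicious content
    "browser.safebrowsing.phishing.enabled": True,       # block deceptive content
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Read user_pref("name", value); lines; values are bool, int or string."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        try:
            prefs[name] = json.loads(raw)
        except json.JSONDecodeError:
            prefs[name] = raw  # kept unparsed so it shows up as a deviation
    return prefs

def audit(text):
    """Return {pref: 'ok' | 'unset' | 'differs: <value>'} for each recommendation."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in RECOMMENDED.items():
        if name not in prefs:
            report[name] = "unset"  # prefs.js only stores values changed from default
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            report[name] = "ok"
        else:
            report[name] = f"differs: {prefs[name]!r}"
    return report

# Constructed sample of a profile's prefs.js
SAMPLE = '''// Mozilla User Preferences (constructed sample)
user_pref("signon.rememberSignons", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("browser.cache.disk.enable", false);
'''

if __name__ == "__main__":
    for pref, status in audit(SAMPLE).items():
        print(f"{status:32} {pref}")
```

An "unset" result means the browser's built-in default applies, which you still need to check in `about:config`.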

It is your call.

Source: FBI


What Happens When Your Fintech Provider Gets Hacked?

Fintech is a term that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks.  Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others.  Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks.  Banks are regulated.  For the most part, fintechs are not regulated.

Okay, so why am I talking about this?  Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup.  They have 10,000 employees and 9,000 customers  in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago.  Today they said it was ransomware.

So what does all this mean?

Well, a couple of things.  People are using more fintech technology.  Mobile apps.  Data aggregators.  Many other things.

These apps and web sites have your financial data.

Maybe they have decent security.  Maybe not.  For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finastra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked.  I know;  I was one of those vendors and they take the problem very seriously.

Finastra has been less than forthcoming with what is going on.  Many ransomware variants steal data in addition to encrypting it.  Was this one of those?  We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up.  Likely, as a $2 billion company they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this.  These data centers are off line in addition to being powered off.  As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important.  For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the problem is this: if they are hacked, is the security of your bank account compromised?  Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss.  Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs.  You could be arguing for a while.  Worst case, you might have to sue them.  You might not win in court.  It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked.  They don’t have the money or the insurance to make their clients whole.  They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart.  Understand the risk.  Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs
