Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of its new software so that Apple doesn’t have a disaster on its hands when the new software is released and users’ applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – to people who want unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning Users’ Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that eBay is looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this, specifically without asking for permission, likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

The question for you – whether or not you use every single one of those apps frequently – is how many of those apps are still supported by their developers? That includes the so-called “packages” (third-party libraries) that the app developer used to write the app.

An unsupported app – with bugs that have not been discovered or patched – can provide an avenue for exploitation by hackers for as long as it remains on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

Cybersecurity and Work from Home

Reports are that reported breaches are down. This is likely not because there are fewer breaches, just fewer reports.

Wait six months and see what the breach reports look like.

Security firm Tessian released its State of Data Loss report, and here are some of the things it found.

  • 52 percent of employees feel they can get away with riskier behavior at home like sharing confidential files by email.
  • Part of the reason for not following safe practices is that many employees are using their own computers rather than a company-issued one.
  • Another reason is that security and IT are not watching them.
  • Employees have more distractions at home, making it difficult to concentrate. Distractions include kids, roommates and not being in their normal office environment.
  • Some employees say they are being forced to cut security corners because they are under pressure to get the job done.
  • Half of the people said that they had to find workarounds to the rules in order to work efficiently.

None of this is news.

Employers are the ones who will get to pay for this in the long run. If an employee causes a breach by cutting corners you may fire them (and you may also get sued by them, because they may say that you forced them to cut corners – whether true or not), but even if you do, you will still get to write that check for thousands or millions of dollars. And suffer the reputation damage.

Many companies do not have good (or any) real-time security monitoring and alerting systems in place. The effect of this is that even if you are breached, you won’t know about it.

Do you know the most common way companies find out about a breach?

YUP, it is when some third party like the POLICE, FBI or CREDIT CARD COMPANIES tell them they have been breached.

So while no one really wants to spend the time and money right now, now is the time that you have to spend time and money.

Alternatively, you can spend that money in breach response.

At least 10 times more money.

Assuming you don’t get sued.

Or that you don’t lose customers.

Credit: ZDNet

They’re Baaaack! – CCPA Release 2

Californians for Consumer Privacy, the advocacy group that started the push for CCPA, is back again, this time pushing for a ballot initiative. You may remember that they got enough signatures two years ago, and only by some amazing gymnastics did the legislature pass CCPA.

The group says that they have enough signatures to get the new measure on the ballot and have submitted the initiative to Sacramento.

Here is some of what the new ballot measure proposes:

  • Create a new agency to protect and enforce the new rights and provide clear guidance to both consumers and businesses
  • The tech titans have been trying to delay the enforcement of the current CCPA until next year due to Covid-19
  • The new ballot measure adds new rights including on the sale and use of sensitive personal data such as health and financial information.
  • It requires an opt-in to collect such data
  • It triples the fines for breaking the rules surrounding data on children under 16
  • It requires that Californians be informed when their data is used to make fundamental decisions like credit

To get on the ballot requires 620,000 signatures; they have collected 900,000 signatures.

A recent poll says that 88% of the respondents would vote FOR a new privacy measure.

Last time, MacTaggart, the developer who pushed for the original ballot measure, accepted a compromise from the legislature, but indications are that this time he won’t. However, life is always negotiable.

One reason for the ballot measure is to force the creation of a new agency to enforce the law. The current AG has been, at best, lukewarm to enforcing the existing law.

Get your popcorn out; this is going to be a real battle. Credit: The Register

NY Shield Act and Inadvertent Disclosure

About a year ago the Governor of New York signed the SHIELD Act into law. Among other things, the law broadened the definition of a breach to include ACCESS to the data, not just stealing it. It also broadened the definition of personally identifiable information. Notice that no one talks about non-public personal information any more; personal information is personal information.

It also says that all businesses need to have a reasonable cybersecurity program. My definition of reasonable is one that you can convince 12 jurors, who don’t really want to be there and who have had their own personal information stolen more times than they can remember, is reasonable. An alternative definition is the best commercial practices available consistent with the risk. If you are the corner deli and you email people the daily specials and all you have is their name and email address, that is a different level of risk than, say, a mortgage company.

Finally, the law dramatically expanded its reach to include any company, anywhere, that has private information of New Yorkers. That means that if you have a website and it collects personal information, you are likely covered. Especially if you have a breach.

But it also includes an exemption for “inadvertent disclosure”. What is important to understand is that relying on this exemption in the case of a breach comes with some risk.

Well what does inadvertent mean?

OF COURSE, the law does not define it, but it does say that to be inadvertent, all of the following must apply: (a) the disclosure was inadvertent (circular reasoning), (b) it was disclosed by someone who was authorized to access the information and (c) the exposure is “not likely” to result in any of the following: (1) misuse of the information, (2) financial harm or (3) emotional harm. It also requires businesses to document their findings in writing and keep that documentation for 5 years (in case you get sued, they can hang you, so to speak, with your own documents). And, if the breach affected more than 500 people, you must provide the Attorney General with a copy within 10 days of completing the determination.

There is, however, no case law defining inadvertent or likely. That means that you should use the exemption carefully, after consulting with legal counsel.

It should be pretty easy to determine whether the disclosure was inadvertent and whether the person who disclosed it was authorized. What is harder is assessing the potential for harm.

Also remember that it covers any company that has customers in New York, no matter where the company is located.

Welcome to the world of risk management. Not an easy job these days.

See the article for more details.

Credit: (note: registration required)

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and the Justice Department have been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it when they want to.

One high-profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want the information in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or a competitor’s) and waited.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of its techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee had used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped power grid operators from buying equipment that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese-made transformer that was delivered to it, and found things “that should not be there”. They think there are many of these already installed in America.

If true (and I have no reason to doubt it, but there are almost no details to confirm it), that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers, with utilities not allowed to buy replacements, potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third-party risk company Interos took apart one very popular, widely used touch-screen voting machine and found that 20% of the machine’s components came from companies headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given that the U.S. manufactures very little anymore, this is not much of a surprise.

Paper-based vote by mail sounds better by the day. Credit: Security Ledger

Japan Defense Contractors Hacked Like US Contractors

There is this expression – misery loves company. Well, maybe the group of U.S. defense contractors who have been hacked feel better that they are not alone.

Of course, maybe not.

I am not sure why this information is coming out now, but, if we assume that the groups who are attacking the Japanese are also attacking us, getting information is good.

The Japan Ministry of Defense said that there was an attack on Mitsubishi earlier this year and that information related to bidding for defense research contracts was likely stolen in the breach. This happened because Mitsubishi took sensitive paper documents, scanned them and put them on its internal network, which was hacked. Mitsubishi didn’t disclose the breach for 6 months, which probably didn’t make the Ministry too happy. They said, surprise, that China was likely behind the attack.

In January 2020, NEC, another Japanese tech company, admitted its network was hacked back in 2016 and that the hack was discovered in 2017. The data that was stolen was encrypted, but was decrypted in 2018. They discovered that 27,000+ files belonging to NEC’s defense business were stolen.

Recently, Pasco Corp and Kobe Steel, which are also defense contractors, disclosed a breach dating back to 2015, followed by a second breach in 2016. Pasco does aerial image surveillance. What might be sensitive there? Kobe sells underwater submarine launch tubes and other parts to Japan’s military.

While I am not clear why we are hearing about breaches dating back to 2015 just now, the range of companies breached is broad.

This means that American companies anywhere in the defense supply chain are likely targets and should increase their level of vigilance.

One unsettling disclosure is that it took some of the companies years to figure out that they had been hacked and even more years to figure out what was taken.

Credit: CISO Magazine