Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK now says that all of the contact data it collects from the app people install on their smartphones may be kept by the government forever, and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone check-ins, including people’s national identity number, at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made its contact tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smartphone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another (it tells two planes that are close to each other to move in opposite directions), is, apparently, susceptible to hacking.

The hack works by presenting phantom data to a plane indicating that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Max. Pilots tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers are targeting WordPress sites that are not current on their patches. Wordfence saw 20 million attack attempts on over half a million servers on May 3rd alone. The attack redirects visitors to malvertising, and administrators who visit the site get a free backdoor deployed for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • All employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, which represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert De Niro and many others, was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and have published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is no object, and it is probably a good guess that they could sue this law firm out of existence.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Covid-19 Does NOT Mean No Ransomware

Three separate ransomware stories – all against healthcare organizations, even though SOME hackers SAID they weren’t going to hack healthcare. Of course, what makes you think you can trust folks who break the law for a living?

#1 – Largest Private Hospital Company in Europe Hit By Ransomware

Fresenius is Europe’s largest hospital operator and a major provider of dialysis equipment and services. The company said that the hack has “limited some of its operations but that patient care continues”.

You can’t expect them to say anything different, but the part of its operations that are limited are likely those that use computers. Which is pretty much everything.

They have four business units – kidney patient care, operating hospitals, pharmaceutical provider and facilities management. I am sure that none of those depend on those ransomed computers.

Fresenius employs nearly 300,000 people.

To make matters worse, the particular malware, SNAKE, targets Internet of Things devices. None of those in your average hospital.

SNAKE is one of the family of ransomware 2.0 hacks that threaten to publish your private data if you don’t pay up – so backups are not a complete defense from these attacks. Credit: Brian Krebs

#2 and #3 – Two other Ransomware 2.0 attacks went after plastic surgery clinics.

One was Dr. Kristin Tarber’s clinic in Bellevue, Washington.

There the hackers published patient medical histories.

The other was in Nashville, TN, where the hackers attacked the Nashville Plastic Surgery Institute D/B/A Maxwell Aesthetics. There the hackers stole patient history data, health insurance info, surgery info and other information.

I haven’t seen the stolen/published data from these hacks, but in other plastic surgery hacks, they have published photos of plastic surgery of body parts that are not usually exposed, if you get what I mean.

The challenge for the healthcare industry is that the insurance companies and government reimbursements are really reducing margins.

Until the folks that control their reimbursements decide that getting shut down for weeks, or operating off paper charts with no visibility into patient history, is not a good thing, expect there to be a lot more breaches.

For the hackers, this is very lucrative. I would not be surprised if this is a revenue stream for North Korea.

I definitely feel for the healthcare providers. They want to do the right thing, but they don’t have the money.

This year the Department of Defense, which has had its own problems with hackers, decided that security is not optional and will actually reimburse defense contractors for the costs of implementing security.

The healthcare industry hasn’t gotten there yet. Hopefully it will. Otherwise, expect your medical information to be available for sale on the web. Credit: SC Magazine

Third-Party Risk in the Time of Covid-19

Here is an interesting chart from Gartner:

[Chart: third-party compliance risk]

What are legal and compliance folks worried about in the era of Covid-19? Increased cyber risk.

“Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices,” said Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice.

Even if they (compliance managers) think their own organization is following best practices for remote work (which is unlikely unless they had a strong remote work process before Covid), they think their vendors might not be so good.

  • Work with your supply chain team to identify vendors that may have problems meeting their commitments.
  • Review recent assessments to see if any vendors had challenges during good times.
  • Mitigate any new risks that you see – this could include contract changes or additional audits.
  • Consider fourth-party risk – your suppliers’ third parties.
  • Ask about their new suppliers – as well as your new suppliers.

Here’s the bad news. You don’t have the time or resources to deal with everyone, so you have to triage all of your vendors and make an educated decision about which ones to review.

And sorry, attackers are not going to give you a free pass just because there is this pandemic going on.

Finally, your suppliers are not trying to get attacked – they are dealing with the same crappy hand that you are. Credit: Help Net Security

Security Risks of Firmware

As software makers start to take security more seriously, hackers are becoming more creative.

When Apple and Microsoft started doing a better job of finding and patching bugs in their operating systems more quickly, hackers started looking at other applications installed on users’ computers.

As the makers of the other software installed on computers started taking security seriously, hackers again moved on.

What is the new target? FIRMWARE!

What is firmware, you say?

It is the layer that silently runs virtually everything today.

Your car? A typical modern car has 100 or more computers, each one running firmware and many of which have been used to attack your car. Unless you drive something like a Tesla, you probably have not patched your car lately.

What about your refrigerator?

Dishwasher?

Smart speaker?

Internet modem or router?

TV?

It is amazing what has firmware in it these days.

So what are the worries?

#1 Firmware updates

Device makers are constantly on the lookout for bugs and often patch their devices frequently.

Some vendors, who are not security focused, DO NOT offer patches. That doesn’t mean that their devices don’t have bugs or are not vulnerable to being attacked. It just means that the vendors don’t see the revenue stream in offering patches.

Sometimes vendors are very good about patching their devices. Apple is one example of a vendor that does a good job in patching, including Apple smart speakers.

But when was the last time you received a patch for your smart TV or refrigerator? My dishwasher had to be patched last year. Apparently, ones that were not patched, on occasion, caught on fire. That is where the virtual universe meets the physical universe.

Most devices that you own (a) contain firmware, (b) have bugs and (c) are never patched from when they leave the factory to when they reach the landfill.

Worse yet, some of these bugs are security problems, like the recent Intel secure enclave bug, and are NOT POSSIBLE to patch. Apple has a similar problem with their boot ROM that can’t be patched either.

#2 Configuring firmware

Most so-called smart devices are connected to the Internet, including most cars built in the last 5 years.

On the other hand, most purchasers are not trained well enough to securely configure these devices. They don’t understand the security implications of the configuration decisions they make. Let’s face it – the most popular passwords are password and 123456. That ought to tell you something.

Vendors typically configure their security features to reduce user frustration and eliminate the need for customers to call their help lines, which costs the manufacturers a lot of money. One or two calls eliminate the entire profit the vendor made from selling you that thing.

How many times have we heard about misconfigured web services like Amazon or Google which led to a breach? These are services that are usually managed by professionals. If they can’t do it right, imagine what consumers do.

#3 Firmware security awareness

The firmware on all of these devices controls what is called the CIA triad:

  • CONFIDENTIALITY
  • INTEGRITY
  • AVAILABILITY

We’ve got to figure out a way to make sure that people understand that this is a risk that they alone are responsible for, even though the company that they bought the device from never said so.

Oh yeah. THE MANUFACTURER DOES NOT HAVE ANY LIABILITY WHEN YOU DO IT WRONG. YOU ARE ON YOUR OWN.

This article is a start in that process. Credit: Help Net Security

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking our hospitals and research facilities that are looking for cures and vaccines for Covid-19. That should not be much of a surprise since China has always opted for stealing solutions vs. figuring them out themselves. At least at this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also steal information on their neighbor’s lies about their death toll. Credit: Reuters

Finally, South Korea’s DarkHotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in one attack. 5 is a massive arsenal to use in one attack, since zero-days are hard to find (or at least we think they are; since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says that it has reports of coordinated attacks on its wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do but disconnecting from the Internet likely makes companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath, when the fewest people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the office of the customer and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what employees do. Even the NSA seems to have trouble with reports of their analysts sharing salacious images that they come across.

In fact, the so-called “insider threat” problem is a really difficult problem to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located, and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10-K, 10-Q and other SEC filings. Companies only have to list items that have the potential to be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already put ransomware on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. 1 in 6 (16%) Americans don’t even have a smartphone. For the high risk group, those over 65, only 50% have smartphones, and for those over 75 it is even less.

Resistance is higher among Republicans and those that think they are at lower risk. Only 17% of all smartphone owners said they would definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post