Ransomware with Terms of Service

So you thought only companies like Microsoft and Google had terms of service. Apparently that is not the case.

I keep talking about the horror that ransomware 2.0 is: the hackers steal the data before they encrypt it, then threaten to publish it if you don’t pay.

That means backups alone are not sufficient to protect you.

Now one of the first players to use ransomware 2.0 against victims is upping the ante by creating terms of service like a legitimate software provider.

Here are their terms:

  • If you do not respond to their attack within 3 days, they will publish that you have been hacked on their web site. They say that if you don’t start communicating within 3 days, you only have yourself to blame.
  • They say that negotiating means dialog and finding the “best” solution for both parties. If the “client” is too shy, scared or just can’t negotiate, that is, they say, exclusively the client’s problem.
  • They say that if you can’t figure out how much it is going to cost you to recover without them, they will help you: it will cost you over 10 million dollars. Not sure how they came up with that number, but there you go.
  • If the “client” fails to start communication, they will start to publish the data. After 10 days they will publish all of the data. I suspect this is due to victims stringing them along. Maybe they figure that if they are not going to get paid, causing pain may get other people to see things differently. If you see your competitor’s data laid out on the Internet and then you get hit, you are probably more likely to pay.
  • Once they start publishing the victim’s data they will start notifying regulators, customers of the victim and partners of the victim. Every state has a breach notification law. If the data that they publish includes personal data of California residents, you can almost guarantee that you will get sued.

All of this is likely meant to put a lot of pressure on victims to pay. As companies improve their backups and business continuity programs, they have become less likely to pay, even though many high profile companies have paid, many of them silently, and many of them millions of dollars each.

Ultimately, you need to do your best to keep the hackers out. That is the best solution. If you need help, let us know.

Here is a screen shot of their terms of service. I am not clear whether their bad English is an act – likely it is, so just ignore it.

Rules For State Sponsored Hacking – There Aren’t Any

Hacking is today’s preferred method of espionage. It is easier and far less risky than the old school version of putting a person in the organization and risking their life.

So what is in the news recently.

First, Russian hackers at the FSB, which is sort of like our FBI – sort of. The FSB is mainly responsible for internal security, counterespionage, organized crime, terrorism and the like. I say sort of because it is also hacking research institutions around the world trying to get a leg up on COVID-19 research. After all, it is quicker and cheaper to steal it than to do it.

The UK’s National Cyber Security Centre (NCSC) says that Russia is hacking them, as does the UK’s Foreign Secretary. In the U.S., it was left to CISA, part of DHS, to complain. Canada says the same thing (according to The Register).

Next comes China. Just a few months ago, the FBI accused China of trying to hack coronavirus research. They say that the Chinese were looking for vaccine information. Credit: CNet. Again, it is cheaper to steal it than to invent it. Both China and Russia have long histories of doing this.

Why is the White House being quiet about this? Maybe ….

In 2018 President Trump signed National Security Presidential Memorandum 13 which, while highly classified, appears to give the CIA pretty much a blank check to hack anyone they want.

We used to have a vetting process for these activities, but now it is completely at the discretion of the CIA.

The CIA claims there are review processes. Maybe so.

The CIA reportedly hacked the Russian contractor SyTech, which was suspected of doing work for the FSB, after which 7.5 terabytes of its data were released. Also attributed to the agency is the dumping of names, photos and phone numbers of suspected Iranian intelligence agents.

This seems kind of similar to the release of the Vault 7 group of CIA hacking tools.

Other covert operations reportedly include the release of data on 15 million debit cards from an Iranian bank, according to sources.

Obviously, at least we hope, the CIA is targeting our enemies like North Korea and Iran.

But what is the outcome? Have we turned this into a food fight?

Truth is that no one knows.

Maybe it just makes the CIA more agile. That is certainly one possibility.

Reports are that while Russia, China, Iran and North Korea were the targets of the memo, it was not limited to those countries. Since the memo is classified, we don’t know whether that is true or not.

Between 2013 and 2017 the U.S. attempted to negotiate some boundaries for state sponsored cyber attacks, but that, again apparently, didn’t go anywhere. After all, can you really trust Russia, for example?

I would say that we definitely have the makings of a food fight. But then again, were we always in a food fight, except we didn’t have any food?

Russia and China might say that they are not trying to damage our research, unlike our Stuxnet attack on Iran. They are just stealing information – a time honored spy thing, just doing it by hacking rather than breaking in and stealing it. It is more “efficient”.

So the bottom line is that we, they, everyone, have moved into a new form of spying. The French and Israelis, for example, supposedly our allies, have been stealing information from American businesses and business people for decades. Is this anything new really?

There have never been any “norms” for cyber spying and there still are not. There likely won’t be any norms any time soon, so expect the hacking to continue. Credit: ZDNet and The Register.

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share clipboard contents between your Apple devices. According to the lawsuit, LinkedIn reads the clipboard without notifying the user. However, LinkedIn is not alone: more than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM Resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. How we know this is not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARN IT Act, which would require companies like Twitter to implement encryption back doors, and the LEAD Act, which FORCES judges to make companies decrypt data if the cops ask the judge to do it, with no judicial discretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was found on an Elasticsearch server with no password. This represents 20 million users’ logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read

OMG – Twitter Hacked!

The details are a bit sketchy, but a number of high profile Twitter accounts were hacked on Wednesday. Among the accounts hacked were Apple, Elon Musk and Joe Biden. Other accounts include Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp and others.

Read to the end to find the OMG part.

In this particular case, all the scammer wanted was money.

The scam went like this: if you send me $1,000 in bitcoin, I will send you back $2,000. Only doing this for 30 minutes, said Joe Biden’s account.

Needless to say, Biden did not send the Tweet, nor did fools who believed this too-good-to-be-true story get their money doubled.

Twitter acknowledged the problem just before 3PM Pacific Time on Wednesday, saying that they had a little problem.

Now comes the OMG part.

As Twitter tried to get their arms around how many accounts were compromised and how it happened, they locked down a number of high-profile accounts. Those accounts COULD NOT TWEET. WHAT IS THE WORLD COMING TO?

Later in the afternoon Twitter said that things were getting back to normal, but they reserved the right to lock down more accounts if they needed to.

Just in case this is not obvious, this is not a case of a user picking a bad password.

Based on conversations others have had with hackers, backed up by screen shots, it appears this was an inside job. This is only speculation at this point.

The scam itself is pretty vanilla. What is brazen is hacking all of these high profile accounts: Republicans, Democrats, multiple presidential candidates and other so-called “verified” accounts.

The Bitcoin address in question had racked up over a hundred grand by mid afternoon and was going up quickly.

What if, instead of a stupid scam that no one SHOULD believe, the hackers instead Tweeted that the President had been assassinated or that China had launched a nuke aimed at Miami, Dallas and pick your least favorite city?

Mass panic.

Financial chaos.

Ultimately, it boils down to the speed that social media moves at and the trust that some people place in news pushed by social media.

Even if Jack Dorsey figures out what happened and I think it is likely that he will, it may be impossible to stop this from happening again.

This is definitely an example of “Buyer Beware”. Credit: Tech Crunch

A little more information has come out, but not a lot. Twitter is saying that rather than their employees being crooks, they were just duped by the hackers. Not sure which is worse.

Apparently, Twitter has an internal tool that allows an employee to do things like change the email associated with an account with no notification and no validation.

Some people posted screen shots of the internal Twitter tool. Twitter’s solution to this “problem” was to delete those tweets and disable those accounts. Apparently, they don’t understand how the Internet works, because with Google and 30 seconds you can find ten copies of those pictures. We are still waiting for Twitter to come clean. That may have to wait for the lawsuits. After all, people did lose thousands of dollars each. Credit: Brian Krebs.
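To make the “no notification and no validation” point concrete, here is an added example (my own illustration, not Twitter’s code; the class names, the account and operator names and the message texts are all assumptions) of an admin “change account email” action written the way the post describes it, beside a hardened version. The hardened tool makes the new address prove it is reachable, warns the old address before anything changes, requires a second operator to approve changes on high-value accounts, and writes every step to an audit trail, so a single duped employee session is no longer a full account takeover.

```python
"""Added example, not Twitter's code. Names and structures are assumptions."""
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    handle: str
    email: str
    verified: bool = False   # high-value account, e.g. a "verified" profile


class WeakAdminTool:
    """The failure mode on the page: any operator swaps the email silently,
    so one phished employee session is a complete account takeover."""

    def __init__(self, accounts):
        self.accounts = accounts

    def change_email(self, operator, handle, new_email):
        self.accounts[handle].email = new_email   # no check, no notice, no log
        return True


class HardenedAdminTool:
    """Same action behind four controls: proof of control of the new address,
    a notice to the old address, two-person approval for verified accounts,
    and an append-only audit trail of who did what."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.audit = []      # (actor, event, handle, detail)
        self.notices = []    # (recipient, text) a mail/SMS gateway would send
        self._pending = {}   # handle -> {requester, new_email, token, approver}

    def request_change(self, operator, handle, new_email):
        token = secrets.token_urlsafe(16)
        self._pending[handle] = {"requester": operator, "new_email": new_email,
                                 "token": token, "approver": None}
        # The new address must prove it is reachable; the old one is warned
        # right away so the real owner can object before anything changes.
        self.notices.append((new_email, f"confirm with token {token}"))
        self.notices.append((self.accounts[handle].email,
                             f"email change to {new_email} requested by {operator}"))
        self.audit.append((operator, "request", handle, new_email))
        return token

    def approve(self, approver, handle):
        req = self._pending.get(handle)
        if req is None:
            return False
        if approver == req["requester"]:   # four-eyes: must be a second person
            self.audit.append((approver, "approve_denied", handle, "self-approval"))
            return False
        req["approver"] = approver
        self.audit.append((approver, "approve", handle, req["requester"]))
        return True

    def confirm(self, handle, token):
        req = self._pending.get(handle)
        if req is None or not secrets.compare_digest(token, req["token"]):
            self.audit.append(("system", "confirm_denied", handle, "bad token"))
            return False
        if self.accounts[handle].verified and req["approver"] is None:
            self.audit.append(("system", "confirm_denied", handle, "no approver"))
            return False
        old = self.accounts[handle].email
        self.accounts[handle].email = req["new_email"]
        self.notices.append((old, f"email changed to {req['new_email']}"))
        self.audit.append((req["requester"], "change", handle, f"{old}->{req['new_email']}"))
        del self._pending[handle]
        return True


def demo():
    """Run the same takeover attempt against both tools on a verified account."""
    weak = WeakAdminTool({"@victim": Account("@victim", "owner@example.com", True)})
    weak.change_email("phished_employee", "@victim", "attacker@example.net")

    hard = HardenedAdminTool({"@victim": Account("@victim", "owner@example.com", True)})
    tok = hard.request_change("phished_employee", "@victim", "attacker@example.net")
    alone = hard.confirm("@victim", tok)           # blocked: no second approver yet
    hard.approve("phished_employee", "@victim")    # blocked: cannot approve own request
    hard.approve("second_operator", "@victim")     # a second compromised person is needed
    done = hard.confirm("@victim", tok)            # and the attacker must hold the token
    return weak.accounts["@victim"].email, alone, done, hard


if __name__ == "__main__":
    weak_email, alone, done, hard = demo()
    print("weak tool:", weak_email)
    for entry in hard.audit:
        print("audit:", entry)
```

The hardened path still goes through when two operators collude or are both phished and the attacker also controls the new mailbox, which is the point: the attack now needs three things instead of one, the old address is warned twice, and every attempt, including the denied ones, is in the audit log for incident responders.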

Here are some out of the box thoughts. – What if this was an effort by the North Koreans or Chinese? What if this was just a test run? What if this happened the day of the presidential elections? What if the hackers said that candidate [pick one] dropped out of the race, so don’t bother voting. If people are willing to send thousands of dollars of Bitcoin to a stranger in response to a Tweet, the above is not so far fetched.

Here is another thought. Were the direct messages of all of those compromised accounts stolen? Are we going to see those DMs made public, say right before the election? Shades of Russia and the 2016 election. Stay tuned.

TomTom Bills for Services Not Delivered

This is an interesting story and an interesting warning.

The good news is that it is manageable and the exposure is low, but as the Internet of Things continues its march to take over the world, the problem is only going to get worse.

Here is today’s story.

A guy in the UK woke up one morning to discover that his credit card was being charged for TomTom’s satellite navigation services.

The only problem is that this service was for his Mazda CX-5.

Which he sold last year.

But this owner did the right thing. When he sold his car back to the dealer, he dug through the manual to figure out how to do the equivalent of a factory reset on the infotainment system so as to wipe out all the data: all of his contacts, logins, etc. He thought he did the right thing.

The car sat on the dealer’s lot for months, but then he got this bill.

He reached out to both Mazda and TomTom.

Mazda said that they didn’t keep financial (AKA credit card) data and that when the customer did a factory reset, it wiped out the contact information and all other PII.

No matter what question the reporter asked Mazda’s spin doctor, the answer came back that they don’t keep personal information and if the consumer contracts with a third party for services, that is the consumer’s problem (basically, he said it a little more covertly).

Technically this is true, but perception is reality.

TomTom was a little better. They said that they screwed up and sent out billing notices when they should not have and quickly corrected the problem.

At least in the United States, **IF YOU PAY WITH A CREDIT CARD**, your ability to get your money back for situations like this are good as long as you notify the credit card company quickly.

But it points to a bigger problem.

Obviously this guy didn’t realize that there was a third party relationship associated with this part of his car – the navigation system. It is built into the car. He followed the directions to wipe it. Shouldn’t that be it?

How many IoT devices do you have that use one of your credit cards or your bank account? Do you even know which devices have what information?

Example: I have a Ring video camera. They charge my credit card a few bucks every month for storing my videos. I could literally take the camera out to my driveway and run it over with my truck and I would still get a bill from Ring every month.

They don’t care that I don’t have the device.

Worse yet, if I sell the device and someone else is dishonest or just not knowledgeable, they could use the device in a way that charges my account.

The way the game is set up is that it is your responsibility to keep track of everything that uses your account information so that you don’t get charged for something that you don’t own, don’t want or can’t use. It is completely up to you.

While I understand why the vendors like it this way, it is important that you, as a business owner or consumer, understand what you have gotten yourself into.

As a consumer, you might see a $10 charge or $25 or whatever and say “hey wait, that’s not right”. And go through the hassle to fix it.

But for someone in the accounting department of a company, even a small company, the odds of catching a $25 or $50 erroneous charge on a business credit card – a charge that has been showing up every month for years but is no longer valid – are much lower. The vendors like it that way.

The ball is, as they say, in your court. Credit: The Register

Trust Your Internet Provider at Your Own Risk

I am not saying that Internet providers are evil. They just may not be as concerned about your security and privacy as you are.

I have often said that your ISP provides you with the modem/router that they can buy for $12.95. While this is a bit of hyperbole, it is, none the less, all too true.

Two security researchers discovered severe vulnerabilities and intentional backdoors in 29 different fiber termination devices from the vendor C-Data. This is just one example.

These devices, called FTTH OLTs (fiber to the home optical line terminals), sit wherever the ISP’s fiber ends and Ethernet begins; they are deployed all over ISPs’ networks.

Not surprisingly, these devices are made in China. They are in consumers’ homes, businesses and data centers.

The researchers found multiple very severe vulnerabilities in multiple devices.

Our recommendation is that you install your own firewall, one that you and only you control, between the ISP’s connection and your equipment. While this seems logical, you would be surprised at the number of networks that rely on the ISP to secure them.

Hopefully most businesses have their own firewalls, but small and medium businesses too often trust their ISP to secure them.


More importantly, many of these vulnerable devices will never be patched.

You are responsible for protecting your own network. Sorry. Credit: ZDNet