Security News for the Week Ending September 25, 2020

GAO Tells Treasury: Track Cyber Risk in Financial Sector

The GAO told Treasury to work with Homeland Security to better track cyber risk in the financial sector.

The GAO says that Treasury does not track efforts or prioritize them. The “sector specific” security plan was last updated in 2016 and, of course, most of the tens of trillions of dollars of assets belong to private companies.

Not only that but Treasury has not implemented the recommendations from the last audit. Credit: Meritalk

Trump Campaign Spent $4 Million to Buy Your Location Data

The Trump campaign spent $4 million buying data on voters, including location, from a data broker named Phunware. The company makes a software development kit that developers can use to collect your data, including location, and sell it to data brokers. Nothing illegal, but lucrative for the app developers and useful for political campaigns and others. Credit: Vice

Google and Amazon – Both Can Be Un-Secure

We always talk about Amazon S3 storage buckets being configured in an un-secure manner, leaking data. Researchers say that 6 percent of a sample of Google storage buckets are also configured so that the wrong people can read from or write to it. Documents they were able to read include passports and birth certificates. Just like with Amazon, Google will disavow any responsibility if you mis-configure your storage. Bottom line – test your security regularly and do not assume that anything is secure. Credit: Threatpost

Russia and China, Oh, My! (Hacking)

While the current occupant of 1600 Pennsylvania Avenue continues to put pressure on China, he is not putting pressure on Russia and they are definitely going after us.

The Russian government hacking group known as APT28 or Fancy Bear is sending out fake NATO training materials laced with hard to detect Zebrocy Delphi malware. The email attachment has a zipx file extension. At the time researchers got a copy of the malware only 3 virus products detected it. It seems like with this campaign, the Ruskies are going after government computers, but there is always collateral damage. Credit: Bleeping Computer

At the same time, the FBI says that the Chinese are still actively going after Covid-19 research, including vaccines. After all, it is easier to steal a vaccine than to develop and test one. The Chinese read the newspapers, see who is claiming interesting stuff, and then try to hack them and steal their information. They are not alone. Russia and Iran are also trying to steal research and vaccine info. Credit: MSN

Controlling Insider Threats

There are two flavors of insider threats.

#1 is Edward Snowden. Skilled. Motivated. On a mission. Understands that there will be collateral damage. Knows that he or she is breaking the rules. Sometimes it is national security. Other times it is industrial espionage. Still other times it is pure curiosity. Often, but not always (such as sneaking a peak at a celeb’s medical records out of nosiness) money changes hands.

#2 is your average employee. Trying hard to do his or her job. Is a human being. Human beings make mistakes. No money. No evil intent. Just being human.

I don’t have any stats, but I bet for every #1, there are a couple hundred #2s – or more.

Let’s assume that there are a lot more cases of benign insider threat than malicious insider threat, but no matter the intent, the threat is real.

So what can you do?

Here are 5 tips.

#1 – Require cybersecurity awareness training, AKA anti-phishing training of everyone, but the lowest paid employee to the CEO. All it takes is one of them to click on the wrong thing and you are in a full-blown ransomware incident.

#2 – Avoid public WiFi. I know it is convenient and it is just to do this one thing, but it is far from secure. If you have to use public WiFi then at least use a SECURE VPN.

#3 – Enhance endpoint protection. Endpoints, AKA your users’ phones, tablets, laptops, computer computers and home whatever, is THE weak link in the chain. Enhance that and you will reduce overall risk. And it isn’t just company laptops. It is all endpoints.

#4 – Really stay on top of patches. The golden rule is 24/72. This means patch within 24 hours any zero day exploit that is under attack and 72 hours for everything else. Just this month we saw a Microsoft patch that was released late last week (netlogon), that the feds ordered all executive branch agencies to patch within 24 hours (by Monday night) and yesterday Microsoft said the bug is being exploited in the wild. This means patching your operating system and all applications. Even the ones that you don’t use. They are still an attack vector. And this includes employee owned phones — and deal with the ones that are no longer being patched by the vendor/carrier.

#5 – Proactively manage remote desktop/remote control tools. We are seeing multiple nation-state attacks that are going after remote access solutions. RDP. VPN. Remote control. They are an easy attack vector and we know for a fact that they are being actively exploited by hackers.

While these seem simple, doing them right is hard. If you need help, contact us. Credit: SC Magazine

Ransomware. Healthcare. 1 Old, 5 New.

The Hacking Group Dark Overlord hacked Athens Orthopedic 4 years ago and they are still dealing with the fallout, including paying a 1.5 million dollar fine to the feds.

The feds say that Athens management was not being good. In fact it was being naughty. HHS audited the doctors after the attack and found systematic non-compliance with HIPAA.

The hackers stole over 600,000 patient records. A journalist found some of their patient records on the dark web. Within a few days, the hackers contacted Athens demanding a ransom.

So this points out that ransomware 2.0 – the kind where hackers steal data, encrypt your systems and then hold both your systems and your data hostage – has been around for years. It is just becoming more popular now.

In addition to losing four years of their life and $1.5 million, the doctors now have to implement a corrective action plan (CAP). A CAP is HHS’s term for getting your security act together.

Oh, yes, the source of entry for the hackers? Credentials stolen from a third party. I guess the doctors will now implement a vendor cyber risk management program. A bit late, but better late than… Credit: Health IT Security

HHS also fined 4 other healthcare providers this year, fining them as much as a million dollars.

Fast forward to today.

This month hackers have posted the data of 5 different medical practices on the dark web in an effort to extort money. UCSF paid hackers over a million dollars just a couple of months ago.

So what are we seeing now?

Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario and Nonim Medical are all dealing with their data being hacked and posted on the dark web.

Assured Imaging is notifying 244,000 patients that their data may have been compromised. The hacker only had access to the data from May 15 to 17.

So what does all this tell us?

  • The hackers are using any available option, including third parties.
  • They do not need to have access for a long time to do a lot of damage.
  • Some health care providers are not following the HIPAA rules including getting annual third party risk assessments.
  • The companies that get hacked will be cleaning up the mess for years.
  • And will likely pay HHS a lot of money as well as getting to execute a CAP.
  • Finally, there will be lawsuits. There always are.

So I am going to leave you with just one thought and it doesn’t only apply to healthcare. Credit: Health IT Security

Do you feel lucky, punk?

I am sure that these organizations didn’t think they were going to get attacked. At least some of them were not taking security seriously enough.

Are you taking your company’s security seriously enough?

Election Security Status

With elections less than two months away and lots of stories about election hacking, what is the real story.

Unfortunately, the real story is classified so even if I did know, which I don’t, I couldn’t tell you. The government won’t admit that straight out, but they know a whole lot more than they are telling us.

But at this year’s Billington Cybersecurity Summit, experts talked about their opinion about what is so. Here is some of what they said.

Chris Krebs, head of DHS’s CISA and the government’s point person on election security says that we have turned the corner in a really meaningful way. Chris is a good guy, a smart guy and no one’s fool, so I think he honestly believes that.

What has CISA done? Well one big change from 2016 is that at least this time the vast majority of election officials (there are around 10,000 election entities in the U.S.) are no longer sleeping at the switch. That is a big improvement but it doesn’t fix the problem. At least they know that there is a problem.

Since the last election, CISA is working with a lot of election officials in every state. Not every official by a long shot. CISA says that they are working on supporting 8,800 election officials, whatever that means.

Remember that there is a lot of tech. There are voter registration systems, election night reporting systems, vote processing systems, public web sites and, of course, voting machines. This is far from a complete list. You also have voting tech vendors. Some of them, like one of the biggest, ES&S is completely scared. They are so scared that they are arguing before the Supreme Court that researchers who try to find bugs in their software should be thrown in jail. Is that really the smartest response? Better we should leave those bugs there for the Chinese and North Koreans to abuse. But their ego and reputation is much more important than the safety of your vote. Maybe they should spend more money on security instead of lawsuits.

One thing that is absolutely true is that way more votes will have an audit trail. In part this is due to the fact that many more people will be voting by mail. Nearly 75% of voters will be allow to vote by mail. We don’t know yet how many will. Each of those votes will be auditable. In addition, more and more voting machines will create a HUMAN READABLE audit trail for votemasters to use to verify your vote. It used to be that many voting machines had no audit trail at all so there was nothing to recount. Then there were voting machines that created a 3D barcode, but since you couldn’t read that, there was no way to know if your vote was recorded correctly. Or at all. Now most voting machines create an audit trail that says that I voted for, say, Sue for Secretary of State. You can look at that piece of paper before you deposit it in the ballot box and see if that is really who you voted for.

The states asked for a lot more money than Congress gave them to bolster election security. They got less than a half billion when the amount needed was 1-2 billion or maybe more. There are a lot of small election districts that have a zero dollar security budget and zero security expertise.

This time disinformation campaigns are much more of an issue than hacking voting machines. It is a lot more cost effective. We already saw that the Russians stood up an entire fake media organization to create and publish fake information to attempt to shift the conversation. If they can do that, it is way more cost effective.

At the same time, social media is getting a little bit better about kicking the disinformers off their platforms. Since chaos builds traffic and traffic is money, they really don’t want to do that at all, but they know that if they don’t at least make a half-hearted attempt at it, Congress will legislate what they do and they sure don’t want that.

All in all, we are better than 2016. Significantly better. The biggest issue is still human beings because they believe what they want to believe and don’t fact check what they are reading.

There is still a lot of room for improvement, but at least we are fighting the battle. Credit: CSO Online

Security News for the Week Ending September 18, 2020

Is TikTok is Going to Sell to Oracle. Maybe

Well sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. None the less, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat and the same for TikTok, but on November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced the the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two factor codes sent via text message (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

Denial of service attacks are a brute force attack that aims to hurt a business by stopping a company’s customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) are up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and forked up the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Presidents’ 2020 Apps Not Secure

I am not sure whether this is a surprise or not.

The apps for both Biden and Trump are not secure. Does that show up as a surprise to you?

Let’s start with Biden’s App.

Biden’s iOS app did not even validate the email addresses, so anyone, say in North Korea can download and abuse the app.

They take your contact information and merge it with information from Target Smart’s voterbase, using your data to enrich their profile of 250 million consumers. While some of the fields are not exposed in the user interface, they are available to anyone reverse engineering the app. The starting data is public voter rolls data, but where it becomes valuable is when they can add your information (where your is thousands or millions of downloads) to their database.

Of course a bad actor could download the app and corrupt the database with millions of compromised contacts.

When the researchers notified Joe’s team, they fixed the flaws (whatever that means) almost immediately.

Now let’s move on to Trump’s app.

Their first problem was a little worse. They exposed hardcoded secret security keys to their Twitter and Google accounts.

In addition, Don’s app learned a lesson from TikTok. They are scraping every piece of user data off the phone that they can find. I think he called that a national security threat when TikTok did that.

In a very smart move (and perfectly legal), Trump’s app turns raising money for the campaign into a game. People get points for raising money and could wind up on a leader board if they raise enough money OR if they get their friends to install the app.

In both cases, the exposure comes from taking public data and, as the data scientists call it, “enriching it” with non-public data such as data collected by friends or by polluting it, with data collected by foes. It appears that it may be possible for folks to steal some of that enriched data.

The exposed security keys are a different story, of course. That is just a problem.

It just shows that political apps are not any more secure than any other app. Which should not be much of a surprise, but means users should not let their guard down.

No politician wants to spend money on tech, although every politician uses tech. In fact, these days, tech is critical, but so is cost containment.

It also points out that politics, these days, is all about the data and both the red team and the blue team are trying their best to collect the most data while at the same time hoping that no one will corrupt their data, either maliciously or accidentally. Or complain about their practices. Credit: Bleeping Computer