Keeping Your Google Account Safe

Here are some practical tips for protecting your Google account. The ZDNet article credited at the end of this post has more detail.

STEP 1 – Create a new, strong password that is unique to this account and not shared with any other online account. If you don’t want to memorize it, use a password manager such as LastPass, which will also generate very strong random passwords for you. Creating a fresh password makes sure you are not reusing the Google password on other sites, where a breach of any one of them would expose it.

STEP 2 – Turn on two-step (two-factor) authentication. Google can send the second factor by text message, but we don’t recommend that: a SIM-swap or number-porting attack lets the attacker receive your codes. Use an authenticator app such as Google Authenticator or Authy instead. The app computes each code on your device from a secret that never leaves it, so even if your phone number is hijacked the attacker cannot see your second factor.

STEP 3 – Print out the backup (recovery) codes. They let you get into your account even if the authenticator app is deleted or stops working. Store these codes securely, and not on the same phone.

STEP 4 – Add a recovery email address. Google uses it to tell you if it thinks your account has been compromised, and to let you back in if you forget your password. Recovery will typically require two methods, such as one of the recovery codes PLUS a code sent to your recovery email. It is better to make this a NON-GOOGLE email address, so that one compromised Google account cannot be used to recover the other.

While nothing is bulletproof, this is probably a lot more secure than what you are doing right now.

Credit: ZDNet

If Covid Doesn’t Get You then Cyber Bugs in Medical Devices May

Well if that isn’t depressing ….

Experts warn that medical-device security is a chronic problem, now made worse by COVID-era healthcare challenges. Hospitals have been forced to prioritize budgets and staffing for lifesaving care, meaning that IT security often takes a back seat. Adding insult to injury, attackers know this and are capitalizing on the strain with a barrage of ransomware, phishing and other attacks.

Many hospitals and healthcare services were hit by ransomware in 2020. Universal Health Services was one of the larger victims, with an attack that paralyzed some 400 facilities.

Right now, attacks on individual medical devices are rare, but think about it this way. If an attacker sends you an email that says “I have hacked your pacemaker (or insulin pump, or whatever device) and if you don’t pay me X Bitcoin, I will turn it on/off/change the settings,” would you pay the ransom, even with no proof the attacker can actually do it?

One of the challenges is the medical device regulator itself. The FDA, like most government agencies, makes snails look agile. That might have been acceptable in 1848, when the FDA traces its origins, but not in 2021. Attackers don’t move at FDA speed. In many cases hospitals and device makers wait for FDA review before patching known, actively exploited bugs, even though FDA’s own postmarket cybersecurity guidance treats most routine security patches as changes that do not need its sign-off.

There are a number of steps that providers can take, like inventorying all of their medical devices and pressing vendors for a software bill of materials (SBOM) that lists the components, libraries and network stacks inside each device, so they can tell which devices a newly published bug affects.

An example of one IoT (or IoMT, Internet of Medical Things) defect is Ripple20, a set of vulnerabilities in a third-party TCP/IP networking stack (Treck) that many device makers embed in their communications firmware. Because the flaws sit in a shared component rather than in any one product, it is *thought* that Ripple20 affects around 53,000 medical device models.

A year-long study of 5 million IoMT devices found that 86 percent of healthcare deployments had more than 10 FDA-recalled device types on their network. A recalled IoMT device is one the FDA considers defective, a health risk, or both. Credit: Threatpost

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The SolarWinds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid, as they did in Ukraine, or for taking out the water or gas supply? NERC, the regulator for the North American bulk electric system, released CIP-008-6, which requires the relevant bulk power providers to report attempted intrusions in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), since folded into the National Cybersecurity and Communications Integration Center (NCCIC, now part of CISA), as well as to the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the standard does not clearly define what counts as an attempt. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that figure uses today’s Bitcoin price, but let’s say it is only $2 billion. Does that make you feel better? The most lucrative targets were individual Bitcoin wallets, but attackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow the flight crew’s instructions to wear masks and were unruly, or threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now the rules have changed and anyone who does that will be charged with interfering with a flight crew, which carries a penalty of up to 20 years in prison, a $35,000 fine, or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In macOS 11 (Big Sur) Apple shipped an exclusion list that let 53 of its own apps bypass the socket-filtering interface that third-party firewall and VPN software on the Mac relies on, so tools like those could neither see nor block traffic from Apple’s apps. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple changed the networking layer in macOS and didn’t have time to iron out all the bugs in its own apps before the software shipped. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, Apple never told users that it was exempting its buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy-oriented messaging app WhatsApp, which has become very popular. Last month Facebook announced new terms that require users to allow Facebook to use their WhatsApp data, which is somewhat unpopular with people who signed up for a privacy-oriented app. Under the covers, WhatsApp’s end-to-end encryption is the Signal Protocol, the same cryptography that powers Moxie Marlinspike’s privacy-oriented Signal app, with some lipstick on it. As a result of Facebook’s failure to understand that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out, but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is still a problem. Stay tuned. Credit: The Register

NSA Offers Advice on DNS Resolvers

DNS, the service that converts a host name (such as www.example.com, or whatever) to an IP address, is one of the last bits of the Internet that is not encrypted. Or at least it was.

Google and others have developed two different ways to encrypt DNS: DNS over TLS (DoT, RFC 7858), which runs ordinary DNS inside a TLS connection on port 853, and DNS over HTTPS (DoH, RFC 8484), which carries DNS messages inside regular HTTPS on port 443. They are variations on the same idea, and I think DoH will probably win out because it blends in with web traffic and is built into the major browsers. But why is this a security problem, and why is the NSA weighing in on it?

First a side thought.

When you enable DoH, assuming your DoH provider is NOT your ISP, your ISP can no longer see your DNS lookups, and as a result it is harder for them to sell your browsing habits. Many ISPs claim that they don’t sell your browsing data, and that may be technically true, but what they do sell is ads based on your browsing, so, really, same thing. The ISP universe created a huge snowstorm when DoH came out, saying how bad it was, because they could no longer monetize your data; now that at least some ISPs offer DoH services themselves, they have gotten over the problem.

In the corporate world, companies often use web filters to block content that they do not want their users to reach. It can be anything from objectionable content like porn, to time-wasting content like sports, to data-exfiltration channels like personal Dropbox accounts. Most of those filters key on DNS; if the company can’t see your DNS requests, filtering that content gets harder. In addition, DNS also resolves the names of internal systems, and if a user’s browser sends those queries to an unapproved external DoH provider, internal host names leak onto the Internet, which is probably not what the company wants from a security standpoint.

So what does the NSA say? Run your own enterprise DNS resolver (it can itself offer DoH to clients), point all devices at it, and block all other DNS, DoT and DoH services at the network edge, so that you as a company decide which DNS queries are visible externally and which ones are answered internally.

NSA has no problem with DoH itself; its point is that you should control how it is used on your network.
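As an added example of what “control how it is used” looks like in practice (this is my illustration, not code from the NSA document), the script below audits constructed outbound flow records against an assumed enterprise policy: one approved internal resolver (10.0.0.53) and one approved internal DoH endpoint (doh.corp.example), both invented for the example. It flags plain DNS (port 53) and DoT (port 853) to any other resolver, and TLS connections whose SNI names a well-known public DoH service. The flow format and all addresses are made up for the example.

```python
import ipaddress
import re

# Assumed enterprise policy for this example: the only DNS paths that should leave an endpoint.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
APPROVED_DOH_HOSTS = {"doh.corp.example"}

# Well-known public DoH endpoints that a browser can be pointed at with a few clicks.
PUBLIC_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# Constructed flow-log format: one connection per line, SNI is "-" when the flow is not TLS.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) sni=(\S+)")


def parse_flow(line: str):
    """Turn one flow-log line into a dict, or None if the line is not a flow record."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, proto, sni = m.groups()
    return {
        "src": src,
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
        "sni": None if sni == "-" else sni.lower(),
    }


def classify(flow: dict):
    """Return a policy-violation reason for the flow, or None if it is allowed."""
    if flow["dport"] == 53 and flow["dst"] not in APPROVED_RESOLVERS:
        return "plain DNS to unapproved resolver"
    if flow["dport"] == 853 and flow["dst"] not in APPROVED_RESOLVERS:
        return "DNS over TLS to unapproved resolver"
    if flow["dport"] == 443 and flow["sni"]:
        if flow["sni"] in APPROVED_DOH_HOSTS:
            return None                      # the enterprise's own DoH service
        if flow["sni"] in PUBLIC_DOH_HOSTS:
            return "DNS over HTTPS to public resolver"
    return None


def audit(log_text: str):
    """Run every flow in the log through the policy; return (src, dst, reason) for each violation."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append((flow["src"], str(flow["dst"]), reason))
    return findings


# Constructed sample flows: one allowed lookup, one rogue plain-DNS query, one DoT and one DoH
# bypass attempt, one use of the internal DoH service, and one ordinary HTTPS connection.
SAMPLE_FLOWS = """\
src=10.1.2.10 dst=10.0.0.53 dport=53 proto=udp sni=-
src=10.1.2.11 dst=8.8.8.8 dport=53 proto=udp sni=-
src=10.1.2.12 dst=1.1.1.1 dport=853 proto=tcp sni=cloudflare-dns.com
src=10.1.2.13 dst=104.16.248.249 dport=443 proto=tcp sni=cloudflare-dns.com
src=10.1.2.14 dst=10.0.0.80 dport=443 proto=tcp sni=doh.corp.example
src=10.1.2.15 dst=93.184.216.34 dport=443 proto=tcp sni=www.example.com
"""

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

The caveat is in the last rule: detecting DoH by SNI only catches resolvers you have listed, and Encrypted Client Hello will eventually hide the SNI too. That is exactly why the NSA’s advice is to block everything except your own resolver and to disable or pin the DoH setting in managed browsers, rather than to enumerate the bad ones.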

Here is a link to the NSA’s advice, with which we concur.

I’ll Teams You

Okay, so Teams is not a verb. But neither was Google, as in “go Google it.”

Attackers have figured out that while people are still learning collaboration tools like Teams and Slack, there is a lot of squishiness around the edges.

Say you are part of a Teams group that includes employees, contractors and vendors. Say you get a message that someone is going to connect with you. You assume that because you are inside this bubble, it is all secure.

But it is not.

What if that contractor’s credentials were compromised and it wasn’t even the contractor who sent you the message?

What if you get that Teams meeting invitation in email (I get most of mine that way)? And what if the link is actually malicious? (Have you looked at a Teams link? It is a long, opaque string, unlike a Zoom or GoToMeeting link, so a forged one is very hard to spot by eye.)
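Since a Teams link cannot be eyeballed, the check that matters is the one your mail gateway or a helpdesk script can do on the URL itself. The following is an added example of my own, not anything from the SC Magazine piece or from Microsoft: it pulls the link apart with the standard library and rejects the usual tricks, a non-HTTPS scheme, a fake host hidden behind `user@` in the authority, a punycode (IDN lookalike) host, and a host that merely contains the Teams name. The trusted-host list is an assumption for the example; adjust it to the Teams domains your tenant actually uses. The sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example; real deployments should verify it against their tenant's links.
TRUSTED_TEAMS_HOSTS = ("teams.microsoft.com",)


def check_meeting_link(url: str):
    """Return (is_trusted, reason) for a purported Teams meeting link.

    The check is on the authority part of the URL only; the long, opaque path is exactly what a
    human cannot verify, so the host is what has to be right."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:                     # e.g. unbalanced brackets in the authority
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    # "https://teams.microsoft.com@evil.example/..." parses with the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return False, f"credentials in authority; the real host is {parts.hostname}"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # Internationalized lookalikes reach the wire as xn-- labels; a Teams host never contains one.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode host {host} (possible lookalike domain)"

    for trusted in TRUSTED_TEAMS_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return True, f"host {host} is a Teams domain"

    return False, f"host {host} is not a Teams domain"


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking invitation and four common forgeries.
    samples = [
        "https://teams.microsoft.com/l/meetup-join/19%3ameeting_YWJj%40thread.v2/0?context=%7b%22Tid%22%3a%22x%22%7d",
        "https://teams.microsoft.com@evil.example/l/meetup-join/19%3ameeting_YWJj%40thread.v2/0",
        "https://teams-microsoft.com/l/meetup-join/19%3ameeting_YWJj%40thread.v2/0",
        "http://teams.microsoft.com/l/meetup-join/19%3ameeting_YWJj%40thread.v2/0",
        "https://teams.microsoft.com.evil.example/l/meetup-join/19%3ameeting_YWJj%40thread.v2/0",
    ]
    for link in samples:
        ok, reason = check_meeting_link(link)
        print("TRUSTED " if ok else "REJECT  ", reason)
```

Note what this does not do: a link that passes is still only a link to Teams, not proof of who created the meeting, and a compromised contractor account (the first scenario above) produces a perfectly genuine link. Host checking removes the cheap forgeries so that attention can go to the harder question of whether the sender is who they claim to be.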

Likewise, you might get a Teams request to share a file, but in a large group do you know whether that request is legitimate, or whether the file being shared is safe?

Researchers found one financial services firm whose Teams channel had been compromised for a YEAR.

The attackers did reconnaissance first. Very quietly. Hard to detect. They collected intel.

Then, when they saw someone ask for a file, they launched. They sent the file. Only it wasn’t the file; it was malware, and everyone who opened it was compromised.

For more details on how some of the attack scenarios work check out the SC Magazine link below. Note that this link is readable by humans; just hover over it.

It is up to companies to train their users on yet another attack method. Sorry.

Credit: SCMagazine

Or if you don’t trust links, here is the URL:

It’s Been A Bad Week for Parler and it is Only Monday

First Apple and Google removed the Parler app from both of their app stores.

Then Amazon kicked them off the AWS platform for violating its terms of service.

That would seem like a problem for most companies, but that was the good part of their week.

Yesterday a security researcher who goes by the nickname “crash override” said that she was “crawling URLs for all videos uploaded to Parler”. About a million of them, including ones that had been deleted or marked private.

In total, about 70 terabytes of users’ posts were pulled.

And indexed and made public by the researcher.

This includes videos made and uploaded during the riot.

Which can be tied to the Parler user’s ID, IP address, etc.

Which if they were inside the Capitol during the riot …

But that is not all.

Parler’s CEO said that many of its vendors have decided that Parler’s money is not worth the reputational damage of being associated with them. Actually, he didn’t say that. He said “every vendor from text message services to email providers to our lawyers all ditched us too”. You draw your own conclusion. Credit: The Independent

Apparently Parler encouraged people to upload their driver’s license to get a verified-person badge. Not great if the videos show you participating in a felony.

The researcher said that her plan is to archive every single post from the day of the riot. I am sure that the thousands of FBI personnel working on the case will appreciate her thoughtfulness. Credit: Gizmodo

The response of one Parler user was “It would be a pity if someone with explosives training were to pay a visit to some AWS Data Centers – the location of which are public knowledge.”

This is the “party of law and order”.

As of the writing of this post, if you try to go to Parler’s web site you get a site not found message.

Parler has filed a lawsuit against Amazon and is trying to get a TRO.

Reports say that the researcher was able to exploit a weakness in Parler’s API. This is not a big surprise, as APIs are notoriously hard to secure: every endpoint needs its own authorization check and rate limit, and content that is “deleted” or “private” in the user interface is only as private as the API behind it.

From what I understand, Parler has some deep-pocketed investors, but will they be willing to pony up more money after this? And will users come back after their privacy was destroyed? All of this remains to be seen.

Suffice it to say, this story will be in the news for a while, and if I were someone who had posted anything on Parler, I would be nervous the next time there is a knock at the door.