Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted messaging app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cell phones for law enforcement. Cellebrite claims to be able to crack Signal’s messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the meantime he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Cellebrite. Credit: Hackread


Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 months’ worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our drivers’ licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states’ drivers’ license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting drivers’ licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, less than half of the drivers’ licenses in circulation have been updated to meet the requirement. Credit: CNN


Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, that every connection between your IT network and your OT networks increases the attack surface. Credit: Cyberscoop
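The review the feds are asking for starts with an inventory of every rule that lets IT traffic reach OT. The script below is an added example, not code from the article or from any agency: it takes a constructed rule set in a made-up "name,src,dst,port,action" format, assumed IT and OT address ranges, and flags every allow rule whose source overlaps IT (or is unrestricted) and whose destination overlaps OT. Overlap rather than containment is used on purpose, so a broad 0.0.0.0/0 source is still caught.

```python
"""Flag firewall rules that permit traffic from IT subnets into OT subnets.

Added example, not from the original article. The zone ranges, the rule
format and the sample rules are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: IT and OT live in separate address ranges (constructed).
IT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]
OT_ZONES = [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("10.200.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or single address
    dst: str
    port: str     # "any" or a port / range string
    action: str   # "allow" or "deny"


# Constructed sample rule set, one rule per line.
SAMPLE_RULES = """\
corp-to-historian,10.10.0.0/16,192.168.100.10/32,any,allow
jump-host-to-plc,10.10.5.5/32,10.200.1.0/24,502,allow
ot-to-internet,10.200.0.0/16,0.0.0.0/0,443,deny
corp-to-corp,10.10.0.0/16,10.10.0.0/16,any,allow
anything-to-ot,0.0.0.0/0,10.200.0.0/16,22,allow
"""


def parse_rules(text):
    """Parse the constructed CSV-like format into Rule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, src, dst, port, action = (f.strip() for f in line.split(","))
        rules.append(Rule(name, src, dst, port, action.lower()))
    return rules


def _overlaps(cidr, zones):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(z) for z in zones)


def it_to_ot_allows(rules):
    """Return (rule name, severity) for every allow rule crossing IT -> OT.

    Severity is "high" when the rule is open on all ports or its source is
    unrestricted; otherwise "review", since a scoped jump host is still a
    crossing that should be documented and justified.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not (_overlaps(r.src, IT_ZONES) and _overlaps(r.dst, OT_ZONES)):
            continue
        src_net = ipaddress.ip_network(r.src, strict=False)
        severity = "high" if r.port == "any" or src_net.prefixlen == 0 else "review"
        findings.append((r.name, severity))
    return findings


if __name__ == "__main__":
    for name, severity in it_to_ot_allows(parse_rules(SAMPLE_RULES)):
        print(f"{severity:6s} {name}")
```

Run against a real export, the "review" entries are the list of crossings that need an owner and a reason; the "high" entries are the ones to close first.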

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

8% of Companies That Pay Ransom Get All of Their Data Back

Well, that is a pretty depressing headline, but that is what the statistics say.

According to a Sophos study, the average cost of a ransomware attack jumped from $761,000 to $1.85 million over the last year. The average ransomware payment is now $170,000.

More worrisome, only 8% of the organizations say that they got all their data back. 29% said they got less than half of their data back.

In part this is not because crooks are dishonest. They are just not great at developing software that works – no different than the rest of us. So, when you pay the ransom, only then do you find out that their software is buggy and cannot decrypt your data.

Fewer organizations were attacked last year – the number fell from 51% to 37% and fewer of them had to deal with encryption. That number fell from 73% to 54%.

What the hackers have figured out is that you steal the data and then threaten to publish or sell it if the company doesn’t pay up. That is almost impossible to defend against unless you just keep the hackers out.

Now here is a bit of bad news. The number of companies that paid the ransom increased from 26% to 32% – even though only 8% said they got all of their data back. That may be because they don’t want their data on the front page of the New York Times.

And, recovering can take years. Even if you pay the ransom, you still have to recover the data that you lost and you have to rebuild your systems from the ground up because you certainly can’t trust a previously hacked system. Then you have to figure out how to harden them. And, of course, there are lawsuits. And on and on.

So what should you do?

  1. Assume you are going to be hit and plan to deal with it.
  2. Make backups. Several copies. Make sure that at least one is offline. You can’t hack what you can’t get to.
  3. Build layers of protection. One solution will not stop everything, no matter how great it is.
  4. Use human experts. Smart people with smart software are more secure than software alone.

And if you don’t have the skills in house – well (plug) hire us or (not) someone else. Don’t hope you are going to skate by. Hope is not a strategy. Credit: Help Net Security

Supply Chain Attacks – It’s the New Thing

The most famous supply chain attack of the last few years was the SolarWinds attack. That attack was a home run for the Russians. Other hackers (or maybe the same ones) thought that was a great attack vector. Now it seems to have become quite popular.

Then came DevOps tool provider Codecov. Hackers compromised Codecov, then they stole the software that was inside their customers’ code repositories. Codecov offers software testing tools. The hackers found a weakness in their code upload process, which gave the hackers access to any code that was uploaded. Sometimes developers are stupid and hard-code credentials into their code.

HashiCorp is a client of Codecov. Some of HashiCorp’s clients used the compromised Codecov software. HashiCorp said that their private PGP (GPG) signing key was exposed. That means that the attackers, if they knew what they had, could have signed malware with HashiCorp’s key and presented it to their customers as legit.
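The Codecov and HashiCorp paragraphs above both come down to secrets that should never have been in uploaded source: hard-coded credentials and private signing key material. The scanner below is an added example, not code from the article, from Codecov or from HashiCorp. Its three patterns are a deliberately small illustrative set, and the sample source it runs over is constructed (the key id matches only the format and is not real). Something of this shape run as a pre-commit or CI step is the cheap check that limits what an upload-path compromise can leak.

```python
"""Scan source text for hard-coded credentials and private key material.

Added example, not from the article, Codecov or HashiCorp. The pattern set
is illustrative and the sample source below is constructed.
"""
import re

# (label, regex). Order matters: the first matching label is reported per line.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    # A literal string of 8+ chars assigned to a password/secret/key/token name.
    ("assigned_secret", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Constructed sample source. The key id and PGP body are made up.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
DB_PASSWORD = "hunter2hunter2"
client = boto3.client("s3")
password = os.environ["DB_PASSWORD"]   # fine: read from the environment, not a literal
SIGNING_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
dGhpcyBpcyBub3QgYSByZWFsIGtleQ==
-----END PGP PRIVATE KEY BLOCK-----"""
'''


def scan(text):
    """Return (line number, label) for each line that looks like a leaked secret.

    One finding per line is reported; a line that matches several patterns
    is still one place to fix.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((lineno, label))
                break
    return findings


if __name__ == "__main__":
    for lineno, label in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

The environment-variable line is the point of the third pattern: it fires only on a quoted literal, so code that reads the secret at runtime passes while the literal assignment two lines above it does not.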

Codecov has (or had) 29,000 customers. HashiCorp was one of them. They dodged a bullet by detecting the compromise. What about the other 28,999 clients?

Next comes Australian password manager firm Click Studios, makers of Passwordstate. Their software update process was compromised and a malware-loaded update was live for 28 hours. The good news is that they detected it in a day. The bad news is that they are telling their customers to change all of the passwords they had stored in the software. Given that they also had 29,000 customers – unlike the big password manager firms who have millions of customers – it affected a small population. And many of these password managers offer a feature that lets the software automatically reset all of your passwords, making things a little easier. For those of you who use password managers, two thoughts. First, use one of the big products – they have the money to implement better processes. Second, even with the rare breaches of password manager software, and they are very rare, it is still better than people doing what they do otherwise – pick password123 as their password for many sites.

These are just the supply chain attacks this month.

You have a lot of suppliers. Those suppliers have suppliers. You use cloud software like HashiCorp. They have suppliers too.

The matrix of all of your suppliers and their suppliers and so on is large. Very large.

That means you need to improve upon your plan because the attackers seem to have figured out a weak spot.

Note that they haven’t stopped doing everything they were doing before. Your attack surface just got larger.

Sorry to be the bearer of bad news.

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5.

Since Apple does not make most of their money from selling your data, and Google, one of their biggest competitors, makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, they get to poke a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, it is likely that data is data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users’ initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale given the tens of millions of users who will get to have a small voice, finally.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair to say that some businesses, likely mostly large ones, will have some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that if you say yes, they won’t collect any more data than they already do now; it will just mean that they can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN

Security News for the Week Ending April 23, 2021

USTRANSCOM Starts CMMC Lite Now

The DoD’s transportation command, the folks who are in charge of getting all the stuff that the military needs from where it is to where it needs to be, has announced that they are implementing a light version of CMMC NOW instead of waiting for the five years that it is going to take DoD to fully roll CMMC out. The plan for TRANSCOM is to be able to confirm or deny cyber compliance, they say. This is even though the DoD delayed its report to Congress on vendors’ compliance with CMMC. It was due in March but now won’t be ready until June. TRANSCOM’s plans come at the same time that some are complaining that security is too hard and too expensive – even though they have been certifying for three years that they were fully compliant with the standard. Now that someone is actually saying “prove it”, they are saying it is hard. The move to actually protect our nation’s service members and information from our adversaries will not be easy, as we learned when the SolarWinds attack was revealed, but that doesn’t mean that we should not do that. Credit: Federal Computer Week

FCC Allocation of New Bandwidth for WiFi – A Duel to the End

Last year, as WiFi usage skyrocketed, the FCC allocated 1200 MHz of bandwidth in the 6 GHz range for unlicensed WiFi. But the problem is that someone’s ox will always get gored since there is no “unallocated” bandwidth. While this is great news for WiFi 6, the new WiFi standard (and WiFi 6E in particular), the people who currently use that bit of spectrum (like some carriers and first responders) are not thrilled. Last October, the DC Circuit Court of Appeals denied a request for an emergency stay, even though the court said that they would hear the arguments later. Last month the incumbents made their case in court, arguing that this FCC order would interfere with them. Now oral arguments begin. No one knows how this will end, but the fight is just starting. If, however, the courts refuse to issue a stay, it is going to be a moot point.

After Google gets you Hooked, they Are Changing the Rules

For Google Photos, effective June 1, 2021, and for Google Drive, effective February 1, 2022, all that free unlimited storage is gone. NEW files uploaded to your account after the effective dates will count toward your storage quota, whatever that quota is. To ease the sticker shock, existing files will be grandfathered in. You can see what your storage usage is here.

Google and Microsoft are Fighting – Can You Imagine That?

Google is trying to figure out how to track people to sell advertising as state privacy laws make that more difficult. Their newest invention is something named Federated Learning of Cohorts. It has been widely criticized by privacy folks. In short, it puts users in anonymous (supposedly) buckets by behavior and tries to show you ads based on what FLoC you are in. It is turned on in Chrome 90 and I don’t see a way to turn it off. Microsoft did not include it in their new build of Edge. Take that, Google! Credit: Bleeping Computer

EU Creates AI Rulebook

The European Commission released a draft version of a new regulation on the use of AI – the first time a regulator has proposed to do this. The EU says this rule is to create transparency in the use of AI and ban “systems considered a clear threat to the safety, livelihoods and rights of people”. Whatever that means. It also is proposing stricter rules on the use of biometrics such as facial recognition. Here is the draft rule.

What Will the New State Privacy Laws Mean

As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?

Most companies are likely going to implement a strategy of “this state is the most aggressive; let’s follow this one and we should be good for all the rest.” This is MOSTLY true; each state has some quirks, so what does this look like? This is what Ballard Spahr says:

The only one of these that is not LAW YET is Washington.

Here are a couple of interesting hand grenades.

For companies processing personal information that presents significant risk to the consumer’s privacy, CPRA requires an annual cybersecurity audit and delivery of a copy of the risk assessment to CPPA (the regulator) on a regular basis. Details to follow.

What does sensitive personal information mean? It depends.

For California, it means SSN, driver’s license, passport, financial accounts, credit or debit cards, geolocation info, race, religion, genetic data, union membership, sexual orientation and other information. Florida doesn’t define it. Virginia and Washington say it includes race, religion, medical, genetic, biometric, geolocation, PI of a minor, sexual orientation and citizenship status. While a lot of companies do not collect this info, some do.

Washington and Virginia require a Data Protection Assessment if you use the information for targeted advertising, sales, profiling where risks are involved, sensitive PI as described above or activities with heightened risks. Whatever that means. Sales probably includes most everyone.

You must provide a copy of the DPA to the state AG if he or she asks nicely. No subpoena required.

Next you have to worry about opt out notices. For California, you have to give both a do not sell and a limit use of sensitive data notice, although they can be combined. Florida only requires a do not sell link. Washington and Virginia are quiet about it, but it could be defined in the regulations. We see a lot of that in California.

Finally, how much is it going to cost you if you screw up? California and Florida have a private right to sue you and can nick you for statutory damages of up to $750 per record or actual damages if more. In all four states the AG can nick you for up to $7,500 per record for intentional action, if minors are involved. Virginia and Washington add their attorneys’ fees and costs to the mix.

Needless to say, it is probably better to follow the rules.

Credit: Ballard Spahr