Security News for the Week Ending July 30, 2021

Internet Rot Causes Porn on Legit Sites

News sites like New York Magazine and others accidentally displayed porn because they had links to the old and now-gone Vidme video sharing site. Vidme went out of business in 2017 and a porn site bought the domain. Since there is no easy way for web site operators to detect that a linked site has been sold, and since there are billions of old pages out there, you have the makings of an embarrassing disaster. Needless to say, the web sites fixed this little bit of rot, but there are millions of other bits of rot lurking. Credit: Wired

Ex eBay Security Boss Sentenced to 18 Months for Cyber-stalking and Witness Tampering

The former global security manager for eBay was sentenced on Tuesday to 18 months in prison and was ordered to pay a $15,000 fine for his role in the cyber-stalking and harassment of a Massachusetts couple who published a newsletter critical of the internet yard sale. Philip Cooke, a former police captain before joining eBay, was the last of 7 charged in a scheme to threaten and silence a couple who wrote a blog that was negative about eBay. eBay executives say that they were not aware of the tactics, but... really? Credit: The Register

9th Circuit Limits Feds’ Confiscation of Electronics at the Border

The 9th Circuit Court (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, Mariana Islands, Oregon and Washington) ruled that border agents, who until now have had a complete free-for-all with your digital devices, are severely limited in what they can search for without a warrant. They can ONLY search for digital contraband such as child porn. Under the Trump administration, CBP had a blacklist of reporters, humanitarian workers and lawyers and would regularly seize their phones and laptops under the ruse of Homeland security and copy all of their content. Assume this will wind up at SCOTUS sometime in the next 5-10 years, but in the meantime, this is the law in the western US. Credit: The Washington Times

Ransomware Up 93% in Last 6 Months Adding TRIPLE Extortion

In a report, Check Point Security says that overall cyber attacks are up 17% in the US and 36% in EMEA over the first 6 months of the year. But, they say, ransomware is up 93%, driven by ransomware 3.0. For those not following this, in ransomware 1.0, the crooks just encrypted your data. In ransomware 2.0, they steal it first, then encrypt it and threaten to release it if you have good backups and don’t want to pay. In ransomware 3.0, they steal it and encrypt it, but also try to get your customers, whose data they have stolen, to pay. Credit: Cyber News

DOJ Admits Hackers Got Into Emails of 27 US Attorneys’ Offices

7 months after the SolarWinds attack was announced, DOJ now says that Russia was able to browse their emails between May and December, including sent, received and stored, and also including attachments. DOJ admits that Russia had access to at least 80% of employees’ emails in the Eastern, Northern, Southern and Western districts of New York. They also got access to emails in California, DC, Florida, Georgia, Kansas, Maryland, Montana, Nevada, New Jersey and 6 other states. Credit: Bleeping Computer

How to Defend Against NSO Spyware

Or at least try!

The NSO Group is the Israeli company that sells spyware to governments. And which evidence suggests also sells to all forms of unsavory characters, although they deny that.

Evidence also says that they target journalists, activists, business executives and lawyers around the world.

But they come from the Wernher von Braun school of rocketry – once they go up, who cares where they come down. They say that how their customers use the software is not their business.

While iPhones are usually good at stopping malware, in this case they are about as secure as a screen door against NSO’s Pegasus software.

While there is no such thing as perfect security, that doesn’t mean that you should just give up and allow the hackers in. The Pegasus software gives the hackers unlimited access to a target’s mobile device. It allows the hacker, which may be a government, to:

  • Remotely and covertly collect information including
      – location
      – relationships
      – phone calls
      – plans
      – activities
  • Monitor voice and VoIP phone calls in real time
  • Siphon contacts, passwords, files and encrypted content from the phone
  • Use it to monitor the room around the phone by turning on the microphone
  • Monitor the phone’s location
  • and, monitor connections through apps like WhatsApp, Facebook, Signal and other apps

All that being said, it is just an old-fashioned remote access trojan.

So, what can you do to even the odds?

  1. Avoid clickbait – text messages or WhatsApp messages that try to get you to click on a link (and install the malware). The messages may appear to come from your bank, for example.
  2. Separate sensitive work from non-sensitive work on different devices. I know that is a pain, but so is getting hacked.
  3. Use out of band verification if you get a link that you are not expecting

That is just one form of attack. Another is to intercept unencrypted web traffic and redirect it to malicious sites. To help thwart this:

  1. Always type the HTTPS:// in front of the URL
  2. Bookmark known sites and only go there from the bookmarks
  3. Use a VPN

Unfortunately, there are also zero-click exploits, ones that you don’t have to interact with to get infected. There was a recent iMessage attack that worked like that. Just send you a malformed iMessage and you were infected. To reduce the odds of this working:

  1. UNINSTALL **ALL** apps that are not absolutely essential
  2. Regularly audit your apps to make sure there are none there that you don’t need
  3. Regularly install all patches to the OS and apps – but only do that when you are on a trusted network
  4. Use a tamper bag to stop a phone from communicating with its handler when you are not using it

Obviously, the simplest attack is physical access. To help thwart this:

  1. Keep your phone under your control at all times
  2. Do not believe the myth that hotel room safes are secure. They are not.
  3. Put your device in a tamper-evident bag if you need to leave it somewhere. At least that way you will know if someone attempted to get into it.
  4. Use burner phones and change them like underwear

I know that all of this is a pain in the rear. You have to decide what your level of paranoia is.

Remember: Security or convenience, pick one.

Credit: The Intercept

How Long Does it Take to Fix Your Bugs?

The average time to weaponize a new bug is seven days. That means that you have about half that time to harden your system against that attack. Almost no one regularly patches serious bugs that quickly. In 2019 Threatpost said that it took organizations 102 days to patch (see link above). That was in 2019.

What has happened since then?

NTT Application Security says that the average time to fix is on the rise while the time for severe bugs is down a little bit.

NTT says the average time to fix vulnerabilities has dropped since last month from 205 days to 202 days.

Note that is basically double what it was in 2019. Down is a relative term.

That number is actually up since January 1. In January the average time was 197 days.

The average time to patch “high” vulnerabilities grew from 194 days in January to 246 days in June.

Remediation rates for critical vulnerabilities fell from 54% in January to 48% in June. The rate for high vulnerabilities fell from 50% at the beginning of the year to 38% at the end of June.

NTT is in the business of managing companies’ security, so they have a lot of actual data.

More than 65% of applications in the utilities sector had at least one serious bug throughout the year – exploitable bugs.

Given that it takes hackers no more than 7 days to figure out how to exploit bugs and it takes businesses 200+ days to deploy patches, it is not surprising that hackers can take down a gasoline pipeline or almost poison a water supply. Or ransom thousands of companies.

Even if the numbers were flat since January, which they are not, that still means 7 days for the hackers, 200 days for the defenders.

And then there is the part about 65% of the applications in the utility sector not being fully patched during the entire year. That’s pretty scary.

Of course, there is almost no consequence for businesses to ignore the problem.

After all, they are the victims.

I’m not so sure.

Credit: ZDNet

How Does Your Lawyer Protect Your Data?

Law firms are a target for hackers. After all, what does a law firm do? They know where the proverbial bodies are buried.

Case in point.

Campbell Conroy & O’Neil, law firm to companies like Apple, Boeing, Exxon Mobil, Ford, Honda, IBM, Toyota and many others, suffered a breach.

They discovered the breach in February. They are not saying when the breach happened or how long the hackers were inside the company.

They are also not saying why it took them five months to report the breach. Depending on what states are affected, that could be a breach of state law.

They eventually figured out that they were hit by a ransomware attack. Possibly it took them several months to figure out what was taken. Maybe?

Among the data potentially stolen were names, dates of birth, driver’s license numbers, payment card info, medical info, health insurance info, biometric data and account credentials. Among other stuff.

Not to worry, however. The firm takes its responsibility to protect the data that they didn’t protect seriously.

And to show you how serious they are about your security, they are reviewing their policies and procedures and working to implement additional safeguards.

Of course, they are not saying what corporate information was taken that belongs to any of their Fortune 100 clients. They are not required to disclose that by law.

That brings me to the point of this post.

Your law firm or firms have a lot of sensitive information of yours. Potentially lawsuits, mergers and acquisitions, employee information, patent information and more.

Most law firms, in their standard boilerplate engagement letters say that security is hard and they are not responsible if anything bad happens.

Is that acceptable to you?

If not, then you need to be proactive.

Ask the firm about their security practices. Who at the firm is accountable for security?

How soon do they have to notify you if they have a breach? Five months is a long time. DoD requires their contractors to tell them within 72 hours.

Do they have cyber insurance? Who takes the lead in case of a breach?

There are lots of questions and, in many cases, law firms are either not prepared to answer your questions or don’t want the liability for their answers.

And, you want the answers in writing. Which they really won’t like.

Your call. How important is your information?

Credit: Campbell Trial Lawyers

Google Says They Don’t Sell Your Data – That is True, They Give it Away!

Google is being sued. Again. This is not news. What is news is why they are being sued.

Google says that they don’t sell your data. While that may be accurate, they do, according to a new lawsuit, give it away to anyone who wants it.

How does that work?

Google sells ads. While some of those ads are blind, meaning that the buyer does not know who it is being presented to, those ads don’t sell for much. My kids are fully grown. Showing me a diaper ad is not terribly useful to the diaper company. I am highly unlikely to buy any diapers any time soon.

Most ads are sold using Google’s real time bidding system. This bidding happens in a blink of an eye.

It works something like this.

You visit a web page. The site owner has a deal to buy ads from Google. While the page is loading, the site owner tells Google that it has a box that is so many inches by so many inches available.

They also tell Google everything they know about you. This includes everything the browser tells them like your system information and IP address and any other information the site owner has about you. Then Google adds information it knows about you based on other data they have collected from other sites you have visited and other data that they have bought.

So far, it would appear, they are not lying.

But they also have not sold any ads.

What happens next is this. Google provides all of this information to anyone who is bidding for ads at the moment. That entire collection of data is provided, free of charge, the lawsuit says, to all of the potential buyers.

In the blink of an eye, someone wins the bid and Google charges them and gives the ad to the website to display. This could be Facebook. Or your web site if you display ads.

But what happens to all that data that was sent to the losers?

According to the lawsuit, they get to keep it.

Some people bid on ads with the intention of NOT winning. All they want is your data. They offer to pay a penny knowing that they will never win. Maybe they have to shell out a few pennies if literally no one else bids.

After the bidding period (blink) is over, they can take that data, aggregate it and sell it. Or use it in some other way.

This is the crux of the lawsuit.

If there are a hundred bidders for that ad, or a thousand, they all get to keep the data, according to the plaintiffs.
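The bidding round described above, as an added simulation that is not from the article or from Google: a publisher’s bid request carrying the user’s IP, browser info and profile is broadcast to every bidder, a one-penny “harvester” bids to lose, and the check at the end shows who is still holding the data once the auction is over. The `minimize` function goes beyond the article to contrast a hypothetical exchange that ships only the ad slot; all names and sample values are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample bid request, standing in for what the article says the
# site owner and Google hand to bidders: browser/system info, IP address and
# Google's own profile data. Values are made up (IP is from a documentation range).
SAMPLE_REQUEST = {
    "slot": "300x250",
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (constructed sample)",
    "profile": {"age_band": "55-64", "interests": ["travel", "golf"]},
}

SENSITIVE_FIELDS = ("ip", "user_agent", "profile")


@dataclass
class Bidder:
    name: str
    bid_cents: int
    retained: list = field(default_factory=list)  # every request this bidder saw

    def on_bid_request(self, request):
        # The request arrives before any bid is placed, so a bidder can keep it
        # whether or not it goes on to win. A one-cent bid still gets the data.
        self.retained.append(request)
        return self.bid_cents


def run_auction(request, bidders):
    """One simplified RTB round: broadcast the request, collect bids, pick a winner."""
    bids = {b.name: b.on_bid_request(dict(request)) for b in bidders}
    winner = max(bids, key=bids.get)
    return winner, bids


def parties_holding_data(bidders):
    """Every bidder that ends the round holding a copy containing a sensitive field."""
    return sorted(
        b.name for b in bidders
        if any(any(f in r for f in SENSITIVE_FIELDS) for r in b.retained)
    )


def minimize(request):
    """Hypothetical data-minimizing exchange: ship only the slot, not the profile."""
    return {k: v for k, v in request.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    bidders = [Bidder("AdCo", 120), Bidder("OtherCo", 90), Bidder("Harvester", 1)]
    winner, _ = run_auction(SAMPLE_REQUEST, bidders)
    print("winner:", winner, "| holding user data:", parties_holding_data(bidders))
```

Only the winner pays, but every bidder, including the one-cent harvester, ends the round with the full request; with the minimized request nobody does.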

You would think Google would care, but maybe, because they collect so much data every second, they don’t.

I guess we will see how this plays out in court. Credit: Law Street Media

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public outing, in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, managed by NERC and FERC, has done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and for the remaining 8 it is unknown how badly they were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches. In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even fewer morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.