What is the Back Story on China’s Hack of Microsoft Exchange Servers?

One possible answer is that they wanted to steal your email, impersonate you and use your email accounts to send spam and malware. This is certainly possible, but there is another, more sinister possibility.

What if – China was looking for mountains of data to train its AI systems?

The attacks gave them tens of billions of messages, calendar information and other files.

That translates to trillions of bits of information.

This is what some government officials and security experts are saying.

And, of course, this is in addition to all the data that they have already stolen.

This includes, for example, entire security clearance files from the OPM breach, medical records from the Anthem breach, travel information from the Marriott breach and financial information from the Equifax breach.

William Evanina, former director of the National Counterintelligence and Security Center says that the Chinese have more data on the average citizen than we do.

Sounds a bit scary to me. Credit: The Register

Cali AG Tells Us About His CCPA Hot Buttons

California AG Rob Bonta has been enforcing the California Consumer Privacy Act for over a year now and we are learning what he doesn’t like.

One bit of good news that we learned is that the notices of violation that he sends out trigger a 30-day cure period, and that seems to be working.

He said that 75% of the businesses that received a notice fixed the violation. Some of the rest are still in that 30 day period. The remaining, well, they are in trouble.

He published a list of 27 case examples of non-compliance and why. The examples are anonymous. It appears that he is trying not to turn non-compliant businesses into villains – as long as they clean up their acts. This is a good thing for businesses.

As a warning, a lot of the notices were related to privacy policy issues.

There is some argument about opt out, however, and hopefully that will get cleared up. Soon. The AG says that businesses have to comply with global opt out flags that some browsers can send.

Businesses don’t like that. They want to make it as hard as possible, if not impossible, for consumers to screw up their business model. In fact, a number of the examples that the AG talked about were related to that specifically – that companies were making it hard to opt out.

The conflict with the global opt out flag is that the CPRA (think of that as CCPA revision 2) allows businesses to choose between honoring global opt out OR via a DO NOT SELL link.

Obviously businesses figure if people have to opt out a hundred times a day and try to remember where they opted out and where they didn’t they will get tired of that and let businesses continue to sell their data. This is versus setting a one time flag and not having to worry about it ever again. This does not appear to be a technical issue, but rather a desire not to have their apple cart turned over if a lot of people say don’t sell my data.

The AG, however, has created an online privacy tool. Using this tool, a California resident can answer a few questions and, if the business fails, the tool collects information to identify who is complaining and what the business is, and creates a draft notice for the consumer to send to the business. Note that filling out this form does not mean the business is a scofflaw, but it does put the business on the AG's radar.

It is important to understand that this 30 day cure period goes away when CPRA goes into effect on January 1, 2023, so consider this a gift and not a way of avoiding the problem.

Credit: Ballard Spahr

Security News for the Week Ending August 27, 2021

Third Party Risk – You Can Ignore it, But It Won’t Ignore You

DataBreaches.net is reporting that a hacker claimed to have hacked an HVAC vendor and remotely accessed systems at the vendor’s customers. One of those customers is reported to be Boston Children’s Hospital. The HVAC vendor is reported to be ENE Systems in Canton, Mass. The hacker showed the reporter schematics and wiring diagrams that the hacker claimed were taken at Children’s Hospital. The hacker attempted to extort ENE after the breach. Hopefully, the affected hospitals, including Mass General, did a good job of isolating the affected systems from the rest of the network, but if so, that would be unusual. I’m hoping. Credit: Info Risk Today

Samsung Can Turn Off Any Samsung TV Worldwide Remotely

Samsung admitted/announced that they can turn off any of their TVs worldwide remotely. The idea is to kill the market for stolen TVs. The TV checks if it is on a stolen TV list and if it is, they shut it down. However, if they turn it off by mistake, you better hope you kept your receipt. They say if you can prove you bought it legally and have a valid TV license (whatever that is), they can turn your TV back on in as little as 48 hours. Otherwise, you have a really expensive paperweight. Of course, if you are like me and think the only smart TV is one that is not connected to the Internet, their solution doesn’t work. On the other hand, I wonder what happens when they get hacked. Now that it is known, hackers might choose to have fun at Samsung’s expense. Credit: Bleeping Computer

Ransomware Gang Targets Specific File Types

Researchers found a PowerShell script used by the Pysa ransomware gang that shows exactly what sort of file names they are looking to steal. Those include tax files like 941, 1040 and 1099, insurance files, scans, payroll, Pwd and others. See a more complete list here.

What Not to Put in Checked Baggage

The TSA has a long list of things that you cannot legally put in checked baggage, like fireworks, but then there are really stupid things to put in your checked luggage. An Alaska Airlines passenger checked their cell phone in their baggage and, as the plane landed, the phone caught fire (possibly due to the change in altitude?). The Port of Seattle Fire Department responded, the 182 people on the plane were evacuated and this passenger will not get the information off their phone. Note that this is not illegal, just not smart. There were some injuries and everyone had to be bussed to the terminal. Credit: MSN

White House Cybersecurity Summit – Big Yawn?

President Biden staged a big photo op yesterday at the White House to discuss how to improve cybersecurity. As we all know, those kinds of meetings, no matter which party is in the Big House, are not actually held to accomplish things; they are for show. So what came out of this dog and pony event? Actually, a couple of things might, possibly, have some substance.

  • NIST will collaborate with industry to develop a new framework to improve the security and integrity of the tech supply chain. The good news is that Microsoft, Google, IBM, Travelers and Coalition (insurance) agreed to participate. The bad news is that the standard will be voluntary. For now. The Prez could sign an EO making it mandatory for executive branch departments AND THEIR VENDORS.
  • The administration is expanding the industrial control systems (ICS) cybersecurity initiative to natural gas pipelines. The TSA, which has responsibility for regulating pipelines and has a very cozy relationship with the pipeline operators, probably got taken out to the woodshed.
  • Apple agreed to establish a new program to improve the security of their supply chain, which includes more than 9,000 vendors in the U.S. They are going to shove MFA, security training, vulnerability remediation, event logging and incident response down their vendors’ throats. Generally good for industry. Probably not as exciting if you are an Apple supplier. Depending on whether they actually enforce it.
  • Google announced it will spend $10 billion over five years to expand zero-trust programs, help secure the supply chain and enhance open source security. It will also help 100,000 people earn certificates related to cybersecurity. Who? Unknown. What? unknown. When? Unknown. You get the idea. How much of that $10 billion were they already spending? Unknown.
  • IBM says it will train 150,000 people in cybersecurity skills over the next three years (are they going to tell people don’t click on links?). They will also partner with historically black colleges to establish cybersecurity leadership centers. Whatever that means. Could, possibly, be good.
  • Microsoft will spend $20 billion over 5 years to integrate cybersecurity by design and build cybersecurity products to sell you and me. They will also make the equivalent of $150 million of their staff’s billable time to help government agencies improve their horrible security practices. They will also expand their partnerships with community colleges and non-profits on cybersecurity training. Who, what, when, how all undefined. Is this a penny more than they have been spending? Also unknown.
  • Amazon will make the security awareness training it uses internally publicly available for free. Depending on how good that is, that could be a win. They are also going to give away some multi-factor authentication hardware tokens.
  • Now here is something that will make some people UNhappy. Resilience insurance said it will require policy holders to meet a threshold of cybersecurity best practices if they want to keep their insurance policies. Or get a new one. Not clear what that threshold is.
  • Coalition insurance said it will make its cybersecurity risk assessment tool (this is a tool that looks at publicly visible data to detect problems. There are a number of people who do this, but they charge a lot of money. If they give this away for free, that is good) available to anyone for free and it will also make its continuous monitoring platform available for free. Depending on what is in it, that could be very useful.
  • Code.org says it will teach cybersecurity concepts (again, don’t click on links?) to over 3 million students in 35,000 classrooms over 3 years. Were they doing this already? Don’t know.
  • Girls Who Code, a non-profit that works to increase the number of women in tech (a passion shared by super-model Karlie Kloss, who, yes, codes, and whose Kode With Klossy runs a girls-only coding bootcamp every summer), announced a micro-credentialing program for historically underrepresented groups. This is great, but I don’t know if this is an increase over what they were doing.
  • The University of Texas said it will expand existing short-term credentials in cyber-related fields and develop new ones to increase the workforce. They are going to do it through UT San Antonio’s cybersecurity manufacturing innovation institute. This is outside a normal college degree program, but it is not clear how it will work.
  • Whatcom Community College said it will be a new National Science Foundation Advanced Technological Education National Cybersecurity Center. They will provide education and training to faculty and support program development to make cyber education in colleges more practical. Again, who, what, where, when and how much are all undefined.

While I am a bit skeptical as you can tell, you can’t argue with the concepts.

We need to keep these companies’ feet to the fire to make sure that they follow through.

Credit: The White House

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created less than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

For most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different from iris or retina scans. Those use completely different technologies, are much more expensive and complex, and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

Ford Patents Distracted Driving

Maybe I should title this “what could possibly go wrong”. This is not specifically a security issue, but it could be. Mostly it is a safety issue.

In new cars, you have a big ole screen in the front. It is designed to replace the dash controls and instruments.

If you are Ford and you are looking for new revenue streams as people are buying fewer cars, you come up with one and patent it.

What if Ford figured out where you were on the road and what billboards (or stores, or whatever) you were passing and threw up an ad on that screen? After all, those self-driving cars have a bunch of cameras. Surely they could lock onto an image that a company paid Ford to display.

After all, what could possibly go wrong if Ford displays an ad for that big sale at the XYZ store. Surely you are not going to look at that ad instead of crashing into the car in front of you.

Oh, wait, that is not what they meant.

Of course, if the car is fully self driving. FULLY. self driving. Maybe that wouldn’t be such a risk. Are they only going to display ads when the car is in full self-driving mode?

Is the driver going to hit the brakes when he or she sees an ad that attracts him or her? I guess that will test all of the other cars’ collision avoidance systems.

Of course, I am sure, it would be impossible to hack. Picture this. Your car is now encrypted with ransomware and if you want to drive it again, pay us 1 Bitcoin.

What could go wrong? The possibilities are limitless.

Credit: Ford