Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – On Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message that asks if you made a Zelle payment in the amount of $X. If you respond to the text with anything, you will get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not password), then initiates a password reset and asks you for the PIN that your bank sends to complete that reset. With that, the scammer empties your bank account. For more details, see the Brian Krebs account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and discovered that 77% of the attempts to brute force a password used passwords of 7 characters or less and only 6% used passwords of over 10 characters. Also, only 7% of the attempts used a special character. This gives users some parameters for constructing passwords. Credit: The Record
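If you run your own SSH honeypot, the same three ratios the article cites can be pulled straight from its logs. The following is an added example, not code from the article or from Microsoft; it assumes a cowrie-style line format ("login attempt [user/password] failed") and uses constructed log lines with documentation-range IP addresses.

```python
import re
from collections import Counter

# Constructed sample of honeypot log lines in a cowrie-like format.
# The format and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses
# are assumptions for this example, not data from the article.
SAMPLE_LOG = """\
2021-11-20T03:14:07 [HoneyPotSSHTransport,1,203.0.113.5] login attempt [root/123456] failed
2021-11-20T03:14:09 [HoneyPotSSHTransport,2,203.0.113.5] login attempt [root/password] failed
2021-11-20T03:14:11 [HoneyPotSSHTransport,3,198.51.100.7] login attempt [admin/admin] failed
2021-11-20T03:14:13 [HoneyPotSSHTransport,4,198.51.100.7] login attempt [pi/raspberry] failed
2021-11-20T03:14:15 [HoneyPotSSHTransport,5,192.0.2.9] login attempt [root/P@ssw0rd2021!] failed
2021-11-20T03:14:17 [HoneyPotSSHTransport,6,192.0.2.9] login attempt [ubuntu/ubuntu] failed
2021-11-20T03:14:19 [HoneyPotSSHTransport,7,192.0.2.9] Connection lost
2021-11-20T03:14:21 [HoneyPotSSHTransport,8,203.0.113.5] login attempt [root/qwerty123] failed
"""

ATTEMPT_RE = re.compile(  # one match = one guess; lines like "Connection lost" are skipped
    r"\[HoneyPotSSHTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] failed"
)
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")  # anything outside [A-Za-z0-9] counts as "special"

def parse_attempts(log_text):
    """Return a list of (source_ip, guessed_password) for every failed-login line."""
    return [
        (m.group("ip"), m.group("password"))
        for m in (ATTEMPT_RE.search(line) for line in log_text.splitlines())
        if m
    ]

def summarize(attempts):
    """Compute the three ratios the article cites: length <= 7, length > 10, any special char."""
    n = len(attempts)
    if n == 0:  # empty log: avoid division by zero
        return {"total": 0, "len_le_7": 0.0, "len_gt_10": 0.0, "has_special": 0.0}
    pw = [p for _, p in attempts]
    return {
        "total": n,
        "len_le_7": sum(len(p) <= 7 for p in pw) / n,
        "len_gt_10": sum(len(p) > 10 for p in pw) / n,
        "has_special": sum(bool(SPECIAL_RE.search(p)) for p in pw) / n,
    }

def noisiest_sources(attempts, k=3):
    """Top-k source IPs by number of guesses, useful for blocklist or rate-limit tuning."""
    return Counter(ip for ip, _ in attempts).most_common(k)
```

On the constructed sample, 3 of the 7 guesses are 7 characters or shorter and only the one 13-character guess uses a special character; on a real honeypot the same code yields the distribution the article describes.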

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting our technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries as a risk to the US. These sanctions prohibit US companies from dealing with these organizations. Given that quantum computing is a strategic technology for everyone, we do not want to accidentally be helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Cryptocurrencies

India is about to ban almost all private cryptocurrencies. A new bill will create a framework for an official digital currency, to be issued by the Reserve Bank of India. Included in the ban would be Bitcoin and Ethereum. Effectively, if this bill becomes law, non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

China Charts Plan for Tech Self-Sufficiency

China’s policymaking body, the Central Comprehensively Deepening Reforms Commission (I did not make up this name) approved a plan yesterday for developing home grown science and technology with an eye toward self-sufficiency.

According to a press release by the state run news agency, Xi said that while China has made substantial progress in trying to develop its science and technology sectors, they are still struggling. Which means that stealing intellectual property from the west is still critical.

And what are they trying to focus on?

Artificial intelligence and quantum computing.

This comes as Biden continues to tighten the screws on the Chinese tech sector, adding another dozen Chinese companies to the entities list, banning US companies from selling to them.

China’s vice premier wrote an article for the People’s Daily yesterday saying, using a lot of words, that innovation is critical and since Xi said that they were still challenged at doing that, it is pretty clear what the alternative is.

China, of course, is not pleased that more companies have been blacklisted, but my guess is that asking us to un-blacklist them will not produce results for them.

Based on this, expect more espionage – both by breaking into US company networks and by planting insiders inside targeted companies. Also expect them to continue to expand the Thousand Talents program.

All in all, this means that US companies with critical tech need to stay on their toes. If you think your tech is important, so does China and they are very motivated to steal it. Likely they will do it very quietly so that you don’t even know that you have been hacked.

Credit: The Record

Get Ready for NIST’s Software Supply Chain Security Guidance

As part of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), NIST is required to do several things. Among those are guides and standards for improving supply chain security, and they have already released a number of draft documents related to their tasks.

IF you sell to the executive branch, these will become mandatory. In some cases they can bypass the FAR process, although there will be some FARs created, and just implement the EO as directives to the branch agencies to do this or do that.

The first thing that they did is create a definition of what is critical software. You can see this document here. It provides both specific criteria for attributes of software that meet their definition and then it provides a list of software types (like, for example, endpoint security tools) that meet these definitions.

Earlier this month, NIST released preliminary guidelines for enhancing software supply chain security. This document, called NIST Special Publication 800-161 Rev 1, was released in draft form for comment. A lightweight bedtime read of over 300 pages, it is open for comments until December 3rd. It provides a very rich cybersecurity supply chain risk management (C-SCRM) process and it will only get better with comments.

After releasing this, NIST held a workshop to go over the guidance, which is due to be finalized by February 6, 2022.

NIST has also created a new document titled Secure Software Development Framework Version 1.1, also known as NIST Special Publication 800-218, which is available here. Unlike SP 800-161, this one is only 31 pages.

Perhaps I don’t understand all of this, but here is my take.

IF you develop software you want it to be secure.

IF you sell software to the government, you will be required to follow this NIST process.

If you don’t sell to the government, but your customers sell to the government, you may be required to follow this process anyway.

So, you basically have three choices:

  1. Do nothing and see what happens
  2. Create your own secure software development framework
  3. Leverage all the work that NIST has already done and will continue to do, follow their guidance, and improve your software’s security.

Which one do you think is the best strategy?

I thought so.

2020 Election Audits Costing Millions but Not in the Way You Think

Arizona’s Republican led state Senate hired Cyber Ninjas to review the election results for Maricopa County. Unfortunately, these ninjas had no experience doing election audits and, apparently, not much experience doing any kind of forensic investigating. They did not maintain custody of the equipment, they did not maintain surveillance on the equipment and they allowed unauthorized people to access the equipment.

The result? The state decertified the equipment which means that the County needs to replace all of it. Since it was leased, they have to buy out the lease from Dominion. And then destroy it. In a deal with the state, which threatened to withhold $700 million in state funding if the county didn’t turn over their routers, the state Senate agreed not to do that if the county agreed to pay the $3 million to replace the election equipment. Credit: AZCentral

In Pennsylvania, another fight broke out when the state started a similar audit. The Pennsylvania Department of State said that they would decertify all voting equipment in all 67 counties in the state if the chain of custody was broken. The state says that could cost up to $40 million. Credit: Reuters

The FBI is investigating a situation in Lake County, Ohio, where a private laptop was connected to the state network in the office of the Board of Commissioners Chairman John Hamercheck, allowing this person to capture network traffic. This is similar to the investigation going on in Mesa County, Colorado. Credit: Washington Post. This data was given to the MyPillow guy and used at his August non-cyber-symposium event, where he was supposed to show us how the election was hacked and did not.

As I reported the other day, in the Mesa County investigation, images of the hard drives of the county’s election counting equipment were uploaded to the Internet. Images of all of the county’s passwords were also posted on the Internet.

The Wall Street Journal is reporting that Iranian Hackers breached the network of newspaper chain Lee Enterprises to test modifying and creating content in the chain’s newspapers. The Justice Department recently indicted these hackers.

All of these, along with other similar events, are costing governments across the country millions of dollars in investigation costs, added labor including overtime, additional security expenses, legal expenses, replaced equipment, downtime and other costs.

All of this money is coming out of taxpayers’ pockets.

While this may be justified, if it were done within channels (which the people wanting the audits don’t trust), the cost would be dramatically less.

This is just the tip of the iceberg. All of the recounts, all of the audits, even if they are done within channels still cost tens of millions – probably hundreds of millions.

Of course there is no tally of all of these costs. But you and I get to pay for them.

Security News for the Week Ending November 19, 2021

Old Scams Never Die, They Just Get a Fresh Coat of Paint

Scammers have been posing, according to a warning by DHS, as Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) agents in San Antonio. The scammers call the mark, pretending to be HSI and tell them there is a problem with their passport and if they just pay the scammer/HSI agent some money, the problem will go away. They threaten that they will be arrested if they don’t pay. The victim’s passport, they say, was involved in a crime and police will be dispatched to their house to arrest them. Marks can call the ICE tip line at 866-347-2423 if they are able to “mark the mark”, so to speak. This type of scam is decades old; the only things that change are the targets and the agency who the scammers claim to represent, although DHS is a popular one. Credit: Infosecurity

Hackers Use Real FBI Email Account to Send Cyberattack Spam

I don’t think this qualifies as a hack. Instead it is really poor software design. The FBI runs a portal for law enforcement, but until Saturday anyone could sign up for an account. The prankster sent out at least 100,000 emails and the FBI was flooded with calls. For admins, it was hard to disregard the alert since it came from the real FBI email server and passed DMARC. A bit of a black eye for the FBI, and they only said that they were working on fixing the hole. Their temporary fix was to shut the system down. Probably a good idea. The hacker talked to Brian Krebs and explained what he did and why: to point out crappy security. Credit: Brian Krebs

Election Conspiracy Theory Lives On

For those of us in Colorado, there is a full blown election conspiracy fight still going on. Tina Peters, the election official in Mesa County, the reddest part of the state, is in the middle of a fight for her political life. A Republican, she was booted out of her role as election chief by Jena Griswold, a Democrat and the state’s chief election official. Griswold appointed another Republican to oversee Mesa County’s elections. So far, the courts have sided with the state. Peters did things like turn off the cameras in the secure counting area and make covert copies of the disk drives from the counting machines. Somehow, copies of all of her voting system passwords and a copy of the rogue disk drive image were posted on the Internet for anyone to download. She says that she doesn’t know how that happened. Her legal expenses are being paid for by the MyPillowMan. Check out the story here.

CISA About to Name Members of New Advisory and Investigation Panels

DHS’ CISA officially created the Cybersecurity Advisory Committee this month. It was authorized in the 2021 NDAA. The committee is limited to 35 people and must include one each from 12 key industries including finance, tech, communications and healthcare. The remaining slots will be appointed by CISA’s director. The Cyber Safety Board was created by executive order this year and will operate similar to the way the NTSB examines transportation accidents. It will include both Govies and private sector people and will convene when needed. Credit: The Record

Hackers Are Getting So Rich That …..

How rich are they?

There is a class of computer vulnerabilities called zero-days. They are called that because they are not publicly known and either can be or are being exploited since there are no patches for them.

Many zero-days are discovered by nation-based spies like the CIA or NSA here in the U.S. (but all nations at least try to mimic this). But many of them are discovered by hackers or researchers. In the case of bugs found by spies, they may keep the bug to themselves, but in any case, they rarely to never sell them. That is just not their gig.

But bugs found by private hackers and researchers are a different story: they either sell them to the company that makes the software (or an intermediary), or they sell them to the highest bidder.

Historically, those bidders are other nations. You can either find bugs or you can buy them. Maybe you get exclusive rights to the bug (that costs a lot more) or you just get access to it and the researcher/hacker that found it can resell it again.

Apparently, some of the ransomware groups are getting so wealthy from stealing from you that they can compete with nation states to buy those zero-days.

That also requires that these hacking groups are sophisticated enough to leverage those zero-days and, apparently, they are doing that as well.

Of course, it is legal (at least in their own country) for nations to buy zero-days.

Hackers, on the other hand don’t really care whether it is legal. After all, their entire operation is not legal.

Is it legal to sell a zero-day? That also depends. Where are you? Do you know it is going to be used to break the law?

So let’s assume that a hacking group buys a zero-day for, say, $3 million. What then?

One thing they can do is set up a hacking service.

Rather than trying to recover that cost all by themselves, they advertise a particular attack method on the dark web and sell access to it. Possibly they sell it for cash; possibly they get a cut of the money their customers extort from panicked users.

Alternatively, the hacker who discovered the vulnerability sets up the hacking service. If they do this they don’t have even the façade of legitimacy, but depending on what country they are in – that may not matter.

Isn’t this a pleasant thought – now?! Credit: ZDNet