Security News for the Week Ending December 31, 2021

W. Va. Hospital Breach Timeline – Way Too Long

The Monongalia Health System was attacked recently, and hackers had access to several email accounts, apparently belonging to contractors, from May 10 to August 15, or about three months. It took them another 60 days to investigate. They are just now telling us about the breach – more than 7 months after it started. They only figured out that they were hacked because a vendor said that they were not paid (a standard business email compromise attack). They will, no doubt, get whacked by the feds, but this is a lesson to everyone that your vendors are your risk too. Credit: ZDNet

Java Code Repo Riddled with Hidden Log4j Bugs

Remember that you should assume that any code that you download from the net is full of bugs and security holes. If you assume that and you are lucky, that is good; if you assume the reverse and you are not lucky, well, not so good. Threatpost is reporting that there are 17,000 unpatched Log4j packages in the Maven Central ecosystem. Many of those will never be patched. CAVEAT EMPTOR

Fallout from Kronos Ransomware Attack – Some Employees Not Receiving Full Pay

Kronos, the international HR firm, suffered a ransomware attack several weeks ago. Some employees at appliance maker Electrolux are saying that they are still not receiving their full wages or, in some cases, not getting paid at all. In most states the law is pretty specific about paying employees, so if you don’t want to be on the wrong end of an investigation, create a disaster recovery plan. Credit: Cyber News

North Korean Hackers Stole $1.7 Billion as an Investment

North Korea considers cryptocurrency a long-term investment. As a result, when they steal billions in crypto, instead of selling it, they save it. Maybe that is not a bad strategy. Bitcoin, for example, was worth $313 in 2015, $997 in 2017, $3,869 in 2019 and $46,847 right now. So if you stole 1 coin in 2015, your “investment” returned 150x today; that is, your $313 crime is worth $46,847. Maybe the North Koreans are onto something. Credit: Dailycoin

Oops, The Dog Ate 77 TB of Our Backups

Well, not exactly, but something ate the backups. Kyoto University in Japan lost 77 terabytes of data when a backup process went wild on their HP supercomputer. The event happened in mid-December when 34 million files were wiped from the system and the backups. The University determined that some of the data cannot be restored. The University has not said how this happened or what the impact of this failed backup process is. Credit: Bleeping Computer

Is Your Data Walking Out With Your Ex-Employees?

As Americans are quitting their jobs in record numbers this year, is your data going with them?

The exodus is being called the great resignation. We (the U.S.) set new monthly records for the number of workers leaving their jobs three times this year. In September, over 4 million workers quit their jobs.

If you have intellectual property, customer data and partner information, it is likely going out with those exiting employees.

A study by Tessian says that 45 percent of ex-employees ADMIT to downloading, saving or sending work data out of the network before leaving their job. That only represents those who admit to doing it.

Why are they doing this?

Possibly they feel like they own intellectual property that they created.

They may think it will help them in their new job or new start-up company.

Maybe they are disgruntled and want to do harm.

In the worst case, they may be cybercriminals-for-hire who infiltrate organizations with the intention of stealing data.

Maybe your strategy up till now was to hope that nothing important was lost or stolen. Probably not the best strategy.

Waiting until after the employee leaves to examine their computer is also not a great strategy.

Before you start looking for insider activity, figure out what you want to do and what you need to communicate to employees.

If you want to be successful, you need to start weeks before the employee leaves.

In fact, many companies have an ongoing data loss prevention program. That is probably the optimal way to handle this because the smart employee will steal whatever he or she plans to take long before he or she tells you they are quitting.

There are tools that will tell you about data in email and data sent to personal cloud servers (like Dropbox), and different tools that can detect files copied to USB drives.
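As an added example (not from the article or from any DLP vendor's product), here is a small Go program that applies the three checks the paragraph lists to a constructed set of endpoint events: mail to domains outside the company, uploads to personal cloud services, and copies to USB drives. The log format, the list of personal cloud domains and the `.corp.example` internal suffix are assumptions; a per-user byte total over a threshold is what an ongoing program would hand to a reviewer.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample DLP events (not real logs): "<ts> user=.. channel=.. dest=.. bytes=..".
const sampleLog = `2021-12-13T09:41:05Z user=jdoe channel=cloud dest=dropbox.com bytes=734003200
2021-12-13T10:03:44Z user=jdoe channel=usb dest=E: bytes=52428800
2021-12-13T11:15:27Z user=bkim channel=cloud dest=sharepoint.corp.example bytes=900000000
2021-12-14T07:55:09Z user=jdoe channel=email dest=gmail.com bytes=24000000
2021-12-14T08:30:00Z user=asmith channel=usb dest=D: bytes=2048000
malformed line that must be skipped`

// Assumed policy: these personal cloud services are never sanctioned destinations.
var personalCloud = map[string]bool{"dropbox.com": true, "drive.google.com": true, "gmail.com": true}
var eventRe = regexp.MustCompile(`user=(\S+) channel=(\S+) dest=(\S+) bytes=(\d+)`)

// leftNetwork: any USB copy, an upload to a personal cloud service, or mail to a
// domain outside the (assumed) corporate suffix means the data left your control.
func leftNetwork(channel, dest string) bool {
	return channel == "usb" ||
		(channel == "cloud" && personalCloud[dest]) ||
		(channel == "email" && !strings.HasSuffix(dest, ".corp.example"))
}

// Exfil sums outbound bytes per user and lists users at or above threshold.
func Exfil(log string, threshold int64) (map[string]int64, []string) {
	totals := map[string]int64{}
	for _, line := range strings.Split(log, "\n") {
		// Unparseable lines are skipped; \d+ guarantees ParseInt succeeds.
		if m := eventRe.FindStringSubmatch(line); m != nil && leftNetwork(m[2], m[3]) {
			n, _ := strconv.ParseInt(m[4], 10, 64)
			totals[m[1]] += n
		}
	}
	var flagged []string
	for user, n := range totals {
		if n >= threshold {
			flagged = append(flagged, user)
		}
	}
	return totals, flagged
}

func main() { fmt.Println(Exfil(sampleLog, 100<<20)) } // review anyone over 100 MiB
```

The corporate SharePoint upload is deliberately not counted; the point of the policy list is to separate sanctioned destinations from personal ones rather than to alarm on volume alone.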

Assuming that you see that an employee is stealing data, what is your plan?

Some employees may not know that downloading company data is a crime.

In the worst case scenario, a lawsuit may be required.

The first thing to do is to scope out the issues and decide what you want to try and do.

For more information, see this Help Net Security article.

Why the Internet Does Not Replace Common Sense

Some people say that common sense isn’t so common anymore. Sometimes the Internet doesn’t seem to have much common sense, so those people might be right.

Hopefully most adults can distinguish between smart things to do and not so smart things to do, but not always.

Right after Apple and Google split over Google Maps and Apple tried to create their own version of it, the maps told people to do things that they shouldn’t, and the term “death by GPS” was coined. It is a thing and it really happened. More than once.

But kids do not have the experience, sometimes, to figure out the difference between smart and not so smart.

Enter Amazon.

According to Kristin Livdahl, a writer and the mother of a 10-year-old child, her daughter asked Alexa, the digital assistant on the Amazon Echo, for a challenge to do. Kristin and her daughter were doing physical challenges to warm up and her 10-year-old asked Alexa for more.

Here is what Alexa suggested:

“The challenge is simple: plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs,” Alexa said and set the timer for 20 minutes to complete the challenge.

Besides the possibility of setting the house on fire or electrocuting herself, it seems like an okay challenge – not.

Apparently Alexa stole it from an old challenge that was circulating on TikTok a while back.

Amazon told the BBC that they are fixing the problem. Good plan.

This just points out the fact that you should not trust everything you read or hear. Hopefully most adults already understand this, but given the number of adults that fall for a whole variety of scams, I am not so sure about that. More importantly, you need to train your kids not to either. Kids don’t have the experience you do and kids are subject to peer pressure, among other things. Just think about what might have happened to this 10-year-old if things had gone a little differently. Luckily, it did not. That doesn’t mean it will turn out the same next time. Credit: Cyber News

Senator to Introduce ‘Comprehensive’ Crypto Legislation

Senator Lummis from Wyoming plans to introduce legislation in early 2022 to attempt to rein in some of the wild west of the cryptocurrency world. Stay tuned.

Rumor is that it will add investor protections, rein in stablecoins and create a self-regulatory body under the SEC and the CFTC. That might be a tall order since a lot of crypto is peer to peer. Still, if we at least have some clarity over who gets to be the regulator, that would be good.

An aide to the Senator said that the proposal would fully integrate digital assets into the US financial system. If Congress can actually pull that off, then cryptocurrency could operate under similar rules to banks.

Still, what is different here is that cryptocurrency can be fully decentralized with no middleman to regulate. Do they plan to regulate software somehow? Software that, potentially, is not even made in the US? That sounds like a tall order.

What they might have, rather than the comprehensive bill the senator is calling it, is a start on working on the problem.

Most consumers do go through crypto exchanges and at least those in the US would be relatively simple to regulate.

It could also, possibly, cut down on crypto scams.

As an example of how hard this is, many are suggesting that just the tax reporting requirements already in the just-passed Infrastructure Investment and Jobs Act cannot be met. Imagine what happens if you want to take an entire industry that has never been regulated and try to regulate it. What could go wrong?

A group of Senators already wrote a letter to Secretary Yellen saying that the current (new) law already tries to classify software developers as brokers, which, it seems to me, they are not. You want software developers to send 1099s to people who download their software? Really?

Other members of the current administration are concerned as well, and the Senate held hearings earlier this month on stablecoins. Senator Warren said that (in her view) the peer-to-peer nature of DeFi – decentralized finance – is the most dangerous part of the crypto world.

Visa just announced that it will partner with 60 cryptocurrency exchanges to allow consumers to make purchases with digital currency at more than 80 million global merchant locations. I want to see how that works out.

You might remember that cryptocurrency started out as a way to get around the banking system.

Now, like with Star Trek’s Borg, crypto looks like it could be assimilated into the banking system, basically eliminating any possible benefit that the people who originally championed it might be interested in.

It sounds like the crypto players may have gotten outplayed.

Credit: Data Breach Today

Security News for the Week Ending December 24, 2021

Russian Hackers Make Millions by Stealing SEC Earnings Reports

A Russian hacker working for a cybersecurity company has been extradited to the U.S. for hacking into the computer networks of two SEC filing agents used by multiple companies to file their quarterly and annual SEC reports. Using that insider information, the hacker traded stock in advance of the earnings being made public and earned millions. The hacker made the mistake of visiting Switzerland. I guess he figured that the U.S. did not know who he was. He was wrong. Credit: Bleeping Computer

Security Flaw Found in Popular Hotel Guest WiFi System

I always tell people not to use hotel guest WiFi systems because they are not secure. A researcher says that an Internet gateway used by hundreds of hotels for guest WiFi is not secure and could put guests’ personal information at risk. The gateway, from Airangel, uses extremely easy-to-guess, hardcoded passwords. You can pretty much guess the rest. Credit: TechCrunch

Feds Recover $154 Million in Bitcoin Stolen by Sony Employee

The U.S. has taken legal action to seize and recover $154 million stolen from Sony Life Insurance by an employee in a very basic business email compromise attack. The funds were supposed to be transferred between company accounts but were diverted. The hacker was not very smart, was in a country friendly to the U.S. (Japan), used a U.S. bank account and a Coinbase Bitcoin account, making it pretty easy to recover once found. The FBI managed, somehow, to obtain the private key for the hacker’s Bitcoin wallet, which made recovering the funds even easier. What the FBI has not disclosed is how they were able to recover the private key, probably because they do not want to disclose methods. Score one for the good guys. Credit: Bleeping Computer

Former Uber CSO Faces New Charges for Breach Cover-Up

Here is a tip about covering up a breach. Joe Sullivan, Uber’s Chief Security Officer between 2015 and 2017, faces more charges of covering up Uber’s breach. This time it is deliberately covering up a felony, which could bring him 8 years in prison and a $500,000 fine. Knowing Uber, they are probably not paying his legal costs. Moral: don’t lie. Credit: Data Breach Today

Russia Surging Both Tanks and Cyberattacks on Ukraine

In addition to moving 175,000 soldiers to the Ukraine border as Ukraine plans to join NATO, Russia is also stepping up cyberattacks on Ukraine’s financial system and critical infrastructure. In response, the US, UK and other friendly (NATO) countries have sent cyber experts to Ukraine to help defend their digital frontier. What war looks like now. Credit: Data Breach Today

Orange and Thales Partner for IoT Security

Probably most people have not heard of either company. Orange is like the Verizon of Europe, the largest telecom company there, and Thales is a very large multinational security products company that sells in both the commercial and military spaces.

The number of cyber attacks against Internet of Things devices is skyrocketing.

Orange’s research team says that an IoT device is attacked more than 2,500 times a day by more than 100 botnet networks looking for weaknesses.

Right now there are about 12 billion IoT devices connected to the Internet and by 2025 that number will be around 27 billion. Given that most of those devices will never be patched ever, this is a target rich environment.

These attacks can do three things. First, they can steal whatever data the device has. Second, the device can be used as a launchpad to attack the network it is hosted on. Since most home users and many business users do not segment IoT devices, this can be easy to do. Finally, these compromised devices can be used to launch attacks against other businesses and adversaries.

I get notices every day of anywhere from 2 to a dozen new vulnerabilities discovered and reported and that is probably only a tiny percentage of the vulnerabilities that are discovered. That doesn’t even count the bugs that are not yet discovered.

So what can be done?

Orange and Thales are partnering to create an open standard called IoT Safe and it has been approved as an international standard by the GSM Association.

Very simply, it puts a microSD card in the device that carries the security protocol code. MicroSD cards are already in all kinds of devices like phones and cameras. They are well understood and physically secure.

The IoT Safe applet is installed on the SD card as soon as the device is connected to the Internet, and the applet generates a new and unique public/private encryption key pair. The public key is sent to the server and the private key is kept on the SD card.

This allows a vendor to communicate with the device in a much more secure manner, with a key that is created automatically and which is unique to the device – at very low cost. The code is open source.
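The enrollment flow the paragraphs above describe, as an added Go example that is not the IoT Safe applet code or anything from Orange, Thales or the article: the card-side applet generates a key pair at first connection, only the public key goes to the vendor server, and the server later authenticates the device by verifying a signature over a fresh nonce. The `Applet` and `Server` types, the device ID, and the choice of P-256 ECDSA are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Applet models the card-side applet: the private key lives only here.
type Applet struct{ priv *ecdsa.PrivateKey }
// Provision: at first connection the card generates a fresh P-256 key pair and returns only the public half.
func Provision() (*Applet, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Applet{priv: priv}, &priv.PublicKey, nil
}

// Sign answers a server challenge without the key ever leaving the applet.
func (a *Applet) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}
// Server maps enrolled device IDs to their registered public keys.
type Server map[string]*ecdsa.PublicKey
// Authenticate sends a fresh random nonce, has the device sign it and checks the
// signature with the enrolled key; a new nonce every time defeats replay.
func (s Server) Authenticate(id string, dev *Applet) (bool, error) {
	pub, ok := s[id]
	if !ok {
		return false, fmt.Errorf("unknown device %q", id)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := dev.Sign(nonce)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig), nil
}

func main() {
	dev, pub, _ := Provision()
	srv := Server{"dev-001": pub} // enrollment: only the public key is stored
	fmt.Println(srv.Authenticate("dev-001", dev)) // true <nil>
}
```

A second card provisioned the same way holds a different private key, so it cannot answer a challenge for dev-001, and an ID that was never enrolled is rejected before any signature is checked.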

While this is not bulletproof, it is certainly bullet resistant and is low cost, a pretty good improvement.

Credit: The Hacker News