Security News for the Week Ending February 25, 2022

Scammers Figure out How to Fake Out Facial Biometrics

Multi-factor authentication is not magic. For the most part, it is software. And if the software is not well written, it can be fooled. That means that we should not be surprised if scammers try to use deep fakes and other techniques to fool automated facial recognition. It is also a trade-off of security and convenience. In Israel, it takes 90 seconds for automated facial recognition to see if you are you. In the U.S., it takes 45 seconds and in the U.K. it takes 35 seconds. Less time means, not surprisingly, less accuracy. Credit: Cyber News

Russia’s Invasion of Ukraine Threatens IT Industry

Some U.S. software companies were founded in Russia. Others have a significant software development presence in Russia. Some company owners, like Gene Kaspersky, are rumored to be pals of Putin’s. The Parallels Desktop software for running Windows on a Mac historically did all of their development in Moscow and Novosibirsk. And there are lots more. Not only is buying new software a concern but so is installing any updates. As if we needed more security challenges. Credit: ZDNet

Anonymous Declares Cyberwar on Russia

This could either be nothing or something. Sometimes the informal hacking collective Anonymous does cause damage, but a lot of the time, they don’t cause anything. One thing in favor of this being something is that Ukraine is a big software development hub and there are probably a lot of Ukrainian software developers who are not terribly happy right now. They might be interested in getting even. Right now, all I can say is stay tuned. Credit: Cybernews

And Then There is the Other Team

The Conti ransomware gang says that they are ready to hit critical infrastructure in support of Mother Russia. This could get seriously messy if they are successful. Everyone remembers the Colonial Pipeline attack. Is worldwide critical infrastructure secure? No, that would be a bit optimistic. Again, we have to wait and see. Credit: CSO Online

Oracle Gets to Play with the Big Boys – Finally

Amazon won the first top-secret government cloud hosting project, building the CIA’s secure cloud. Years later, Microsoft and Amazon waged a bit of a war to win DoD’s version of that cloud. Oracle, which also has a cloud, was left in the dust, but finally, Oracle won something. They are going to host a secure cloud for the Air Force. While this is not a $10 billion contract like the others, it might be worth as much as a billion. Credit: Yahoo

Apple AirTags – The Stalker’s Dream

I can’t really blame Apple for this. Their heart was in the right place. Helping people find their lost stuff sounds like a reasonable goal.

The problem is that no good deed ever goes unpunished.

Initially, people bought an AirTag and then either slipped it into someone’s coat pocket or attached it to the back of a license plate. The goal there was to find out where the stalkee lived, worked or visited.

Then Apple added software to warn stalkees that they were being stalked. At first the warning didn’t come for 24 hours. They have progressively reduced that number of hours as the problem got worse.

Then they added a beep, so you might notice it, though it is quiet. Of course, if the stalker attached it to your car, all they needed was 30 seconds worth of access to remove it. That MIGHT BE possible, depending on the circumstances.

Then capitalists figured out how to neuter the speaker so that it didn’t make any noise anymore. You still might get a warning that you were being tracked, but no beep.

Mind you, there are other tracking discs, like Tile, for example, but this one is the most widely used one for a variety of (mostly malicious) reasons.

Of course, if you are an Android user and someone slips a disc in your coat, you won’t get notified – unless you install Apple’s creeper software on your Android phone, but I doubt many people even know it exists.

Now a security expert in Berlin has cloned an AirTag and programmed it to bypass Apple’s security protections. In particular, the AirTag alerts a stalkee if the phone sees an AirTag that doesn’t belong to the stalkee around the phone for a number of hours. How does it do that? The AirTag periodically broadcasts its key. If the phone sees the same key a lot and it is not yours, it warns you. So, this clone throws out a new key every time it broadcasts.

In fairness to Apple, this is not even their product at this point. Someone stole their idea and designed it to work better for evil.

Other researchers are trying to figure out how to stop these attacks.

It will likely be a cat and mouse game – good vs. evil – for a long time, probably forever.

So once again, Apple had a good idea and hackers turned it into a pile of poop.

Credit: Portswigger

After Congress Dust-up, IRS Changes Rules – Sort Of

Quietly, the IRS was trying to reduce the billions of dollars a year in fraud from people who pretend to be you and me and do things like steal tax refunds. They did this by making it harder to pretend to be someone you are not, including using biometrics.

Some people complained that people who need to get IDs don’t have smartphones (really, today, are there a significant number of people who neither have their own low-end, prepaid smartphone nor have a friend who will let them use their phone to register with the IRS? It is possible, but I don’t think it is a large number).

Congress, looking for any reason to get 15 seconds of air time, jumped on this issue (remember, we still don’t have a federal budget, but clearly this is more important).

The IRS said “me bad” – because no one likes the IRS anyway.

Today they revealed their next attempt at this. One of the complaints was that you had to submit a selfie and the ID service was being run by a private company. Both of these are true, but the service has never had a breach and is currently being used by more than two dozen states.

Anyway, the IRS’s solution is that you can do a live video interview with the same company. I don’t know, but I bet, for legal reasons, they are going to record that interview, so I am not sure that this is much different than ID 1.0.

Some Congresspeople asked why the IRS wasn’t using the government’s existing single sign-on system called login.gov. Since most Congresspeople don’t know anything about security, that is a reasonable question. Turns out that Login.gov uses a different private company (LexisNexis) and actually doesn’t have any security features to stop fraud. Other than that, it is a perfect solution.

Now, the totally underfunded and understaffed Login.gov team is working with the IRS to see what security features might need to be added to Login.gov to make it, actually, secure. Perhaps they should have asked that question years ago when they were first implementing it. It turns out that security was not the purpose that Login.gov was created for. All they wanted to do was cut down the number of accounts that a citizen needed to access government services. One login ID would let you reserve a campsite at a national park and also buy a ticket for a Washington monument. None of the uses required high security. At least one Congressperson, Senator Ron Wyden, pointed out that the government has not funded it properly and the cost has been billions of dollars of fraud.

Maybe there will be some good news out of this. Maybe Login.gov will get the attention it needs and will ask that other private company, LexisNexis, to help them with a secure login solution. Stay tuned, because that won’t happen quickly. Credit: Brian Krebs

Credit Suisse Cyberattack Reveals Dirty Laundry

The Swiss banking world has always been secret. Very secret. Even after the U.S. worked out a deal to try and get information from the Swiss for tax evasion reasons, there is still not much transparency. Credit Suisse has had its share of troubles recently including helping wealthy customers evade taxes, engaging in illegal business with Iran, and selling toxic mortgages to investors.

Hackers leaked the details of about 30,000 customers who are located all over the world. If Credit Suisse’s reputation wasn’t already in the toilet, it is now. The leak points to a massive failure in due diligence.

The bank is or was holding accounts for a human trafficker, a stock exchange boss who was jailed for bribery, a billionaire who ordered the murder of his girlfriend, and many other less than upstanding citizens.

The whistleblower leaked the data to a German newspaper with the statement that he thinks that Swiss bank secrecy laws are immoral. While the Swiss call this privacy, he says that it is really a fig leaf for the shameful role of Swiss banks as collaborators of tax evaders.

In fairness to the bank, at least some of these allegations do date back to times when Swiss banks did look the other way and accepted large deposits from damn near anyone. Some of the accounts leaked date back to the 1940s, but others were opened in the last 20 years and many are still open today.

Credit Suisse is the first major Swiss bank EVER to face criminal charges, though those charges are not directly related to this leak.

But the reverberations are going to be far wider than this bank and even that country as many of the customers are not Swiss.

I am sure that tax authorities in many countries will be “reviewing” this data, now that it has been exposed. That could make for more than a few uncomfortable conversations about back taxes.

Whether the Swiss decide to make more reforms to their banking laws or not is to be determined, but there will be, no doubt, pressure to do that.

The fallout from this will last months if not years and will keep the Swiss’ reputation in the gutter for a long time.

And then there is the conversation about how did this happen. This has to be an insider leak – there is no other possibility. But how did that person do this? Doesn’t the bank have any security at all? Likely bank customers will ask that question whether their personal data was leaked this time or not. How many ultra-high net worth customers will the bank lose? What will the financial impact be? I don’t think I would want to work for the bank right now. Could be a very hard next couple of years.

For more details, see this article in the Guardian.

Security News for the Week Ending Feb. 18, 2022

Missouri Prosecutor Wisely Decides Governor is not Tech Smart

Remember when the governor got his feelings hurt after a St. Louis newspaper revealed that the education department’s website was publishing the PII of tens of thousands of teachers and asked the Highway Patrol to prosecute the reporter who embarrassed him? The PII was, as a reminder, just sitting there in the HTML code for anyone to find. The prosecutor has, wisely, decided to deal with the governor’s wrath rather than getting laughed out of court. I suspect he figures that the wrath is temporary while the court’s verdict is permanent. Don’t be surprised if there is a countersuit filed. Credit: Portswigger

New Tool Renders Pixelating Useless

Most of us have seen a picture where the pixels of something like a license plate or someone’s name have been scrambled to make it more “secure”. Now a tool is available on Github that allows anyone to undo this for free. The tool, called UNREDACTOR, needs a little bit of information to do its magic, but once it has that, it is game over. Credit: Hackread

Five Canadian Banks’ Online Systems Go Down at Once

Users could not access online systems for hours, stranding them at stores and stopping them from making transfers. The banks – Royal Bank of Canada, Bank of Montreal, Scotiabank, and Canadian Imperial Bank of Commerce – started having trouble around 5 PM Eastern time. This happened right after the government invoked the Emergencies Act amid the truckers’ protest. Are these related? Is it Russia? We don’t know yet. Credit: Bleeping Computer

Dad Takes Down Town’s Internet to Stop His Kids From Using Their Phones

Turns out dad’s strategy was super effective. Possibly a little too effective. Dad wanted his kids to go to sleep at night instead of playing on their phones. So, dad went out and bought a signal jammer. Apparently, it was a pretty good one. Turns out this French father took out the cellular network in the neighboring town. The French authorities traced the jammer to dad and now the jammer-er may go to the slammer – err, bad pun. But the French prosecutors are investigating. Penalties could be as much as €30,000 and 6 months in jail. It is a similar crime here. Credit: Bleeping Computer

Russia Continues to Make Token Effort to Reduce Cyberattacks

Russia continues to make modest efforts to cut down cyberattacks against other countries. They have arrested a third hacking group; this one specializes in fraudulent credit cards. While the Russians have not provided any details, three carding websites have mysteriously gone away (they actually show a banner that says they were seized) – likely the work of the nice folks of the Russian police. This is only a spit in the ocean, so we should not get our hopes up too high, still, any help is good. Credit: Bleeping Computer

MFA Fatigue – It is a Real Problem

When hackers are faced with multi-factor authentication, they look for another weak spot – often it is the human being.

For example, Office 365 users are being bombarded with push notifications requesting access. After a while, they just say yes to make it stop.

Now the researchers have given it a name – Multi-factor authentication fatigue.

The problem is that the attack is simple. Using a botnet, spray passwords across a big network of compromised machines to attack accounts using passwords from previous attacks. Done slowly enough, it won’t trigger the account lockout, and given that the hackers have millions of accounts to try, that slow speed is really not an issue.

Just to make sure that the attackers know how to make this attack work (it’s pretty simple), security firm GoSecure has published proof of concept attack code.

GoSecure has suggested several ways to mitigate the threat, but it is clear that the hackers are not going to give up, so that means IT departments need to come up with a plan.

Allowing push notifications is done for convenience. This may mean that a somewhat less convenient method of MFA is going to have to be used.
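The two halves of the attack described above, a password spray kept under the lockout threshold followed by a run of push prompts, leave a recognizable pattern in sign-in logs. As an added example (not from the article, GoSecure or any vendor tooling), this Python checks constructed sample log lines for both patterns; the field layout, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from any real tenant):
# timestamp  user  source_ip  event  result
SAMPLE_LOG = """\
2022-02-18T01:00:02 alice 203.0.113.10 password FAIL
2022-02-18T01:00:31 bob 203.0.113.11 password FAIL
2022-02-18T01:01:04 carol 203.0.113.12 password FAIL
2022-02-18T01:01:40 dave 203.0.113.10 password FAIL
2022-02-18T01:02:15 erin 203.0.113.11 password FAIL
2022-02-18T01:05:00 alice 203.0.113.12 password OK
2022-02-18T01:05:05 alice 203.0.113.12 mfa_push DENIED
2022-02-18T01:05:35 alice 203.0.113.12 mfa_push DENIED
2022-02-18T01:06:05 alice 203.0.113.12 mfa_push TIMEOUT
2022-02-18T01:06:35 alice 203.0.113.12 mfa_push APPROVED
2022-02-18T08:30:00 bob 198.51.100.7 password OK
2022-02-18T08:30:04 bob 198.51.100.7 mfa_push APPROVED
"""

def parse(log):
    # Turn the text log into (timestamp, user, ip, event, result) tuples.
    rows = [line.split() for line in log.strip().splitlines()]
    return [(datetime.fromisoformat(ts), u, ip, ev, res) for ts, u, ip, ev, res in rows]

def detect_push_fatigue(events, max_prompts=3, window=timedelta(minutes=10)):
    """Flag users sent more than max_prompts push prompts inside one window.
    Returns {user: (prompt_count, final_result)}; APPROVED after a run of
    DENIED/TIMEOUT prompts is the fatigue pattern itself."""
    prompts = defaultdict(list)
    for ts, user, _ip, event, result in events:
        if event == "mfa_push":
            prompts[user].append((ts, result))
    flagged = {}
    for user, seq in prompts.items():
        seq.sort()
        start = 0
        for end, (ts, result) in enumerate(seq):
            while ts - seq[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_prompts:
                flagged[user] = (end - start + 1, result)
    return flagged

def detect_low_rate_spray(events, lockout_threshold=5, min_accounts=5):
    """Spraying kept under the per-account lockout: many distinct accounts
    fail, but no single account fails often enough to lock."""
    fails, ips = defaultdict(int), set()
    for _ts, user, ip, event, result in events:
        if event == "password" and result == "FAIL":
            fails[user] += 1
            ips.add(ip)
    wide = len(fails) >= min_accounts
    shallow = bool(fails) and max(fails.values()) < lockout_threshold
    return wide and shallow, sorted(ips)
```

Per-account lockout counters never fire on the sample because each account fails only once, which is exactly why the wide-but-shallow check and the prompt-count check have to look across accounts and across time.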

Credit: Portswigger