All posts by mitch tanenbaum

Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found a publicly accessible Amazon S3 bucket holding the entire dataset on 48 million people – names, addresses, emails, IP addresses, jobs, salary.  LocalBlox builds the profiles by scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them (Source: ZDNet).

Credit Cards in the Cloud, Oh My!

Way back in the dark ages of 2013 the PCI Security Standards Council (PCI SSC) released a document regarding processing credit cards in the cloud.  It was 52 pages.

This month the PCI SSC released a new version of that same document.  It is now 83 pages.

This version seems to better understand the risk of the cloud – where you don’t even know what precise infrastructure you are running on.

Ultimately, if you accept credit cards, you own the risk and, contractually, you are responsible, even if the cloud provider says “trust us”.  The new version of the guidance is available from the PCI SSC.

Information for this post came from The Register.

What does this mean for you?

Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.

Some companies have outsourced payment cards to companies like PayPal or Square.  That used to mean that you weren’t accountable for security, but that changed a couple of years ago.  The requirements are simpler, but you are still responsible.

But let’s say you are a company that does e-commerce and the servers run in the cloud.  You may collect the credit card info and hand it off to a gateway.  This applies to you.

In general, all companies that accept credit cards are required to complete an assessment at least once a year.  The PCI Council publishes a range of different Self-Assessment Questionnaires (SAQs); which one you must complete depends on how card data flows through your environment.

For everyone but the largest players, you can do the assessment yourself.  You can also get an outside provider to help you complete the assessment.  We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.

Your credit card processor can fine you or drop you altogether if you do not provide them your completed assessment if they ask.

Also, the assessment is pass-fail.  Either you answer every question correctly, or you fail.  A single NO, without a documented compensating control, is a fail.

If you have questions, please give us a call.

GrayKey iPhone Cracking Software Can Unlock Phones in a Few Hours

It wasn’t so long ago that 4 digit passcodes were the norm.

Now 6 digit passcodes are obsolete.

GrayKey, the new kid on the block, offers low cost cracking of iPhones up to and including the iPhone X.  Users who are concerned about that need to change their passcode habits.

Pricing on Graykey, supposedly, is $15,000 to unlock 300 phones ($50 a phone) or $30,000 to unlock an unlimited number of phones.

At that price, the cops are falling over themselves to buy these things.  DHS is interested, along with the FBI.  The Maryland State Police have bought some, as has Cincinnati.  My guess is that, at that price, lots of other agencies have bought them too.  This likely means that the conversation about “going dark” is a bit overblown.

In fact, Congress asked the FBI to ‘splain itself.  While the FBI is saying that it needs to weaken device and app security by adding back doors that are unlikely to stay secret for long (you may remember that the TSA master keys for those travel locks on your luggage were ALL compromised when someone at DHS allowed reporters to photograph the keys for an article), Congress is asking whether the Bureau has used products like GrayKey to try unlocking those devices.

Since, for the most part, people choose short, obvious PINs (1234 or maybe 123456), those tools likely work pretty well.

6 digit passcodes (I gather this means 6 numbers) can be cracked in 11 hours on average (double that, worst case) using the software.

According to noted Johns Hopkins cryptographer Matthew Green, an 8 digit passcode would take 92 days worst case (46 days on average) and a 10 digit passcode would take 9,259 days.  All of those figures work out to roughly 80 milliseconds per guess, about 12.5 guesses a second, so the only thing the user controls is the size of the keyspace the tool has to walk.

Information for this post came from Motherboard.

What this means for the user is that, if you care about privacy, longer passcodes are better.  Alphanumeric passwords are better.  Words not in the dictionary are better.  Combining upper case, lower case and numbers in a somewhat random way (Monkey123 doesn’t count as strong, even though it technically meets most of the criteria) is the best strategy.

It’s really pretty simple.  Longer is better.  The GrayKey software cracked some passcodes in 30 seconds.
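To make the arithmetic behind those crack times concrete, here is a small brute-force time model.  It is an added example, not part of the original post and not anything to do with GrayKey’s own software.  The 80 ms per guess cost is an assumption inferred from the figures quoted above (10^10 guesses × 0.08 s = 9,259 days); the alphabets and the 1,000 day target are illustrative choices.

```python
"""Exhaustive-search time model for device passcodes.

Added example (not from the original post or from any vendor). The per-guess
cost of 80 ms is an assumption reverse-engineered from the quoted numbers:
10^6 guesses -> ~22 h, 10^8 -> ~92 days, 10^10 -> ~9,259 days.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

SECONDS_PER_GUESS = 0.08  # assumption: ~12.5 guesses/s, matches the quoted figures

# Candidate symbol sets. Keyspace grows as len(alphabet) ** length.
ALPHABETS = {
    "digits": string.digits,                                 # 10 symbols
    "lower": string.ascii_lowercase,                         # 26 symbols
    "lower+digits": string.ascii_lowercase + string.digits,  # 36 symbols
    "mixed+digits": string.ascii_letters + string.digits,    # 62 symbols
}


@dataclass(frozen=True)
class CrackTime:
    guesses: int            # size of the keyspace searched
    worst_seconds: float    # every candidate tried
    average_seconds: float  # uniformly random passcode: half the keyspace

    @property
    def worst_days(self) -> float:
        return self.worst_seconds / 86400

    @property
    def average_days(self) -> float:
        return self.average_seconds / 86400


def keyspace(alphabet: str, length: int) -> int:
    """Number of passcodes of exactly `length` symbols drawn from `alphabet`."""
    return len(alphabet) ** length


def crack_time(alphabet: str, length: int,
               seconds_per_guess: float = SECONDS_PER_GUESS) -> CrackTime:
    """Worst and average exhaustive-search time at a fixed per-guess cost.

    The model assumes the passcode was chosen uniformly at random. A common
    PIN such as 1234 or 123456 falls to a dictionary of popular choices long
    before exhaustive search matters, which is why the post says 'some
    passwords in 30 seconds'.
    """
    n = keyspace(alphabet, length)
    worst = n * seconds_per_guess
    return CrackTime(n, worst, worst / 2)


def min_length_for_days(alphabet: str, target_days: float,
                        seconds_per_guess: float = SECONDS_PER_GUESS) -> int:
    """Smallest length whose worst-case search exceeds `target_days`."""
    length = 1
    while crack_time(alphabet, length, seconds_per_guess).worst_days < target_days:
        length += 1
    return length


if __name__ == "__main__":
    print(f"{'alphabet':<14}{'len':>4}{'worst days':>16}{'avg days':>14}")
    for name, alpha in ALPHABETS.items():
        for length in (6, 8, 10):
            t = crack_time(alpha, length)
            print(f"{name:<14}{length:>4}{t.worst_days:>16,.1f}{t.average_days:>14,.1f}")
    # Illustrative target: how long a passcode survives a ~3 year search?
    for name, alpha in ALPHABETS.items():
        print(f"{name}: {min_length_for_days(alpha, 1000)} symbols to exceed 1,000 days")
```

Running the table shows the point the post makes: widening the alphabet beats adding a digit or two, because a 6 character mixed-case alphanumeric passcode already needs over 50,000 days at the same guess rate that clears a 6 digit PIN in a day.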

Email Breach at Oxygen Equipment Maker Affects 30,000

Oxygen equipment maker Inogen announced that information on 30,000 customers was hacked as an attacker compromised the credentials of an employee.

In the grand scheme of breaches, this one barely registers.  Yes, HIPAA protected information was taken (and Health and Human Services may come after them in, say, 2021), but it is another example of a totally preventable self inflicted wound.

OK, now that I have sufficiently beaten them up, let’s look at what they did wrong.

The company is publicly traded, so it needs to be SOX compliant.  It should have a Board advising it on issues like cybersecurity, but likely does not; the filing is totally silent on the issue.

The breach ran from January 2 to March 14 – certainly not the longest breach, but certainly not the shortest.  I know of a recent incident where a company received indicators of a breach at 6:30 AM one day and had contained and mitigated it before 9:00 AM the same day, and they are looking to shorten that window.  What kind of monitoring and alerting did Inogen have?  Over two months for the hacker to do the dastardly deed?  Obviously not good enough.

The stolen emails contained name, address, phone number, email address, date of birth, date of death, Medicare ID number, insurance information and type of equipment.  What is that doing in email?  That belongs inside a secure application or web portal.  Keeping it in mailboxes was a HIPAA safeguards problem before the breach and is a privacy breach after it.  The company is based in California, so the Attorney General may be rattling their cage as well.

The worker’s credentials were compromised and the attacker then logged in, from another country.  Two factor authentication would have neutered the attack and, failing that, conditional access geo-fencing (blocking or challenging sign-ins from countries where you have no staff) would have stopped the attacker cold.  Where was their CISO?  Do they even have one?
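The two controls named above are simple to express as detection rules, and they are also the alerts that would have cut the two month dwell time short.  The following is an added example, not Inogen’s code or any vendor’s product; the log format, the sample lines, the US-only allowlist and the 12 hour travel window are all constructed for the demonstration.

```python
"""Geo-fence, MFA and impossible-travel checks over sign-in logs.

Added example, not from the original post or from Inogen. The key=value log
format and the SAMPLE_LOG lines are constructed; real identity providers
emit a different schema but carry the same fields (user, source IP,
geolocation, MFA result, outcome).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = frozenset({"US"})  # assumption: every legitimate user signs in from the US
TRAVEL_WINDOW = timedelta(hours=12)    # assumption: two countries inside 12 h is not plausible travel

# Constructed sample: jdoe's account is used from an unexpected country (XX is a
# placeholder code) without MFA, then from the US a few hours later.
SAMPLE_LOG = """\
2018-01-02T03:14:07Z user=jdoe ip=203.0.113.45 country=XX mfa=no result=success
2018-01-02T09:00:12Z user=asmith ip=198.51.100.7 country=US mfa=yes result=success
2018-01-02T09:01:30Z user=jdoe ip=198.51.100.22 country=US mfa=no result=success
2018-01-03T23:40:01Z user=bjones ip=203.0.113.9 country=XX mfa=no result=failure
"""


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    user: str
    ip: str
    country: str
    mfa: bool
    success: bool


@dataclass(frozen=True)
class Finding:
    rule: str      # "geo-fence", "no-mfa" or "impossible-travel"
    user: str
    detail: str


def parse_line(line: str) -> LoginEvent:
    """Parse one 'timestamp key=value ...' record into a LoginEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user=kv["user"],
        ip=kv["ip"],
        country=kv["country"],
        mfa=kv["mfa"] == "yes",
        success=kv["result"] == "success",
    )


def parse_log(text: str) -> list[LoginEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def evaluate(events: list[LoginEvent],
             allowed: frozenset[str] = ALLOWED_COUNTRIES,
             window: timedelta = TRAVEL_WINDOW) -> list[Finding]:
    """Apply the three rules to successful sign-ins only.

    Failed attempts are noise for these rules (they matter for brute-force
    detection, which is a different check), so they are filtered out first.
    """
    findings: list[Finding] = []
    successes = sorted((e for e in events if e.success), key=lambda e: e.when)

    for e in successes:
        stamp = f"{e.when:%Y-%m-%dT%H:%M}Z"
        if e.country not in allowed:
            findings.append(Finding("geo-fence", e.user,
                                    f"sign-in from {e.country} ({e.ip}) at {stamp}"))
        if not e.mfa:
            findings.append(Finding("no-mfa", e.user,
                                    f"password-only sign-in from {e.ip} at {stamp}"))

    # Impossible travel: same account, different countries, inside the window.
    last_seen: dict[str, LoginEvent] = {}
    for e in successes:
        prev = last_seen.get(e.user)
        if prev is not None and prev.country != e.country and e.when - prev.when <= window:
            findings.append(Finding("impossible-travel", e.user,
                                    f"{prev.country} -> {e.country} in {e.when - prev.when}"))
        last_seen[e.user] = e
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

In a real deployment the geo-fence rule belongs in the identity provider as a conditional access policy that denies the sign-in outright, and the same event should also reach the SIEM as an alert; the detection above is the fallback for when prevention is not switched on, which is exactly the situation the filing describes.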

One thing they did right – they disclosed the breach in their latest SEC filings.  In light of the SEC’s new cybersecurity transparency rules, disclosing was probably a very smart move.  One less party out to sue them.

In the SEC filing the company said they hired a forensics firm and made users change their passwords.  Definitely impressive (not).

They have also turned on two factor authentication.  A little late, but better late than never.

Oh, yeah, they have started training.  Nice.  Would have been nicer years ago.

One challenge is the founders are a few young kids who did not, until this, have many battle scars.

I am guessing they are getting those scars now.

Finally, they say in the SEC filing that they have insurance but it may not cover the costs.  Cyber insurance is good, but you had better have enough of it and the right options.  Depending on what lawsuits happen and which regulators (California and HHS among them) go after them, this could cost them a couple of million or more.  Depending on their coverage, they could be writing all or part of that check themselves.

As a side note, Airway Oxygen, likely a competitor, told HHS last June that they had a breach affecting 500,000 customers.

CardioNet paid a $2.5 million fine to HHS last year.  That is just the fine and doesn’t cover any other costs.  With a fine like that, Inogen’s total costs could be in the $3-$5 million range.  If they have a $1 million cyber policy, they will be writing a large check.

Other companies could learn from their lessons.  The learning part is free.  OR, they can wait until their story is in the news.  That can be a tad more expensive!

Information for this post came from Careers Info Security.

Friday News

Intel will NOT be patching all of its flawed chips

After saying, for months, that it would release firmware updates for all chipsets produced in the last 5 years, Intel is now backtracking, saying that it won’t produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.  There were several reasons, number one being that it was too hard (read: impossible) given the architecture of those chips (Source: The Verge).

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft’s empire, releasing 65 SECURITY patches in a month is not unreasonable.  On the other hand, given that they have been doing this for years, that adds up to thousands of security flaws, which is a bit mind blowing.  This month’s patches affect Internet Explorer and Edge, Office (one more time), the Microsoft Malware Protection Engine, Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released out-of-band last week because it affects all of Microsoft’s anti-malware products, such as Windows Defender and Security Essentials.  This is at least the third emergency patch to the MPE in recent months.

Corporate IT usually has patching handled, but when it comes to home users, things are a bit more spotty, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to “step up” their cybersecurity game, it must be bad.  Brian Krebs details the story of a tax preparer who allowed his system to become infected with a not very sophisticated keystroke logger.  The result was that his clients’ data was stolen and false returns were filed in their names.  When the clients’ real returns were rejected by the IRS, the CPA provided form letters for his clients to file with the IRS saying that they were victims of identity theft, without mentioning that it was the accountant who was responsible.  No doubt the clients were left with the bill to clean up their CPA’s mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta, Colorado spending millions after ransomware attack

Atlanta has spent over $2 million mitigating the ransomware attack which started on March 22.  The attackers asked for roughly $50,000, which likely would have been covered by insurance.  The costs are for Secureworks, Ernst and Young and others.  To the extent these costs are for upgrading infrastructure, insurance would not cover them.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since their ransomware attack in February.  CDOT is still not fully operating yet.

Stories are that Atlanta’s IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).

President Signs SESTA/FOSTA; Web Sites Start Shutting Down Services

SESTA/FOSTA was a bill that was supposedly designed to shut down sex trafficking sites on the Internet by carving an exception out of the protections provided by Section 230 of the Communications Decency Act, which shields online service providers like Facebook and Google from liability for the postings of their users.

The bills, which had been around in different forms for a couple of years, moved through both chambers quickly and with very little debate.

Section 230 of the Communications Decency Act protects online service providers from being held accountable for what their customers post.  While the “claim” is that this bill is designed to punish web sites that post prostitution ads, it is so poorly written that it could be used as a club against any web site that a federal prosecutor chooses to.  The main target of the bill was Backpage, which did post, in my opinion, prostitution ads, but that site was shut down and the people responsible for it arrested days before the President signed this bill, so, apparently, the feds did not need this law to shut down what was proclaimed to be the target of the bill.

Fringe dating sites, sex trade advertising sites, parts of Craigslist and other sites have already shut down.  Google has started wielding a meat axe on its services to ensure it is not charged.  All this before the law has even been put to use (Source: Motherboard Vice).

Given this, what should you do?

First, this really only affects you if you run a website and you allow users to post content on that site.

For the moment, let’s assume that you do run a website that allows users to post content such as comments or reviews.  Up until now, the rule was that if you did not impose editorial control over that content, then you were not liable for it.

Now, apparently, you are.

This means that you need to do one of two things:

1. Shut down the part of the web site that allows users to post content.  If this destroys your business model, tough.  Write a letter to Congress.  What Congress giveth, Congress can taketh away.

2.  If that is not an attractive option, then you have to create a process to review every post to make sure that it cannot be misconstrued by some over eager federal prosecutor to charge you.

Remember, you do not have to be guilty to be charged and proving yourself innocent can be very expensive.

I am not sure whether cyber insurance will continue to cover this.  Prior to the effective repeal of Section 230, policies did.  Now, it is not clear at all.

Fundamentally, you have to exercise full editorial control over the content.

Don’t be surprised if people start figuring out which sites do not monitor posts and start using those sites as a replacement for the ones that shut down.

As we get closer to 2019, there could be some clarity and, possibly although unlikely, Congress could amend the legislation.

In the meantime, stay tuned and start setting up those processes.
