All posts by mitch tanenbaum

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who need both have to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the Vulnerabilities Equities Process to try to rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point Research published a report describing one failure, where the Chinese figured out the bug we were using, one way or another, and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised through Accellion’s decades-old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades-old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if the attacker can first get some malware onto the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

Texas – The Post Mortem

Now that the power is mostly back on in Texas and the majority of people can drink the water, the what-iffing begins. This is relevant because Texas is far from alone. They just got caught this time and they will be pilloried – for the most part appropriately – as a result.

#1 – According to KHOU-11 in Houston, the number of ERCOT board members who have resigned so far is now up to 6. IT APPEARS THAT NONE OF THEM LIVE IN TEXAS.

#2 – Those of us who have studied this stuff know that nationally, the power grid is extremely fragile. In Texas it is even more fragile because they made a deal with the devil decades ago not to tie into either of the national power grids. They did that because Texans don’t like the federal government, and by not connecting into the national grids they escaped federal regulation. The folks that manage the Texas grid, ERCOT (note the R in ERCOT stands for reliability), said that the state was 4 minutes and 37 seconds away from a total meltdown when they pulled the power plug. Think about that for a minute. If they had a meltdown, the grid would likely have been down for at least weeks because, in part, it is hard to do a cold start – where they don’t have some power to start up the network – and, in part, because of damage to equipment from the meltdown.

#3 – Homeland Security has been working for several years at figuring out how to deal with this (see #4 below), but it is a hard problem. Equipment is not standardized; most is not made in the U.S.; much of it is custom made to order and it might take a year to replace some of the damaged equipment.

#4 – Ever hear of Plum Island? Most people have not. It is a small island off New York’s Long Island. It is DHS’s private test bed for experimenting and for training grid technicians on doing a cold start, especially when there is an adversary working against them. DHS and DARPA work together to use the island, which has its own power plant and power grid, to test theories and train techs, but how many techs do you think you can train? There are probably millions that need to be trained.

#5 – The Trump administration commissioned a study that reported three years ago that the US was in danger of a “catastrophic power outage”. The problem, they said, was an aging grid dependent on oil and gas (and no, not on wind turbines, solar panels or a mythical green new deal). Here is a quote from the Trump administration’s own report:

“After interviews with dozens of senior leaders and experts and an extensive review of studies and statutes, we found that existing national plans, response resources, and coordination strategies would be outmatched by a catastrophic power outage… that could leave large parts of the nation without power for weeks or months, and cause service failures in other sectors—including water and wastewater, communications, transportation, healthcare, and financial services—that are critical to public health and safety and our national and economic security.”

The report urged “significant public and private action”. What did the administration do? Nothing much.

The governor, who is under a lot of pressure right now, said the problem was due to green energy – wind turbines and solar. He didn’t point out that the Space Station is completely powered by solar (no oil up there) and it operates in a temperature range of minus 250 degrees to plus 250 degrees. Forbes says that wind turbines work in cold climates. Finland uses them and it gets pretty cold there.

The problem is that no one in Texas wanted to spend the money to winterize their grid, even after a smaller meltdown in 2011 and recommendations (but not mandates) to fix the problem.

#6 – The problem is that oil, gas and coal have to be replenished. Oil and gas have to flow through pipelines. Coal has to be transported, usually by train. If you lose the flow for some reason, the power goes off.

#7 – Other parts of the world were cold too. In Colorado it got down to minus 15 (way colder than Texas) in the Denver area and minus 30 in other parts of the state. Colorado uses green energy too. Note that there were no significant outages in Colorado. Why? Because the state was prepared for it.

#8 – It could have been a lot worse. As bad as it was in Texas, the grid only failed there. I grew up in the Northeast and I am old. I remember what is now called the great northeast blackout that started on the evening of November 9, 1965. New York activated 10,000 National Guardspeople and 5,000 police reserves that night to deal with the chaos. That blackout, along with a similar one in 2003, caused the feds to change the rules for utilities that they regulate. One thing they did was automate a lot of what was done manually because in that case, they only had seconds to do an orderly blackout instead of a meltdown. They were able to restore power in about 48 hours as I remember.

#9 – Texas is big into the concept of a free market economy. Like California before them, they deregulated the energy industry decades ago. As a result, some consumers were charged the going market rate for electricity. Electricity that normally cost 2 cents per kilowatt hour shot up to $9 per kilowatt hour. This means that some people got electric bills of $5,000, $10,000 or even $15,000 for the week of cold. Needless to say, Texas legislators are bearing the brunt of the upset from unhappy residents.

Bottom line, there was plenty of warning that this could happen, but no one – not the Texas regulators, legislature or governor or the national administration – did anything to mitigate the problem.

While we have only started dissecting the situation and there are a lot of investigations still going on at all levels, including Congress, we already know many things that have to be done.

And, while Texas is in the spotlight, they are far from alone, so hopefully utility regulators in other states will make changes without having to have a meltdown.

I think we will have to wait and see.

New York Issues Cyber Insurance Framework

Early this month, New York’s Department of Financial Services, the regulator for banks and insurance companies, issued guidance on cybersecurity insurance.

Unfortunately, the guidance was not to insurance customers; it was for insurance companies.

The regulator is concerned that big breaches may cause insurance companies to go out of business.

DFS advised insurers against paying ransoms, in part because they may run afoul of new Treasury Department regulations that consider those payments aiding terrorists.

Insurance companies had to pay out almost $3 billion after the Not Petya attack for policies that didn’t say anything about cyber events.

DFS wants insurers to consider 7 specific practices. These practices are designed to help insurers understand risk, set prices and control payouts.

None of this helps clients.

Attacks like SolarWinds may cause insurers to exclude coverage to companies who bought insurance to get coverage.

ONE THING THAT CARRIERS ARE DOING IS MAKING COMPANIES COMPLETE SECURITY QUESTIONNAIRES AND IF THEY DON’T LIKE THE ANSWERS, THEY ARE EXCLUDING CERTAIN COVERAGES.

All this means that it is even more important than ever to have an insurance agent who is specifically knowledgeable in cyberrisk insurance.

Credit: CSO Online

What the Heck is ‘Zero Trust’ Anyway?

If you read the security news or talk to security vendors, the buzz word of the year is ZERO TRUST. Many vendors tell you that they have the zero trust answer. The reality is a lot more complex.

Zero trust is not a product or even a family of products. It is not a platform. It is really a strategy built around one concept: “never trust, always verify”.

Vendors and their products are certainly a component of zero trust, but not a silver bullet.

Still, zero trust is a good idea and you should begin to understand it if you do not already.

One challenge with the traditional security strategy of “moat and drawbridge” is that the strategy worked reasonably well when you knew where the castle was. But today there is no castle: people are everywhere, and so are servers and services. Zero trust is designed to be flexible enough to work without a perimeter.

Zero trust is a journey. It requires education and research and even I can’t explain it in a blog post. Here are some things to consider in the zero trust journey.

  • Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps.
  • Mapping the output of this maturity assessment to the ZTX framework to understand which pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve.
  • Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects.

Here is a tutorial on zero trust.

Credit: Forrester

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps, and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. Their notice says that they don’t moderate and then proceeds to talk about all the content moderation they are doing – likely to try to stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, apparently, according to court documents, the FBI can get into iPhones that are in the “after first unlock” state following power-up (which is 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite, they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain, and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor, or will they also allow iPhone users to repair their phones? Credit: Vice

Lawsuits Often Follow Ransomware

Last October Wilmington Surgical Associates was dealing with a ransomware attack.

Allegedly, the Netwalker ransomware group stole 13 gigabytes of data, which in today’s world easily fits on a flash drive, and leaked that data online.

The patients of the North Carolina clinic whose data was stolen and leaked are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…” 

Hackers often post “proof” that they have really stolen the data. In this case, the initial post leaked 3,702 files and 201 folders, which included both patient and employee data. Given the nature of the business, most of the data stolen was likely sensitive.

The clinic notified 114,00 people just before Christmas, likely within the legal notification timeline.

The lawsuit says that Wilmington Surgical inadequately protected the PHI and PII in their possession and maintained data in a reckless and negligent manner.

They also claim that the clinic failed to properly monitor its network, system and servers.

The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical to improve its data security systems, as well as to submit to annual auditing and to provide adequate credit monitoring services paid for by the provider.

While some of these suits are settled quietly, others come with multi-million dollar settlements. There have been a number of these lawsuits filed recently.

So here is my question for you. If you had a breach and the claim was similar to the one above in red, how would you or could you defend yourselves? Just asking.

Credit: Health IT Security