All posts by mitch tanenbaum

Lithium Battery Fires Threaten the Existence of Recycling

As more and more communities mandate recycling, there is an ever increasing number of devices being thrown into recycling bins that contain lithium batteries.

In September 2016 a four alarm fire broke out at the Shoreway Environmental Center outside of San Francisco. The fire caused $6+ million in damage and caused the plant to shut down for more than four months, requiring them to layoff 70 employees.

Based on public records obtained by Motherboard, the fire broke out at 8:22 pm. The staff discovered the fire within a minute and attempted to put it out with water and fire extinguishers, but within five minutes, they realized that the fire was getting larger, abandoned attempts to put it out and evacuated the facility.

Around a hundred firefighters fought the fire for hours and a large part of the facility was destroyed.

Motherboard’s FOIA request said that the source of the fire was eventually determined to be an improperly recycled lithium-ion battery.

Unfortunately, traditional firefighting tools like water and foam do not react well with lithium. In fact, lithium reacts with water and produces lithium hydroxide and also hydrogen. Remember the Hindenburg? That’s kind of what happens.

Since the fire above, that recycling plant has had 47 more fires. 45 of them were said to be caused by lithium ion batteries.

There are numerous reports of these types of fires.

As we use more and more consumer electronics and all of those electronics have batteries in them and many of those are not disposed of properly, the risk of fires goes up.

Doug Kobold, executive director of the California Product Stewardship Council says “Every (Materials Recycling Facility) MRF, pretty much, in California is experiencing fires, if not on a daily basis, on a weekly basis,”. He said “We’re on the fringe of losing our recycling infrastructure that we’ve built over several decades to try and recycle this stuff.” 

A UPS cargo plane even caught fire and crashed as a result of batteries, causing the government to require these huge warning labels on any box that is shipped, even if it has a small lithium battery in .

This problem is likely to get worse as we consume and get rid of more electronic toys.

I think it is unlikely that consumers will somehow become more aware of this risk and dispose of batteries more safely, but, I am afraid, we are going to have to do something to reduce the risk. Not sure what.

Credit: Motherboard

Are You Prepared for the Insider Threat?

Security tool provider Proofpoint released a report to identify the costs and trends associated with insider threats.

While the stereotype for insider threat is the malicious insider, that is only one part of the insider threat. Other insider threats include the negligent insider and the compromised insider.

The report, conducted by Larry Ponemon’s group, said that impacted organizations spent, on average, $15 million a year on overall insider threat remediation and it took them 85 days to contain each incident.

Proofpoint says that the combination of sustained remote and hybrid work along with the great resignation has resulted in increased risk around insider threat.

Some of the key points from the report are:

  • Cost due to insider threat is up 34% from 2020
  • The overall number of incidents is up by 44% in the last two years
  • The majority of the insider threat is due to negligence, which means that no organization is immune. We are not talking about spies here, we are talking about people not taking enough care to protect the information
  • A quarter of the incidents were due to malicious insiders and each of those incidents cost more than a half million dollars to fix
  • Credential theft incidents have more than doubled since their last study and cost over $800k each to fix

Not surprisingly, financial service organizations and professional services have the highest average costs.

While large organizations spent more on average to resolve insider incidents, companies with less than 500 employees spent an average of $8 million, which is quite substantial.

Some of the clues that your organization is at risk are:

  • Employees are not trained to understand security requirements
  • Employees do not know how to protect their devices
  • Employees send confidential information via unsecured channels
  • Employees break the rules to make things simpler for them and
  • Devices are not actively patched

For more information, see the report here. Credit: Help Net Security

Security News for the Week Ending January 28, 2022

Biden May Use China Rule on Russia if it Invades Ukraine

This COULD be a bluff, but the administration may use the foreign direct product rule on Russia, like they did on Huawei, if Russia invades Ukraine. Depending on how it is used, it could have crushing implications on anything in Russia that uses microchips. When used against one company in China, Huawei, it reduced their revenue by 30 percent. If it used against a country, it could be worse. This could be a threat, but no one knows if a threat could be real. Credit: WaPo

The Donald Trump Virus

No, this has nothing to do with Covid. The Donald Trump Packer malware delivers both remote access trojans (RATs) and other infostealers. It gets its name from a hard coded password named after Trump. The malware is called DTPacker. The campaign is active and has used fake British football web sites, among others, to deliver its malware. Credit: Threat Post

Let’s Encrypt to Revoke 2 Million Certificates Today

Let’s Encrypt found two bugs in their certificate issuing software and as a result, they will revoke about 2 million certificates on Friday the 28th. That number represents about 1 percent of the active Let’s Encrypt certificates so, while it is a large number, it is a small percentage. Users who are affected will get an email and will have to renew their certificates. This is NOT the result of a breach or a hack, just them being extra cautious. Credit The Register

Microsoft Mitigates Largest DDoS Attack Ever Reported

Microsoft says its Azure DDoS protection platform stopped a 3.47 terabit per second attack last November. This translated to 340 million packets per second. The attack came from about 10,000 computers in multiple countries and used multiple techniques. Can your infrastructure handle this? Credit: Bleeping Computer

World Economic Forum Says it Takes 9 Months to Identify and Respond to a Cyberattack

In 2021 ransomware attacks rose by 151%. Each successful attack cost the company $3.6 million, on average. The Forum says that even after 6 month of a breach becoming public, company share price underperforms the NASDAQ by -3%. More concerning, on average, companies need NINE MONTHS to identify and respond to a cyberattack. Read the details at Cybernews

When Did You Last Patch Your Smart Refrigerator?

IoT – Internet of Things – devices are great. Whether it is Siri telling you the score of a sporting event or your refrigerator telling you to buy more milk, it makes life easier.

But there is a problem with them. Many of you know that I am not a real advocate of smart whatevers, but that doesn’t mean you should not use them. It means you should be smart about using them. Understand the risk.

I said there was a problem with IoT devices and here it is. IoT devices have software in them and software has bugs. Bugs could mean that your TV crashes and you have to turn it off and back on. But bugs could also mean that your firewall could quit protecting you and join the other side.

Fast forward to today.

The authors of malware that targets a variety of IoT devices released the source code to the malware on the Internet (GitHub). That means that any script kiddie can use it to infect their own set of IoT devices.

It is named BotenaGo and it comes with exploits for 30 different vulnerabilities for products from vendors like Linksys, D-Link, Netgear and ZTE. And likely, soon, more.

And since you have not patched your smart refrigerator lately (or maybe you have? Have you?), your smart device could be the next source of attack.

Why the authors decided to make it public is not clear. However, that does make it easy for other attackers to use it as the base for their own version of malware. Or many other versions.

AT&T’s Alienvault says that only 3 out of 60 anti-virus products on VirusTotal can detect BotenaGo, but consider this. With the source code out there, hackers could make a hundred variants, none of which might be detected.

AND, are you running anti-virus software on your refrigerator?

Probably the most important thing to do at this point is make sure that your IoT devices are patched – assuming your vendor even releases patches and segment those devices to the maximum degree possible. If they are not patchable, you might want to consider replacing them. New devices should always be self-patching. That way YOU don’t have to worry about patching your refrigerator.

Credit: Dark Reading

News Flash: Google Tracks Your Location

That is probably not news to most people.

What is probably news – maybe – is that even when you think you tell Google not to collect and store your location data – it does so anyway.

Or, at least, that is the several lawsuits claim.

In the lawsuit filed Monday in a District of Columbia court, D.C. Attorney General Karl Racine alleges Google has “systematically” deceived consumers about how their locations are tracked and used. He also says the internet search giant has misled users into believing they can control the information the company collects about them.

https://www.securityweek.com/dc-3-states-sue-google-saying-it-invades-users-privacy

The DC AG says “in reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location”.

And, just in case you think the DC AG has gone crazy…

The Attorneys General of Texas, Indiana and Washington state have all filed similar lawsuits.

If you think about it, Google makes 80% of their revenue from selling ads. Location is an important part of selling targeted ads. Showing me an ad for a restaurant or retail store a thousand miles away is unlikely to translate to a sale. Location is very important to them.

Google, of course, says these Attorneys General are wrong and Google deeply cares about your privacy. I would add to that …. unless it affects our profitability.

In December 2020, ten states filed a federal lawsuit accusing Google of anticompetitive conduct.

In October 2020, the U.S. Justice Department joined by 11 states filed an antitrust lawsuit against Google for abusing its online search dominance.

European regulators have imposed multi-billion dollar fines for anti-competitive practices.

In May 2020, Arizona filed a lawsuit accusing Google of deceiving customers about protections for their personal data. Documents unsealed in this case showed some Google engineers were troubled by the way the company secretly tracked movements of users who did not want to be followed.

There seems to be an awful lot of smoke here for there to be no fire, but it will be years before all of this plays out. Still, get some popcorn. It will be interesting.

Credit: Security Week

UEFI Bootkit Virtually Impossible to Remove

Bootkits are designed to be undetectable but typically you can reformat the hard drive and reinstall the operating system or, worst case, you can replace the hard drive to disinfect the computer.

But wait, there is more.

Security researchers from Kaspersky. the Russian cybersecurity company that we can never figure out who’s side they are on, disclosed a new bootkit, code name MoonBounce.

This bootkit does not hide anywhere on the hard drive like most bootkits do. That means that formatting the disk or even replacing hard drive WILL NOT get rid of the malware.

So, if it does not hide on the hard drive, where does it hide?

It infects flash memory called SPI memory on the motherboard by taking advantage of flaws.

There are only two ways to get rid of the malware. One is to reflash the SPI memory, an extremely complex task. The other is to replace the motherboard and destroy the old one. Neither is terribly attractive.

Worse yet, given where it lives in the SPI memory controller, there is no easy way to even detect that it is there.

UEFI was designed as a replacement for the old computer BIOS because the BIOS was not secure. The UEFI uses a number of techniques to secure a chain of trust during the boot process to try and stop malicious code from compromising that process. That all works until hackers find bugs in it.

Kaspersky is aware of three bootkits – this one plus LoJax and MosaicRegressor.

But other researchers have found several more including ESPectre, FinSpy’s UEFI bootkit and others.

Kaspersky says this means that what we once thought was impossible – compromising UEFI – is clearly far from that. Still extremely hard, but not impossible.

MoonBounce, Kaspersky says, is the product of China’s APT41.

I am sure that we will learn more about these very rare incursions over time, so stay tuned.

Credit: The Record