All posts by mitch tanenbaum

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
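The defect the notice describes is a stale authorization check: someone who had once been on a case kept read access after being removed. The following is an added example, not code from the State of Illinois or IES, that models that defect beside the rule the notice says replaced it (case data visible only to the current head of household). Case IDs, person IDs and dates are constructed sample data, and the function names are this example's own.

```python
"""
Added example (not from the Illinois notice above): a toy model of a benefits
case with a membership history, a "stale" view check that ignores removals,
and the corrected check that limits viewing to the current head of household.
All identifiers and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed: the date on which the notice says the access rule was changed.
FIX_DATE = date(2021, 1, 8)


@dataclass
class Membership:
    person_id: str
    added: date
    removed: Optional[date] = None  # None means still on the case

    def active_on(self, when: date) -> bool:
        """True if the person was on the case on the given day."""
        return self.added <= when and (self.removed is None or when < self.removed)


@dataclass
class Case:
    case_id: str
    head_of_household: str
    members: List[Membership] = field(default_factory=list)


def can_view_stale(case: Case, person_id: str, when: date) -> bool:
    """The defect: anyone who ever appeared on the case may still view it,
    because the check never consults the removal date."""
    return any(m.person_id == person_id for m in case.members)


def can_view_fixed(case: Case, person_id: str, when: date) -> bool:
    """The corrected rule: only the current head of household may view the
    case; former members and other current members may not."""
    if person_id != case.head_of_household:
        return False
    # Defensive: the head of household must also be an active member on that day.
    return any(m.person_id == person_id and m.active_on(when) for m in case.members)


def sample_case() -> Case:
    """Constructed data: P1 is head of household, P2 was removed in 2019,
    P3 is a current member who is not the head of household."""
    return Case(
        case_id="CASE-0001",
        head_of_household="P1",
        members=[
            Membership("P1", date(2018, 1, 1)),
            Membership("P2", date(2018, 1, 1), removed=date(2019, 6, 1)),
            Membership("P3", date(2020, 3, 1)),
        ],
    )


def audit(case: Case, when: date) -> Dict[str, Dict[str, bool]]:
    """For every person who was ever on the case, report what each rule would
    allow. Handy as a regression check that no removed member retains access."""
    people = {m.person_id for m in case.members}
    return {
        p: {"stale": can_view_stale(case, p, when), "fixed": can_view_fixed(case, p, when)}
        for p in sorted(people)
    }


if __name__ == "__main__":
    for person, verdict in audit(sample_case(), FIX_DATE).items():
        print(person, verdict)
```

The audit function is the part worth keeping around: run it over real case data on a schedule and alert whenever a person with a removal date still resolves to "allowed", which is the condition the notice says went unnoticed until November 2020.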

Tesco Launches First Checkout-Free Store in London

Following the lead of companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores without having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app, and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. The attackers target the outdated software and poorly configured hardware of these systems, and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Introducing Trump Media & Technology Group

Former President Trump revealed plans for the Trump Media and Technology Group (TMTG). His plan, apparently, is to copy Facebook and Twitter and Google and Microsoft and Amazon and …

Even for him, that is pretty ambitious.

TMTG News would be a competitor to CNN – but also to Fox and OAN and all of the other conservative media that have given him a voice over the last 5 years. I guess it is payback time.

Another part, called Trump Social, plans to compete with Facebook and Twitter, similar to what GETTR and Parler tried to do.

One slide in the pitch deck says that there is a long term opportunity to build a TMTG tech stack that competes with AWS, Google and Azure. And also competes with Stripe.

Also Netflix.

It is immediately being listed on the NASDAQ using a SPAC, a popular reverse merger tool that allows companies to go public with a very thin review. The difference between investors in TMTG and people who buy Trump hats for $40 is that the investors expect a return on their investment and they are very fickle.

There are things people should consider before investing in TMTG. Trump has a history of bailing when things get tough, leaving the investors high and dry. He has filed for bankruptcy at least 6 times, and that is just the casinos. Other operations like Trump Airlines and Trump Steaks and Trump Wines just went away.

Personally, I think competition in this space is great. I hope he is successful.

But companies like Facebook and Amazon have spent billions of dollars and have some of the brightest minds in tech. If he thinks they are going to lie down and let him roll over them, I think he is mistaken.

They also have massive patent portfolios and they might choose to follow his own history and sue TMTG into oblivion for patent infringement.

Still, the battle will be interesting and we should watch what happens.

Companies like Facebook and Google have laid their own undersea transoceanic fiber optic cables to obtain cheap bandwidth. Netflix alone represents something like 33% of all bits on the Internet. I doubt his competitors will be willing to sell him space on their fiber.

Reports from people who have seen previews of Trump Social (actually they hacked it, since you can’t sign up for it yet, which is not a good sign) say it is just a repackaged version of Mastodon, a free, open source social network framework.

If he is successful, even if it is only to a degree, it could mean even faster innovation and lower prices for consumers and businesses, which would be great.

Currently, Google competes with Microsoft, Amazon competes with Walmart. More competition is better.

Stay tuned.

Credit: Vice

NSO’s Pegasus Spyware No Longer Works in the UK, US

At this point, this is only a rumor, but maybe with high confidence. The Israeli spyware company NSO Group continues to get into trouble as they sell their software, pretty much, to anyone who will pay the price.

Earlier this month a UK court ruled against NSO that it was likely that a Dubai princess and her lawyers had their phones hacked by the NSO software, probably at the request of her ex-husband.

Amazingly, at virtually the same time, according to an unnamed source, NSO stopped the software from working on phone numbers in all FIVE EYES countries (UK, US, Canada, Australia and New Zealand).

For how long is unclear.

NSO is facing a lot of lawsuits right now, so they may be trying to deflect some heat. Since they are not publicly saying what they are doing or for how long, I would not count on the good behavior lasting. Too much money to ignore.

What likely happened is that some parts of the international intelligence community “suggested” they cool it for a while; otherwise, they might be forced to take some actions like they did in Iran with Stuxnet. If you remember, Stuxnet generated a complete meltdown of Iran’s nuclear program. It is highly likely that the NSA or GCHQ could do the same thing to NSO if they wanted to. Not saying that is what happened, but…

The NY Post reported that the Princess paid $6.4 million to keep an affair with her bodyguard secret. When this fact came out the Princess, daughter of King Hussein of Jordan, left Dubai with her two young children from her marriage to the Sheikh. It is likely that all of this ugliness is what caused the Sheikh to decide to hack her and her attorney’s phones.

The Sheikh was a bit unhappy with her sudden departure and tried to get the UK High Court to return the children. I guess in the UAE, all is fair in love, war and child custody. He even tried to kidnap the kids using a helicopter.

All of this is kind of above my pay grade, but it does seem to poke some holes in NSO’s claims that they are good guys and their software is only used to catch bad guys, which is what their public story is.

How long NSO will continue to lose revenue opportunities is not clear.

What this “outing” of NSO means, however, is that fears that the Pegasus software was used to spy on diplomats, politicians, reporters and activists are likely true.

Credit: The Guardian

Coming Clean After A Hack

A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.

The agency that holds the data, RENAPER or Registro Nacional de las Personas, is translated as the National Registry of Persons.

The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.

But here is where things get messy.

The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.

The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.

Three days later the government concocted a story that says they discovered a VPN account was used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.

Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19 names, where did the rest of the data come from? And at the exact moment? Shouldn’t there be some delay between stealing the data and using it? At least a little delay. They went out of their way to say at the EXACT moment.

When the media contacted the hacker after the government published their likely made up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.

The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.

The hacker didn’t deny that the VPN leak was real. It is a possible point of data extraction.

I can’t guarantee that the government is lying and the hacker is telling the truth, but sure seems that way.

If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.

It is also a problem for citizens if their card is used to commit a crime.

BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.

The government may be trying to figure out what to do. Reissuing – SECURELY – 45 million ID cards quickly is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?

This is a challenge for everyone who gets hacked – government or otherwise.

I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.

For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy. Credit: The Record

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others like a memory leak in File Manager that can only be recovered from by rebooting are more of a problem. I recommend waiting for a month or two in order for other users to detect more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An Unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service, or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes, like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode, or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, whose information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsifiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and that the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Businesses Losing Customers due to Connected Products Security Concerns

59% of cybersecurity executives at large and medium organizations say that they have LOST business due to product security concerns for connected and embedded devices.


45% say that customers want detailed information about what is in their devices, but only 11% of companies have high confidence that they can do that, even if they want to.

Only 27% of people interviewed said that their organizations conduct software composition analysis (what is in it) and only 30% say that they can easily generate a software bill of materials (as required by the new executive order).

So what does it take to develop secure products? More resources (62%), more expertise (60%), industry standards (46%). Only 21% said that they have a supply chain security policy.


On top of this, only half of the respondents said their organization checks the security of their products before they ship them.

The good news is that 74% of the organizations either have a Chief Product Security Officer or plan to hire one. In the next two years.

And, last but not least, only 10% have full confidence that they know all vendors in the supply chain for each of their devices.

Ready to buy one of them secure connected devices now?

Credit: Help Net Security
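The two numbers that matter most in that survey are the 30% who can generate a software bill of materials and the 10% who know every vendor in a device’s supply chain; the second gap shows up as components in an SBOM with no named supplier. The following is an added example, not code from the survey, the article or any SBOM tool, that walks a CycloneDX-format SBOM and reports which components lack a supplier or a version. The SBOM document and every component and supplier name in it are constructed sample data.

```python
"""
Added example (not from the article): a gap check over a CycloneDX JSON SBOM.
It lists components with no supplier name and no version, collects the set of
named suppliers, and computes how much of the bill of materials has a known
vendor. The document below is constructed sample data for an imaginary
connected-device firmware; none of the names are real products or companies.
"""
import json
from typing import Dict, Iterator, List

# Constructed CycloneDX 1.4 document. "components" may nest further
# "components" (a bundled library carrying its own dependencies), so the
# walker below recurses.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "example-gateway-fw", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libexamplecrypto", "version": "1.2.0",
     "supplier": {"name": "Example Crypto Ltd"},
     "components": [
       {"type": "library", "name": "example-bignum", "version": "0.4.1"}
     ]},
    {"type": "library", "name": "vendored-json-parser", "version": "0.9"},
    {"type": "library", "name": "mystery-blob", "supplier": {"name": "Unknown Silicon Co"}},
    {"type": "operating-system", "name": "example-rtos", "version": "4.1",
     "supplier": {"name": "Example RTOS GmbH"}}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse the JSON and refuse anything that does not declare itself CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def _walk(components: List[dict]) -> Iterator[dict]:
    """Yield every component, including nested ones, depth first."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def sbom_gaps(doc: dict) -> Dict[str, object]:
    """Report components missing a supplier name or a version, the distinct
    suppliers that are named, and the fraction of components with a known vendor."""
    missing_supplier: List[str] = []
    missing_version: List[str] = []
    suppliers = set()
    total = 0
    for comp in _walk(doc.get("components", [])):
        total += 1
        name = comp.get("name", "<unnamed>")
        supplier = (comp.get("supplier") or {}).get("name")
        if supplier:
            suppliers.add(supplier)
        else:
            missing_supplier.append(name)
        if not comp.get("version"):
            missing_version.append(name)
    return {
        "total": total,
        "missing_supplier": missing_supplier,
        "missing_version": missing_version,
        "suppliers": sorted(suppliers),
        "supplier_coverage": (total - len(missing_supplier)) / total if total else 0.0,
    }


def report(text: str) -> Dict[str, object]:
    """Convenience wrapper: parse and check in one call."""
    return sbom_gaps(load_sbom(text))


if __name__ == "__main__":
    r = report(SAMPLE_SBOM_JSON)
    print(f"{r['total']} components, supplier known for {r['supplier_coverage']:.0%}")
    print("no supplier:", ", ".join(r["missing_supplier"]) or "none")
    print("no version: ", ", ".join(r["missing_version"]) or "none")
    print("suppliers:  ", ", ".join(r["suppliers"]))
```

A component with no version cannot be matched against vulnerability data at all, so the "missing_version" list is the one to clear first; the "missing_supplier" list is the concrete form of the "do we know all our vendors" question the survey asked.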