All posts by mitch tanenbaum

Cell Phone Providers Face GDPR

British celebrity food writer Jack Monroe had her cell phone number hijacked and, after that, the hackers were able to receive her two factor authentication codes and access her bank and payment accounts.

She was already doing more than a lot of people do security wise – she was using two factor authentication.  BUT, the two factor authentication method was for the bank to send her a text message.

The attack is called SIM Jacking and it works like this.  The attacker calls the cell company and convinces an employee that the attacker is the phone owner.  Then the attacker says that he or she bought a new phone and needs to move her number to the new phone.  The cell phone company employee asks a couple of simple security questions, the hacker answers them using either publicly available information sources or data from previous breaches, and poof, the hacker now owns the victim’s phone number.

Alternatively, as we recently saw with AT&T, the attacker can just pay off the employees to knowingly break the law and move the number to a phone controlled by the hacker.

In Jack’s case, once this was done, the hacker could now ask the bank to do a password reset and since the attacker now owns Jack’s phone number, the attacker gets the two factor code and the bank gives the attacker access to Jack’s bank account.

In Jack’s case, that cost her 5,000 British Pounds.

The phone company has given her back her phone number but the bank says that it will take a while to get her money back.  I’m not sure what they think she should do in the meantime.

In terms of recommendations, if you can use a two factor authenticator app on your phone such as Microsoft Authenticator, Google Authenticator, Facebook’s authenticator or Authy instead of a text message, that will defeat this attack because the codes do not depend on your phone number.

If you are not using any two factor authentication on your online banking and other financial services accounts, turn that on now.

And, if you have not registered for online accounts for your banking or brokerage accounts because you think it is too risky – it is more risky to not do it, because then there is nothing to stop a hacker from registering for an online account in your name.

The more interesting part is this.  Some folks in England are slightly upset and are suggesting that the Information Commissioner’s Office needs to investigate whether the phone companies violated GDPR by not protecting consumers’ information.  Assuming the ICO does investigate and it does not like what it finds, it can fine the phone provider up to 4% of its annual global revenue.  While these investigations take time, it would definitely be interesting.

The only reason these SIM Jacking attacks work is that the phone companies do not want to inconvenience customers by making the security effective.  When I forgot my Sprint login, I had to go into a Sprint store and show them a government issued ID.  While this is not perfect, it is probably harder and riskier than most hackers want to deal with.  But also less convenient.

It might also be inconvenient to be fined a few hundred million dollars, as Marriott and British Airways recently learned when the same British ICO fined them for violating GDPR, and in their case it wasn’t even willful, as it is here.  This may be the only way to get carriers to get serious about security.

But stay tuned; this is far from over.  Source: BBC


Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week


Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor whose products have been banned for use by the US government, reported a new malware attack that bypasses encryption on a user’s PC using a very novel technique.  Rather than crack the crypto, the attack compromises the random number generator on the computer, weakening the crypto algorithm and making the encryption easy to break.  Very creative.  Source: The Register


vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches.  This time it is a remote code execution (RCE) flaw and two SQL injection (SQLi) flaws.  vBulletin runs on at least 100,000 web sites.  While these vulnerabilities are not as bad as last week’s, you should patch them soon.  Source: The Hacker News.


Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family, and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.


Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free, other states will likely follow.  Source: CNN.


Cyber Insurance For Mere Mortals

We have been trained by the insurance industry that you buy insurance and if you have an event, you make a claim and get paid.

For the most part, with your auto insurance or your homeowners insurance, that is the way it works.

Rarely, but sometimes, you discover that you don’t have the right coverage (like not having flood insurance in New Orleans or not having earthquake insurance in California).

Insurance companies carve out exceptions to coverage to limit their liability and, they would say, to make insurance more affordable.

But when it comes to cyber insurance, it is kind of like walking through a mine field with no mine detectors or maps.

Witness this:

AIG is being sued by a customer in New York because the client was suckered in by a series of business email compromise attacks where the customer lost almost $6 million.

AIG’s defense is that their policy doesn’t cover dishonest, fraudulent or criminal acts.

Isn’t that what most cyber insurance is designed to cover – crime?

AIG did provide legal fee coverage when their client was sued by its own client for losing its money.  That was covered until they figured out that this was related to crime.  But getting the $6 million back – that is not covered.

They say the language of the policy is:

alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission or any knowing or intentional violation of the law…

Since we don’t have a copy of the actual insurance policy, we don’t know whether this is really a cyber risk policy or something else.

In another case, Zurich Insurance is refusing to reimburse Mondelez for costs related to the NotPetya attack a few years ago.  Mondelez, the company that owns Oreos, Ritz, Tang and many other brands, lost over $100 million as a result of the attack.

In the Mondelez case, they are trying to use an “all-risk property insurance policy” because, they say, NotPetya resulted in the failure of the Insured’s electronic data processing equipment.

In this case, Zurich says that they won’t pay [probably ‘cuz a hundred million dollars is a lot of money] because there is an exclusion for hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].

It appears – but I can’t be certain – that in both of these cases, the companies didn’t have legitimate cyber risk insurance but rather were trying to claim coverage under other policies that might have some possible overlap.

That being said, cyber risk policies in almost every state are non-standard form policies meaning that the state insurance department doesn’t approve the language of the policy.

Cyber risk policies are also considered “excess-lines” insurance in most states with a big warning about that in the front of the policy.  This means that you cannot file a complaint with the state insurance commissioner if you don’t like how the insurance company is operating.

So does this mean that cyber insurance is worthless?

Not in my opinion.

It does mean that you should not try to claim coverage if you don’t have a cyber risk policy, although, I guess, you can try.

Most insurance companies will not pay cyber claims under other policies.  Their actuarial data just doesn’t allow for that.

I am not sure what to do about AIG’s claim that their policy doesn’t cover fraudulent or criminal actions.  Isn’t that a major reason why you buy insurance?  That seems kind of like having auto insurance and, when your car is stolen, the insurance company says we don’t cover it if someone steals your car.  BUT, if, for example, all you bought was liability insurance, then you really don’t have the right coverage and they won’t pay for your stolen car.

When it comes to lack of coverage due to hostile or war-like actions, well that is pretty nebulous.  I would say almost all hacking is hostile.  Is it done by a government or government agent?  Maybe, but much hacking is done by governments.

I have worked with clients to get insurers to remove, restate or restrict that war-like nonsense.

What does all this say?  When you buy cyber risk insurance – and I think you should do that – you need to have an expert on your side.  One who doesn’t earn a commission from writing the policy.

You also need a broker who understands cyber risk insurance.  One question I always tell clients to ask their broker is: how many millions of dollars of cyber risk insurance of the type we are looking for did you write last year?  Or how many policies did you write?  And do not let them include general liability that has a useless cyber rider.

If they wrote 1,000 or 5,000 policies last year and only 20 of them were cyber policies, how much of an expert do you think they are about those 20 policies?

Their world revolves around commissions.  If they made $1,000 in commission from cyber policies and $100,000 from other insurance, where do you think their attention is going to be?

Get the right policy from the right broker underwritten by the right insurer.

P.S., if you need help, contact us and we will connect you with some great brokers.

Source:  Cyberscoop




The Feds Take Another Run At Getting Rid of Encryption


This is not really an opinion piece, but some people might think it is, so I will go for over-disclosure and call it that.

The Feds really don’t like encryption.  It gets in their way when they want to do mass surveillance or even targeted surveillance.

For hundreds of years the Feds could listen in to any conversation that they wanted to, whether it was planting someone in the local pub to overhear your conversation, tapping your phone or more recently reading your email.

In concept, when done appropriately, this is a necessary evil.  I would not say it is a good thing, but there are bad people out there and you have to keep them in check.

In the 1990s a guy named Phil Zimmerman invented a piece of software called PGP.  It was free and it brought encryption to a lot more people than had it before.  It was far from easy to use, so most people didn’t use it, but still the government didn’t like it.  For five years the government tried to get Zimmerman locked up for inventing it (technically, they said that encryption was governed by the International Traffic in Arms Regulation (ITAR) and so you could not export it, and since it was available on the Internet, he was exporting it).  The public never bought the argument and finally, in 1996, the government gave up.

Once the government realized that they could not put Phil’s genie back in the bottle, they came up with another idea called the Clipper chip.  The Clipper chip had a built-in backdoor so the feds could decrypt anything that was encrypted using it.  People realized that encryption done that way wasn’t really private and never signed on to buying Clipper chips.

In the mid 1990s the Feds noticed that phone companies were implementing digital central office phone switches, which meant they could no longer come into a phone company office and put a couple of alligator clips on your home phone line to listen to the mob, so Congress passed CALEA in 1994.  CALEA gave the phone companies billions of dollars (literally) to install digital back doors in their central offices.

Things got sort of quiet after that, with the FBI complaining to anyone who would listen, but Congress never listened for some reason.

Part of the logic might have been that if encryption is so bad, crime must be going crazy, but that wasn’t true.  For the most part, in general, crime was level or maybe even going down a little – of course there were exceptions, but nothing massive to indicate that crooks were really smart and hiding all of their actions.

Over the last ten years or so, the FBI and various Justice Department folks said that we needed to put a back door in encryption to find terrorists.  For whatever reason, people still didn’t believe them and Congress has been unwilling to mandate an encryption backdoor.

All during this time, encryption was becoming more and more ubiquitous, including encrypted phones, both Apple and Google.  The Feds said that the world was going dark because of all of this encryption, yet they continue to find and arrest cyber criminals and terrorists.  Maybe not all of them, but a lot of them.

But the Feds are not giving up.  They want Facebook, Google, Apple and others to build in back doors to their messaging applications.

The reason they now want to add encryption back doors?  It’s the children.  Poor.  Defenseless.  Children.  After all, the child molesters and kiddie porn freaks – surely they must be using encryption.  I guess they are.  I mean, what if they catch a kiddie porn pervert and his phone is encrypted?  Surely he will get off scot-free.

Well it turns out that even that isn’t quite true.  The New York City District Attorney signed a deal about two years ago with the Israeli company Cellebrite.  Cellebrite claims to be able to get the data off almost any phone, Android or iPhone.  Probably pretty accurate.  Now it has come out that New York is offering this phone-hacking-as-a-service to other law enforcement agencies as well.  But this is not as easy as vacuuming up all of the data from everyone and looking for anything that seems interesting.

Still, the government does have tools.  Raytheon makes a box called a Stingray.  Originally it was designed for the military to use in the Middle East and other hot spots to watch terrorists, but money wins out and Raytheon will sell it to law enforcement everywhere.  Recently, we have been watching a spy vs. spy game as it has come out that people have found numerous Stingray or Stingray-like devices all over DC, including around the White House.

That is the problem with stuff.  You can’t keep the genie in the bottle.  If we create an encryption back door and say that only the cops can use it, that will last for at most a few months before the secret is no longer secret.

If you think we have all of this cyber crime now, with all of this encryption, you can’t imagine what it might be like if we don’t have secure encryption.  And this is definitely a genie that you will not be able to get back in the bottle.

Just my opinion.





Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who is pretty much single-handedly responsible for the California Consumer Privacy Act, is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency, since it seems that the current AG isn’t really excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in 2020, with an effective date sometime after that.

Source: WaPo


Security News for the Week Ending October 4, 2019

Just a Wee Bit Over the Top

There is a nut job who bought an old cold war era bunker in Germany and turned it into a “bullet-proof” hosting center similar to what we see in Russia and elsewhere – where they let you host anything, legal or otherwise.

Apparently the Germans got tired of this guy, who calls himself HRH Prince Sven Olaf of CyberBunker-Kamphuis and thinks he runs his own country.

The overkill part is that they sent in 600 paramilitary troops to arrest him and a dozen of his employees who were in this bunker.  I wonder how much that cost them.  Source: The Register

Hacker GnosticPlayers Steals User Info From Zynga – 218 million people

This guy seems to be on a mission.  After stealing about a BILLION (yup, that’s right) userids already, he just added 200+ million Zynga gamers to the mix.  While the information isn’t super sensitive, this points to how weak security is in many places.  Source: The Hacker News

Demant Hearing Aids Expects to Spend $95 Million Due to Ransomware Attack

In case you tend to dismiss ransomware attacks, Demant, the Danish hearing aid manufacturer, says that an unidentified cyber incident will cost them between $80 million and $95 million, due to lost sales as the outage (likely ransomware) impacts shipping, receiving and production.  Source: ZDNet

TEN More Hospitals Hit By Ransomware Attacks

Three hospitals in Alabama and seven more hospitals in Australia have been hit by ransomware.  In the Alabama attacks, ambulances are being redirected to other hospitals and if someone walks into the ER, they will stabilize the patient and transfer him or her elsewhere.

The hospitals in Australia also say that patient services are being affected.  Source: Ars Technica


Baltimore Did Not Have Backups For Key Files

Baltimore lost a lot of key data because it did not have effective backup policies.  Users were storing the only copy of data on their local hard drives.

While it is fun to criticize Baltimore, when is the last time that your company actually tested that you have readable backups for **ALL** of your key data, including, and especially, data stored in the cloud?

Baltimore is going to spend about $10 million and lose an additional $8 million in revenue due to the attack.  Source: Dark Reading
