All posts by mitch tanenbaum

Developers Using Unprotected Databases Exposing Millions of Passwords

Thousands of Android and iPhone mobile apps use the Firebase database.  The database runs in the cloud and, apparently, by default has no security.

The net effect of this is that 100 million records, or more, are exposed for anyone to capture.

Firebase, a database run by Google, is very popular with Apple and Android developers.  It is popular because it allows for synchronizing data automatically across devices.

The data stored includes userids and passwords and even banking records, all unencrypted unless the developers protected the data themselves.

Researchers discovered 3,000 apps leaking 2,300 databases with over 100 million records or 113 gigabytes.

The vulnerable Android apps, which are the majority of the 3,000 apps, were downloaded 620 million times, so this is a mainstream problem.

Developers are responsible for protecting the data that they collect and users count on them to do that.

So what are you to do?

First, if you are a developer, you need to consider security when you design applications.  If you can’t figure out whether the data you are storing is secure, you should not be in the development business.

Unfortunately, as an end user, you don’t really know whether the people who developed the app that you downloaded is secure. 

You can do research on the apps, but until this security flaw was announced, research would not have told you there was a problem.

The only other alternative is to be very selective about what apps you download.  That certainly is not a great answer either.

You also can be selective about what data you give the apps, but if, as some of these are, health data apps, and you don’t give the app your health data, what good is it?

Ultimately, the responsibility for this particular mess falls, for the most part, on the development community, so folks, you need to up your game.  Just my two cents.

Information for this post came from The Hacker News.

Facebooktwitterredditlinkedinmailby feather

The Risk of the Insider Threat

Elon Musk, CEO of Tesla, sent an email to all employees over the weekend telling them that the company was hacked by an employee who changed code on an internal product and sent company data outside without permission.

The software, the Tesla Manufacturing Operating System, is likely used internally in the manufacturing process.

The employee created false user names and then modified the software without approval.  He also sent large volumes of sensitive Tesla data to third parties.

This investigation is not over and there is a question about whether outsiders were involved.  There are lots of people who do not like the idea of an electric car, starting with the oil and gas industry and some Wall Street insiders.  The traditional car makers, who seem perfectly willing to lie and cheat to pass emissions test could also be motivated to harm Tesla.

In this particular case, the employee said he was mad because he was passed up for a promotion.  THAT was probably a good move since it is going to be hard for him to work from prison.

This is an important notice for all employers.

Every company, except those with one or two employees, have employees who are not happy.  Would an unhappy employee become a saboteur?  Hopefully not, but the larger the company is, the more likely that at least one person will have a grudge and could, possibly, act on it.

In Tesla’s case, even though this person created fake accounts to try and hide his deeds, the company had sufficient tools in place to uncover the sabotage and figure out who the employee was.

For your company, how much damage could a disgruntled employee do and could you detect it?  How quickly could you repair the damage?  Could you figure out who did the damage in order to prevent a repeat performance?

In today’s world it probably does not take much to get just one employee really peeved and if you have someone outside the company who could motivate that action with money – well you have really increased the odds.

Information for this post came from CNBC.

Facebooktwitterredditlinkedinmailby feather

IoT is Going to Set Security Back a Decade, at Least

Axis Communications, the Swedish maker of high end security cameras (up to $1,000 each), announced patches to seven vulnerabilities that affect almost 400 camera models.

Axis is not some cheap Chinese knockoff;  these are well respected cameras used in businesses the world over.

The vulnerabilities, discovered by the security firm VDOO, comes with in depth documentation and proof of concept code for all of the kiddie hackers to copy.

The vulnerabilities, used in combination, allow an attacker to take over a camera knowing only it’s IP address and not needing the password.

If the camera has a public IP address and is not meant for public consumption, these flaws would allow a hacker to bypass the security that the owner put in place and look at whatever the camera is pointed at, in real time.

So what do you do?

One more time, this is an example of the Internet of Things at its most challenging.

Most companies do not have a patch regimen for IoT devices.

In fact, most companies don’t even check for firmware updates for IoT devices on a regular basis,

This is like PCs 10 years ago.

So, the first step is to inventory all of your IoT devices and keep the inventory current.

Step 2 is to set up a protocol for checking for firmware updates at least monthly. Since IoT devices could be a dishwasher, TV and refrigerator, you will likely be checking with multiple different manufacturers to find all the patches.

Finally, the last step is to set up a protocol to patch your smart coffee maker and security cameras whenever new firmware is available.

Definitely a pain in the <bleep>, but necessary.

Facebooktwitterredditlinkedinmailby feather

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First thing is that the web site was based on WordPress.  While WordPress is a very popular site for individuals and small businesses; using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed;  only names, addresses, phones, emails,etc. were compromised.  This is likely due to security minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business and likely they are going to have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than Worpress. (Source: Variety )

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 in bogus wire transfers.  This represents 0.3 percent (about one third of one percent)  of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernadino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour.  Why that should have ever been open is not clear.  This will likely break some of the hacking software that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.   In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, an exploit that allows a process to infer the contents of floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux) and any Linux variant running version 4.9 of the Kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because, hackers think it is easy to do and the odds of getting caught is low.  This week it is Ethereum and they lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation.  Users leaving ports open on their client computers which allowed the attackers to steal the user’s wallets. (Source: The Hacker News)

 

Facebooktwitterredditlinkedinmailby feather

DoD Moving Forward on Cybersecurity After Breach

In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting.  Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.

Among the data compromised is cryptographic information about how the subs communicate.

Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.

DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done.  It is likely that we will never find out the true impact of this breach.

The category of information that was breached is known, generally, as controlled unclassified information or CUI.  The DoD has been talking for years about implementing an acquisition rule called DFARS 204.252-7012, securing controlled unclassified information and NIST SP 800-171, the how to guide for doing that.  December 31, 2017 was supposed to be the date the regulation went into effect, but in mid December the DoD blinked.  Again.  The instructions to industry were that they just needed to have a plan for becoming compliant.

But the problem is that no one was assigned to fix the problem.

In the wake of this new and recurring scandal, Defense Secretary  Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this.  The Under Secretary instructed the Defense Security Service, who is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too.  The challenge with that is the amount of controlled unclassified information and the number of people handling it dwarfs the amount of classified information by many times.

Given this, what should defense contractors and sub-contractors do now?

While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI and the Defense Security Service will expand their sphere of influence to contractors handling CUI.  Starting with the primes – and letting them handle the subs.  We have seen that this has already started, but we believe it will accelerate.

For the most part, what NIST 800-171 mandates is “best in industry” cyber security practices.

If you are a contractor, you should be actively working on becoming compliant.  You should have been already doing this, but there should be more urgency now.  Starting with implementing the policies, procedures and practices and moving on from there.  Adding the controls and monitoring; incident response and so on.

While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem.  All he needs to do is make it happen.  Remember, Generals, especially Marine Corps Generals,  are very good at “making it happen” and I would not question his desire to not be embarrassed again.  He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted.  Not a fun conversation.

Given all this, being prepared is a really good plan.  We can help.

Information for this post is based on a memo from the Pentagon.

Facebooktwitterredditlinkedinmailby feather

The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen  testers say that the attacks are TRIVIAL to execute an easy to mitigate against.

These ships are connected via satellite and are always on the Internet, like most businesses.  Just with crappy, insecure software.

The pen testers created proof of concept attacks were they took ships off course.  A bad guy could cause ships to crash into each other at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).    Hack the charts and young sailors who believe computers instead of “looking out the window” will be easily fooled.  They tested 20 different ECDIS systems and they were all easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can make the ship go anywhere they want it to go.  That is just one attack.

OK, so what does this mean to you and me?

Since most of us are not a captain of a tanker or container ship, it is not about that.  But,  if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has hundreds of computers in it and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about the security of it?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.

Facebooktwitterredditlinkedinmailby feather