All posts by mitch tanenbaum

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.

 

National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors says it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.

 

Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week

 

Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court  has ruled Customs and ICE Need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, over course, the complete opposite of what Customers and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register

 

Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

The Myths of Multifactor Authentication

Hopefully by now, everyone has at least heard of multifactor authentication.  But most people are not using it.  Google says that about 10 percent of GMail customers use it.  Based on our customer base, the adoption level for Office 365 users is higher, but not great.  And the adoption for other software is horrible.

To be clear, there are many different forms of multifactor authentication.  The most common but least secure is a text message sent to your phone, unencrypted, with a one time PIN.

While this is WAY better than just using a password, this can be compromised and has been in many cases.  Almost always, this is a targeted attack on a high value (either money or position) victim.  But not always.

A less common multifactor authentication method is to use an authenticator app on your phone.  That way nothing is transmitted at all, except during the initial setup and stealing your phone number does not allow an attacker to use your multifactor authentication.  They would have to physically steal your phone and it would need to be unlocked.  There are many free authenticator apps including from Microsoft, Google, Facebook and others.

So why aren’t people using multifactor authentication?

  1. Lack of awareness.  Computer folks understand the risk and how to deal with it, the average person does not.
  2. Fear.   People don’t like change, especially in situations where they don’t understand what or why.
  3. I’m not a target.  The reality is that everyone is a target because these hackers send out millions of emails a day.  They have no clue who their victim will be, for the most part.
  4. Only large companies need it/can use it.    Actually, it doesn’t take much.  Consumer services like Amazon, Facebook and GMail all support it.  Almost all banks support it.  There is a small learning curve, but once you get the hang of it, it is simple.
  5. It’s not perfect.   That’s true, but brushing your teeth is not perfect either.  Still, most people brush.
  6. I think the biggest issue is it’s not convenient. To some degree this is true.   But, as I often say when I am interviewed, is having an attacker empty your checking account or retirement account inconvenient?  More inconvenient than taking the extra few seconds to use multifactor authentication?

The good news is that it is not an all or nothing thing.

Start with your bank or brokerage account.

Add email.

Once you get used to it, it is not a big deal and way less inconvenient than having to deal with having all of your personal (AKA nude) photos posted online as many celebs have learned.

As Nike says, JUST DO IT!

Facebooktwitterredditlinkedinmailby feather

Yet Another Hosting Provider Hit By Ransomware Attack

SmarterASP.net, a web hosting provider with over 400,000 customers, was infected by ransomware over the weekend.

They are, at least, the third provider to be hit by such an attack.

Affected user web sites are down and the company’s website was also down.

Customers logging in might see a directory listing that looks like this

The encrypted files have the extension kjhbx, except for the ransom note below:

The company has not returned calls so it is unclear if they paid the ransom or are restoring from backups.

If this is like the previous hosting provider attacks, it will likely take weeks for them to restore all the data – if it all can be restored.

A2Hosting and iNSYNQ are two other hosting providers that were attacked earlier this year.

In 2017 South Korean hosting provider Nayana paid a ransom of over $1 million after they were attacked.

Hackers understand that if they can get a hosting provider to pay, the payday is likely a lot larger than attacking you or me.  As a result, attacks against cloud service providers are likely going to continue.

There is no obvious notice on the company’s homepage of the attack and for good reason – it is not terribly good for business.  They are likely hoping that this disappears off the radar and they can continue signing up customers.  There is a note buried on the support site, here.  It says don’t bother to call us or email us, we are kind of busy right now.

So what does this mean for you?

First of all, check your cloud provider’s contract that you signed – either without reading it or without caring.  It probably says that they will not charge you while your web site is down.  Beyond that, you are likely on your own.  Maybe your contract is different, but I doubt it.

You can try suing them for damages, but in light of the contract, that probably will go no where.

*IF* you have cyber risk insurance WITH  network business interruption coverage, you will probably be able to collect on your policy, but only if you have that coverage.

From some of the earlier attacks, it took the providers *WEEKS* to recover all the data – if they were able to recover it at all.

ARE YOU OKAY WITH YOUR WEB SITE BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH SOME OTHER CLOUD SERVICE PROVIDER THAT IS KEY TO YOUR BUSINESS BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH LOSING SOME OR ALL OF YOUR DATA FOREVER?

Assuming the answer to these questions is no, it is up to you to figure out a business continuity plan.  Assuming your data is permanently gone, it is up you to figure out what to do.

We have read stories of some companies going out of business after one of these attacks because customers fled or they lost all of their data.  These are the minority, but it does happen.

Plan for it now because dealing with it after the fact is no fun.

AND, your cloud service provider is likely not liable, other than not charging you for the service that you are not getting.

Information for this post came from ZDNet.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbing Against It

Encrypted DNS (either DoH or DoT) has become a political hotbutton.  Recently Vice reported that Comcast is spending hundreds of thousands of dollars lobbying against it.  Mozilla is writing to Congress saying that what Comcast is saying is not true and most interestingly, Comcast is testing its own DoT and DoH services.  Apparently, what is important is that they can continue to sell your data and not much else.  Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri by silently pointing a laser at the microphone and modulating the laser so that the microphone thinks you are talking to it.  This will work through a window.  In one test they were able to control an iPad from 33 feet,  In another test, they were able to control a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to hide your smart speaker so that no one can point a laser at it from outside your home, for example, and tell it to buy stuff or unlock the door or whatver.  Source: Wired

Facebooktwitterredditlinkedinmailby feather

Is Cyber Risk Insurance a Cure?

Let me cut to the chase – the answer is no.  It is a way to help pay for the damage, but that is about all.

In the article referenced below, the author thoughtfully explains the role of cyber risk insurance –  a post-fail risk offset.

The key word there is fail.

Failing in the sense of failing to avoid the breach in the first place.

The after affects of most breaches is damage control and lawsuits that go on for years.  Some percentage of companies – a small percentage – go out of business after a breach.  Usually there are scapegoats – someone or some people have to be fired.

While cyber risk insurance can help cover the costs of ongoing litigation, it won’t pay for the fact that executives are distracted for years.  Depending on the cost of the litigation, it might not even pay for all of the costs of litigation.  It won’t pay for you to find a new job and it won’t make customers come back to your brand.

Cyber risk insurance is an important tool but just a tool.  Like every other tool, it is important that it is the right tool.  While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.

And, since cyber risk insurance is typically not regulated, it is important that you get a hammer if you need a hammer.  Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered.  In the case of cyber risk insurance this happens more often than with some other forms of insurance.  This doesn’t mean that cyber risk insurance is useless, it just means that you need to buy from someone who is an expert in the area when you are buying coverage.  My first question of an insurance broker that you are considering using to buy cyber risk insurance is how many cyber risk policies did you write in, say, the last 3 months and what is the total dollar coverage of those policies.  Insurance sales people are commissioned.  If cyber risk insurance represents a small part of their paycheck, you can figure out the rest.  If cyber risk is not their primary focus, they are unlikely to take the time to become experts in the area.  It is a bit of a wild west.  You are pretty much on your own.

All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.

Most of the time, cyber crime is an opportunistic crime.  Believe it or not, Equifax was not specifically targeted.  But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.

I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole and it is unlikely to make you whole.  It will reduce the pain, but that is not the same time.

So what should you do?

#1 – implement a great cybersecurity and privacy program

#2 – get some cyber risk insurance because stuff happens.

But do it in that order.

Source: Dark Reading

 

Facebooktwitterredditlinkedinmailby feather

Expect Cellular Prices to Go Up; Service to go Down

This is really an informational piece, along with some whining on my part, since there is not much you can do about this.

The FCC today approved the merger between Sprint and T-Mobile, thereby reducing the number of cell carriers from 4 to 3.

The republican members of the FCC said that history not withstanding, this is good for you and me.

Somehow, they think, with less competition, carriers will be more motivated to spend billions of dollars upgrading their networks to support 5G.  They didn’t explain their logic.

It is likely true that the remaining cell phone companies will install some 5G cell towers in super densely populated areas like in the downtown areas of major cities, but beyond that, they have zero motivation to attempt to keep up with countries like China, which already has 10,000 operational 5G cell base stations.

Here is a map of each city where at least one carrier has one 5g cell site.  Colorado’s was in front of Denver City Hall, but the carriers are working on turning on more sites.  Remember that (a) you must  have a 5G capable phone (Apple is rumored to be releasing one mid next year) and (b) be located OUTSIDE within a few hundred yards of that 5G cell site.

5G Coverage

 

For example, taking Denver (cuz I am partial to that), Verizon claims to have at least one cell tower live in 5 areas: Potter Highlands, Highlands, LODO, Central Business District, Capitol Hill and the Denver Tech Center.

Contrary to the FCC’s claims, none of these are rural;  rural customers should expect to see 5G cell sites sometime after never.  After all, I can’t even get broadband Internet and I am  only 20 miles from downtown Denver, but in a sparsely populated area.

Expect the combined T-Mobile/Sprint to fire about 10,000 to 20,000 people (according to Wall Street) as they close redundant stores and merge back office operations.  The union says the number is likely closer to 30,000.  You can’t really blame T-Sprint for doing that.

According to insiders, the FCC actually approved the merger in May, months before the Justice Department said the merger was anti-competitive, but the current administration is more willing to allow the market to do whatever it does.

The FCC did require Sprint to sell it’s prepaid phone business (used by people who don’t enough money to buy a traditional phone plan, hence not very profitable to anyone) to Dish and also to sell Dish some spectrum.  Dish is now planning on getting into the phone business as the satellite TV business continues to decline.  For the moment, since Dish has, well,exactly, zero towers, it is going to buy service from the 3 carriers who do have towers, but within the next 5-10 years, they will build out networks, likely in the same densely populated areas as where the current 5 G build-out is being done.

After all, the deregulation of Ma Bell worked well.  That business is completely in the toilet now and will probably disappear in a few years.

By the way, both Canada and Ireland reduced the number of cell carriers in their countries from 4 to 3 and prices went up for consumers in both cases.  I am sure it will be different here.

Sprint has been trying to merge itself into profitability for years now, but this time, they were smarter.  They hired a number of ex-FCC commissioners to lobby for them and dramatically ramped up their use of Trump’s DC hotel.   Hmmm.  What could possible be wrong with this?

Stay tuned.  This deal is still not completely done as a dozen State Attorneys General have filed suit to block the merger.  Whether the courts say that they have any standing in the matter is to be determined.  Source: Vice

 

Facebooktwitterredditlinkedinmailby feather