All posts by mitch tanenbaum

Just Because You Can Doesn’t Mean You Should

Amazon quietly (I wonder why – not) added a new feature last year to some Ring and Echo products. Amazon Sidewalk takes a small amount of your Internet bandwidth and lets nearby Ring or Echo owners use it if their Internet goes down (and vice versa).

What could possibly go wrong? Let’s name a few past Amazon mistakes:

  • Last year Gizmodo was able to map tens of thousands of Ring doorbells using Amazon’s Neighbors app.
  • Vice and Gizmodo both found instances of hackers breaking into Ring cameras (ultimately leading to a class action lawsuit).
  • Amazon forgot to mention in its privacy policy that humans might listen to your Echo voice recordings.
  • A Portland couple had a private conversation recorded by their Echo and sent to a colleague because Amazon’s software misinterpreted the conversation as a series of commands.

Does this feature intentionally spy on you or steal your bandwidth? NO, not INTENTIONALLY.

You as the consumer have to opt out if you don’t want to play, and you have to know how to do that. IT IS ENABLED BY DEFAULT. You have to do that from your Alexa app (see link below for more details).

Of course Amazon is scared to death that if even a few people opt out the whole thing collapses, because it only works if neighbors very nearby have it turned on. I don’t know what the range is, but it can’t be more than a few hundred feet.

Anyway, if you are concerned (and clearly Amazon is not being terribly transparent here), just turn it off if you have one of the Sidewalk-enabled devices. Credit: Gizmodo

How Long Does it Take to Recover from Ransomware?

First the wise guy answers: Too Long and It Depends.

Unfortunately, both are true.

For a lot of companies, 30 to 60 days seems to be the average.

Company size doesn’t seem to be a factor. We recently worked with a smallish company (fewer than 150 people) and it was 30 days before they were mostly back to semi-normal.

Travelex, the huge foreign currency exchange company, was closed for 30 days and wound up having to file for the equivalent of bankruptcy.

Today’s story is about the University of Vermont Medical Center.

The attack started during the week of October 25th. It forced the health system, which includes hospitals, home health and hospice care and which employs a thousand doctors plus 2,000 other medical staff, to cancel procedures such as chemotherapy.

The governor even brought in the National Guard’s cyber team to help recover (don’t you wish you could get that treatment if you had a cyber attack?).

A month later, they are still picking up the pieces.

Just last week they got their electronic medical record system back online and restored their online patient portal. At least medical staff no longer has to deal with paper charts. Of course, now they have to enter a month’s worth of backlogged patient chart data.

There are still other systems to be restored.

While the online patient portal is working again, new patients still cannot sign up. Billing and payments are also still a problem area, which is not great for cash flow during a pandemic.

Due to the outages, up to 300 employees have either been transferred or furloughed.

Now translate this to your company.

How long would it take you to recover from a complete cyber meltdown?

Do you have the funds to tide you over?

Do you have a plan to be able to continue to perform your key business functions during this time?

Can your IT team deal with the challenges?

If you don’t plan now, it will take longer to recover in the event that the worst does happen. Some companies have just shut down after a ransomware attack. They do not have the resources to recover.

Many companies hope that it won’t happen. Many companies have been wrong about that. Credit: Threatpost

California Privacy Rights, Part 2

The California Privacy Rights Act, CPRA, AKA Prop 24, was approved by voters on November 3rd. This is a continuing story on its potential impact.

Some simple answers first:

When does it go into effect: January 1, 2023.

Who has to comply: That is still murky. There was a $25 million revenue minimum in CCPA and it is still here. The law now says that the revenue is measured for the prior year, but it does not say whether that is California revenue or worldwide revenue. Do you feel lucky?

Number of records: That threshold has doubled from 50,000 to 100,000 consumers or households, but for most companies that is still a small number of visitors to a website. Devices are no longer counted, which provides some relief, but it is still a small number.

Revenue: CCPA only counts revenue from selling data, but companies like Facebook don’t sell your data – so they tried to claim they were exempt. CPRA says revenue from sharing your data (a new term) is now included in the calculation.

Commonly controlled entities: The new law says that you only have to add numbers together for commonly controlled entities if the entities have common branding and consumers are likely to understand that the entities are the same company.

New data category: sensitive information: Like GDPR in Europe, there is now a category of sensitive information that includes government ID numbers, financial account information, account credentials, precise geolocation data, race and ethnicity, biometric information, health information and sexual orientation. That is a lot of the information that companies collect today.

New right: Limit the use of my sensitive information: A resident can tell a business to use their sensitive information only to perform the function the resident asked for. This may require a new, special opt-out link (the law calls it “Limit the Use of My Sensitive Personal Information”).

New right: Correct my information. Somehow CCPA forgot this one. Now residents will have the right to have their information corrected and businesses will need to track these requests.

Opt-out rights expanded. The new law allows not only the right to opt out of sale but also the right to opt out of sharing data for behavioral advertising purposes, whether or not money changes hands.

Expanded right to deletion: Under the new law, you now have to track everyone you share data with. If someone asks you to delete their data, you have to get those third parties to delete it too.

Watch for part 3. This law is a bit of a beast. Getting ready now is a good plan.

Credit: The Jones Day law firm

Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904), and sent it to the House. It directs the NSF to support deep fake research and NIST to measure the problem and see whether private companies can be persuaded to spend their own money on solving it. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple’s security chief in trouble, so is the Sheriff’s office. Apparently the Santa Clara County Sheriff’s office has decided that concealed-carry weapons permits can be bought and sold, or at least that they can be bought. Apple’s security team offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Others, including Apple’s head of global security, are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

Interpol, working with the Nigerian police, has broken up a Business Email Compromise (BEC) gang operating out of Lagos, Nigeria. So far investigators have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size, and some Russian BEC attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so Comcast is back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes, up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among the highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, the owner of TikTok, to sell the company, or else the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S., some percentage of them are Republicans, and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, recently gave Bytedance a 15 day extension and has now given it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Remote Work Policies

When Covid happened 9 months ago no one really knew what to expect. I am not sure that anyone still knows what to expect, but it looks like Work From Home (WFH) is here to stay.

Many companies have decided that it has not negatively impacted productivity and some even say that productivity is better.

Some companies have decided that it is a great employee benefit and helps with recruiting. It also allows companies to recruit talent anywhere in the country (although companies need to watch out for the potential impact of having to comply with personnel, privacy and tax laws in multiple states). Facebook, for example, has said that they anticipate that 60% of their employees will work from home forever.

But it does mean that we should consider the security impact of WFH. Here are some thoughts.

#1 – Your employee’s computer, even if it is a company-provided one, is operating in hostile territory. You have no control over the rest of the employee’s family, what their computing habits are, whether they ever patch anything, what web sites they go to, or whether their wireless router has been updated since, say, 2013.

This means that you have to assume a zero trust environment: treat the home network as untrusted and rely on the protections on the device itself (patching, endpoint protection, a host firewall) rather than on the network around it. Your employee’s computer is likely operating in a war zone full of land mines and snipers. Are your computers’ protections up to the task?

#2 – If you allow your employees to use their own computers, it is even worse. Not only do you not know the security of your employee’s family’s computers (and phones and video games and IoT devices), you don’t even know the security setup of your employee’s own computer. For example, when was the last time it was patched? Not just the operating system, but every application installed on the computer.

#3 – If employees have to VPN into your network or into a cloud network, do they have access to the entire network? Does every employee have access to the entire network? Do they need access to everything? This is where subnetting and segmentation come into play: a compromised laptop on a flat network can reach every server, while on a segmented network it can reach only what that employee’s role requires.

#4 – Continue and enhance employee security training: phishing training and now also vishing (voice phishing) training. Attacks are up and the environment is hostile. Attackers know that and are taking advantage of it.

Some things that you can do:

Provide employees a personal HARDWARE firewall that they are required to place between their computer and the rest of their home network. Not inexpensive, but highly effective. This firewall can establish a VPN tunnel between the employee’s computer and the company’s office or data center transparently.

Create policies about BYOD computers. It is a pain to enforce, but your company is at risk.

Implement network segmentation. It may mean that you need to buy, one time, some consulting expertise, but once it is done, your IT assets are much more secure.
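The question in #3 above (does every VPN user reach the entire network?) and the segmentation recommendation are easiest to reason about as an access policy you can actually evaluate. The following is an added example, not code from the original post: a small first-match, default-deny policy evaluator in Python, with a flat policy beside a segmented one, a helper that lists which subnets each user group can reach, and a lint check that flags rules granting the whole address space or every port. The address plan, group names, ports and rules are all constructed for illustration.

```python
"""
Remote-access segmentation check: what can a VPN user actually reach?

Added example, not code from the original post. The address plan, user
groups, ports and rules below are constructed for illustration; the point
is the evaluation logic, which is the same first-match, default-deny
behaviour a firewall or VPN concentrator ACL applies.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_group: str      # VPN user group the rule applies to; "*" means any group
    dst: IPv4Network    # destination subnet
    ports: frozenset    # allowed TCP ports; an empty set means every port
    action: str         # "allow" or "deny"


def rule(src_group, dst, ports=(), action="allow"):
    return Rule(src_group, ip_network(dst), frozenset(ports), action)


# Constructed internal address plan (assumed for the example).
AD_DNS = "10.10.1.0/28"        # domain controllers / DNS
FINANCE = "10.10.10.0/24"
ENGINEERING = "10.10.20.0/24"
BACKUPS = "10.10.5.0/24"       # backup servers: never reachable over VPN
SUBNETS = {"ad_dns": AD_DNS, "finance": FINANCE,
           "engineering": ENGINEERING, "backups": BACKUPS}

# The flat setup: every VPN user sees everything.
FLAT_POLICY = [rule("*", "0.0.0.0/0")]

# The segmented setup: each group gets only the subnets and ports its job
# needs. Rules are evaluated top-down; anything unmatched is denied.
SEGMENTED_POLICY = [
    rule("*", BACKUPS, action="deny"),                # explicit deny first
    rule("*", AD_DNS, ports=(53, 88, 389, 636)),      # DNS/Kerberos/LDAP for all
    rule("finance", FINANCE, ports=(443,)),
    rule("engineering", ENGINEERING, ports=(22, 443)),
    rule("it", "10.10.0.0/16", ports=(22, 3389)),     # admin access, still not backups
]


def evaluate(policy, group, dst_ip, dst_port):
    """True if `group` may reach dst_ip:dst_port. The first matching rule
    wins; a rule that matches the address but not the port is skipped;
    no match at all means deny."""
    addr = ip_address(dst_ip)
    for r in policy:
        if r.src_group not in ("*", group):
            continue
        if addr not in r.dst:
            continue
        if r.ports and dst_port not in r.ports:
            continue
        return r.action == "allow"
    return False


def reachable(policy, group, subnets=SUBNETS, probe_ports=(22, 389, 443, 3389)):
    """Names of subnets a member of `group` can reach on at least one probe
    port, testing the first usable host of each subnet."""
    names = []
    for name, cidr in subnets.items():
        host = str(next(ip_network(cidr).hosts()))
        if any(evaluate(policy, group, host, p) for p in probe_ports):
            names.append(name)
    return names


def lint(policy):
    """Flag allow rules that hand out the whole address space or every port."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "allow":
            continue
        if r.dst.prefixlen == 0:
            findings.append(f"rule {i}: {r.src_group} allowed to the entire address space")
        elif not r.ports:
            findings.append(f"rule {i}: {r.src_group} allowed to {r.dst} on every port")
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "lint:", lint(policy) or "clean")
        for group in ("finance", "engineering", "it"):
            print(f"  {group:12s} reaches {reachable(policy, group)}")
```

Running it shows the difference the recommendation is about: under the flat policy a finance laptop reaches every subnet, including backups; under the segmented policy it reaches only the directory servers on directory ports and its own subnet on 443, and even the IT group cannot reach the backup network over the VPN because the explicit deny sits above the broad admin rule. Rule order matters in first-match evaluation, which is why the lint check is worth running whenever a rule is added.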

For company-owned computers, make sure that patching remains a high priority, and encourage employees to patch personally owned computers.

Ask employees to connect via a network cable rather than wireless if possible. A wired connection takes the home Wi-Fi (its router firmware, its passphrase and anyone in radio range) out of the path between the employee and you.

If employees have to use wireless connections, make sure the router’s default passwords (both the Wi-Fi passphrase and the admin login) have been changed, that it uses WPA2 or WPA3 rather than an older scheme, and that the router has been patched.

If possible, implement a device management solution such as Microsoft Intune, JAMF for Mac or Airwatch.

The security situation is not going to get any better any time soon. You are in control of your company’s destiny, and cyber is a key part of protecting it. I read stories every single day about companies that have been hit by cyber attacks of one form or another and how it is impacting their business. One company I read about today has been down for a month trying to recover. Another can’t ship products. A third has its online services offline. That is just today. Do not be the next news story. Please.

Feds Pass IoT Security Law – It’s a Start

The new law is called The Internet of Things Cybersecurity Improvement Act and it is a start. Just a start.

While no one can agree on how many billions of IoT devices are going to be installed, or when, what we do know is that it is going to be tens of billions of devices, growing dramatically every year.

We also know that IoT devices are being hacked regularly, including the vulnerabilities in St. Jude implantable cardiac devices and the Mirai botnet built from compromised cameras and routers.

The bill was passed by the House a couple of months ago and just passed UNANIMOUSLY in the Senate. It has been sent to the White House, where the President is expected to sign it.

So what does it do?

NIST is Required to Publish IoT Security Standards within 90 Days

This is kind of a freebie since NIST has been working on this for a couple of years, but it is still not released. Here is a link to the draft version.

NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days

This is a big one. If the standard requires certain features before a company is allowed to sell to the federal government (after all, who wouldn’t want to be able to sell to the feds?), vendors are not likely to make two models, one for the feds and one for everyone else, so everyone benefits.

Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)

This is a bureaucratic thing to make sure that government agencies don’t ignore the law, so therefore this, too, is important.

NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days

NIST will work with industry and academia to create guidelines to report, coordinate, publish and receive information about security vulnerabilities in IoT devices. This is important to standardize so that security researchers know the rules and what they can and cannot do.

The Comptroller General will Report to the House and Senate Every Two Years About any Waivers Granted

This just provides a little daylight on any government shenanigans. The reports will be unclassified. The Comptroller General will brief these committees after one year and then every two years about the broader IoT effort.

This bill is one thing that has come out of the Cyberspace Solarium Commission, which issued its report earlier this year. Hopefully, more will come of that report.

While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If the incoming White House nudges Congress to pass more legislation, the odds that it does so go up, which is, hopefully, good for security overall. Credit: CSO Online