All posts by mitch tanenbaum

I’ll Teams You

Okay, so Teams is not a verb. But neither was Google, as in go Google it.

Hackers have figured out that as people are just learning about collaboration software like Teams and Slack, there is a lot of squishiness around the edges.

Say you are part of a Teams group that includes employees, contractors and vendors. Say you get a message that someone is going to connect with you. You assume that you are inside this bubble and it is all secure.

But it is not.

What if that contractor’s credentials got compromised and it wasn’t even the contractor that sent you the message.

What if you get that Teams meeting message in email (I get most of mine that way)? And what if that link is actually malicious? (Have you looked at a Teams link? It is completely undecipherable, unlike a Zoom or Go To Meeting link.)

Likewise you might get a Teams request to share a file, but in large groups do you know if that request is legit? Or that the file shared is safe?

Researchers found one financial services firm whose Teams channel had been compromised for a YEAR!

The hackers did recon first. Very quiet. Hard to detect. They collected intel.

Then, when they saw a request for a file, they launched. They sent the file. Only it wasn’t the file, it was malware and everyone who opened it was toast.

For more details on how some of the attack scenarios work check out the SC Magazine link below. Note that this link is readable by humans; just hover over it.

It is up to companies to train their users in a new attack method. Sorry.

Credit: SCMagazine

Or if you don’t trust links, here is the URL: https://www.scmagazine.com/application-security/ill-teams-you-employees-assume-security-of-links-file-sharing-via-microsoft-comms-platform/

It’s Been A Bad Week for Parler and it is Only Monday

First Apple and Google removed the Parler app from both of their app stores.

Then Amazon kicked them off Amazon’s AWS platform for violating their terms of service.

That would seem like a problem for most companies, but that was the good part of their week.

Yesterday a security researcher who goes by the nickname “crash override” said that she was “crawling URLs for all videos uploaded to Parler”. About a million of them. Including ones that may have been deleted or marked private.

In total, about 70 terabytes of users’ posts were compromised.

And indexed and made public by the researcher.

This includes videos made and uploaded during the riot.

Which can be tied to the Parler user’s ID, IP address, etc.

Which if they were inside the Capitol during the riot …

But that is not all.

Parler’s CEO said that many of its vendors have decided that Parler’s money is not worth the reputational damage of being associated with them. Actually, he didn’t say that. He said “every vendor from text message services to email providers to our lawyers all ditched us too”. You draw your own conclusion. Credit: The Independent

Apparently Parler encouraged people to upload their driver’s license to get a verified person badge. Not great if the videos show you participating in a felony.

The researcher said that her plan is to archive every single post from the day of the riot. I am sure that the thousands of FBI personnel working on the case will appreciate her thoughtfulness. Credit: Gizmodo

The response of one Parler user was “It would be a pity if someone with explosives training were to pay a visit to some AWS Data Centers – the location of which are public knowledge.”

This is the “party of law and order”.

As of the writing of this post, if you try to go to Parler’s web site you get a site not found message.

Parler has filed a lawsuit against Amazon and is trying to get a TRO.

Reports say that the researcher was able to exploit a bug in Parler’s API. This is not a big surprise as APIs are notoriously difficult to make secure.

From what I understand, Parler has some deep pocketed investors, but will they be willing to pony up more money after this? And will users come back after their privacy was destroyed? All of this remains to be seen.

Suffice it to say, this story will be in the news for a while, and if I were someone who had posted anything on Parler, I would be nervous the next time there was a knock on my door.

Security News for the Week Ending January 8, 2021

Britain Says Assange Cannot be Extradited

Julian Assange, a long-time thorn in the backside of some folks in the US government, cannot be extradited to the US, a British court says. The court said that while he probably can get a fair trial in the US, the court system in the US is unlikely to stop him from committing suicide (à la Jeffrey Epstein, another very high-profile prisoner). The US is expected to appeal. Credit: Cybernews

Covid Stimulus Bill and UFOs

The first question is why? And the answer is: Congress. Buried deep in the Covid stimulus bill is the Intelligence Authorization Act, which mandates that the Pentagon release a report from its UFO task force. Stay tuned. Credit: Vice

New York Stock Exchange Changes Mind About Delisting Chinese Stocks

After the NYSE said it was going to delist 3 Chinese telecom stocks because the President said they were tied to the Chinese government/military, they suddenly changed their mind. They said that they made the decision after consulting with their regulators. Not sure what this means in the long term, but it might mean that the DoJ thinks the President is on shaky legal ground in doing that, and rather than get sued, they are going to let it play out in the courts. Credit: Cybernews

Right after this happened the exchange got a call from Secretary Mnuchin and, apparently, he changed their mind. Again. So now they do plan to delist these stocks. Until they change their mind again. This is really a symbolic move since only about 2% of their shares go through the NYSE. Credit: ZDNet

Hackers Use Fake Trump Scandal Video to Load Malware

Want to see a (purported) Trump sex scandal video? Well, ignoring your thoughts on the subject, the email is just clickbait. If you fall for the bait and click, the malware will install a Remote Access Trojan, or RAT, on your computer, allowing the hacker to connect to your computer and rummage through (and steal) all your stuff. They could, in addition, deposit some ransomware when they are done, so no matter how curious you might be, don’t click. Credit: Hacker News

Nissan Seems to Have Lost Control of their Source Code

A car is not only a vehicle these days, but also a computer on wheels. More accurately, probably a hundred computers on wheels, plus a bunch of server software, plus some mobile apps, plus... you get the idea. So one might expect that you would protect that. Nissan did; with Userid:admin and Password:admin. A bit of a problem, and it may even be difficult for Nissan to sue because they didn’t take reasonable care. Credit: SC Magazine

Did the Feds Kill Cell Service During Capitol Riots – No, Rioters Did

This one is gonna get a little geeky, so if that is not your cup of tea, you can just skip this post knowing that the feds did not shut down cell service to keep the crowd from communicating; the crowd did it to itself.

Many people reported that they had no cell service as the rioters stormed the Capitol. These reports are accurate, but here is what likely happened.

One 4G cell can reasonably handle a hundred users. After that, everyone else gets the equivalent of a busy signal.

A cell site can have multiple cell sectors. A Verizon site just off the west lawn of the Capitol has 12: 12 × 100 = 1,200 calls. Two blocks south is another one with 8 sectors. A few blocks north is one with 5. Assuming all of those are pointed directly at the Capitol (and they are not), we have (12 + 8 + 5) × 100.

AT&T appears to have 6 sites with about 23 cells.

T-Mobile appears to have 6 sites with 38 cells.

And Sprint has 7 sites with 30 cells.

Add those all together, (25 + 23 + 38 + 30) × 100, and you might be able to support as many as 11,500 users.

But if all of the AT&T slots are in use, it makes no difference to your phone if Verizon has capacity. Add to that the fact that probably less than half of those cells are pointed at the Capitol and maybe, if you are lucky, 5,000 can get service.

Then you have the problem of network bandwidth. If everyone is streaming video in real time that takes a lot more bandwidth than calls to grandma.

On a normal day, that is fine.

But when there are tens of thousands of people there and a lot of them are trying to use the phone, it is guaranteed that some people are going to be out of luck.

In places like football stadiums, the carriers have data about how many of the, say, 80,000 people want to use their phones at once and where they are in the stadium, and statistically they know exactly how much capacity to build.

In this case, no one called the cell carriers a year in advance to say that we plan to invade the Capitol at 1PM on this day and would you please make sure that you have enough capacity.

Even if they had, there would be no way for the carriers to know where, in or out of the building, the people were and which carrier they used. One-off events are almost guaranteed to fail.

Which brings us to the point that in case of a disaster, counting on your cell phone to work is like tossing a coin. Your land line, assuming the infrastructure has not been damaged, will more likely work because the carrier knows where each phone is and they can build enough capacity.

Credit: PC Magazine

Trump Bans 8 More Chinese Apps

Donald Trump has signed an executive order banning the use of eight Chinese apps, namely Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.

The EO says that the apps can track users and capture personal data –

Just like, say, Facebook or Fox News or any other American app.

But Trump doesn’t like it that China is collecting that data because, basically, China bad. And, realistically, that is hard to argue with.

Part of the problem is that users “over share”.

Another part of the problem is that users opt for convenience over security, and that means that these apps – including all of the American apps – can vacuum up an amazing amount of data that lives on most users’ phones.

Consider this. The last time YOU installed an app on your phone it probably asked for some permissions. Did you consider whether that app really needed those permissions? Almost no one else does either.

Somehow Trump ties what these apps are doing to the Anthem and Office of Personnel Management breaches. I guess in the sense that all of those desire to collect your data – just like Twitter does – that is true. I am sure that even though Trump hates Twitter, he would hate it even more if it was not financially viable and disappeared. Therefore, if they have to harvest your data without any real permission (yes, you can disagree, but if you do, they will delete your account), that is okay.

The basic difference here is not WHAT is being done, but rather WHO is doing it. All apps collect, use and monetize your data. Who the good guys are is a little less clear.

The order doesn’t take effect for 45 days, so likely it will be up to the next administration to figure out what to do.

Personally, I would be fine if half of the apps on the Apple and Android stores just went poof. No, actually 90% would be a good number to banish. I would not miss them at all. Just my opinion. Credit: The Register

Nashville Bombing Part 2

As I said last week, while the bombing is a horrible event, it does point out how brittle our telecommunications world is. That being said, for most companies, the rest of the IT infrastructure is probably more brittle.

Companies should use this as an opportunity to review their situation and see if they can make improvements at a price that is affordable.

While AT&T was able to strike a deal with the City of Nashville to commandeer Nissan Stadium, home of the Titans, to set up a replacement central office, you probably will not get the same treatment if you asked.

AT&T was also able to deploy 25 tractor trailers of computer equipment to replace the equipment that was damaged.

Finally, AT&T was able to temporarily reassign personnel with every skill that they might possibly need from fiber techs to computer programmers. Again, you likely would not be able to do that.

The question for you to “game out” is what are my critical vendors and what would I do if they had a meltdown. I don’t mean a 30 minute outage, I mean a meltdown. We have seen, for example, tech companies that have gotten hit by ransomware.

Perhaps, like many companies, you use a managed service provider or MSP. A number of MSPs have been hit by ransomware, and when they are, often so are their customers. Does your MSP have the resources to defend all (or most) of its customers from a ransomware attack at once? How long would it take your MSP to get you back to working? Even large MSPs (which equals many customers) likely don’t have the resources.

If that were to happen to you – and of course, they have the only copies of your data, right? – what would they do and what would you do?

Maybe your servers are hosted in your office. There are a lot of possible events that could occur.

Even if your servers are in a colo, things can occur that can take you down.

Here is one thing to start with –

For each key system from personnel to public web sites, both internal and at third parties, document your RECOVERY TIME OBJECTIVE or RTO. The RTO is the maximum acceptable downtime before recovering. For example, for payroll, it might be 24 hours. But what if the outage happens at noon on the day that payroll must be sent to your bank? So, think carefully about what the maximum RTO is and remember that it will likely be different for different systems.

Then, for each system, document the RECOVERY POINT OBJECTIVE or RPO. The RPO is the point in time, counting backward from the event, up to which you are willing to lose data. For example, if this is an ecommerce system, maybe you are willing to lose 30 minutes’ worth of orders. Or maybe 5 minutes. If it is an accounting system, maybe it is 8 hours (rekeying one day’s worth of AR and AP may be considered acceptable). Again, each system will likely be different.

Then get all of the lines of business, management and the Board (if there is one) to agree on those times. Note that shorter RTOs and RPOs mean increased cost. The business units may say that they are not willing to lose any data. If you tell them that you can do that, but it will cost them a million dollars a year, they may rethink that. Or management may rethink that for them. The key point is to get everyone on the same page.

Once you have done that, make a list of the possible events that you need to deal with.

  • Someone plants a bomb in an RV outside your building and there is severe physical damage to your building.
  • Or maybe the bomb is down the block, but the force of the blast damages the water pipes in your building.
  • Or, the bomb is down the block and there is no damage to your building, but the city has turned off water, power and gas to the building. And the building is inside a police line and will be inaccessible while the police try to figure out what is going on.
  • In the case of AT&T, they had to pump three FEET of water out of the building. Water and generators are not a good mix. Neither are water and batteries. While AT&T lost their generators as a result of the blast, their batteries were distributed around the building so they did not lose ALL of their batteries.

Note that you do not need to think up all the scenarios yourself. You can look at the news reports and after-action reports from other big, public meltdowns. Here is another article on the Nashville situation.

Now create a matrix of events and systems for your RTO and RPO numbers. In the intersection box, you can say that you already can meet those objectives or that it will cost $1.29 one time to meet it or a million dollars a year. You need to include third party providers if they run and manage any systems that are critical to you.

Once you have done all that, you can go back to management and the lines of business and tell them here is the reality – what risk are you willing to accept? This is NOT an IT problem. This is a business problem.

The business will consider the likelihood of the event – even after Nashville, an RV filled with explosives is an unlikely event and the cost to mitigate the problem is likely high. For some systems the cost may be low enough and the risk high enough that management says fix it. For other systems, probably not.

The key point is that everyone from the lines of business to management to the Board all understand what the risks are and what the mitigation costs are. From this data, they can make an informed BUSINESS decision on what to do.
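As an added illustration of the matrix step (not code from the original post), this Python sketch builds the events × systems matrix from per-system RTO/RPO objectives and a constructed table of today’s recovery capability, flagging each cell as meeting or missing its objectives and totalling the cost to close every gap. The system names, events, hours, costs and the "hosting vendor" third party are all made-up values.

```python
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    rto_hours: float          # maximum acceptable downtime agreed with the business
    rpo_hours: float          # maximum acceptable data loss, counted back from the event
    run_by: str = "internal"  # or the third party that runs it; they belong in the matrix too

# One (event, system) cell as it stands today: hours to recover, hours of data lost, and the
# constructed annual cost to close any gap (0 where the cell already meets both objectives).
Capability = namedtuple("Capability", "recovery_hours data_loss_hours annual_cost_to_fix")

# Constructed systems and events; the objectives and scenarios follow the ones in the post.
SYSTEMS = [System("payroll", 24, 8),
           System("ecommerce", 4, 0.5, run_by="hosting vendor (hypothetical)")]
EVENTS = ["blast damages building", "blast breaks water pipes", "utilities off, police line"]
CAPABILITY = {  # constructed current capability per (event, system)
    ("blast damages building", "payroll"):       Capability(72, 24, 40_000),  # misses RTO and RPO
    ("blast damages building", "ecommerce"):     Capability(2, 0.25, 0),
    ("blast breaks water pipes", "payroll"):     Capability(20, 24, 20_000),  # misses RPO only
    ("blast breaks water pipes", "ecommerce"):   Capability(2, 0.25, 0),
    ("utilities off, police line", "payroll"):   Capability(24, 8, 0),        # meets, just barely
    ("utilities off, police line", "ecommerce"): Capability(2, 0.25, 0),
}

def cell_gaps(system, cap):
    """List the objectives this cell misses; an empty list means it meets both RTO and RPO."""
    gaps = []
    if cap.recovery_hours > system.rto_hours:
        gaps.append(f"RTO: {cap.recovery_hours}h recovery > {system.rto_hours}h objective")
    if cap.data_loss_hours > system.rpo_hours:
        gaps.append(f"RPO: {cap.data_loss_hours}h data loss > {system.rpo_hours}h objective")
    return gaps

def build_matrix(systems=SYSTEMS, events=EVENTS, capability=CAPABILITY):
    """Events x systems matrix; each cell is 'meets' or 'gap' plus the gaps and cost to close them."""
    matrix = {}
    for event in events:
        for system in systems:
            cap = capability[(event, system.name)]
            gaps = cell_gaps(system, cap)
            matrix[(event, system.name)] = {"status": "gap" if gaps else "meets", "gaps": gaps,
                "annual_cost": cap.annual_cost_to_fix if gaps else 0, "run_by": system.run_by}
    return matrix

def cost_to_close_all(matrix):
    """Total annual spend to close every gap: the number to put in front of management."""
    return sum(cell["annual_cost"] for cell in matrix.values())
```

Replace the constructed tables with your own systems, events and quotes from your providers; the matrix is the artifact the business units and the Board sign off on.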

If you need help with this, please contact us.