All posts by mitch tanenbaum

Why 5G Security is Going to be a BIG Problem

While 3G and 4G cell tech have their own well-known security issues, so does 5G, including the recently announced 5G network slicing security issues (see here). But this is probably not the big concern for 5G security.

The hype around 5G is that we can use it for everything and anything. And we probably will.

So the first issue is that if we are moving 100 times the amount of data that we are moving today, and the risk of any byte of data being compromised is exactly the same (likely not, but that is a different issue), then it is likely that 100 times the amount of data that is being breached today will be breached when 5G is fully deployed.

The next issue is that in order to make all this 5G nirvana happen, there is going to need to be a lot of software written. I am sure that all of this software will be bug free. Like Windows or iOS or any other modern software. Which is why vendors often release 100 patches every month. Buggy software leads to breaches. More “use cases” for 5G lead to more breaches.

But this is probably the biggest issue.

What is that data and system being used for? If you own a self-driving car and that car has software and that software can be updated “over the air”, can you guarantee that those updates will be secure? I am sure that SolarWinds said their update process was secure, also. How did that work out?

Here is an article on how to hack a Tesla. Over the air. Without touching the car.
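What a “secure update process” has to do at minimum, as an added example that is not from the original post or from any vendor named in it: the device verifies a signature over a manifest from a pinned release key, then verifies that the image hashes to the digest the signed manifest names. The package format, the `Scenarios` helper and the sample image bytes are all constructed for the example. It also shows the limit of that check, which is the SolarWinds lesson above: a build that is compromised before it reaches the signing step is signed exactly like a clean one, so signing only defends against tampering after the vendor signs, not against a compromised vendor pipeline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdatePackage is a hypothetical over-the-air update bundle (constructed
// format, not any vendor's): the image itself, a small text manifest naming
// the image's SHA-256 digest, and an Ed25519 signature over the manifest.
type UpdatePackage struct {
	Image     []byte
	Manifest  []byte // "version=<v>;sha256=<hex digest of Image>"
	Signature []byte // Ed25519 signature over Manifest
}

// BuildManifest ties a version string to the exact image bytes.
func BuildManifest(version string, image []byte) []byte {
	sum := sha256.Sum256(image)
	return []byte(fmt.Sprintf("version=%s;sha256=%s", version, hex.EncodeToString(sum[:])))
}

// SignUpdate is the vendor side: the release pipeline signs the manifest with
// the release private key. Anything that reaches the pipeline before this step
// (a compromised build, as with SolarWinds) gets signed just like a clean build.
func SignUpdate(priv ed25519.PrivateKey, version string, image []byte) UpdatePackage {
	m := BuildManifest(version, image)
	return UpdatePackage{Image: image, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// manifestDigest pulls the sha256 field out of the manifest text.
func manifestDigest(manifest []byte) (string, bool) {
	for _, field := range strings.Split(string(manifest), ";") {
		if strings.HasPrefix(field, "sha256=") {
			return strings.TrimPrefix(field, "sha256="), true
		}
	}
	return "", false
}

// VerifyUpdate is the device side, run before anything is written to flash:
// 1. the manifest must carry a valid signature from the pinned release key;
// 2. the image must hash to the digest the signed manifest names.
// The signature is checked first so that only manifests from the key holder
// ever get to say which digest the device should expect.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) {
		return errors.New("manifest signature does not verify against the pinned release key")
	}
	want, ok := manifestDigest(pkg.Manifest)
	if !ok {
		return errors.New("signed manifest carries no sha256 field")
	}
	sum := sha256.Sum256(pkg.Image)
	if hex.EncodeToString(sum[:]) != want {
		return errors.New("image digest does not match the signed manifest")
	}
	return nil
}

// Scenarios runs the device check against a genuine package and three tampered
// variants; each map entry is true when the device made the right decision.
func Scenarios() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		return nil, err
	}
	image := []byte("constructed firmware image v2.1.0") // constructed sample, not real firmware
	good := SignUpdate(priv, "2.1.0", image)

	// Image swapped in transit; manifest and signature left untouched.
	swappedImage := good
	swappedImage.Image = []byte("constructed firmware image, altered in transit")

	// Manifest edited to match the swapped image; the signature no longer covers it.
	editedManifest := swappedImage
	editedManifest.Manifest = BuildManifest("2.1.0", swappedImage.Image)

	// Whole package re-signed with a key the device has not pinned.
	wrongKey := SignUpdate(otherPriv, "2.1.0", swappedImage.Image)

	return map[string]bool{
		"genuine package accepted":   VerifyUpdate(pub, good) == nil,
		"swapped image rejected":     VerifyUpdate(pub, swappedImage) != nil,
		"edited manifest rejected":   VerifyUpdate(pub, editedManifest) != nil,
		"wrong signing key rejected": VerifyUpdate(pub, wrongKey) != nil,
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-28s %v\n", name, ok)
	}
}
```

The public key in a real device would be pinned in firmware or a secure element rather than generated at run time as it is here; what stays the same is that the device trusts the key, not the transport, and that a valid signature says nothing about what happened before the vendor signed.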

What if that hacked update tells the car to drive into a tree? We basically saw a prototype of this on 60 Minutes a couple of years ago when researchers took control of a Jeep driving down the highway at 60 miles an hour.

You say that is unlikely. Maybe. But we have already seen lower tech versions of this used in targeted assassinations.

Of course, right now, we don’t have any idea how hackers will structure their attacks.

What if a hacker took control of your car via some 5G whiz-bang feature that you absolutely have to have and then told you that if you transferred a million dollars (or whatever) to the hacker, they would NOT drive your car into that tree? Or what if you have a 5G controlled medical device like an insulin pump. Give me your money or I will up your dosage by a factor of 100. We saw a very low tech version of that last month when an attacker increased the amount of a chemical going into a Florida water treatment plant by 100 times. Luckily, someone saw that happen and was able to fix it. As 5G automates more of this, the luck will run out.

Right now nation state actors are only trying to steal our money.

What if those same actors (for example Russia or North Korea) instead focused on destroying our critical infrastructure? I am sure that all of those thousands or tens of thousands of providers have 100% secure systems. How about 50% secure. Probably not.

Hackers typically go after the weak link. Since there seems to be an incredible rush to deploy 5G, I am quite certain that there will be no security holes in any of the applications; no blind spots and no human weaknesses.

That is the risk behind 5G.

Curiously, this conversation came from an interview with Verizon’s executive director of security services. At least he understands the problem; maybe he can have a positive impact on things. Credit: The Record

AT&T Lies About California Net Neutrality Law; Says it Bans Free Data

Net neutrality seems to be a politically charged concept. I am not sure why. All net neutrality says is that you have to treat all content providers equally.

AT&T, apparently, doesn’t like that and so they are making up stories that have nothing to do with the truth.

After the Trump FCC decided that they didn’t really like the federal net neutrality rules and reversed the decision that was made by the Obama FCC, California passed its own net neutrality law.

California’s law was passed in 2018. It said, basically, that you can give away free data as long as you give away free data equally.

So how does this impact AT&T?

AT&T owns HBO. They decided that AT&T customers could watch HBO and the data that they used while watching HBO would be exempt from any data caps. So, assume that a user had a 100 gigabyte data plan and they used 50 gigabytes watching HBO during the month. Effectively, that would raise their data plan to 150 gigabytes at no extra cost. This is a significant benefit to people who have low data “caps”.

BUT, and here is the problem: if you used those 50 gigabytes to watch a competitor’s TV, say Netflix, that data usage would not be exempt, and if you exceeded your data plan cap as a result, you would have to pay an overage charge or whatever the plan did in a situation like that.

The Internet providers sued California because they wanted to be able to give preferential treatment to some providers. Maybe it was providers they owned or maybe, like Apple, it was providers that paid them millions of dollars a year. In any case, it was illegal under California’s 2018 law and they sued.

That law finally took effect last month after a federal judge refused to issue an injunction – an indication that this judge did not think the likelihood of the Internet providers winning was high.

So what did AT&T do?

What they could have done, according to Stanford law professor Barbara van Schewick is treat all providers equally and give customers free data whether they chose to watch HBO or Netflix.

But that is not what they did.

Instead AT&T decided to shut off what is called “sponsored data” (meaning that the sender – the content provider – is paying, in some way, for the data that you use) OUTSIDE OF CALIFORNIA. Inside California too, but outside as well. I don’t exactly understand why they think that California law prohibits them from giving away free data in, say, Georgia. It does not.

Of course, giving away free data is only important if the Internet provider has ridiculously low data caps. Typically this affects poor people more than affluent people.

AT&T is claiming, and this is where they are lying, that California law prohibits them from giving away free data and prohibits them from giving away free data in states like Idaho.

They were never very subtle about what they were doing. They wanted to favor their own services to the detriment of competitors and that is exactly what net neutrality is designed to prevent.

Stay tuned; this is not over. It is also unclear whether the Biden FCC will reinstate net neutrality nationally. They at least seem to be investigating the blatant lies that the Internet carrier cartel has been promoting that everyone has great Internet connectivity and plans. The pandemic proved that statement very false.

Credit: Ars Technica

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self-driving car and stealing the data? I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem, and in this case, I would say the Chinese are correct. The problem is that with more and more self-driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might come back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year, and allowing the case to proceed does not mean anyone will win or what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that has never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. The documents leaked so far are less-sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

The Frankencloud Security Model

That is a great name and it well describes what we are dealing with.

The SolarWinds attack worked because it took advantage of a supply chain that no one understands; not even the people within it.

Think back to Equifax. That happened because they did not know that a vulnerable piece of software was running on one of their servers. At that point, the game was over.

Like Frankenstein, corporate networks are pieced together with lots of piece parts from different vendors, and those vendors have lots of suppliers. A typical company of a couple hundred employees is probably dependent on a thousand suppliers, most of whom that company does not deal with or even know about.

Security teams at medium sized and bigger firms use 25-50 security tools from 10 different firms. Or more.

This creates blind spots. Hard to connect the data.

Add to that “hybrid clouds”. That means we take a server in this cloud; another server in another cloud. Some servers in the office. A couple in a data center. Mix in some software as a service.

How could that possibly leave any holes?

Do you use the Frankencloud?

Time to get a coherent strategy.

The head of the NSA said that the reason that the SolarWinds attack worked is that they could not connect the dots (more about that in another post). YOU need to be able to connect the dots, Frank.

Credit: Techcrunch

Apple MAY Join Many Others in Separating Security Patches from System Upgrades

Since the beginning of Apple-time (or is it i-time?), Apple has always bundled security fixes into iOS upgrades. This means that a user could not install a security update without also upgrading the OS. In general, Apple has always forced users to upgrade their iPhones and other mobile devices. This tends to make Apple products more secure because a higher percentage of the users are on the current version of the OS.

This is different than, say, Microsoft, who will push out monthly security patches even though they might only add new features once or twice a year.

According to 9to5Mac, Apple may be planning to separate security fixes from feature upgrades in the next version of iOS.

Of course, sometimes, Apple may release a new version of their OS just to patch a bug, but users never know what else might be bundled inside that upgrade.

But there is a new setting in the software update menu called “Install Security Updates”.

It could be that this is only a feature to install emergency fixes, something that has become more common at Apple as their software becomes more complex.

It also appears that if a user installs a security update they may have to uninstall it prior to installing a version upgrade. If this turns out to be true, this would be very unlike Apple and this makes it harder for users to stay current.

iOS 14.5 is going to be a big deal. One feature in it is that checks for fraudulent web sites will be run through Apple’s servers to protect user privacy and that could, possibly, break things or slow things down. This new update also requires users to opt-in to data sharing.

iOS 14.5 is expected to be released officially in a couple of months. Credit: The Hacker News

CISA-ICS CERT Releases 4 ICS Advisories

Earlier this month Homeland Security released 4 different advisories for industrial control system vulnerabilities. This comes in the wake of a successful breach of a water treatment plant in Florida. While that hack took advantage of poor cyber hygiene practices (obsolete unpatched software, shared passwords, etc.), it did call attention to the fact that our critical infrastructure is under attack.

#1 – JOHNSON CONTROLS EXACQ TECHNOLOGIES EXACQVISION

DHS says this vulnerability is remotely exploitable and requires only a low skill level to exploit. It affects all supported versions of the software and can expose sensitive information to hackers. For more details see this ICS CERT ADVISORY.

#2 – Hitachi ABB Power Grids eSOMS

Again, DHS says that this vulnerability requires only a low skill level to exploit. This vulnerability allows a hacker to gain access to report data. For more details see this ICS CERT ADVISORY.

#3 – Hitachi ABB Power Grids eSOMS Telerik

This is a different Hitachi ABB problem and it is related to path traversal (get to a directory that they should not have access to), deserialization of untrusted data, improper input validation, inadequate encryption and insufficiently protected credentials. This scores a 9.8 (out of 10) on the vulnerability Richter scale. A hacker could upload malicious files, steal sensitive data and execute arbitrary code. For more details see this ICS CERT ADVISORY.
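Path traversal, the first item in that list, is one of the few bugs where the fix is short enough to show in full. The following is an added example, not code from the advisory or from the affected product: a naive join of a base directory and a user-supplied file name next to a hardened version that resolves the name and refuses anything that lands outside the base. The `/srv/reports` directory and the sample names are constructed for the example, and the name is assumed to be already percent-decoded.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any name that would resolve outside the base directory.
var ErrTraversal = errors.New("path escapes the permitted directory")

// NaiveJoin is the vulnerable pattern behind this class of advisory: the
// user-supplied name is glued onto the base directory with no validation, so
// ".." segments walk straight out of it.
func NaiveJoin(base, name string) string {
	return base + string(filepath.Separator) + name
}

// SafeJoin resolves name relative to base and refuses anything that does not
// stay inside base. name must already be percent-decoded (decode before
// calling, never after, or an encoded ".." slips past the check). This is a
// lexical check only: if base may contain symlinks, resolve the result with
// filepath.EvalSymlinks and re-check it before opening the file.
func SafeJoin(base, name string) (string, error) {
	if strings.ContainsRune(name, 0) {
		// A NUL byte can truncate the path in lower layers, so treat it as hostile.
		return "", ErrTraversal
	}
	if filepath.IsAbs(name) {
		// An absolute name is a request to ignore base; refuse it outright.
		return "", ErrTraversal
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, name) // Join cleans, so "a/../b" collapses to "b"
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// After cleaning, an escape can only show up as a leading ".." segment.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/srv/reports" // constructed example directory
	names := []string{"2021/q1.pdf", "2021/../q2.pdf", "../../etc/passwd", "/etc/passwd"}
	for _, name := range names {
		safe, err := SafeJoin(base, name)
		fmt.Printf("%-18q naive=%-32s safe=%q err=%v\n", name, NaiveJoin(base, name), safe, err)
	}
}
```

The same check applies to the upload side the advisory mentions: a destination file name that is not run through something like `SafeJoin` before the write is the same bug in the other direction. The check deliberately rejects rather than “repairs” a bad name, because silently mapping `../../x` to `x` hides the probe from the logs.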

#4 – Rockwell Automation Logix Controllers

This is an update to the alert issued last month and this one rates a 10 out of 10 on the vulnerability rating scale. This one is also exploitable remotely and requires low skill to exploit. The vulnerability would allow a hacker to bypass the login requirement, alter the system’s configuration or change the code in the controller. For more information on this alert, see this ICS CERT ADVISORY.

If we look at this as a whole, what do we see:

  • Most can be executed remotely
  • Not limited to a single vendor
  • Most require low skill to achieve
  • Hackers can steal data and/or corrupt the system

If these attacks were applied to systems like the Florida water system that was compromised, you could, potentially, cause physical damage (like an explosion), turn off services (like turn off power or gas) or poison people (as could have happened in the Florida water treatment plant attack).

The other problem is that industrial control system owners are notorious for not applying patches. They are concerned, probably rightfully, that a patch could cause an outage (Microsoft or Apple never, ever, broke anything when applying patches, right?) or stop the system from working.

Unfortunately, given the typically poor cyber hygiene practices and the increased connectivity to the Internet of these systems, along with the information about the vulnerabilities that are now publicly available, don’t be surprised if hackers take advantage of this.

As a consumer, unfortunately, there is not much that you can do. That means it is up to regulators, who are often in bed with the regulatees. (The Chairman of the Texas PUC was just caught on tape reassuring investors that the millions of dollars they stole from Texans during the deep freeze this month was safe and they would not be forced to give it back. AFTER the recording was made public, the Governor asked him to resign – only AFTER.) Given the often too cozy relationship between the PUCs and utilities, I am not counting on much pressure, but we can hope.