All posts by Mitch Tanenbaum

The Weakest Link

According to an article at Cult Of Mac, one of Apple’s suppliers, Quanta, posted PowerPoint documents with instructions on how to log in to a database containing confidential Apple documents on new, yet to be announced products.

Apparently, the document contains default credentials which, it says, the business partner should change after logging in for the first time.  All Quanta suppliers were given the same initial default password.

Unfortunately for Apple, details on several products were compromised.

In addition, a quick Google search using the search terms “Quanta Confidential” and “.ppt” pulled up a number of other Quanta confidential documents, according to Cult Of Mac.

The moral of this story is that attackers will find the weakest link in the chain, and if that link is a supplier, that suits them just fine.  The Target and Home Depot attacks started this way.

Part of your enterprise risk management plan should be to manage risk that is located with third parties that have access to your confidential information.  After all, from your point of view, if a hacker gets your confidential information, the pain is no less if the information was stolen from one of your vendors than if it was stolen from you.  Another part of your ERM plan should be to make sure that if your business partners are the source of leaks, they have the needed insurance to make you whole and have an incident response plan to deal with the situation.

Regarding Quanta and Apple, Cult of Mac reached out to both of them with no response.  However, the default passwords no longer work.

As a suggestion, you might want to Google your own company followed by one of a set of words, appropriate to your organization such as [company] confidential or [company] proprietary to see what comes up.



U.S. Central Command (Centcom) Gets Hacked

U.S. Central Command, responsible for the military’s activities in Iraq, Afghanistan, Iran, Saudi Arabia, Syria and a number of other countries in that region was the victim of a hack earlier today.

Centcom’s Twitter feed and YouTube channel were compromised and defaced.

Twitter quickly disabled the feed, but not before some charts and contact information for some military personnel were posted.  The YouTube channel had some jihadist videos posted to it and is now down with a message that says “This account has been terminated due to repeated or severe violations of our Community Guidelines.”

While some people said that classified information was posted, that does not appear to be the case.  Probably the biggest concern was the posting of personal information for some senior military personnel, including some generals.

This all happened at the same time President Obama was making a cyber security speech.

Most likely, this occurred as a result of some social media person getting their credentials phished.

The biggest casualty of this event was the ego of Central Command.  As a military organization responsible for hundreds of thousands of U.S. troops and the wars in Iraq and Afghanistan, it is more than a little embarrassing to have your social media presence hacked and your message compromised.

The lesson to be learned is that even though there is not a lot of sensitive information on things like Twitter and YouTube, there is potentially significant negative press associated with your brand being on the CNN and Fox News message crawls at the bottom of the screen all day.  My guess is that Centcom will add two factor authentication before these social media feeds are turned on again.  I would also recommend that social media access be conducted from a dedicated console, separate from email and web surfing, to reduce the risk from phishing attacks.

The good news is that this will likely be forgotten in a few days.

Except for the person who had their credentials compromised.


Did You Visit The Huffington Post Web Site Last Week?

CNN is reporting that visitors to HuffPo and several other major sites last week might have caught a virus from malware-infected advertisements.

The malware only infected Windows PCs and only those running Internet Explorer 8 (does anyone really use IE any more?).  Even though IE11 is the current version of IE, according to CNN, IE8 is the most used version.

The ads were served by AOL’s ad network at least between December 31 and January 5, but may go back as far as October.

AOL refused to say how many times they served up the poison ads.  Perhaps they are worried about lawsuits?

BTW, you did not need to click on the ad to be infected.

The good news is that this malware does not actually encrypt your files; it just blocks your access to them, so there are ways to get your data back without paying the ransom.

This does point out some of the nasty side of online advertising.  The ad networks are moving so many ads and the ads are so dynamic that nobody is actually looking at the ads.  This particular piece of “malvertising” redirected the content 8 times until it arrived at a server in Poland that served up the malware.

Apparently, every single visitor to HuffPo during this time window was served up the ad.

Malvertising is becoming a bigger problem all the time and as people close down other attack vectors, this one may become more popular.

One reason it is such a problem is that most of the ads are active, meaning code is executed when the ad is displayed without the user clicking on anything.  If the device is susceptible to the malware, it auto-magically becomes infected.  No muss, no fuss, no bother.

If the malvertising is covert, it could just lie in wait on your computer, only doing something when told, or when the computer is idle, or at 2:00 in the morning, or whatever.  You likely wouldn’t know unless your anti-malware software catches it.

Nice, huh?

NOTE: while HuffPo got caught up in this last week, this is not really a HuffPo problem but rather a general issue with online advertising.  The malware isn’t even resident on HuffPo’s site.  Over the years, many sites have been the victim of this and it is only getting worse.  The sites are just trying to make a few bucks while giving away content.  There is nothing that HuffPo or anyone else is doing wrong; it is something that the online advertising industry is going to have to figure out and other than going back to static, text based ads (can you say FAT CHANCE!), there is not an easy answer.
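The post describes an ad that bounced through 8 redirects before landing on the server that delivered the malware.  A site operator or network defender cannot read every creative, but they can watch for that pattern in their own logs.  The script below is an added example, not code from the post or from any of the companies named in it: it reconstructs HTTP redirect chains per client from proxy log lines and flags chains that are unusually long or that land on a host outside the ad network’s own domains.  The log format, the hostnames, the allow-list of ad-network domains and the hop threshold are all constructed for illustration.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag suspicious ad chains.

Added example, not from the original post.  Log format, hostnames, allow-list
and threshold are constructed; adapt them to your own proxy and ad partners.
"""
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

# Constructed proxy log: "<client> <status> <url> -> <Location header or ->"
SAMPLE_LOG = """\
10.0.0.5 200 http://news.example.test/article -> -
10.0.0.5 302 http://ads.example-net.test/serve?id=1 -> http://track.example-net.test/r1
10.0.0.5 302 http://track.example-net.test/r1 -> http://r2.rotator.test/x
10.0.0.5 302 http://r2.rotator.test/x -> http://r3.rotator.test/y
10.0.0.5 302 http://r3.rotator.test/y -> http://r4.cdn-cheap.test/z
10.0.0.5 302 http://r4.cdn-cheap.test/z -> http://r5.cdn-cheap.test/w
10.0.0.5 302 http://r5.cdn-cheap.test/w -> http://r6.fast-host.test/v
10.0.0.5 302 http://r6.fast-host.test/v -> http://r7.fast-host.test/u
10.0.0.5 302 http://r7.fast-host.test/u -> http://payload.unrelated.test/landing.html
10.0.0.5 200 http://payload.unrelated.test/landing.html -> -
10.0.0.7 302 http://ads.example-net.test/serve?id=2 -> http://creative.example-net.test/banner.jpg
10.0.0.7 200 http://creative.example-net.test/banner.jpg -> -
"""

KNOWN_AD_DOMAINS = {"example-net.test"}  # constructed: domains your ad partner actually uses
MAX_HOPS = 5                               # constructed threshold; tune to your own baseline

Chain = namedtuple("Chain", "client start hops final_url")


def parse_line(line):
    """Split one constructed log line into (client, status, url, location)."""
    client, status, url, _arrow, location = line.split(maxsplit=4)
    return client, int(status), url, location


def host_of(url):
    return urlsplit(url).hostname or ""


def base_domain(host):
    """Registrable-domain approximation: last two labels (good enough for the sample)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def build_chains(log_text):
    """Follow each client's 3xx Location headers to rebuild complete redirect chains."""
    per_client = defaultdict(dict)
    for raw in log_text.splitlines():
        if raw.strip():
            client, status, url, location = parse_line(raw)
            per_client[client][url] = (status, location)

    chains = []
    for client, entries in per_client.items():
        redirect_targets = {loc for _, loc in entries.values() if loc != "-"}
        for url, (status, _loc) in entries.items():
            # A chain starts at a 3xx response that nothing else redirected to.
            if 300 <= status < 400 and url not in redirect_targets:
                current, hops, seen = url, 0, set()
                while current in entries and entries[current][1] != "-" and current not in seen:
                    seen.add(current)          # guard against redirect loops
                    hops += 1
                    current = entries[current][1]
                chains.append(Chain(client, url, hops, current))
    return chains


def flag_chains(chains, known_domains=KNOWN_AD_DOMAINS, max_hops=MAX_HOPS):
    """Report chains that are too long or that end outside the known ad domains."""
    findings = []
    for chain in chains:
        reasons = []
        if chain.hops > max_hops:
            reasons.append("long_chain")
        final_host = host_of(chain.final_url)
        if base_domain(final_host) not in known_domains:
            reasons.append("off_network")
        if reasons:
            findings.append({"client": chain.client, "start": chain.start,
                             "hops": chain.hops, "final_host": final_host,
                             "reasons": reasons})
    return findings


def analyse(log_text):
    return flag_chains(build_chains(log_text))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the 8-hop chain from client 10.0.0.5 is reported for both reasons, while the ordinary one-hop ad load for client 10.0.0.7 is left alone.  In a real deployment the chain length and the set of legitimate ad domains would come from your own traffic baseline, and a hit is a reason to pull the creative and ask the ad network where the redirects came from, not proof of malware on its own.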



The Cloud Conspiracy

Former Microsoft Security Advisor Caspar Bowden gave a presentation at 31C3, the hacker conference in Hamburg last month, that gave the conspiracy theorists some more ammunition.   An article on his presentation appears here, his slides are here, and a video of the talk is on YouTube here.

A quote from the article gives you a taste for where he is going:

Bowden served as Chief Privacy Officer at Microsoft for nine years, responsible for advising 40 National Technology Officers from different countries. During an internal strategy conference in 2011, with Microsoft deputy general counsel, cloud management personnel and the NTOs in attendance, Bowden warned, “If you sell Microsoft cloud computing to your own governments then this [FISA] law means that the NSA can conduct unlimited mass surveillance on that data.”
After that, Bowden said the deputy general counsel “turned green” and the room was dead silent. During the coffee break, Bowden was threatened with being fired. Two months later, Microsoft decided Bowden was redundant and fired him.

His basic premise is that the FISA act and its amendments give the government the right to surveil foreigners outside the U.S. and then minimize (but not eliminate) access on U.S. persons after collection.   A clause was added to the 2008 FISA reauthorization that added coverage for remote computing services, i.e. cloud computing.  Since the FISA court operates in complete secrecy and a provider would be in contempt if they even talk about things that they have done in support of FISA warrants, we don’t really know the extent of this.

Just to be clear, I am less concerned about what the NSA is doing.  There are likely abuses and hopefully the political processes will deal with that – eventually.  What I am more concerned about is that we should not think that what the NSA can do is unique.  If we think that China, Russia and a handful of other countries don’t have hackers just as good as the ones we hire, then we are fooling ourselves.

But even if you are not ready to join the tin foil hat crowd, you might want to consider this.  If companies like Microsoft, Amazon and Google have added back doors to their cloud computing capabilities to support FISA warrants, do you really think that other state sponsored actors or even hackers will never discover these back doors?  That seems unlikely.

And, as I have said for years, the good hackers – state sponsored or otherwise – are never discovered.  Until they want to be.  The hackers inside Sony were likely there for many months before they went nuclear.  If they just wanted to steal information and use it for their own purposes, they likely would have never been discovered.

So the question becomes this:  does having this ability to spy on the people we want to spy on ultimately work for or against us?  Is it really possible to control this “spy genie” and keep it in the bottle?  My opinion – we cannot keep it in the bottle and it will likely come back to bite us.  Just my two cents.


Guilty Until Proven Innocent – Software Licensing

Lewitt, Hackman, Shapiro, Marshall and Harlan, a law firm based outside Los Angeles, has an interesting take on software licensing.  They don’t say whether they have been representing plaintiffs or defendants in software piracy lawsuits, so I don’t know if there is a bias in their blogging, but it is an interesting point of view.

They talk about the Business Software Alliance or BSA, an industry trade group made up of heavyweights like Microsoft, Adobe and Intel, that offers rewards to current or former employees to turn in their company if they suspect they are using pirated software.  Note they say “suspect” and not “have evidence of”.

The BSA investigates about 15,000 companies a year, starting by asking them to do a self audit and then “negotiating” for damages.  Having been on the wrong end of that deal once, we had to write a check with way too many zeros before the period.  Not fun.

That is old news.  The BSA has been kicking this dog for a long time and they try to get the occasional large penalty in order to try and cut down piracy, which from their point of view is understandable.

Here is what is interesting.  According to Lewitt, Hackman, under the law, all the BSA or Microsoft or whoever has to do to prove infringement is the following:

  • That it owns the copyright for the software
  • That the (soon to be) defendant used the software

They don’t have to prove that you pirated it or that you are using more copies than you bought.  At this point, you are assumed to be guilty and have to prove your innocence, something that very few companies can do.

Your claim that you are using the software legally is a legal defense.

The law says, according to Lewitt, Hackman, that it is your burden to prove you have a license from the copyright owner.

I doubt there is any company on the planet that has zero disgruntled ex-employees and if reporting you, anonymously, to the BSA is a way to get both revenge and cash, I could see that some people might do that.  The BSA even runs ads in magazines suggesting pretty much this.

How many companies can show an invoice or check copy for every copy of Windows, Office, Photoshop or any other piece of software installed on any computer in the office?  By the way, whether you are using the software or not is irrelevant to your defense.  If it is installed and unlicensed, you are guilty.  Been there, have the scars.

So, one part of your business risk management program should be to keep copies of all software receipts, licenses and other records so that if the issue comes up you don’t have to recreate history.

Food for thought.



Enterprises Are Still Failing At The Security Basics

VentureBeat wrote an interesting item pointing out some of the obvious things that Target messed up.  Fixing these items won’t stop every attack, but it certainly would slow the attackers down.

According to a lawsuit filed in federal court recently, Target dropped the ball on a few things.  Of course, at this point, these are just claims, but they have been widely reported in the media and not disputed by Target corporate.

  • Target did not take written warnings from Visa seriously.
  • The attackers got in by compromising the credentials of a vendor.  The thieves gained too much information from Google searches.
  • The security problem grew due to weak security at that vendor. Target should have required better security procedures of their vendors.
  • Target IT staff gave security warnings to their superiors, which were ignored.
  • Target’s network was not properly segmented.  As a result, access with the vendor’s credentials to the vendor billing application gave the hackers way too much access.
  • Target did not use two factor authentication, which did slow down the attackers at JP Morgan Chase.  Except they found ONE server that did not have it installed.
  • Target used the FireEye security software which alerted Target’s security team to the presence of malware, but the team took no action.
  • Target failed to remove unused default accounts, which the attackers took advantage of.
  • Target used Symantec Endpoint protection, which also generated alerts that were not acted upon.
  • Target did not block traffic to cyber thief havens like Russia, which allowed the hackers to use a command and control attack server in eastern Europe.  My guess is that Target has no stores in Russia and probably does not ship clothing there either.  This one is hard with multinationals, but it can be done.
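Two of the items above, the missing network segmentation and the unblocked traffic to a command and control server abroad, are policy questions that can be checked mechanically against flow records.  The script below is an added example, not code from the article or from Target: it defines a handful of network segments, an allow-list of which segment may talk to which, an allow-list of countries that corporate hosts may reach, and then audits a batch of flow records for violations.  The segment ranges, the flow records, the IP-to-country table (which uses the reserved documentation ranges, not real geolocation data) and the policy itself are all constructed for illustration.

```python
"""Audit flow records against a segmentation and egress policy.

Added example, not from the original article.  Segments, policy, flows and the
geo table are constructed; a real deployment would feed in firewall or NetFlow
records and a real geolocation database.
"""
import ipaddress

# Constructed internal segments; in practice these come from your IPAM / firewall zones.
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),  # where third-party vendors land
    "pos":           ipaddress.ip_network("10.20.0.0/24"),  # point-of-sale systems
    "corp":          ipaddress.ip_network("10.30.0.0/24"),  # corporate workstations
    "billing":       ipaddress.ip_network("10.40.0.0/24"),  # the vendor billing application
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # anything else in here is "unknown_internal"

# Constructed policy: which segment may initiate connections to which.
ALLOWED_FLOWS = {
    ("vendor_portal", "billing"),   # vendors reach billing and nothing else
    ("corp", "pos"),
    ("corp", "billing"),
    ("corp", "vendor_portal"),
}
EGRESS_SEGMENTS = {"corp"}          # only corporate hosts may reach the internet at all
EGRESS_ALLOWED_COUNTRIES = {"US"}   # constructed: countries the business actually operates in

# Constructed geo table using RFC 5737 documentation ranges; NOT real geolocation data.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),
]

# Constructed flow records: (source ip, destination ip, destination port)
SAMPLE_FLOWS = [
    ("10.10.0.4", "10.40.0.5", 443),        # vendor -> billing app: allowed
    ("10.10.0.4", "10.20.0.9", 445),        # vendor -> POS: segmentation violation
    ("10.30.0.7", "10.20.0.9", 443),        # corp -> POS: allowed
    ("10.20.0.9", "203.0.113.10", 443),     # POS -> internet: POS must never egress
    ("10.30.0.7", "203.0.113.10", 443),     # corp -> internet, country XX: geo violation
    ("10.30.0.7", "198.51.100.20", 443),    # corp -> internet, country US: allowed
]


def segment_of(ip_text):
    """Map an address to a named segment, 'unknown_internal', or 'internet'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown_internal" if ip in INTERNAL else "internet"


def country_of(ip_text):
    """Look up the constructed geo table; '??' when the address is not in it."""
    ip = ipaddress.ip_address(ip_text)
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return "??"


def check_flow(src, dst, port):
    """Return None if the flow is permitted, otherwise a short reason string."""
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if d_seg == "internet":
        if s_seg not in EGRESS_SEGMENTS:
            return f"egress_not_permitted:{s_seg}"
        country = country_of(dst)
        if country not in EGRESS_ALLOWED_COUNTRIES:
            return f"egress_geo:{country}"
        return None
    if s_seg == d_seg or (s_seg, d_seg) in ALLOWED_FLOWS:
        return None
    return f"segment:{s_seg}->{d_seg}"


def audit(flows):
    """Return (src, dst, port, reason) for every flow the policy would reject."""
    violations = []
    for src, dst, port in flows:
        reason = check_flow(src, dst, port)
        if reason:
            violations.append((src, dst, port, reason))
    return violations


if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(*violation)
```

On the constructed flows the audit reports three problems: a vendor address reaching the POS segment, a POS host talking to the internet at all, and a corporate host connecting to a country the business does not operate in.  The same checks, run continuously over real flow logs, are what turns the “should have” items in the list above into alerts someone can act on; the multinational caveat the author raises is handled by widening EGRESS_ALLOWED_COUNTRIES rather than by dropping the control.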

The article goes on to talk about Chase, Sony and basic human nature.  It provides some interesting food for thought.

So, as I have said for years, you have to take care of the basics before you worry about rocket science.