Category Archives: Alert

Security alerts

The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica  – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me precisely what cost Facebook $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless the do it secretly or Congress passes a law nullifying the social media terms of service, it is likely that social media platforms will terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always keep their documents secret.  The only way that you even get a copy of the specs is to become a member and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

 

IBM  Says Reports of Malware Attacks Up 200% in first 6 months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

 

 StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan before hand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach and the truth got out.  Source: Tech Crunch.

 

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, who’s details are likely classified, probably use techniques like we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

 

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.

 

North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.

Facebooktwitterredditlinkedinmailby feather

Wireless Home Security – Good Theater, Bad Security

Alarm companies like wireless alarm sensors because they cost less to install and are prettier since there are no wires.  They are also remarkably less secure.

It is useful to understand that you neighborhood junkie might not be able to pull off the attack, but any serious burglar would not have a problem.

In this particular case, a lawyer who has an interest in security was able to buy a signal jammer for $2 that disabled the SimpliSafe alarm system in his house.

While the alarm company disputed his claim with statements like “this is not practical in real life:, the lawyer stands by his claim.

To me, the attack is obvious.  If you can jam the signal, the alarm will not go through.

SimpliSafe says that they will detect what they call interference and the lawyer agreed that it did, but only sometimes.  He also said that the interference never actually triggered an alarm.

People often purchase an alarm for peace of mind, but if the alarm is jammable, is the peace of mind justified.

If you really care about your personal security, demand that all of the sensors are hardwired to the control panel.  If the alarm company can’t or won’t do that, find a different company.

Of course, if the alarm is just for appearances, a wireless system will be just fine.

The second half of the problem is the communication between the alarm and the monitoring station.  Some alarms use your internet; others use a cell modem.

The Internet based alarm is easy to defeat as the wire for your internet connection is typically exposed in a plastic box outside your house for the convenience of your internet provider.  All it takes is a wirecutter to defeat it.  For cell based alarms, a cell jammer does the trick.

In general, you want two different communications paths back to the monitoring station.

All of this depends on how serious you are about your alarm system protecting you.  Most consumer alarms are really designed to lull you into thinking you are secure and it works because most people don’t have the security knowledge to understand what the weaknesses are.

To watch a video of the hack, additional recommendations on being safer and more details of the attack, go to the article on the Verge.

Facebooktwitterredditlinkedinmailby feather

THIS is Why Patching Your Phone Is Important

I tend to be a bit of a dog on a bone when it comes to patching your phone.  Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.

But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone.  For those phones, Google releases and installs patches like Apple does.

For every other Android phone, Google publishes the open source code to a public repository every month.  Then the phone’s manufacturer had to download it and integrate any changes that it made.  Up until recently, this was a completely optional decision on the part of the phone manufacturer.  Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world.  The mobile carrier then needs to integrate its changes into the code and test it.  Again, completely voluntary.  There will be a new option for brand new phones released with Android 10 this fall, but nothing now.

One more thing.  Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it.  So, if a phone was released in January 2017 and you bought it in March 2018, it likely will only be patched for the first 9 months that you own it, at best.  This means that for most of the time that you are using the phone, it will be vulnerable to be hacked.  If you keep the phone for say 3 years – many people keep Android phones longer – than for about 2 and a half of those years, it will be open to attack.

This is why understanding this and being vigilant about patching is so important.  And why many Android phones are already compromised.

So why today?

Security firm Tencent announced two critical bugs in the Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.

Check out the link below for the details and CVE numbers.

Once compromised, the attack gives hackers full system access, including the ability to install rootkits (which are not detectable) and steal any information on the phone, most likely without being detected.

Some of the Qualcomm chipsets affected are:

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Point is – a lot of them, affecting a lot of phones – most of which will never be patched.

While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and be within WiFi range of the attacker such as being out in public in a store, coffee shop, airport, hotel or meeting area, just to name a couple of options.

If you use an Android phone, check to see if it is receiving patches.  if you store anything sensitive on the phone, disable WiFi if you can. 

IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.

It will not be long before attackers figure out the details and start using this in the wild.

Source:  The Hacker News.

 

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Are You Ready for California’s New Privacy Law?

Security vendor ESet interviewed 625 business owners and executives to understand their readiness for California’s new privacy law that goes into effect on January 1, 2020.  What most businesses are missing is that Nevada’s version of the law goes into effect on October 1, 2019.  Most of the respondents were from small businesses, some of whom are exempt from the requirements of the law.  Here are the results:

  • 44% had never heard of the law
  • 11% know whether the law applies to them or not
  • 34% say that they don’t know if the law will require them to change the way they collect and store data (it likely does)
  • 22% say they don’t care if they break the law (great if you can get away with that)
  • 35% say they don’t need to change anything to be in compliance (very unlikely)
  • 37% say that they are very confident that they will have the required security in place by January 1.  Another third say that they do not know if they will have security in place
  • Half said that they did not modify their behavior or processes to bring their businesses into compliance with GDPR (most likely because they don’t know what GDPR requires)

40% of the businesses said that they did not have anyone responsible for security or privacy in their company and another 18% said they didn’t know if they had someone.

9% said they are moving to avoid having to comply with CCPA, the new California law.  Those people need to understand that they will also need to block Californians from going to their web site and refuse to ship products or deliver services in California.  None of that is realistic for most businesses.

Given the law goes into effect in less than 6 months and Nevada’s version goes into effect in two months, this lack of knowledge is concerning.  However, attorneys, especially those that specialize in class action lawsuits, are thrilled.

There is one aspect of the law that should be a cause for concern for these businesses who think they understand the law – and likely do not.

Any California resident can sue any California business that has a breach that compromises their personal information.

They do not have to show that they have been damaged to sue.

The maximum you can sue for is $750 per person.  A breach of say 10,000 records – a tiny breach by today’s standards (the Capital One breach last week compromised 106 million people) – would generate a potential lawsuit asking for $7,500,000.

Are you prepared for that?

A one million record breach – still small by today’s standards – translates to a $750 million lawsuit.

My suggestion to small businesses – think again about whether you are prepared.  If you need help, contact us.  Source: HelpNet Security.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised are 140,000 US social security numbers and 80,000 bank account numbers.  Also in the mix were one million Canadian social security numbers plus names, addresses, phone numbers, birth dates and incomes.

The data included applicants who applied between 2005 and 2019.  Yes, 15 years worth of applicant data, floating around in the cloud.  I ask WHY?

The hackers were inside between March and July and the breach was discovered in July.  In this case, a U.S. person was identified as the source of the hack and arrested.  She is still in jail.

The feds say a configuration error allowed her to access their data which was stored in the cloud.  See more information at The Register.

 

Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican controlled Senate Intelligence Committee released the first volume of it’s report of Russian hacking of the 2016 Presidential elections, Florida Senator and at the time Florida Governor Rick Scott said on national TV that he has not read the report.  The report, which is heavily redacted, talks about Russian efforts to hack “State-2” which is widely believed to be Florida.

The report is only 67 pages;  much less if you read the redacted version, but Scott has only gotten the Cliff-Notes version from his staff.  At the time, Scott was adamant that his state was not hacked.  Florida’s other Senator, Marco Rubio, has been working hard to sound the alarm bells on the report.  Perhaps the report hit a little to close to Scott’s denials for comfort.  Source: The Tampa Bay Times.

 

Honda Exposes the Family Jewels

134 million rows of sensitive data was accidentally exposed.  Wait.  Guess.  On an unprotected elastic search database.

Information on the company’s security systems, network, technical data on workstations, IP addresses, operating systems and patches were all exposed.  Basically, these are directions for even an inexperienced hackers to attack Honda.

Honda  is being pretty quiet about this, but it is one more more case of corporate governance gone wrong.  Or missing.  Source: Silicon Republic.

 

Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people’s Siri recordings, including sensitive  protected health information,  Apple announced it was suspending the program and will conduct an investigation.  Apple said they will provide an option for people to participate in the program or not, in a future software release.  Source: The Guardian.

 

On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called Jedi.  Now the Capital One breach happens exposing information on 100 million customers and it turns out the person who is accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers – and probably so does Microsoft.  $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was helped by a configuration error. Source: Bloomberg.

Facebooktwitterredditlinkedinmailby feather