Category Archives: Alert

Security alerts

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Default Passwords on Gov Websites – What Could Go Wrong?

You would think that in 2020 we wouldn’t have to tell people not to use default passwords.

You would certainly think that we wouldn’t have to tell government IT folks not to do that.

But if you thought that, apparently, you would have thought wrong.

We are still telling end users to change the password on their WiFi router. And on their Internet modem or firewall. But those are consumers.

We recently did a penetration test for a client. The client has a lot of locations.

For the most part, their Cisco ASA firewalls were secure.

Except for a couple of them.

Which still had the default password. At that point, we owned their entire network.

Fast forward to last month. The FBI said, privately, that foreign actors had successfully penetrated some government networks and stole source code.

Now we are getting at least some of the rest of the story. We still don’t know which agencies were hacked and what was stolen, but we do know how.

SonarQube is an open source application to help companies or agencies improve code quality through continuous static code analysis.

But if you put that on a public facing web site and you don’t change the default password – which is a really hard to guess “admin/admin”, you kind of have a problem.

I don’t understand enough about how SonarQube works, but it seems to me that it SHOULD NOT be exposed publicly and it probably should not be on production servers.

Here it is, at the tail end of 2020 and we are still telling people – IT people – to change the freaking password.

And security folks have been talking about this specific problem with SonarQube for a couple of years now and not just inside the gov.

Come on folks – get with the program. Hopefully what was stolen was not too sensitive but the fact that they are not telling us who was hacked and what was stolen probably means that it was sensitive. Credit: ZDNet

Microsoft Says Switch Away from SMS-Based Two Factor

This falls into the “well, it is about time” category.

While text message based two factor authentication is, by far, the most popular method of two factor authentication, Microsoft said it should be avoided, along with voice based two factor authentication.

Why? Is two factor authentication bad? Or useless? No, none of the above. It is just that there more secure methods. They say that ANY form of two factor authentication significantly improves security.

They provide a list of reasons why you should move to other forms of MFA and we know that this will take time to adopt, so this is a good message to deliver now.

The way we have seen the most compromises of two factor authentication go down is by what is called SIM-Jacking, where the hacker gets the phone provider to transfer your number to the hacker’s phone. At this point, any text messages meant for you go to the hacker. This is still a targeted attack, but the target may be any high value situation. Banking, for example.

Migration to app-based authentication, which would require the hacker to physically steal your phone, is considered far more secure. One risk of it is what happens if you lose your phone. For that, many of the apps support sending an encrypted backup to the cloud, protected by a strong password.

Examples of (all free) app based authentication software is Microsoft Authenticator, Google Authenticator, Facebook Authenticator and Authy. Most websites that support app based MFA will work with any of these apps, even when they say to use one of them.

One strategy is to move what you consider high value target accounts to app based MFA first. For example, if it would be a problem if a hacker stole all of the money out of your retirement account, that might be a good first account to protect using this new method.

Credit: Helpnet Security

Security News for the Week Ending Nov 13, 2020

The “S” in Coworking Stands for Security

While the WSJ says that coworking companies are closing money losing spaces as a result of Covid, don’t forget that coworking spaces are about as secure as airport WiFi, meaning not at all. The local news just said that some coworking companies are actually expanding as people want to get out of their house. For most coworking companies, the users are on a shared WiFi connection with no security and often, no encryption. Your remote working policy and procedures need to address this subject, based on the level of risk you are willing to accept and whether you are part of a regulated industry that might frown on you sharing your trade secrets, PII or customer data with the world. Also remember, that if malware gets into shared WiFi, it will certainly try to attack you. Here are a few tips for coworking company security.

Travelers are Faking Covid-19 Test Results

Apparently some travelers don’t want to go through the hassle of getting tested for Covid but still want to travel to countries that require those tests to enter the country. First there were paper documents, which, with Photoshop, were easy to forge. The cops in Paris’ Charles de Gaulle Airport just arrested some of those forgers. They were charging $180-$360 for fake documents. Apparently the French do not cotton to counterfeiters. The penalty for counterfeiting Covid documents is 5 years in a French prison and a half million dollar fine. Brazil arrested some tourists last month for presenting fake documents, so it sounds like you can get in trouble whether you are the buyer or the seller. Some locales are now only accepting electronic versions of the documents from the labs, making it harder to fake. Credit: USAToday

Google Finds At Least 7 Critical Bugs in Chrome, Android, iOS and Windows

Google says the bugs were being actively exploited int the wild, but are not saying by whom or against whom. The iOS 12 patch released patches back to iPhone 5S and 6, typically indicating that it is a big problem. The bugs were “found” by Google’s Project Zero, but apparently were being used by someone(s) prior to them being found. Does this smell like some spies were caught? Probably. We just don’t know which side they were on. Credit: Vice

Vietnam’s OceanLotus Hacking Group Joins Other Countries in Hacks

While countries like China get all the credit for hacking, Russia, North Korea and others are just as active. Add Vietnam to the list. Right now they are attacking their Asian neighbors. As is typical for these government run attacks, they are applying a great deal of effort to compromise their victims. Credit: The Record

White House May Fire Krebs for Securing the Election

Chris Krebs, the head of DHS’s Cybersecurity agency CISA, says he expects to be fired by the White House for securing the election from hackers. All reports indicate that while there is a lot more work to do to secure elections, the 2020 elections were, by far, the most secure ever. The agency also created an election rumor control web site (www.cisa.gov/rumorcontrol). This website debunked many of the myths being spread people who are trying to discredit the election results. General Nakasone, head of NSA and Cyber Command, who also said that there was no significant election fraud, could also be in trouble. Credit: Darkreading

Is The NSA Still Putting Back Doors in Tech Products?

This is a bit like the old question “are you still beating your spouse?” In order to answer that you would have to admit that you had been doing it previously.

The NSA, as far as I know, hasn’t admitted to placing back doors in tech products but there is a lot of information that has leaked out over the years that seems to indicate that they did and possibly still do.

One example. The CIA and NSA, in partnership with German intelligence, actually OWNED the Swiss crypto hardware company Crypto AG. They sold backdoored crypo hardware (back when hardware was the only way to do that) to both our friends and our foes. Of course, no one knew that the intelligence community owned the company or that the crypto was defective. The company was shut down or sold in around 2015 when all encryption was done in software and the CIA and NSA no longer had the monopoly that Crypto AG once was, but the NSA and CIA had access to the supposedly secure communications of both our friends and enemies for decades.

Second example. Juniper has admitted that in 2015 someone inserted a back door – what they refer to as unauthorized code – into the Juniper operating system ScreenOS. Some sources say that the code goes back to 2008. Call unauthorized code a code word for back door.

Third example. The NSA paid RSA millions of dollars to use a particular pseudo random number generator called dual EC. The algorithm has a weakness making the numbers not so random and the NSA knew that and was able to leverage that to make crypto easily crackable. By them. Because they knew about this flaw. They even managed to get NIST, for whom the NSA was a technical advisor, to adopt Dual EC as a standard.

When Snowden released the documents that he did release, it became clear that the algorithm was fatally flawed. NIST says that they were duped – which is both possible and possibly a lie – and revoked the standard.

But in the meantime some government other than ours figured out that there was a flaw in the Juniper software and kind of used the flaw against us. And others.

All that is background.

Senator Ron Wyden, a member of the Intelligence Committee has asked the NSA for a copy of a report they created after it became public that the NSA’s back door was being used against us. Wyden is opposed to back doors because it is hard even for the NSA to keep a secret a secret. For one thing, someone else might discover it accidentally.

Mysteriously, the NSA says that they cannot find that report.

Supposedly after the NSA’s hack got hacked the NSA changed its policy on inserting back doors into commercial products.

But, hmmm, they can’t seem to find that information. Maybe we should ask Snowden to look for it like Trump asked Russia to look for Clinton’s emails.

Rumor has it that for years the NSA intercepted equipment from vendors like Cisco while it was in transit and inserted “gifts”. They then put it back in the delivery stream and used the access they had to steal information.

Bottom line, we don’t really know what the NSA’s policy is about adding back doors to commercial products.

And the NSA is not saying.

You would think that if they were NOT doing it any more, they might be willing to say so, which leads me to assume that the new policy is “don’t get caught”.

You are going to have to figure this one out yourself.

Is Your IRA Safe?

OK, don’t everyone run and close your IRA and put the money under your mattress. First of all, it would probably make your mattress lumpy and sleep difficult. It is important to understand this issue and you need to ask your IRA administrator some tough questions.

Here is this story.

In June 2018 a con man posed as Michael Eckenwiler, an Oppenheimer Funds customer, and withdrew $176,262.77 from his IRA. Oppenheimer is now part of Invesco.

According to a lawsuit, the hacker posed as Michael using an ID with an incorrect middle name, a fake driver’s license with no hologram and a forged signature.

The IRA custodian, Pensco, did not detect this. In fact, it facilitated the transfer of the money to American Estate and Trust where it was converted to Bitcoin and vanished.

When it comes to consumers and say, their personal checking accounts or their personal credit cards, the rules for who is liable for fraud are very clear. The rules for debit cards are also clear, but less favorable to the consumer.

When comes to businesses, the rules are different and are usually driven by the Uniform Commercial Code (UCC) and contracts between the business and the financial institution.

But apparently, when it comes to your IRA, your only option is to sue your IRA provider and their custodian.

I say only option, but that is not fair. We have clients in this line of business and when they have run into situations like this, they have chosen to make their clients whole.

John Reed Stark, attorney and former head of the Securities and Exchange Commission’s Office of Internet Enforcement said “This kind of compliance, with someone standing up and holding a driver’s license … I’ve always felt
that it doesn’t pass a straight face test.”

Pensco (now Pacific Premier Trust) and American Estate issued Medallion Guarantees that assured that the signatures were genuine and verified.

Michael did not discover that his account was almost $200,000 lighter for almost two months (note to self: make sure that you turn on all of the notifications of deposits and withdrawals that your financial institution allows).

Everyone is declining comment as this litigation plays out. The litigation says that these companies violated the above mentioned UCC as well as breaching their duties as a fiduciary.

In July a fraudster was indicted for trying the same tactic At Boeing’s 401(k) program and in 2019 a participant in Estee Lauder’s 401 (k) program sued them after she lost more than $100,000. That suit has been settled.

Okay, so now what.

To be clear, for certain types of accounts like IRA deposit accounts there may be federal insurance if the company goes broke. Likewise, for investment firms – non-banks – that are members of the SIPC, there may be similar insurance. But that insurance is different that what happens if a hacker steals your money.

Financial institutions need to better train their employees and, more importantly, customers of these institutions need to ask questions, read documents and, longer term, get laws changed.

If you don’t get answers that you are comfortable with, consider changing IRA providers. Vote with your money; that often gets people’s attention. Credit: John Reed Stark