Category Archives: Alert

Security alerts

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. In their notice it says that they don’t moderate and then proceed to talk about all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, court documents show that the FBI can get into iPhones that are in the "after first unlock" state (a phone that has been unlocked at least once since power up, which is 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite, they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor, or will they also allow iPhone users to repair their phones? Credit: Vice

Lawsuits Often Follow Ransomware

Last October Wilmington Surgical Associates was dealing with a ransomware attack.

Allegedly, the Netwalker ransomware group stole 13 gigabytes of data, which in today’s world easily fits on a flash drive, and leaked that data online.

The patients of the North Carolina clinic whose data was stolen and leaked are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…”

Hackers often post “proof” that they have really stolen the data. In this case, the initial post leaked 3,702 files and 201 folders, which included both patient and employee data. Given the nature of the business, most of the data stolen was likely sensitive.

The clinic notified 114,00 people just before Christmas, likely within the legal notification timeline.

The lawsuit says that Wilmington Surgical inadequately protected the PHI and PII in their possession and maintained data in a reckless and negligent manner.

They also claim that the clinic failed to properly monitor its network, system and servers.

The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical to improve its data security systems, as well as adhere to annual auditing and adequate credit monitoring services to be paid by the provider.

While some of these suits are settled quietly, others come with multi-million dollar settlements. There have been a number of these lawsuits filed recently.

So here is my question for you. If you had a breach and the claim was similar to the one quoted above, how would you or could you defend yourselves? Just asking.

Credit: Health IT Security

Supply Chain Risk in the Software Process

I have been talking a lot about supply chain risk lately and there is a good reason. From open source products with backdoors like Webmin or Rubygems to NotPetya a few years ago which shut down many companies around the world to the recent attacks against SolarWinds or Centreon, supply chain attacks are running rampant.

There is a good reason for this – we have not, historically, paid enough attention to them, so they work very well.

Here is a new attack that works against the software development process.

Security researcher Alex Birsan posted a blog on February 9th that detailed how he used dependency confusion (also called namespace confusion) to push malicious proof of concept code to organizations like Microsoft, Apple, Tesla, Uber and others. It is not because these companies are stupid. They are not. It is because we are not paying enough attention to the problem.

The good news is that he is a good guy and wasn’t trying to take down the world.

I am not going into total-geek with details of why this attack works, but right after the vulnerability was announced, hundreds of copycats were released into the wild. They are still being released – knowing that some companies will ignore or not understand the problem and remain vulnerable, potentially forever.

Not surprisingly, the root of the problem is the tradeoff between security and convenience.

The problem is that if the bad guys are sophisticated, developers will not detect the problem because their malicious code won’t activate until a trigger event happens and all of the normal functionality works correctly.

The researcher who launched the test attack called the results simply astonishing. I don’t think the copycats were launching mock attacks.

For more details on how this attack works, read the article here.
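Here is an added example (not from this post or from Birsan's write-up) of the kind of check a defender can run over a Python project's requirements before the resolver ever touches a registry. Dependency confusion works because a package manager configured to consult more than one index will happily take an internal package's name from the public index, so the script parses a requirements file, flags a setup that pulls from more than one index, and reports internal package names that are also claimed on the public index or that are not hash-pinned. The host names, package names and the public-index lookup are constructed placeholders; a real audit would query the registry instead of the stub.

```python
"""Audit a pip requirements file for dependency-confusion exposure.

Added example, not code from the article or from the researcher's write-up.
Assumptions: requirements.txt syntax, a set of names the organisation treats
as internal, and a callable answering "is this name on the public index".
Hosts, package names and the public-index stub below are constructed.
"""
import re
from typing import Callable, Dict, Set


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Acme_Auth.Lib' and 'acme-auth-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


# name, optional [extras], optional exact pin; everything else on the line is ignored
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==\s*[^\s;#\\]+)?")


def _option_value(line: str) -> str:
    """Value of '--opt value' or '--opt=value'."""
    opt, _, rest = line.partition(" ")
    return opt.split("=", 1)[1] if "=" in opt else rest.strip()


def parse_requirements(text: str) -> Dict:
    """Return configured indexes and, per package, whether it is exactly pinned and hash-pinned."""
    result: Dict = {"index_url": None, "extra_index_urls": [], "packages": {}}
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines first
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("--index-url"):
            result["index_url"] = _option_value(line)
            continue
        if line.startswith("--extra-index-url"):
            result["extra_index_urls"].append(_option_value(line))
            continue
        if line.startswith("-"):
            continue  # other options (-r, -e, ...) are not relevant to this check
        m = _REQ.match(line)
        if not m:
            continue
        result["packages"][normalize(m.group(1))] = {
            "pinned": m.group(3) is not None,
            "hashed": "--hash=" in line,
        }
    return result


def audit(req_text: str, internal_names: Set[str], public_has: Callable[[str], bool]) -> Dict:
    """Flag the conditions that let a public package shadow an internal one."""
    parsed = parse_requirements(req_text)
    internal = {normalize(n) for n in internal_names}
    findings: Dict = {
        # more than one index lets the resolver pick the "best" version from any of them
        "multiple_indexes": bool(parsed["extra_index_urls"]),
        # an internal name that also exists publicly is exactly the collision the attack needs
        "public_collisions": [],
        # --hash= pins make a substituted artifact fail to install even if a name collides
        "unhashed_internal": [],
    }
    for name, info in parsed["packages"].items():
        if name not in internal:
            continue
        if public_has(name):
            findings["public_collisions"].append(name)
        if not info["hashed"]:
            findings["unhashed_internal"].append(name)
    return findings


# Constructed sample input; host names and package names are placeholders.
SAMPLE_REQUIREMENTS = """\
# constructed sample; host names are placeholders
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.25.1
acme-billing-core
Acme_Auth.Lib==1.4.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""
INTERNAL_NAMES = {"acme-billing-core", "acme-auth-lib"}

# Stand-in for the public index (constructed). A real audit would query the
# registry for each internal name instead of consulting this set.
_PUBLIC_STUB = {"requests", "acme-billing-core"}


def public_has_stub(name: str) -> bool:
    return normalize(name) in _PUBLIC_STUB


if __name__ == "__main__":
    for key, value in audit(SAMPLE_REQUIREMENTS, INTERNAL_NAMES, public_has_stub).items():
        print(f"{key}: {value}")
```

On the sample, the audit reports that two indexes are configured, that acme-billing-core is both internal and present on the public index, and that it is the one internal package without a hash pin. The fixes the report points at are the usual ones: serve internal packages from a single index that also proxies the public one, and hash-pin everything so a substituted artifact fails to install.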

Bloomberg Says China Adds Spy Chips to Computers

In 2018 Bloomberg ran a story that claimed that China had embedded tiny microchips on Supermicro computer server processor boards in 2015. Everyone denied it – Supermicro, the intelligence community (IC), China.

Supply chain attacks seem to be everywhere these days and this is another one.

I don’t know if it is true, but why would Supermicro or China admit what was going on? The IC might know but might not want China to know how much they know and when they knew it.

While Bloomberg took a lot of heat for the story at the time, they never gave up on it and continued to investigate.

Well this week Bloomberg wrote chapter two of the story.

They are saying that China targeted Supermicro products for over a decade, that the IC was aware of it and that they kept it quiet because they were studying it and trying to figure out how to counter it.

14 former law enforcement and IC sources confirmed the story to Bloomberg.

According to Bloomberg, the Pentagon detected the chip implant back in 2010. Intel detected that China had hacked it in 2014 and the FBI issued a private warning to multiple companies in 2015 telling them that China had planted a surprise inside their computers.

Bloomberg also says that the Feds got a FISA warrant in 2012 to surveil several Supermicro employees.

And of course, Supermicro issued a new denial.

Would you expect anything else?

Remember also that it is well documented that the NSA did hardware implants for years.

You get to figure it out.

However, I do recommend you dust off that vendor cyber risk management program and see if you are doing all that you can do. Credit: The Register

Security News for the Week Ending February 12, 2021

Law Firm Goodwin Procter Hacked

Goodwin Procter managing partner Mark Bettencourt confirmed that some of their clients’ data was compromised. But not to worry; it only affected a small percentage of their clients. One more time, we have a “supply chain attack”. While the vendor was unnamed, I suspect it was Accellion. They suffered a breach that is all over the news due to the high profile targets that suffered a loss. So now a very high profile law firm has to explain to its clients why its security was not good enough to protect their most sensitive data. If you are a client of a law firm, how confident are you that they can protect your data? Credit: ABA Journal

What Does This Mean for Cities?

Salesforce is joining other big tech companies in changing the work-life equation. This week they announced that most staff, after Covid, will only be in the office 1-3 days a week, many workers will never return to the office and a few workers will be in the office 4-5 days a week. This means that work from home security is now permanent, but it also raises questions about the implications for downtown big cities. Salesforce has 9,000 workers in San Francisco. If half of them never come to the office and another 30% come to the office 1-2 days a week, what does this mean for downtown retail and office space? Credit: MSN

State Department Declassifies Report on Cuba’s Sonic Weapon

You may remember reports of Cuba having a secret sonic weapon back in 2017-2018. A newly declassified report by the State Department’s own Accountability Review Board lambasted the department’s response to the attack as lacking leadership, having ineffective communication and being systemically disorganized. There are 104 pages of detail, but none of them paint the previous administration favorably. As a result of the botched investigation we will probably never understand what the weapon was that Cuba attacked us with. Credit: Vice

Ex-Students Plead Guilty to Stealing and Trading Nude Pics and Vids

Two former SUNY Plattsburgh (NY) students pleaded guilty to hacking coeds’ MyPlattsburgh portal accounts and stealing nude pictures and videos. The portal contains full access to the students’ email, cloud storage, college billing, financial aid, coursework, grades and other personal information. They either guessed passwords or guessed security question answers. When they found nude photos and videos, they traded them with others, in some cases identifying the students by name. They even posted some photos online. Credit: The Register

IRS Warns Tax Pros of Identity Thieves Targeting Them

The IRS is warning tax professionals that hackers are trying to steal their electronic tax filing credentials so that they can file fake returns, and those returns will be tied to those same tax pros. If you are a tax pro and need help, please contact us. Credit: Bleeping Computer

Is $100 Million Enough of a Reason to Improve Security?

A SIM swap attack is a hacking technique where hackers socially engineer cell phone providers into moving a victim’s phone number to a SIM the attacker controls. That means that hackers get the victim’s text messages and phone calls.

While two factor authentication is not used by the majority of people, when it is used, the most common form of two factor is text messages. That means that if a hacker can hijack your phone number, he or she will get those text messages and, in combination with a stolen password, can compromise your bank account.

In this case, law enforcement in England, Scotland, Malta and Belgium, assisted by Europol, the US, and Canada, arrested ten kids (ages 18 to 26) for hijacking US celebrities’ phones in order to compromise their Bitcoin accounts.

Celebrities often have bad security because, well, they are celebrities and they don’t have to ….

Of course, now that their net worth is $100,000,000 lighter they might want to reconsider that theory.

For you and me, $100 is about my limit; maybe less.

There are plenty of alternatives to text messaging for your second factor, from the fancy end with RSA hardware tokens to the plain version of software tokens. Unless the hacker physically steals your phone while it is unlocked, any of these alternatives is better than text messages.

Now the next thing is to get providers to stop allowing you to do a password reset by sending you an email or a text message for the same reason.

Security or convenience, pick one. Credit: The Record