Category Archives: Alert

Security alerts

NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, long time NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all around cyber guru says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different  town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

Sextortion Campaign Adds a New Twist

Sextortion is malware that tries to convince you that the attacker has compromised your computer and has videos of you visiting adult web sites.  The attackers promise not to share the videos with your friends if you pay them money.  The videos do not exist, but scared people sometimes pay.

The new variant of the attack tells you to download a sample video to prove their claims.

In fact, the so called video is really malware.  The first piece of malware steals your account passwords, files and more.  The second piece of malware encrypts your data.

Before downloading the sample video you thought you had a problem.  After the download, you really do have a problem.

So, what should you do?

First of all, if you get a threatening email like the above, slow down, take a deep breath and consider things.

For most people – who don’t visit porn sites – keep your curiosity at bay and DELETE the email.  DO NOT OPEN THE ATTACHMENT!

I always recommend covering your webcam on your laptop.  If you have followed this advice, see the above.

For the very small group of people left, it you think that this video actually may exist, consult an expert.  They can safely deconstruct the attachment and figure out if it really what the attacker claims.

Lastly, as I always say, backup early.  And often.  Preferably multiple copies.  If possibly, at least one copy offline.  I keep at least one version of my backups in a bank vault.  Very hard to hack.

Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

Australia Is On The Fast Path to Ban Encryption Without Backdoors

While this is still a bit like Jello (R) waiting to congeal, the Australian Assistance and Access Bill is designed to require back doors in encrypted communications like Whats App and iMessage.

COMPANIES THAT DEVELOP SOFTWARE THAT USE END TO END ENCRYPTION NEED TO PAY ATTENTION TO WHAT HAPPENS SO THAT THEY CAN MAKE APPROPRIATE BUSINESS PLANS.

The party in power is trying to ram the bill through Parliament in 4 days and the opposition labor party is playing politics – maybe supporting it maybe not.

Continuing the political bull-poop, the prime minister said that the Labor party is “happy” for terrorists to plot attacks using encrypted messages.  I don’t recall ever hearing the Labor party ever say anything remotely close to that.

They are saying that if the bill passes, the Australian software industry will be toast as anyone from another country will assume that any Australian software is riddled with security holes to keep the police happy.  Who would buy that software?

One proposal is to limit the back doors to terrorism and child trafficking, but i have no idea how, technically, you could possibly do that.

It is also possible that such a law would conflict with provisions of other foreign laws such as the U.S. Cloud Act and possibly even GDPR.

The bigger question is whether big software players like Apple and Facebook will buckle and build in back doors to protect a tiny bit of the world market to keep Australia happy.

One possibility is what we had in the U.S. in the 90s, which is two versions of software – one for the Australian market, full of security holes but legal in Australia, and one for the rest of the world.  The disadvantage of this is that vendors would need two sets of software and maybe some amount of separate infrastructure.  It is also not clear how you would stop Australians from downloading the other version.

Another possibility, although less likely, is that companies Apple and Facebook will abandon the Australia market.  After all, in the grand scheme of things, it is not a big part of their revenue.  For the moment, they are lobbying against it and other than that, keeping their collective mouths shut.

The Australian government is saying that they need to ram this legislation through Parliament because of the heightened risk during the Christmas holiday, although it is completely inconceivable that even if the bill passes that companies would do anything in time for Christmas.

The government is trying to scare people into passing the bill without any review by saying if they don’t that lives are in jeopardy, but when asked if there is a specific problem they answer no.  After all, they have not had this capability for the last 10 years, why will waiting 30 days mean the end of life on the planet?

The proposed law would require companies to add back doors unless adding back doors would create systemic weaknesses – whatever that means.

Information for this post came from ZDNet and Sky News.

Of course, since politicians are not, for the most part, technically savvy, they appear to have missed the issue of open source software, which we have seen grow in popularity among terrorists in the Middle East.  With open source there is no company to haul into court and it is likely impossible to stop the distribution of open source source located outside of a country’s borders.

Stay tuned.

 

 

 

Facebooktwitterredditlinkedinmailby feather

What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V ?

Some of you probably figured out that it is a cryptocurrency (AKA Bitcoin) wallet.  But there is something that makes this bitcoin wallet different from the tens of millions of Bitcoin wallets out there in the wild.

Making a payment to this Bitcoin wallet may classify you a terrorist and subject you to arrest and prosecution.

But, you say, you were hit by a ransomware attack and you need your data back.

Sorry, says the government, you are still a terrorist.

Enough, you say, with this riddle.  Explain what the **bleep** is going on.

OK, here is the story and most of it is not news to anyone who has worked in financial services.

The U.S. Treasury Department has an office (AKA Department) called OFAC or Office of Foreign Asset Control.  Predecessors to the current OFAC department have around at least since the 1940s.

The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to terrorists.  In fact, when I was in the title and escrow business, we checked each and every payment, both inbound and outbound to make sure that we were not accepting money from terrorists nor sending money to terrorists.  We had special software to do this since we made tens of thousands of payments a day.

OFAC manages a list of what they call Specially Designated Nationals (SDN) or, basically, terrorists or people that help them.  As of today, that list is contained in a PDF file that is 1254 pages long.

As a way to try to squeeze terrorists, the government has started adding cryptocurrency wallet addresses to the SDN list.  The government expects that every time you make a cryptocurrency transaction, you check to make sure that the recipient is not on the SDN list.  If you use a service like Coinbase or one of its competitors, they do that for you.  If you arrange for the Bitcoin transfer yourself, they expect you to do it.

Since the Bitcoin blockchain (unlike many other blockchains) is publicly visible, it is pretty easy for the government to look at transactions and see if anyone in the U.S. is sending money to that wallet.  Since transfers are relatively anonymous if done carefully (like you only use that wallet for one transaction and other restrictions), the government may or may not try and find you if you violate the OFAC rules, but if you are a money handler, they will definitely come after them.  If you put money into a Bitcoin wallet from a bank account to pay the hacker, anonymity is totally gone – FYI.

Penalties, recently, for violating OFAC rules varied from a low of $87,000 to a high of $53,966,000 .  Big range, although $87,000 is still a large number.

There is a mechanism for requesting a waiver to send money to a person on the SDN list (called a blocked person or blocked entity), but I doubt the process is simple or quick, two things that are probably important when you are trying to unlock your data.

The simple solution is don’t get attacked by ransomware (easier said than done) or only get hacked by friendly hackers or hope that your attacker is not on the SDN list.  Otherwise, check and see if the person you are paying is on the bad guy list. 

We live in interesting times.  Information for this post came from Bleeping Computer and information on OFAC and the SDN list can be found here.

Facebooktwitterredditlinkedinmailby feather

Losses from Online Payment Fraud Expected to Reach $48 Billion Annually

If you believe this week’s report from Juniper Research, online payment fraud is expected more than double in the next five years going from a mere $22  billion in losses this year to $48 billion in losses by 2023.

The industry recovers that money by raising prices.

This cost is about $150 for every man, woman, child and baby in the United States every single year.

What is interesting is that the crooks are morphing their attacks.  They are stealing the data and using it to build fake identities.  They use those identities to commit fraud,

From a business standpoint, businesses are not prepared to deal with this “synthetic identity” attack and will continue to lose billions of dollars to this type of attack.

From the consumer standpoint, consumers need to demand that businesses improve their security.  The Equifax breach was not the result of some incredibly exotic attack method figured out by cyber geniuses.  It was just that Equifax forgot to install some known patches.

In addition, consumers need to improve their own security – simple things like patching their phones regularly, uninstalling apps that they don’t use any more and not clicking on phishing links.

Likely laws will wind up being passed, whether that will help or not.

To put this in perspective, $48 billion represents every dollar of Apple’s profit in a year or roughly the entire revenue of HP.

Information for this post came from Help Net Security.

 

 

 

Facebooktwitterredditlinkedinmailby feather

Adobe is Being Sued for Bug that Deleted User Files

This could be a very interesting lawsuit and we will watch it and see where it goes.

In 2017 Adobe released Premiere Pro Creative Cloud 2017 version 11.1.0 ,  Apparently, like a lot of software, this product was not bug free.

In fact, a feature called clean cache not only cleaned the cache of Premiere work files, but also cleaned the user’s original files, irretrievably.

The freelancer who filed the lawsuit and is seeking class action status lost over 100,000 video files which he says cost him bigly in his inability to license those videos after Premiere went wild.  He says that the lost files cost him a quarter million dollars to create.

Adobe acknowledged the bug and released version 11.1.1 which, Adobe said, will only delete files within the media cache. Files, they said, that sit next to it will no longer be affected.

Cooper (the freelancer) tried but failed to settle with Adobe.

The thing that is strange about this lawsuit is that most end user license agreements – the ones that almost no one reads – usually state that the vendor does not guarantee the software will work or that it will be free of bugs or that it is suitable for what you are planning to use it for.  Given that, why is Adobe responsible?

He is alleging that Adobe breached a duty of care and failed to disclose what was, at the time, an unknown bug.  They filed this lawsuit in California which has stronger consumer protection laws than many states do, but they are filing it in the U.S. District Court.  They are also saying that Adobe was unjustly enriched as a result of charging a fee for this buggy software.  Part of the suit is claiming negligence under California law.  They say that Adobe should have known that the software bug existed.

If the court holds that to be true then every software vendor that has a bug that impacts a user will be similarly at risk. I do think that a bug that deletes all of your data is more serious than, say, a bug where a particular feature does not work as advertised.

They are also claiming that Adobe has strict liability for a defective design and are claiming that deleting the files is a safety failure, similar to, for example, your iPad catching fire due to the battery overheating.

They are also making a number of other claims.

This suit was filed this month so we have not heard any response from Adobe, but I assume that they will claim, among other things, that the license agreement that every user agreed to even if they chose not to read it, says that we don’t guarantee the software will work.

I have several thoughts here.

First of all, if you sell or even give away open source software, you need to watch this trial (they have asked for a jury trial).  The outcome could impact your company.

You should also check your product liability insurance and make sure that it covers you in situations like this.

But in this case, unfortunately, I put 90% of the blame on the user.

IF YOU HAVE DATA THAT IS IMPORTANT TO YOU, YOU NEED TO HAVE BACKUPS.  I Can’t make it any clearer than that.

Who would he blame if his house was broken into and his computer stolen.  In both the current case and my hypothetical one, absent good backups, he would have lost his data.  Who’s fault would it be in my hypothetical case?

He said that the files cost him a quarter million dollars to create.  If you had a digital asset worth that kind of money, wouldn’t you periodically copy those files to a USB disk – or preferably two – and stick it in a bank vault.  I just bought a 4 terabyte disk for $80. 

Seems like cheap insurance to me.

Without regard to the outcome of this suit, which could be in the courts for years, users, both business and consumer, should know that their data is at risk in any number of ways and make appropriate backups.

When it comes to cloud backup systems like iCloud or OneDrive, those systems will back things up on a best efforts basis.  If those backups fail, you will be in the same boat as these guys.

Bottom line, based on the value to you, you need to create and maintain backups as appropriate to reconstruct your data.

Even if this guy wins, and it seems unlikely to me but who knows, in the end, he still doesn’t have his videos and pictures.

As they sang in the movie Hoodwinked, be prepared, be preparedThat is way less pain than losing your data.

Me, personally, I keep multiple copies of my data in a bank vault and each copy is split across multiple physical devices so that if any one device fails and that same device fails on multiple generations of the backup, I only lose a part of my data.  Bank vaults are controlled for temperature and humidity and are relatively speaking, pretty secure.  However, that is only ONE measure that I take. 

Depends on how important your data is to you.  Source: Motherboard.

 

 

Facebooktwitterredditlinkedinmailby feather