Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others, like a memory leak in File Manager that can only be cleared by rebooting, are more of a problem. I recommend waiting a month or two so that other users can find more of the bugs first. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An Unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, whose information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsifiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Attorney Client Privilege in Cyber Land

Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.

While that is still the case, there is a lot of information that companies that were breached might not want to get out to the folks suing them. If it is not done right, it is highly unlikely that the information will be protected.

Some examples of doing it wrong:

After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and had to turn over the report.

Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.

There are more of these. The wall for attorney-client privilege is filled with holes.

This means that you need to prepare for how you are going to respond in case of a breach.

BEFORE the breach.

Some things to figure out:

  • Failure to distinguish the parameters of retaining an outside consultant for the creation of a breach report can increase the risk of this report not being covered within the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
  • Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES WHO HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MIND LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES AND HAVING THEM REPORT TO “IT” IS ALSO A PROBLEM.
  • Only share the data breach report for legal purposes, and share the report with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, THEY ARE THE WRONG LAW FIRM TO HANDLE THE TASK.
  • Proceed with caution when using a data breach report outside of litigation purposes.

Now is the time to figure things out. Before you need to use it. Credit: ADCG

What Happens When Hackers Steal ALL of the Code to your System

Just ask Twitch. The livestreaming service for video gamers, esports, music and other content fell to hackers.

It was acquired by Amazon in 2014 for almost a billion dollars.

Hackers broke in and stole 135 gigabytes of data. This includes all of the source code to the platform, transaction data, userids, passwords and other information.

It appears that the passwords were NOT encrypted.

The data has already been posted in multiple places in the hacker underground.

It is not impressive that a company like Amazon would allow a subsidiary to store personal information this way, but apparently, they did.

Among the data stolen was the source code to a gaming platform designed to compete with Steam and information about how much (and who) the highest paid content creators were being paid.

Worse yet, the hacker, who may have had a vendetta against Twitch, said this 125 gigabytes of data was part 1.

How many parts are there? What is going to happen next?

One obvious problem for Twitch is that now that all of their source code is public, hackers will be combing through it to find vulnerabilities and given what we know so far, there are vulnerabilities.

If you are a Twitch user, you should immediately change your password and enable MFA.

Credit: Threatpost

Twitch said: “We can confirm a breach has taken place,” and “Our teams are working with urgency to understand the extent of this.”

I bet they are :).

Google searches for how to delete Twitch were up 800%. Kind of like locking the barn after the animals got out.

Users of Twitch, the world’s biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform.

The phenomenon of “hate raids” — torrents of abuse — has seen the platform become increasingly unpleasant for many Twitch streamers who are not white or straight.

Twitch says that they are working on fixing that. Oh, and they are suing some of their customers for organizing the hate raids.

Credit: Security Week

One source is reporting that the following items were among what was stolen:

  • Entirety of Twitch, with its Git commit history going all the way back to early beginnings
  • Payouts for the top Twitch creators
  • Every property that Twitch owns, including IGDB and CurseForge
  • Mobile, desktop, and video game console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • Every other property owned by Amazon Game Studios
  • Twitch internal security tools

We are seeing conflicting reports from different sources about userids and passwords. It is possible that they were or were not stolen and the conflicts may be due to what piece of the data each source saw.

One poster on 4Chan says the leak was done to foster more competition in the online video streaming space because Twitch is a “toxic cesspool”. While competitors won’t use Twitch’s code directly, they certainly might check it out for ideas.

Credit: Cybernews

Some sources said the hackers got in via a misconfigured server, but I would suggest the problem goes deeper than that. Much deeper. How comfortable are you that hackers could not steal all of your crown jewels?

Company That Routes Billions of Text Messages Says It’s Been Hacked for Years

Syniverse is a company that no one has ever heard of. They act as an interconnection between 300 mobile carriers and 95 of the top 100 carriers.

They are the reason you can send a text message to your friend who is not on the same phone carrier as you are.

It also allows you to use your phone when you are not in a place where your carrier has service, known as roaming. That is done using the horribly insecure protocol, developed decades ago with no security, called SS7.

In a filing with the SEC, the company admitted that hackers have been in their network since 2016, possibly on and off. Given that they have access to all of your text messages, and call records and location data and other information, that is a huge privacy nightmare.

One former employee said that since the world has not stopped spinning, clearly it is not a problem. Washington, on the other hand, says this is an espionage goldmine.

If the hack was state sponsored, then they would not “use” your data in the traditional sense. They would use it to build a profile and possibly use it to phish you. If, for example, this is a Russia or China operation, there is no telling what they planned to do with it.

If someone is having an affair or swapping nude pictures or other sensitive topics, it could also be used to blackmail people.

Not to fear, however, Syniverse said that as soon as they discovered the breach after five years, they implemented their security incident response plan.

I bet that regulators from around the world are investigating.

Syniverse is trying to go public using a SPAC merger and that is how this came out. They said that the hackers did not try to disrupt operations or ransom them, so all is good, right? If this was state sponsored, you would not expect them to do either of these things. In fairness, they know they are going to get sued, so they are trying to put the best spin on this that they can.

None of their customers were willing to comment for the article. Credit: Motherboard-Vice

Major Software & Hardware Vendors Cause Self-Inflicted Downtime

Let’s Encrypt is the free HTTPS encryption service that is used by millions of web sites. Since it started out as a good idea of two Mozilla employees in 2012, it has issued about 2 billion free TLS certificates.

The history behind this organization is long and convoluted. The industry has a high bar for entry for a new player and in 2012, they had to get someone that the industry trusted to, kind of, co-sign their HTTPS certificates.

They knew that the co-sign process was a short-term solution and about 4 years ago they convinced the “Internet authorities” that they were the real deal and replaced that co-signed certificate with a new one.

Browsers and other software vendors have been incorporating this new software since 2017.

Let’s Encrypt, itself, has been warning people for about a year that the old certificate was going to expire today and software vendors needed to upgrade.

We expected that old, unsupported software like Windows XP and old hardware like Android phones running Android 7, would have a problem today.

That turned out to be true.
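To show why the old devices fail while current ones keep working, here is an added demonstration that is not from the article: a miniature version of the cross-signed root arrangement described above, built with openssl in a temporary directory. "Demo Old Root", "Demo New Root" and www.example.test are constructed names, and the 10-day and 10-year validity periods are constructed stand-ins for the real certificates. The server-side chain is the leaf plus the cross-signed copy of the new root; the client is simulated by a trust store holding only one root, checked at two points in time with `openssl verify -attime`.

```shell
# Added demo (not the article's code): cross-signed root expiry.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
subjectAltName   = DNS:www.example.test
EOF

# Build the constructed PKI: an old root (10 days, stands in for the expiring
# one), a new self-signed root (10 years), the new root's key cross-signed by
# the old root (expires together with the old root), and a leaf signed by the
# new root's key.
build_demo_pki() {
    d=$1
    for n in old new leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
    done
    openssl req -x509 -new -key "$d/old.key" -config "$d/demo.cnf" \
        -subj "/CN=Demo Old Root" -days 10 -out "$d/old.pem"
    openssl req -x509 -new -key "$d/new.key" -config "$d/demo.cnf" \
        -subj "/CN=Demo New Root" -days 3650 -out "$d/new.pem"
    # Cross-sign: same subject and key as new.pem, but issued by the old root.
    openssl req -new -key "$d/new.key" -config "$d/demo.cnf" \
        -subj "/CN=Demo New Root" -out "$d/new.csr"
    openssl x509 -req -in "$d/new.csr" -CA "$d/old.pem" -CAkey "$d/old.key" \
        -CAcreateserial -days 10 -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/cross.pem"
    # Leaf issued under the new root's key (valid against either copy of it).
    openssl req -new -key "$d/leaf.key" -config "$d/demo.cnf" \
        -subj "/CN=www.example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/new.pem" -CAkey "$d/new.key" \
        -CAcreateserial -days 3650 -extfile "$d/demo.cnf" -extensions leaf_ext \
        -out "$d/leaf.pem"
}

# verify_chain TRUST_ANCHOR EPOCH_SECONDS -> prints OK or FAIL.
# Simulates a client whose trust store contains only TRUST_ANCHOR, that was
# sent leaf.pem plus the cross-signed certificate, evaluated at the given time.
verify_chain() {
    if openssl verify -attime "$2" -CAfile "$1" -untrusted "$WORK/cross.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_demo_pki "$WORK" >/dev/null 2>&1
SOON=$(( $(date +%s) + 3600 ))          # one hour out: old root still valid
LATER=$(( $(date +%s) + 30 * 86400 ))   # 30 days out: old root and cross-cert expired

echo "old-root-only client, before expiry: $(verify_chain "$WORK/old.pem" "$SOON")"
echo "old-root-only client, after expiry:  $(verify_chain "$WORK/old.pem" "$LATER")"
echo "new-root client, before expiry:      $(verify_chain "$WORK/new.pem" "$SOON")"
echo "new-root client, after expiry:       $(verify_chain "$WORK/new.pem" "$LATER")"
```

The client that trusts only the old root validates the chain until the old root expires and fails afterwards, which is the Android 7 and Windows XP situation. The client that trusts the new root keeps validating the same server-supplied chain even after the cross-signed certificate has expired, because OpenSSL 1.1.0 and later prefer an issuer found in the trust store over the expired copy the server sent. Checking your own devices comes down to the same question: does the trust store contain the new root, or only the old one?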

What we did not expect is that mainstream websites like Shopify, mainstream tech vendors like Palo Alto and Cisco and mainstream service vendors like Monday.com, Google Cloud monitoring and Quickbooks would be caught napping or completely asleep at the switch.

Unfortunately, we were wrong.

These vendors and many others went dark at about 8 AM Mountain Time this morning.

Some of them fixed the issue. Shopify, for example, recovered at about 3:30 PM.

Others, like Fortinet, seem to continue to be asleep at the switch and have told their customers to turn off the security feature that warns you when you have a security issue. That is not a great solution, but for some Fortinet customers, that is their only option.

Many more likely have not been detected yet – like IoT devices that just stopped working but that no one has either noticed or figured out why.

And, importantly, if these software or hardware products are no longer supported, you are probably out of luck and will have to replace them.

In some cases, you have the ability to tell the system to ignore the error and move forward, but most of the time, that is not an option.

I am writing this because, I think, this is day one of an extended discovery process. Likely there are things that are down and people don’t know they are down or don’t know why they are down. This will take a while to discover and to fix. In some cases, the fix will be expensive and extended.

I wrote about this a few months ago. This should not have happened, as the industry knew exactly what day it was going to be a problem 9 years ago. Still we, as an industry, create self-inflicted wounds.

For more details, check out this article at ZDNet.