Category Archives: Alert

Security alerts

Apple Airtags – A Low Cost Surveillance Tool for Good or Evil

Ever see a scene in the movies where the cops (or the bad guys) plant a tracking device on someone and later catch the person doing something?

Ever hear stories about an ex stalking his or her former partner?

Well, Apple just made that ‘affordable’.

Probably too affordable.

And folks have already tested it.

Like putting an airtag in a Fedex envelope and mailing it somewhere. Then tracking it. Apparently, WAY more precise than Fedex’s own tracking system.

In part, that is because of how they work. If they are within a few feet of any iDevice, poof you know where it is. That works great in the city where the number of Apple devices per square inch is high. Go out into the woods and it doesn’t work so well. Unless the person you are tracking has an iDevice.

You want to know where your kids are? Covertly slip a $29 tracking device in their backpack.

Want to know if your spouse is cheating? You can buy 4 tags for less than a hundred bucks.

Want to keep tabs on your ex? Ditto.

You could hide one in a car or any number of places, depending on how devious you are.

Here is the worst part.

In many cases, it may not even be illegal. But it might be. Depends.

Point of information: A tag is tied to an Apple device. If the Apple device can be tied to you or someone you called or an email account you accessed, the cops will be able to find you.

Just in case you were thinking of doing something illegal.

Tracking your kids? That’s not illegal. But kids are usually smarter than parents, so they might be tracking you right now. If they have $29.

Credit: Ars Technica

Supply Chain Attacks - It's the New Thing

The most famous supply chain attack of the last few years was the SolarWinds attack. That attack was a home run for the Russians. Other hackers (or maybe the same ones) thought that was a great attack vector. Now it seems to have become quite popular.

Then came DevOps tool provider Codecov. Hackers compromised Codecov, then they stole the software that was inside their customers’ code repositories. Codecov offers software testing tools. The hackers found a weakness in their code upload process, which gave the hackers access to any code that was uploaded. Sometimes developers are stupid and hard code credentials into their code.

HashiCorp is a client of Codecov. Some of HashiCorp’s clients used the compromised Codecov software. HashiCorp said that their private PGP (GPG) signing key was exposed. That means that the attackers, if they knew what they had, could have signed malware with HashiCorp’s key and presented it to their customers as legit.

Codecov has (or had) 29,000 customers. HashiCorp was one of them. They dodged a bullet by detecting the compromise. What about the other 28,999 clients?

Next comes Australian password manager firm Click Studios, makers of Passwordstate. Their software update process was compromised and a malware-loaded update was live for 28 hours. The good news is that they detected it in a day. The bad news is that they are telling their customers to change all of the passwords they had stored in the software. Given that they also had 29,000 customers, unlike the big password manager firms who have millions of customers, it affected a small population. Also, many of these password managers offer a feature that lets the software automatically reset all of your passwords, making things a little easier. For those of you who use password managers, two thoughts. First, use one of the big products; they have the money to implement better processes. Second, even with the rare breaches of password manager software, and they are very rare, it is still better than what people do otherwise: pick password123 as their password for many sites.
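As an added example that is not from the post or from any vendor named in it, the Go program below shows the customer side of the HashiCorp and Passwordstate stories: an update verifier that checks the vendor's signature and also refuses keys the vendor has since revoked. It uses Ed25519 from Go's standard library as a stand-in for the PGP/GPG keys mentioned above; the `Verifier` type, key IDs and sample update bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier holds the vendor signing keys a customer trusts, by key ID, plus
// the IDs the vendor has since revoked. Hypothetical type for illustration.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Trust registers a vendor public key under an identifier such as a key fingerprint.
func (v *Verifier) Trust(keyID string, pub ed25519.PublicKey) { v.trusted[keyID] = pub }

// Revoke marks a key as compromised, e.g. after the vendor announces it was exposed.
func (v *Verifier) Revoke(keyID string) { v.revoked[keyID] = true }

// Accept returns true only if update carries a valid signature from a trusted,
// unrevoked key. A valid signature from a revoked key is rejected: that is the
// case where an attacker signs malware with a stolen vendor key, and the
// signature check alone would pass it.
func (v *Verifier) Accept(update []byte, keyID string, sig []byte) (bool, string) {
	pub, ok := v.trusted[keyID]
	if !ok {
		return false, "unknown signing key"
	}
	if v.revoked[keyID] {
		return false, "key revoked"
	}
	if !ed25519.Verify(pub, update, sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	v := NewVerifier()
	v.Trust("vendor-key-2021", pub)
	update := []byte("vendor-update-v2.bin") // constructed stand-in for an update file
	sig := ed25519.Sign(priv, update)
	fmt.Println(v.Accept(update, "vendor-key-2021", sig))            // true ok
	fmt.Println(v.Accept([]byte("tampered"), "vendor-key-2021", sig)) // false bad signature
	v.Revoke("vendor-key-2021")                                       // vendor reports the key exposed
	fmt.Println(v.Accept(update, "vendor-key-2021", sig))            // false key revoked
}
```

A signature made with a stolen key verifies exactly like a genuine one, so the revocation list, not the signature check, is what stops an update signed with an exposed key.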

These are just the supply chain attacks this month.

You have a lot of suppliers. Those suppliers have suppliers. You use cloud software like HashiCorp. They have suppliers too.

The matrix of all of your suppliers and their suppliers and so on is large. Very large.

That means you need to improve upon your plan because the attackers seem to have figured out a weak spot.

Note that they haven’t stopped doing everything they were doing before. Your attack surface just got larger.

Sorry to be the bearer of bad news.

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5 .

Since Apple does not make most of their money from selling your data, while Google, one of their biggest competitors, makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, poking a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, that is likely data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users’ initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale, given the tens of millions of users who will finally get to have a small voice.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair to say that some businesses, likely mostly large ones, will see some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that if you say yes, they won’t collect any more data than they already do now; it will just mean that they can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN

IoT Vulnerabilities Unlimited

I don’t think it is just me. The number of alerts I have been getting over the last few weeks regarding vulnerabilities in very mainstream industrial control system components seems to be out of control.

Here are just a few:

  • April 20th – CISA releases 10 Industrial control system (ICS) advisories. This includes Hitachi/ABB, Rockwell, Delta Industrial, Eaton, Siemens and Mitsubishi. The vulnerabilities are all over the board from out of bounds reads and writes to SQL injections to improper privilege management and other issues.
  • April 15th – CISA releases 2 ICS advisories. These are for Schneider and EIP Stack Group. These vulnerabilities include bad privilege management, incorrect type conversion, stack overflow and other issues.
  • April 13th – CISA releases 12 ICS advisories. This advisory includes a dozen different Siemens products with a laundry list of vulnerabilities including integer overflows, improper authentication and authentication bypass, weak cryptography and other issues.
  • April 13th – This day was a doubleheader. This time 15 advisories. This includes Schneider, Advantech, JTEKT, Siemens Nucleus and other products. The bugs include hard-coded encryption keys, out of bounds reads, bad random number generation and other bugs.

But this is just the last week or so. Here are some more this month:

That is just this month so far.

I also have at least 10 advisories from March.

What does that tell you?

Consider what these systems are used for. Some examples:

  • Electric power plants
  • Water treatment plants
  • Sewage plants
  • Oil refineries
  • Chemical plants

and a lot more.

Consider the impact of one (or more) of these industries getting hacked.

We are already seeing customers asking more security questions and I predict customers will only get more concerned.

If you are a buyer of industrial control equipment, you should up your vendor due diligence, assuming you have not already done that.

If you are a vendor of industrial control systems, you should anticipate getting more questions from your prospects and existing customers, if that has not already started.

And, if you are a manufacturer, assume the bad news will continue. CISA seems to be receiving new vulnerabilities every day.

The challenge for buyers is how do we make these systems secure. Many are no longer supported and many more are so critical that you are scared to patch them. Not to mention the downtime that patching probably entails.

Here is the bad news. Hackers do not care about your problem. If they can cause you pain, if they can cause you downtime, they can ransom you to make the pain go away. And that is what they want. MONEY!

So everyone in the food chain needs to understand that this is not the ICS world from just a few years ago and it will likely get worse before it gets better. Sorry to be the messenger.

The Regulators Are Making a Point

Last month New York’s Department of Financial Services (DFS) fined Residential Mortgage Services $1.5 million for not having a compliant cybersecurity program and, even worse, not telling the regulator that they had a breach.

DFS said that RMS did not investigate the breach seriously, did not conduct a comprehensive risk assessment and did not notify the victims.

This month DFS went after National Securities Corp.

DFS says that they had four separate cybersecurity “events” between 2018 and 2020.

DFS noted that during a 2019 incident an employee’s email account was compromised and, oh, yeah, NSC had not implemented multifactor authentication, which is required by law.

In another event, a broker of the company discovered a potentially unauthorized transfer of $200,000. As the investigation continued, they discovered more unauthorized transfers. Ultimately, the company wrote a check to the client for $400,000. Even then, they did not have multifactor authentication enabled.

They did finally implement multifactor authentication in August of last year.

Out of curiosity – have you implemented multifactor authentication on all systems?

In the consent order, the regulator pointed out the obvious. You have to have MFA enabled, even for third party applications.

As the regulator dug into things, they discovered two more incidents that were not reported as promptly as possible and specifically, not within the 72 hours as required by law.

Regulated entities that do business in New York are required to file an annual report with the regulator, signed by the CEO or CoB or similar person. The company claimed they were in compliance in that report, but according to DFS, because of all of these issues, they were not in compliance.

They fined National Securities $3 million and, as is typical in these cases, they said that they could not be reimbursed by insurance. They want them to feel the pain.

A summary of what happened can be found here.

Reading the consent order, one thing that the regulators seem to have focused in on is the fact that this company, like many companies, uses dozens of third party applications and many of these applications did not have multifactor authentication turned on.

In some cases, third party apps do not support multifactor authentication. In that case, you have to follow a process to assess the risk and implement alternate security measures. This process needs to be reassessed every single year. Companies have to follow this process for each application for which they cannot implement multifactor authentication.

The consent order requires the company to file a comprehensive incident response plan with the department within 120 days.

They also, according to the consent order, need to submit a comprehensive cybersecurity risk assessment.

For both of these items, the consent order lists specific items these documents need to include.

They also have to provide a copy of compliant policies and procedures and documentation of all cybersecurity awareness training in the same time frame.

I am not sure if this will be a monthly event with the regulators or not, but I do think they are getting tired of businesses ignoring the laws.

While this only affects companies that do business in New York (wherever they may be located), we are also seeing noise from other states, such as California, which has just created a whole new regulatory agency. Funded, I might point out, by the fines that they issue.

Add to that the fact that Virginia’s governor just signed a bill into law that is even more comprehensive than California’s and that there are a number of other states (Florida, Texas, Washington, for example) that are likely to enact similar laws this year.

Consider what the New York regulator is doing as a “shot across the bow”. Do not expect this to go away. Also understand that the condition of not getting reimbursed by insurance is a pretty standard requirement.

To quote Dirty Harry: “Do you feel lucky”?

If not, now is the time to get busy.

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations and videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then we saw another 500 million Linkedin profiles for sale. This week it is Clubhouse, but since it is new, there are only a million+ users in the free database. These social media sites on one hand sue people for taking their data but on the other hand, say that actions like this are not a breach because they offer APIs that allow people to do it. What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the ENTITY LIST, the list of companies that US businesses cannot work with unless they get a get out of jail card from the Commerce Department. These seven companies are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control server(s). Most malware that uses a command and control center usually hard codes the C&C address or addresses or puts them in a DNS record. If law enforcement takes down those servers or reroutes their traffic to a black hole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information they need on the Blockchain. Or many blockchains. Since the Blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a Blockchain, the entire usefulness of the Blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is about $160 billion. If the cops have to break all blockchains worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking $160 billion (and growing) of capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are willing.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier

Domain Name Service Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use domain registry locks, which help stop domains from being hijacked. More than 66% use consumer-grade registrars, likely because they are a little bit cheaper but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSEC (mine does not). Only 17% use DNS hosting redundancy. While 73% have some sort of DMARC policy in place, many are set to NONE, meaning that the setting is useless. This is pretty much in line with the results found as part of a global test last year.
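The DMARC point above is easy to check for your own domain. As an added example, not from the post or from the survey it cites, the Go program below parses a _dmarc TXT record and reports whether it actually enforces anything: p=none (the "set to NONE" case) only monitors, and a pct below 100 applies the policy to only part of the mail. The `Finding` type and the sample records are constructed for illustration; feed it the output of a TXT lookup on `_dmarc.<your domain>`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding summarises whether a _dmarc TXT record actually enforces anything.
type Finding struct {
	Policy   string
	Pct      int
	Enforced bool
	Issues   []string
}

// AssessDMARC parses a DMARC TXT record ("v=DMARC1; p=none; ...") and flags the
// weak settings: p=none only monitors, and pct below 100 enforces on only part of the mail.
func AssessDMARC(record string) Finding {
	f := Finding{Pct: 100} // pct defaults to 100 when the tag is absent
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		f.Issues = append(f.Issues, "not a DMARC record")
		return f
	}
	f.Policy = strings.ToLower(tags["p"])
	if n, err := strconv.Atoi(tags["pct"]); err == nil {
		f.Pct = n
	}
	switch f.Policy {
	case "reject", "quarantine":
		f.Enforced = f.Pct >= 100
		if !f.Enforced {
			f.Issues = append(f.Issues, fmt.Sprintf("pct=%d: policy applies to only part of the mail", f.Pct))
		}
	case "none":
		f.Issues = append(f.Issues, "p=none: monitoring only, spoofed mail is still delivered")
	default:
		f.Issues = append(f.Issues, "missing or invalid p= tag")
	}
	return f
}

func main() {
	// Constructed sample records, not any real utility's DNS data.
	for _, r := range []string{"v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=quarantine; pct=25"} {
		f := AssessDMARC(r)
		fmt.Printf("%-50s enforced=%v issues=%v\n", r, f.Enforced, f.Issues)
	}
}
```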

As I said, no surprise, but a lot of disappointment. Credit: Security Week