Category Archives: Alert

Security alerts

Fake DC Cell Tower Story Has New Legs

Last week I wrote about the problem of fake cell towers in DC.

Well, the story has some interesting twists and turns.

First, the largest maker of these devices (at least as best we know) is Harris Corp., maker of the Stingray family.  Harris has been so closed-mouthed about them that they have made the FBI drop cases against crooks instead of disclosing that these things even exist.

Well, the cat is out of the proverbial bag regarding the fact that there are probably gobs of these things on the loose, made by who knows whom – probably some are home brew – and they are listening in on – maybe Congress critters.

You have probably heard that there is nothing worse than a Congress critter scared that his or her cover is blown – whether it is a mistress or payoff or leak or whatever – and now susceptible to blackmail.  That’s why when you are getting approved for a security clearance, they want to know about all of your skeletons.  Not because they care very much, but they don’t want the bad guys to use them against you.

It sounds like there may be Stingrays and Stingray-lookalikes all over the country, likely near sensitive facilities, and the FCC and DHS are playing stupid about it.

Why would they do that?

NOTE TO HARRIS CORP:  JUST PICKING ON YOU BECAUSE YOU ARE THE MOST WELL KNOWN CELL INTERCEPTOR.  I SUSPECT THAT AT LEAST SOME OF THESE BOGUS INTERCEPTORS DON’T COME FROM YOU.

Who do you think is the largest (legal) user of Stingrays?  U.S. law enforcement and spies – and since they don’t want people to know anything about what they are doing, there are no records kept, so no one really knows if a Stingray belongs to the FBI or the KGB or whatever China’s version of those two are.

You can count on all of those having deployed some of them.

But, we don’t really know, actually.

Some of those Congress critters now want to skewer Ajit Pai, head of the FCC.  This could get entertaining, at a minimum.

Information for this post came from The Register.

So what can you do?  Unfortunately, not a huge amount, but there are some things.

Number one is don’t use your cell phone.

Well, not like that.

If you make calls from the data side of your phone, these devices cannot intercept the calls in the same way.

Say you make a call using Signal or WhatsApp.  The call is just more data.  Even the number you are calling is just data.  And it is encrypted.  Can spies, given the right motivation, crack the crypto?  Probably, even likely.  Even if it means hacking into your phone.  But you would need to be a very specific target for that to be worthwhile.

Power off your phone when you are not using it.  Truly a pain, but they can’t pick up a signal if the phone is off.  If you want to be off the grid for some reason, you have to be off the grid.

If you are Edward Snowden, you put the phone in the oven (preferably OFF) or the freezer (Likely ON).  Both are sealed metal boxes that don’t transmit radio waves.

If you are paranoid, Amazon sells RF shielding pouches, the portable version of Snowden’s oven or freezer for as little as $6.99.  For an example of one, click here.

So, while there is likely some risk, unless you are at high risk for some other reason, I probably wouldn’t worry much about it.  But, if you are concerned or just want to ‘stick it to the man’, there are some things that you can do if you are willing to be a little inconvenienced.


Drupalgeddon 2

The Drupal team has released a patch for a flaw they rate highly critical: it allows an attacker to run arbitrary code on a Drupal web site with no authentication required. All they need to do is know the URL of the web site.

Drupal rates the severity of the flaw a 21 on a 1 to 25 scale.

They said they expect exploits to be developed within hours or days.

From a risk standpoint, for an unauthenticated user to be able to run any arbitrary code on your website, that is about as bad as it gets.

All recent Drupal versions are affected – 6, 7 and 8 – and Drupal has created patches even for old, unsupported versions.

Details are available here.


Saks, Lord and Taylor Demonstrate How Not to Respond to Being Hacked

The New York Times is reporting that The Hudson’s Bay Company that owns Saks Fifth Avenue and Lord & Taylor confirmed that some number of stores run under these names and also Saks Off 5th were hacked and 5 million credit cards are available to be sold on the black market.

The breach is one of the larger retail credit card breaches – Target and Home Depot were each about ten times the size.  The Times says this is an indication of how difficult it is to secure credit card transaction systems.  While there is some truth to the statement, the more likely reality is that companies do not want to spend the money to fix horrible, decades-old security designs.  If you are unwilling to make changes then you should not be surprised at what you get.

Information for this post came from the New York Times.

So what can you do?

First, if you are a merchant, you need to secure your credit card system.  Hudson’s Bay said this only affected in store systems, not online shopping.

If you only allow those systems to connect to your inventory system, your loyalty card system and the credit card processor’s systems – by specific IP addresses, you have made the game geometrically harder for the hacker.  What you cannot see is difficult to hack.  For every exception you make to this rule, you make the hacker’s job easier.

You should be monitoring network traffic for unusual addresses.  While they have not given us any details, my guess is there were unusual traffic patterns.  Of course, you have to be watching for those patterns.
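As an added illustration of the allow-listing and traffic monitoring just described (example code written for this post, not anything published by Hudson’s Bay or the Times), here is a small Python script that checks firewall log lines from a payment segment against an allow-list of inventory, loyalty and processor networks and reports any destination outside it. Every address, network and log line below is constructed; the field layout of the log is an assumption.

```python
import ipaddress

# Hypothetical allow-list for the in-store payment segment: only the
# inventory system, the loyalty system and the card processor's range.
# All networks are constructed for this example.
ALLOWED_DESTINATIONS = {
    "inventory": ipaddress.ip_network("10.20.0.0/24"),
    "loyalty": ipaddress.ip_network("10.21.5.0/24"),
    "processor": ipaddress.ip_network("203.0.113.0/28"),
}

# Constructed firewall log lines: timestamp, source, destination, port, action.
# 198.51.100.77 is not on the allow-list and is reached by two POS hosts.
SAMPLE_LOG = """\
2018-04-02T10:01:12Z 10.50.1.17 10.20.0.8 443 ALLOW
2018-04-02T10:01:15Z 10.50.1.17 203.0.113.4 443 ALLOW
2018-04-02T10:02:03Z 10.50.1.22 10.21.5.9 8443 ALLOW
2018-04-02T10:02:40Z 10.50.1.17 198.51.100.77 443 ALLOW
2018-04-02T10:03:01Z 10.50.1.31 198.51.100.77 443 ALLOW
2018-04-02T10:03:09Z 10.50.1.17 10.20.0.8 443 ALLOW
"""


def classify_destination(dst: str):
    """Return the allow-list entry a destination belongs to, or None."""
    addr = ipaddress.ip_address(dst)
    for name, net in ALLOWED_DESTINATIONS.items():
        if addr in net:
            return name
    return None


def find_unexpected_flows(log_text: str):
    """Parse the log and return every flow whose destination is off-list."""
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        if classify_destination(dst) is None:
            unexpected.append(
                {"time": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}
            )
    return unexpected


def summarize_by_destination(flows):
    """Map each off-list destination to the number of distinct hosts that reached it.
    Several POS hosts talking to one unknown address is the pattern worth paging on."""
    hosts = {}
    for flow in flows:
        hosts.setdefault(flow["dst"], set()).add(flow["src"])
    return {dst: len(srcs) for dst, srcs in hosts.items()}


if __name__ == "__main__":
    flows = find_unexpected_flows(SAMPLE_LOG)
    for flow in flows:
        print(f"{flow['time']} {flow['src']} -> {flow['dst']}:{flow['dport']} (not on allow-list)")
    print(summarize_by_destination(flows))
```

Note that every sample line says ALLOW: the firewall in this constructed log was not enforcing the list. The rule itself belongs in the firewall as a default-deny with the three allowed networks as the only exceptions; a script like this one runs over the exported logs to catch the exceptions that crept in and the moments the rule stopped being honoured.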

As a consumer, you should be watching your credit card transactions in real time.  I have had cards stolen numerous times.  The hackers get one transaction from me.  Recently, it happened to me and by the time the hackers were trying to use the card a second time, I was on the phone with the bank, they were watching the traffic stream and they killed the transaction in real time.  If hackers can’t use stolen cards, they won’t steal them.  It is no fun at that point.

How the public found out about the attack was from a security firm, Gemini Advisors, not from Hudson’s Bay.  How did they let that happen?  Did Hudson’s Bay think they could keep the breach secret?

Given the size of Hudson’s Bay, they should have had a crisis communications plan in place to be ready to deal with this.  If they did, it didn’t work.

Gemini (not Hudson’s Bay) said the hackers were in the system since last May.  They were active in the system for almost a year and they didn’t know it?  That doesn’t inspire confidence.

Hudson’s Bay said that they wanted to assure their customers that they weren’t liable for fraudulent transactions.  Note that they didn’t say that under federal law credit card companies are responsible for all fraudulent charges after the  first $50 or debit card charges after the first $500, subject to certain rules.  This is not Hudson’s being nice, this is federal law.  If you are going to hire spin doctors, do a better job of spinning.

Regarding Social Security numbers, driver’s license numbers and PINs – bottom line, they don’t think they were compromised.  That data should be tokenized so that there is no question that it can’t be compromised.  Bad system design.
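What tokenizing that data looks like in practice, as an added example (written for this post, not a description of any system Hudson’s Bay runs): the application keeps only a random token in place of the Social Security or driver’s license number, and the real value lives in a separate vault. The vault class, field names and customer record below are all hypothetical and constructed.

```python
import secrets

# Fields that never reach the application database in the clear (hypothetical names).
SENSITIVE_FIELDS = ("ssn", "drivers_license")


class TokenVault:
    """Hypothetical token vault: the only place a real value is stored.

    Tokens are random, so nothing about the original can be recovered from a
    token without the vault. In production this is a separate, tightly
    access-controlled service; here it is an in-memory stand-in."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so records can still be joined on it.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            token = "tok_" + secrets.token_urlsafe(16)
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; the application database cannot."""
        return self._by_token[token]


def prepare_for_storage(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the customer record with sensitive fields replaced by tokens."""
    stored = dict(record)
    for field in SENSITIVE_FIELDS:
        if stored.get(field):
            stored[field] = vault.tokenize(stored[field])
    return stored


def contains_raw_value(record: dict, value: str) -> bool:
    """Check used to confirm the stored copy no longer carries the original."""
    return value in record.values()


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed customer record; the SSN and license number are made up.
    customer = {"name": "J. Doe", "ssn": "123-45-6789", "drivers_license": "D1234567"}
    stored = prepare_for_storage(vault, customer)
    print(stored)
    print(vault.detokenize(stored["ssn"]))
```

The reason the token is random rather than a hash of the number matters: there are only about a billion possible SSNs, so a hashed SSN can be recovered by hashing all of them, while a random token carries no information at all. A breach of the application database then yields tokens that are useless without also breaching the vault.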

If you need help with solving problems like this, give us a call.


Is the Apple Losing its Shine?

Last week there were multiple reports that Petah Tikva, Israel-based Cellebrite could unlock any iPhone up to and including the iPhone X running the most current version of the Apple OS, but you had to send the phone to them along with a check for $1,500, per phone.

This week there is a report that Grayshift, an American startup, is reporting that it too can unlock your iPhone for the cops.

Wait, I just got a phone call.  My grandmother says that she can unlock any iPhone and she will do it for free.  Just kidding about that one, but two different companies, one week apart are saying they can hack any iPhone.  This seems really strange.

Grayshift was apparently founded by some U.S. intelligence community contractors and a former Apple security engineer.

They are privately circulating a data sheet that says that if you buy their software you can unlock 300 phones for $15,000 or an unlimited number of phones for $30,000.  The cheap version (a relative term) must be used online (so, I assume, that you cannot cheat them);  the expensive version can be used offline since it doesn’t need to keep track of how many phones you have unlocked.

The software itself is called GrayKey.

Apparently, right now, GrayKey will only unlock phones running iOS 10 and 11 – which is likely the majority of iPhones – but a version that will unlock iOS 9 is coming soon.

One guess is that these firms have figured out how to hack into Apple’s Secure Enclave, the heart of the security of the iPhone.  *IF* that is true, that is a real problem.  Of course Apple could figure out what both of these firms are doing and make them start over.  In the case of GrayKey, since the system is delivered to a paying customer, if Apple engineers can, somehow, get access to the system they can probably figure out what the software exploits.

It is also speculated that the attack might be a brute force attack, meaning that it starts with “A” and goes to “B” and then “C” and so on until it unlocks the phone.  Again, *IF* this is true, the longer the password is, the harder it is to use this technique.  For example, if the password is 8 characters and only uses letters and numbers, then there are ONLY 218,340,105,584,896 or 218 trillion possible guesses.  On the other hand, a 12 character password raises that number to 3,226,266,762,397,899,821,056 or 3 sextillion possibilities.  Passwords longer than 12 characters would require even more guesses.

The moral of this story is that long passwords, even with just upper and lower case letters plus numbers and no special characters will take a long time to crack.  One article said that a 12 character password would take 200 years to crack at a billion guesses per second.  If it does take that long, even if they do succeed, you won’t care.  Using that same billion guesses a second, an 8 character password would only take 60 hours.
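The arithmetic behind those two paragraphs, as an added example (not from the Forbes article): the functions below compute the keyspace for a given alphabet and length and the time to try every candidate at the post’s rate of a billion guesses per second. It also goes beyond the post’s single case by tabulating a digits-only PIN and the full printable ASCII set for comparison; those two rows are my additions.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Character sets; 62 is the post's "letters and numbers" case.
# The other two rows are added here for comparison.
ALPHABETS = {
    "digits only (numeric PIN)": 10,
    "upper + lower + digits": 62,
    "printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float = 1e9) -> float:
    """Worst case: every candidate tried. An attacker expects to succeed
    after about half of them, so halve this for the average case."""
    return space / guesses_per_second


def estimate(alphabet_size: int, length: int, guesses_per_second: float = 1e9) -> dict:
    """Keyspace plus exhaustive-search time in hours and years."""
    space = keyspace(alphabet_size, length)
    secs = seconds_to_exhaust(space, guesses_per_second)
    return {
        "keyspace": space,
        "hours": secs / SECONDS_PER_HOUR,
        "years": secs / SECONDS_PER_YEAR,
    }


def table(guesses_per_second: float = 1e9):
    """One row per (alphabet, length) pair for lengths 6, 8 and 12."""
    rows = []
    for label, size in ALPHABETS.items():
        for length in (6, 8, 12):
            e = estimate(size, length, guesses_per_second)
            rows.append((label, length, e["keyspace"], e["years"]))
    return rows


if __name__ == "__main__":
    for label, length, space, years in table():
        print(f"{label:28s} len={length:2d} keyspace={space:>25,d} years={years:>12.3g}")
```

Running it reproduces the post’s 218 trillion and 3 sextillion figures and the roughly 60 hours for an 8-character alphanumeric password; for 12 characters the same formula gives on the order of 100,000 years of exhaustive search at that rate. The rate is the one input the user does not control, so the practical lesson is the one the post draws: length is what you get to choose.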

I think this story is not over;  stay tuned for updates.

Information for this post came from Forbes.


T-Mobile Sued For Lack of Security

I am always skeptical about these lawsuits.  One issue is usually “standing”, but in this case, I don’t think this will be an issue.  Often, if the party being sued thinks they are going to lose, they tend to settle, quietly, with no precedent from a court decision.  In this case, I predict this one may be settled quietly by T-Mobile.  UNLESS, the person filing the lawsuit is more interested in creating a precedent.  We shall see.

OK, here is the story.

Carlos Tapang is suing T-Mobile because someone was able to take over his phone account, transfer it to another carrier and use that new account to compromise his cryptocurrency account to the tune of $20,000 plus.  The good news (not really) is that this occurred when Bitcoin was selling for about $7,000, not the high price of $20,000.

The reason T-Mobile will likely lose if this goes to trial is that T-Mobile said that they would put a PIN on his account, BUT DID NOT.  Oops.

Also, the hacker socially engineered T-Mobile customer service until one customer service person believed the hacker’s story and allowed him into the account without knowing the proper information.

THIS HAPPENS ALL THE TIME – CUSTOMER SERVICE PEOPLE ARE TRAINED TO KEEP CUSTOMERS HAPPY, NOT SECURE.

If this goes to trial and T-Mobile loses – big if – then it could cause the carrier to improve security.  That is part of what they say they want T-Mobile to do.

Tapang was able to recover his phone number – actually, he is lucky.  Many people lose their number permanently.  But it was too late.

While the article doesn’t say, what probably happened is this.

The attacker somehow figured out that he had a cryptocurrency account.  He either knew or guessed that it was tied to his phone number.  This is the typical “two factor” authentication which uses your phone number and a text message.

Using a text message as the second factor is relatively insecure because if someone is able to get control of your phone number, they can receive the necessary information for a PASSWORD RESET and the TWO FACTOR text message code.  That is probably exactly what the hacker did.  Then he emptied Tapang’s cryptocurrency wallet.

And, as we see all the time, the cell phone carriers are horrible when it comes to security.  It is hard to train call center employees, especially with the high employee turnover (for some call centers it is more than 100% turnover per year).  And, if security is good and they won’t hand over information, they wind up with upset customers.  On the other hand, if you do turn over the information without proper authentication, you wind up getting sued.  It is a challenge for the carriers because people want convenience over security.  Until it costs them $20,000.

Well, what can you do?

Number one – do set up a PIN on your cellular account and be a pain in the rear until they actually do it. TEST IT!  With Sprint they seem to be very good about the PIN, but if you don’t know it, they will sometimes let you answer other questions – which is bad security.  More than once I had to go into a Sprint retail store and show them my government issued photo ID to get a PIN reset.  THAT will deter most hackers.  Not all, but most.

Second, DO turn on two factor authentication for any account that you would be upset about if you lost control of and hackers were able to “empty it out” – such as a bank account, brokerage account or cryptocurrency account.

IF YOU DO NOT CARE WHETHER HACKERS ARE ABLE TO EMPTY YOUR BANK ACCOUNT, SET YOUR PASSWORD TO 123456 AND DON’T WORRY.  IT WILL GET EMPTIED.

Third, if at all possible, do not use a text message as the second factor.  Use an app on your phone such as Microsoft Authenticator, Google Authenticator or Authy.  These apps are tied to your device once they are set up and NOT tied to your phone number.  If your phone number is stolen it will not help a hacker steal your money.
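To make concrete why an authenticator app is not tied to the phone number, here is an added example (written for this post, not code from The Verge article or from any of the apps named) of the TOTP algorithm from RFC 6238, which those apps implement. The six-digit code is computed from a shared secret stored on the device and the current time; the SIM, the phone number and the carrier never enter the calculation, so a port-out gives the attacker nothing. The known-answer secret is the one published in RFC 6238; the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def new_shared_secret(nbytes: int = 20) -> bytes:
    """Generated once at enrollment; afterwards it lives only on the device
    and the server. The phone number plays no part."""
    return secrets.token_bytes(nbytes)


def secret_for_enrollment(secret: bytes) -> str:
    """Base32 form of the secret, which is what the enrollment QR code carries."""
    return base64.b32encode(secret).decode().rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side of it to absorb clock drift; each comparison is constant-time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


# Known-answer secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(secret_for_enrollment(RFC6238_SECRET))
    print(totp(RFC6238_SECRET, 59))   # six-digit code at the RFC's T=59 vector
    print(verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET, 59), at_time=59))
```

Two things a real server adds on top of this: it records the last time step it accepted for each user so that a code captured in transit cannot be replayed within its 30-second window, and it rate-limits attempts, since a six-digit code is only a million possibilities. Neither of those defences depends on the phone number either.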

But this is up to you.  If you figure that it won’t happen to you, choose convenience.  If you think that it might happen to you and you would be upset if your account was emptied out, then use two factor.  Even though it is less convenient.  Google says that less than 10% of GMail users use two factor.

Information for this post came from The Verge.


Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this flaw in 1992.  That would be 26 years ago for those who are not good at math.  There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out if they can exploit it.  That is what they are supposed to do and even though people like to complain about them, they are pretty damn good.  Maybe not perfect, but VERY, VERY good.

SO, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly knew about it and (c) some of them might have been selectively exploiting it.  For possibly, up to 25 years.  Even if the various governments who are likely to have known about it (Russia, China, Israel, U.S. and others) denied that they knew about it, would you believe them?  After all, lying is part of their business also.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release their Ryzen Threadripper 2 later this year, which is supposed to be  much faster than the new Intel i9 at less than half the price, they don’t really need any more good news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.
