Category Archives: Alert

Security alerts

Attacks Against Office 365 Continue

Since Office 365 is the dominant office productivity suite, knocking Google on it’s butt, it is not a surprise that hackers are going after it hard.  To compare, I didn’t find great numbers and Google probably does not want me to do this comparison, but Office has 120 million paid users as of 2017 and Google has about 3 million paid users.  It is obvious why hackers go after Office.  To be fair, Google has a boatload of free users, but since those are predominantly consumers and really small businesses, the amount and quality of data to steal makes those free users a much less compelling target.

About a month ago, scammers were using emails with text in zero point type to bypass Microsoft’s security tools.  Apparently, Microsoft must of thought, if you can’t see it (after all zero is small), it can’t be a problem.  Not so.

Then hackers figured out a way to split URLs into pieces to fool Microsoft.

Now that Microsoft has closed those loopholes (the sheer beauty of cloud software – make a fix and in a few seconds, 120 million users are protected), the hackers have moved on.

So what are the hackers doing now?

In this attack, the victim receives an email with a link to collaborate on a Sharepoint document.  Of course, this email is a scam.  When the user clicks on the link in the invitation, the browser opens a Sharepoint file.

Inside the Sharepoint file is a button to open a linked One Drive file.  That link is malicious and at that point the game is over.  The hacker has the user’s Office credentials, since that is required to open the One Drive file and has installed malware on the victim’s computer.

Unfortunately, for a number of reasons, there is no easy way to block this attack.

So what should you do?

First, if you have two factor authentication turned on (everyone should!), then stealing your password is a much less effective attack.

Next, be suspicious.  Check the address link, ask why you are getting this collaboration request.  Check OUT OF BAND if the person who you think sent the request actually did send it (like talk to the person on the telephone using that antique VOICE feature).

Third, hover over links first and look at the underlying address.  If you can’t see the address or it doesn’t look right, stop and talk to your security team.

User training is key here and there are some very cost effective solutions out there.

And, of course, if you have questions, contact us.

Information for this post came form The Hacker News.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, who has the least security expertise is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have less the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

 

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones which, if Samsung can figure out what is happening, they may be able to develop a patch and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While US Gov Tries to Ban Huawei Devices, the UK Gov only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Hauwei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Hauwei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC .

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware laced CDs in the mail, hoping that someone is curious enough to place it in their computer and infect it.  This is an older version of a ploy that is still common of dropping malware infected flash drives in areas outside businesses like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is  not to do it and hand the media to your information security team to review. Source: Krebs on Security.

 

23 and Me Licensed All Customer’s DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customer’s DNA for “research”, whatever that means.  The deal lasts for four years.  I am not sure what happens after four years – do they have to give back everyone’s DNA?  Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share that the the people who’s DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up.  Apparently I opted out.  You can also change that option at any time but it is not obvious how to do that.  It is buried in the research tab after you sign in.  I assume that change is not retroactive.  If you didn’t opt out, GSK has a copy of your DNA.  Source: Motherboard.

More Woes for CCleaner

Ccleaner, the popular utility for cleaning up your computer, has added some more woes to it’s basket.

Piriform sold CCleaner to security firm Avast a few months ago.  Right after the sale CCleaner was found to be distributing a malware laced version of the software.  Over a million copies of the infected software were downloaded but it only targeted a handful of victims.  That was done by an attacker.

This problem is self inflicted.  The new version of CCleaner has a data collection feature which vacuums up information about the victims computer with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law GDPR which could result in a fine of the larger of 20 million Euros or 4% of their global revenue.  They are rethinking the wisdom of doing this and will release a new version of the software.  Real soon.  Source: ZDNet.

Idaho Inmates Hack Prison Issued tablets

Prisons in Idaho issue inmates specially locked down tablets to send emails to loved ones and other limited functions.  Some of those functions cost money and that is where the rub comes in.  The tablets, managed by a vendor called JPay were hacked by several hundred inmates to the tune of almost a quarter million bucks.  Now JPay is trying to get their money back.  At least it is not taxpayer money.  Source: TechCrunch.

Facebooktwitterredditlinkedinmailby feather

The Hidden Landmine When Buying (or Even Renting) a Home

All of us are used to using the Internet, right?

What if you moved into your new home and after you paid for it and moved in you found out there was no Internet service available?

One business in New York was told that Charter Communications, the local cable provider, would be happy to connect them.  Only problem was that the business needed to pay Charter $138,000 first.  Charter being a nice company, offered to pay $5,000 towards that, so the company would only owe them $133,000 and change.

This story is repeated over and over across the country.

People are often told by the local Internet Service Provider that they can get service only to find out when they actually try that it is not available.

I am going to use my personal situation to illustrate the case.

I live about 30 minutes from downtown Denver, Colorado.

Where I live there is no cable at all, so cable Internet is not an option.

The phone company offers DSL at the WHOPPING speed of one and a half megabits per second.  Not 1.5 gigabits, 1.5 megabits.  Under FCC rules, that doesn’t even qualify as broadband Internet.

Only problem is that there is no available capacity and the phone company has no plans to add capacity.

Worse yet, if you are one of the super lucky folks to have this speedy service and you sell your house, the person who buys it doesn’t get your connection.  The connection goes back into inventory and you, the new buyer, go to the end of the list.  You may get Internet in a few years; hope you can wait.

There is also no cell service where I live, so no cell calls, no text messages, no cellular Internet.  The cell companies all offer a little box called a femto cell that simulates a cell tower to give you service.  Works great, actually, as long as you have some other form of Internet connection to carry the signal from your house back to the cell carrier.

Granted I live in a sort of rural area about 25 miles from downtown Denver, but the guy who was presented with the $133,000 bill  – he was in New York City.

And sometimes, if you CAN get service, the wait time for a connection can be 6 months to a year.

That leaves you (or me) with two options:

  1. Satellite Internet.

Satellite Internet is a horrible last resort.  You basically pay by the bit and if you go over your limit, they slow down your service to a crawl or shut you down.  Worse yet, many things like Internet telephones (VoIP), VPNs for connecting to your business and those cell extenders do not work on satellite Internet.

So, while they are horribly expensive, slow and don’t work for many things, they are pretty much universally available as long as you have a clear view of the sky.

2. Point to Point Microwave.

That is what I have.  It used to be horrible, but over the last few years, it has gotten much better.  All my software works and the particular plan that I have has a cap, but it is large and there are other plans that don’t have a cap.  It is however, pretty expensive ($70 a month for only 20 megabits/second – way faster than I had with Qwest, but 1/10 the speed of cable and that includes voice and long distance).

The only problem with P2P microwave is that you have to be within the range of a receiving tower and you have to have a clear line of sight to that tower.

My provider has two towers in the area.  The only one that I have line of sight to will not run faster than 20 mb/second.  The other tower, that one of my neighbors can see (he is higher up that me) supports 50 mb/second.  The provider says that it is not likely that I will ever see 50 mb/second on my tower.

What this means is that Netflix crashes regularly.  I don’t have any little kids who gobble up bandwidth like no one’s business.  If you wind up with service like this, plan on rationing Internet.  Your kids will be thrilled.

So what do you do, especially if the Internet providers are, apparently, bold face liars?

Unfortunately, you are not in the driver’s seat.

One thing that you can do is place the order as opposed to just asking and see if the order goes through.  Just make sure you can cancel it before the install in case you don’t actually get the house.  The problem with this is that you may not find out that they cannot provide service until the day of installation.  That happened when my son bought his house.  They came out and said.  Ooops. Sorry.

Another thing to do is to research options.  In many places there are not a lot of options:

  • Cable
  • Phone company
  • Independent Internet providers
  • Point to point microwave
  • Satellite
  • Cell (really bad idea – slow, unreliable and expensive)

See HOW MANY of these options are available and what each one costs, what the limits are and what things that you want to do won’t work.

Make sure that at least 2 or 3 acceptable options, while distasteful, are available.  That way, at least, if you have to resort to option 2 or even option 3, you at least know that you can get something.

Assume that you will not have Internet for a while when you move in.  Maybe a few days; maybe a few weeks; maybe even a few months.  I managed the IT of a business that was much closer to downtown Denver and it took us 6 months to get Internet.  Try running a business for 6 months without Internet.  If that is a problem, plan an alternate.  Unfortunately, the alternate may not be attractive.  Maybe you can work at your office, if one is available.  Whatever.

JUST REMEMBER THAT THE UNITED STATES IS A THIRD WORLD COUNTRY WHEN IT COMES TO INTERNET.  ASSUME THAT.  UNDERSTAND THAT.  PLAN FOR THAT.  Then you will not be disappointed.

Information for this post came from Motherboard.

Facebooktwitterredditlinkedinmailby feather

Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock,  If you are risk tolerant you may be okay with the risk from the smart door lock, but  if you are less risk tolerent, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending July 28, 2017

Zip Slip Vulnerability Affects Thousands of Projects

Researchers discovered a flaw in almost all zip-style file decompressors – RAR, TAR, 7ZIP-APK and others.

The problem is caused by a very old attack vector called directory traversal that these libraries do not handle correctly.

The decompressor libraries were likely downloaded from places like Github and Stack Overflow and developers used them in thousands of projects used by millions of users without a clue that the vulnerability has existed for years, maybe decades.

And, likely, most of those developers are completely blind to the fact their their software  is vulnerable due to a software supply chain issue – assuming they are even still involved with those software projects.

Software supply chain is the Achilles heel of the entire industry and the industry is not doing much to fix it.  (Source: Bleeping Computer)

NSA Forms Group to Counter Russian Threat in Cyberspace

In what would appear to be a difference of opinion with his boss, the head of the NSA has created a special task force to address Russian threats in cyberspace.  The Washington Post reported that the NSA and its sister Cybercom will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has said does not exist any more, if it ever did.  The President has called the threat fake news many times.  It would appear that General Nakasone has a difference of opinion with his boss.  Source: Bloomberg

Level One Robotics Leaves Tens of Thousand of Sensitive Docs Unprotected

Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents – apparently including non disclosure agreements – belonging to multiple automakers including Tesla, Toyota and Volkswagen – unprotected online.  The material includes documents from over 100 companies and includes blueprints, factory schematics and other materials.

The data was found by Chris Vickery of Upgard.  Chris has found dozens of unprotected data sets just in recent months, usually on Amazon.  Chris DOES NO HACKING.  All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked.  In this case, the material was an unprotected backup – 157 gigabytes of data made up of over 47,000 files. If hackers found it before Chris did, and they may have, they are likely celebrating.  That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies.  Source: NY Times

Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid

The Department of Homeland Security reported Monday that hackers, working for Russia, hacked into the US power grid as early as 2013 and are likely still inside the grid with the ability to turn off the lights.  DHS says there were likely  hundreds of victims and one of the attack vectors is by compromising trusted vendors of the power companies (third party vendor cyber risk management).  Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?).  Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall.  For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time.  Source: CNET

Russian Hackers Attack Senator Claire McCaskill

Reports have surfaced today that Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri.  The Senator says that the attack was not successful.  McCaskill is a vocal opponent of Russia.  This is happening as the President continues to say that Russia is not hacking us and before the campaign season really warms up.  Source: The Daily Beast

Facebooktwitterredditlinkedinmailby feather