Category Archives: Alert

Security alerts

This IoT Hack Could Kill You Literally

Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.

The researchers took real CT lung scans and let their malware modify the scans.  In the cases where the researchers created fake cancerous nodes, the radiologists who read the scan diagnosed cancer 99% of the time, even though the scans were actually clean.

After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.

In addition to lung scans, the malware would work on brain tumors, heart disease, blood clots, spinal injuries and other situations.

This concept could also mask cancer, causing the doctors to not diagnose cancer when cancer was present.

The researchers said that this technique could also be used to fake clinical trials one way or the other.

This particular hack works because the CT scans are not digitally signed by the scanner to stop them from being modified in transit and they are not encrypted in the back-end image store called the picture archiving and communications system (PACS).
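To show what the missing integrity check would catch, here is an added example (not code from the original post or from the researchers): the scanner attaches a tag to the image before it leaves the device, and the PACS verifies it on ingest and again before the scan is read. It uses HMAC-SHA256 as a standard-library stand-in for a digital signature, and the scan bytes are constructed, not real DICOM data.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a scanner image; a real scan would be the DICOM
# headers plus pixel data emitted by the CT scanner.
SAMPLE_SCAN = b"CT-LUNG-SERIES-0001|slice=042|" + bytes(range(256))


def make_tag(key: bytes, scan: bytes) -> bytes:
    """Scanner side: bind an integrity tag to the image before transmission.
    HMAC is a stand-in here; a production deployment would use an asymmetric
    signature so the PACS holds only a verification key, not a signing key."""
    return hmac.new(key, scan, hashlib.sha256).digest()


def verify_tag(key: bytes, scan: bytes, tag: bytes) -> bool:
    """PACS side: recompute and compare in constant time.  Run on ingest and
    again when the image is pulled for reading, so a modification inside the
    archive is caught as well as one made in transit."""
    return hmac.compare_digest(make_tag(key, scan), tag)


def tamper_pixels(scan: bytes) -> bytes:
    """Simulate the in-transit modification described above: alter a few
    bytes of pixel data without changing the length of the image."""
    data = bytearray(scan)
    for i in range(40, 48):
        data[i] ^= 0xFF
    return bytes(data)


def demo(key: bytes = None):
    """Return (clean_verifies, tampered_verifies) for a fresh or given key."""
    key = key or secrets.token_bytes(32)
    tag = make_tag(key, SAMPLE_SCAN)
    clean_ok = verify_tag(key, SAMPLE_SCAN, tag)
    tampered_ok = verify_tag(key, tamper_pixels(SAMPLE_SCAN), tag)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```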

These poor security practices of the IoT device manufacturers could lead to people dying due to compromised diagnostic tests.

Granted it seems like a hard attack to execute, but if it is a high value target for some reason, such as a clinical trial, for example, well, then, all bets are off.  Is it the vendor conducting the trials that wants the results to look better or is it a competitor that wants to derail the trial?  After all, if a competitor can get a trial derailed, it could  mean a lot of money in the pocket of the competitor either for a new competing drug or an old drug that has extra life.

This, of course, is just one example of how an IoT device could be hacked.  In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?

Source: the Washington Post.


Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, it is a good launchpad for attacks against their customers.

When Brian (Krebs) reached out to Wipro communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company.  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors. 

What they have not said yet (and I am sure that it will come out) is which of Wipro’s customers the attackers went after and were those attacks successful.  I bet that at least some of them were.   Source: Economic Times of India.


Hacker Well On His Way to Publishing ONE BILLION User Records

While some people say that you can’t prove that people have been harmed by lax cybersecurity practices, the laws are making it more expensive for companies to believe this.  Fines in the hundreds of thousands, millions and even billions of dollars are happening.  So whether companies believe cybersecurity is an issue or not, their wallets are suggesting that they need to make improvements.

To encourage that, one hacker who goes by the handle GnosticPlayer is making it a one-man mission to make life miserable for businesses with weak security.

Until this week he has made 4 dumps of data –

  • round one contained 620 million records
  • round two contained 127 million records
  • round three contained 93 million records and
  • round four contained 26.5 million records.

This brought the total to over 850 million records.

Until this week.

Round five contains 65 million records from 6 companies, bringing the total to over 900 million records.

In case you are questioning whether this is a business, apparently the data is available, sorted by category.  For a “fee”.  In Bitcoin.

Stolen email addresses are sold to spam networks,

Financial details are sold to groups that specialize in tax fraud and online fraud.

Usernames and passwords are sold to groups that specialize in credential stuffing (the technique of taking a million userids and passwords, throwing them at a web site and seeing which ones work).
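Credential stuffing as described above has a recognizable shape in authentication logs: one source tries many different usernames and mostly fails, which is unlike a legitimate user retrying one account. The following is an added example, not code from the original post, that flags such sources; the log format and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-04-15T10:00:01Z 203.0.113.7 alice FAIL
2019-04-15T10:00:01Z 203.0.113.7 bob FAIL
2019-04-15T10:00:02Z 203.0.113.7 carol OK
2019-04-15T10:00:02Z 203.0.113.7 dave FAIL
2019-04-15T10:00:03Z 203.0.113.7 erin FAIL
2019-04-15T10:00:03Z 203.0.113.7 frank FAIL
2019-04-15T10:01:10Z 198.51.100.2 alice FAIL
2019-04-15T10:01:15Z 198.51.100.2 alice FAIL
2019-04-15T10:01:20Z 198.51.100.2 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def stuffing_sources(log_text, min_users=5, max_success_ratio=0.5):
    """Return {ip: [usernames]} for sources that tried at least min_users
    distinct accounts with a success ratio at or below max_success_ratio.
    A user who forgot a password hits one account repeatedly and is not
    flagged; a stuffing run sprays many accounts and mostly fails."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _ts, ip, user, result in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            successes[ip] += 1
    flagged = {}
    for ip, seen in users.items():
        ratio = successes[ip] / attempts[ip]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(seen)  # includes any account that succeeded
    return flagged


if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
```

The usernames returned for a flagged source are the accounts to review, since any that succeeded were just confirmed as reusing a leaked password.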

The hacker is selling his data on Dream Market, a pretty public dark web marketplace.  He does not appear to be very shy about publicity, so my guess is that he is not in a country friendly to the U.S.

For businesses and consumers, this means that your information is being used against you.  

Credential stuffing allows hackers to attempt to hack your bank account and empty it.  Is that important to you?

Tax fraud means that your tax return will be rejected by the IRS and you will not get the refund that you are owed.

Other attacks might mean that you will lose access to your email account or other accounts.

So unless you think that the issues above are not important to you or your customers, you need to work hard to improve your business’ and personal cybersecurity hygiene.   

Source: ZDNet.


Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000.  And, they don’t seem to be getting any better.  Source: BBC .


Researchers Figure Out How to Attack WPA 3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The first version had no security, the next version had crappy security, and the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security tests.  Anyone who wants to hack it has to do so treating it as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the other attacks are side channel attacks.  They also figured out how to create a denial of service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on Github to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try and patch the holes.  The good news is that since there are almost no WPA 3 devices in use, catching the bugs early means that most devices will be patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400 pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that  the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russians’ efforts to compromise the election and it will likely fuel more conversations in Congress.  Source: Ars Technica.


Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, whom President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.


Hackers Target Industrial Control Networks

For many years hackers have been content to destroy companies’ office networks and demand ransom if those companies wanted control of their systems back in order to do business.

But that is not enough for the hackers.  They want to shut down factories and do damage.

There have been a couple of barriers to hackers being successful in this venture, which is a good thing.

Unlike office computers, which are built around a handful of chips (Intel, AMD, Arm, etc.), the computers that run factories are built around a much wider range of hardware.  In addition, every manufacturer runs its own operating system, and sometimes different products from the same manufacturer run different operating systems, although some of the new hardware runs a version of Linux.  Lastly, these so-called OT, or operational-technology, networks are often isolated from the corporate networks, at least in theory.

One of the first public OT attacks was done by a US/CIA and Israel joint venture – the Stuxnet attack against Iran’s uranium enrichment program (although neither country formally admitted to doing it, it is widely believed that it was them).  Then there was an attack that Russia did against Ukraine, turning off the power in the middle of the winter.  Twice.

These attacks legitimized this form of attack in many people’s mind, particularly the hackers.

In 2017 the Triton family of malware was discovered by researchers.

Designed to be very low key in order to not set off any alarms, it attacks Triconex controllers made by Schneider Electric.  These controllers are designed to be a “kill switch” to shut down the factory or refinery or whatever in case of a critical failure that causes the refinery to operate outside of its safety limits.  This is only one family of malware that affects these networks;  there are likely more.

Unless that is, you can fool the controllers into thinking they are operating within limits while at the same time making the devices operate unsafely.  This is how Stuxnet destroyed the Iranian centrifuges and also how someone damaged a German steel plant.

FireEye released a report on how the early generations of Triton operated and remained under the radar.  To date, Triton has only been deployed at a handful of facilities to make it more immune to detection and protection.

Since they were not trying to steal data from the IT network, they didn’t make copies of files or steal large amounts of data.

Mostly, they wandered through the network for years undetected, looking for the right workstation to attack and to better understand how the network operates.

They also worked hard to install multiple backdoors so that if they got detected and were kicked out, they could come back in again.

FireEye says that the attack lifecycle of a sophisticated attack is often measured in years.

All of this means that owners of control networks like factories need to step up their security game and not hope obscurity will protect them.  Even the government admits that it is likely that many of our critical infrastructure systems have already been compromised.

We also need to understand that OT-style controls are used more and more in the office environment.  Things like controlling TVs, projectors, heating and cooling, electronic signs, video conferencing systems, security cameras, etc.

Proper design would say that these devices need to be isolated, but often it is more convenient to connect them to the IT network.  Since almost no one patches their TV, refrigerator or light bulbs and even fewer people know what normal behavior of these devices is in order to monitor these devices’ actions, these devices put the IT network at greater risk.

FireEye says:

“We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.”

AS WE BELIEVE THAT THERE IS A GOOD CHANCE THE THREAT ACTOR WAS OR IS PRESENT IN OTHER TARGET NETWORKS!!!

Well that is comforting.

Bottom line is that we need to up our game in securing these OT networks and devices.

As if we didn’t have enough work already.

Source: CSO Online.


Financial Institutions are Risking Customer’s Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report on 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other insecurely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps, many of which were there when you bought the phone and a lot of which you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know the banks want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.
