Category Archives: Alert

Security alerts

If Your Data Is Important to you DO NOT Trust Your Cloud Provider

There is a great piece on ZDNet today about a writer who’s phone number was stolen (not the phone, the number) using a SIM swap attack.  In this case, the phone company was T-Mobile and all the hacker had to do is call them, given them a bit of the victim’s information (like secret stuff such as the last 4 of your Social) and T-Mobile was happy to give the hacker this writer’s phone number.  T-Mobile doesn’t want you to be angry with them so they are willing to sacrifice your security and privacy instead.

Once he or she had the number, he was able to reset the writer’s twitter and google passwords.  The writer had set up two factor authentication to be more secure, but once the phone number moved to the hacker’s phone, the text message he was using for the second factor went to the hacker’s new phone:

TIP: Use authenticator apps like Google or Facebook Authenticator instead of text messages because then stealing your phone number won’t give the bad guys the second factor information.

T-Mobile put a message on the writer’s phone saying the phone number had been transferred and to call 611 if he didn’t do it, but since the phone had no service, that wasn’t possible.  Smart thinking T-Mobile.

The writer was able to call T-Mobile from another phone on the account and get the phone number restored, but that didn’t get his online accounts recovered.

TIP: Time is of the essence.  The sooner you detect the problem and the sooner you get your carrier involved in fixing it, the less damage the bad guy can do.

Now the writer had to go through the brain damaging process of recovering access to his accounts.  He used Twitter for work (that’s a problem in itself) and had about 10,000 followers.  The hacker whittled that down to about 3,000.  He also had years of history about stories there, along with collaboration with sources and other writers.

He did get his accounts back eventually, but there was a lot of damage done.  For example, all of the labels on his GMail messages are gone, so he has to reconstruct all of that.  Among other issues.

Oh, yeah, Twitter would only talk to his registered GMail email and since that was hijacked, he could not get them to do anything until he got Google to restore his access to his account.

The hacker compromised his Google Fi account and since he didn’t have access yet to his GMail, they won’t talk to him.  That account, he thinks and all the data in it, may be lost forever.

TIP: Read the rest of his article for more suggestions on protecting yourself.

So if you are a person who uses online accounts and stores “important” stuff there, consider this.  There is no guarantee that you will be able to get to your online account tomorrow or retrieve any of the data that is there.  If that is a concern, you need to take action.

Almost all services offer a way to backup your data.  It is not the cloud provider’s responsibility to protect your data unless it says so in writing in your agreement.

TIP:  Read your agreement with your provider and see what it is liable for.  Also see what damages you can collect.  Often the damages are meaningless (like they will refund your payments made in the last 12 months – for a free service).

TIP: Google, one service a lot of people use, has  a free service called TAKEOUT.  It has nothing to do with home delivery of Asian food.  It is available at Takeout.google.com .  Takeout allows you to select which of the hundreds of Google services you want to download your data from and it will give you different options for each service.   This is great for Google users.  Each service is different.

TIP: Set yourself a reminder to backup any critical personal online data as frequently as is important to you.  For example, if you only backup your data monthly, then you may lose a month’s worth of email, photos or whatever.  Backup at least as frequently as the amount of data you are willing to lose.

TIP:  If you download your data, back it up.  I suggest multiple copies of the data is important and then store it securely.  Flash drives are VERY cheap.  And fail occasionally, hence the reason for multiple copies.  Put it in a safe deposit box;  Give it to your kid who lives in another city. Whatever, but it does you do good if you can’t get to it.

Source: ZDNet

 

Facebooktwitterredditlinkedinmailby feather

FTC Paves New Road

The message this administration has been delivering over the last two-three years is less regulation; less controls.  So what, exactly, is the FTC doing?  Are they going off the reservation or is there a plan here?  My guess is that there is a plan.

Last week the FTC whacked DealerBuilt, a service provider that provides dealership management software service to car dealerships.

Apparently, back in late 2016,  Dealerbuilt had a breach that exposed 12 million customer’s data from over 130 dealerships.  The data included all of the stuff that you would expect for car loans.

The crooks downloaded about 10 gigabytes of that data representing about 70,000 customers before it was discovered.  The problem was a really crappy cybersecurity program including transmitting data in the clear, storing data unencrypted, no penetration testing, etc.

What is new here is that the FTC is holding the vendor and not the dealers responsible.  They are saying that the vendor has direct liability to the FTC, even though it is the car dealership that is considered a financial institution because it makes car loans.

Dealerbuilt tried to make it right with their customers after the breach, but the damage was already done.

DealerBuilt was, according to the terms of the deal, prohibited from handling consumer data at all until they had an approved cybersecurity program in place (meaning zero revenue until then) and they have to have a third party risk assessment every two years.  While it does not say so, these FTC programs typically last for 20 years.

If they screw up again, the FTC could fine them $42,350 (who makes up these numbers) per violation.  $42,350 x 70,000 customers = $2.96 billion.   Probably enough incentive.

Key point is that if you are a vendor to someone, and most people are, then the FTC is saying that they reserve the right to come after you, as well as your customer.

The consent decree also holds company executives responsible for the new cybersecurity program and requires that the company conducts penetration tests.

Interestingly, it seems like the FTC is still going after folks, as is Health and Human Services (HIPAA), while other agencies, such as the EPA are being  told to stand down.  Source: Autonews.

Facebooktwitterredditlinkedinmailby feather

Will Deepfakes Redefine Whether You Can Believe What You See?

“Think of this – one man with total control of billions of people’s stolen data.  All their secrets, their lives, their futures…”  So begins a fake video  using technology and videos of Mark Zuckerberg saying completely different things (see here).

It even has a CBS News logo on it.  CBS asked Facebook to take it down for trademark violation, but since they refused to take down the doctored video that Trump and others on the right used to try to smear Speaker Pelosi, they are now in a box.

But this is not a Facebook problem.  Nowadays, almost anyone with a little bit of skill and not very much money can make a relatively convincing fake video.

Then they can post it.

They don’t have to post it on Facebook, they can post it on some obscure, non-US web site.  One they create for the purpose.  One that is going to ignore takedown requests.  One that can move at will making it hard to block.

Then all they have to do is wait for people to post links to it.

Could be anything.

The video could show someone committing a crime or talking about something illegal or something immoral.  Given the tech, the possibilities are endless.

Abraham Lincoln once said that it must be true if it is on the Internet (no, he didn’t say that! ).   People tend to believe things that reinforce anything that they would like to be real.

That Zuckerberg video looks pretty real.  It should because it is Zuckerberg and he did speak, just not those words in that order.

Since politics is full of dirty tricks and it would be easy to create plausible deniability by getting someone in another country to actually do the posting (after all, Trump just said the other day that he would listen to dirt about an opponent given him by a foreign power – this is not much of a stretch.  After all, it could be real.  How would someone know?  Especially if they want it to be true.

This would be an easy way for an enemy of the U.S. to influence an election.  Create enough of these fake videos – for China it would cost petty cash – say $1 million or even $10 million for a whole bunch of them – and you could cause people not to know what to believe.

While tech could help mainstream media figure out some fakes, web sites that didn’t really care whether something is fake as long as it hurt people they want to hurt, will choose not to use that tech.  This puts the target of the smear in a position of having to react and possibly sue to try and get things taken down.  Good luck with that.  It would be a game of whack-a-mole.

Stay tuned, this will get ugly.  Source: Vice.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending June 14, 2019

SandboxEscaper Releases Yet Another Windows Zero-Day

SandboxEscaper has it in for Microsoft.  He or she has released over a half dozen zero-days including four of them just a couple of weeks ago.  He or she has put Microsoft behind the power curve multiple times and now he or she is doing it again.

This time SandboxEscaper has figured out how to exploit the patched version of one of the previous exploits.  This exploit can be triggered silently with no obvious warning to the user.  There is no patch available for it yet. Source: The Hacker News.

If history is any example, this is probably not the last time we will hear from SandboxEscaper.

 

License Plate Pictures Taken by CBP Cameras Available on the Dark Web

As reported last month but not confirmed by Customs and Border Protection until this week, an unnamed vendor of license plate readers to CBP and others was hacked and hundreds of gigabytes of data stolen.

Included in that data was thousands of photos of license plates captured at the US border and travelers at US Airports and they are available on the dark web.

The government (no surprise) has a poor vendor cyber risk management program.  The vendor, widely believed to be Perceptics, although the government is shielding it for some unknown reason,  copied data from the government’s computers  to their own.  After this, the vendor was hacked and hundreds of gigabytes of data stolen.  Source:  The Register.

 

A Year Later, U.S. Government Websites Are Still Redirecting to Hardcore Porn

Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domain names that redirect visitors to porn sites.

Gizmodo reported this a year ago and it is still not fixed,  Actually a few sites were fixed and a few more added to the broken list.

Users were being redirected from government sites to sites with names like” Two Hot Russians Love Animal Porn”.  One site infected was the Department of Justice’s Amber Alert site.  To be clear, the government is not running porn sites.

And these are folks that we are relying to to protect our cyber universe.  Source: Gizmodo.

 

Philly Courts Still Down After Cyber-Attack Last Month

Another day, another city.  In this case, it was the court system in Philadelphia was hit by a cyber-attack.

After the attack, e-filing, docketing and email systems were taken down and now there are still problems.

So far, the courts have released very little information – not even the name of the firm that they hired to fix their mess.  Likely, that will come out later.

Suffice it to say, with each of these attacks, it becomes more and more important to evaluate YOUR disaster recovery system.  Can you afford to be down for weeks in case you suffer an attack?  Source: Infosecurity Magazine.

Facebooktwitterredditlinkedinmailby feather

What If Local Hospitals Were Hit With Ransomware?

Remember the Wannacry attack that basically took down the UK healthcare system and which CBS says will cost about $4 billion to mitigate?

Well, a few medical experts with a bent towards hacking presented the results of a simulation they conducted regarding what would happen if local hospitals were hit by a coordinated malware attack.

They claim that the average connected device had about 1,000  exploitable CVEs( vulnerabilities).  The speakers said that 85 percent of US hospitals do not have any IT security staff.  Those are scary thoughts.

The speakers, Joshua Corman, founder of I am the Cavalry , Beau Woods, Dr. Christian Dameff and Dr. Jeff Tully, painted a pretty bleak picture.

Along with authorities in Phoenix, they ran a simulation for three days that started with one hospital being infected by destructive malware, followed by digital assaults on other hospitals in the city on day 2 and finally a physical attack like the Boston Marathon attack on day 3.

To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.

By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.

All of the deaths in the simulation were caused by the hacking.

You may remember the case of the St. Jude pacemaker.  A security researcher told the government of the flaw and for a year, the government hemmed and hawed and didn’t do anything.  Eventually the feds blinked and issued a warning and St. Jude patched it.  Most flaws do not get patched at all.

Even if the hospitals have an infinite pot of money, it takes years to get new devices approved.

What needs to happen is for the government and medical device makers to improve their security processes and for hospitals and doctors to fully engage.  We are never going to have bug free software, but right now, many devices are never patched because the approval process to apply the patches (from the government)  is basically unworkable.  The public needs to demand it – minus that, the problem will never get fixed and people will likely die needlessly.

In the case of hospitals affected by Wannacry, the researchers are confident that the result was people dying.

Source: The Register.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bytes for the Week Ending June 7, 2019

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack – which is why many organization just pay the ransom.  The attackers only wanted $103,000 or less than 1 percent of what they are going to spend.  Of course, if an organization does that, they will still be vulnerable to another attack and will have no idea whether the attacker will remain inside their systems, slowly stealing data, for the rest of eternity.

The city is blaming the feds for the breach due to the use of NSA’s leaked spy tool EternalBlue and want federal aid to fix their mess, although there are also conflicting reports that say that EternalBlue evidence was not found in the city’s network.

Baltimore’s information technology office issued a[n undated] detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system. (based on contents of the memo, it was likely written in late 2017 or 2018)”

The reality is that patches for EternalBlue have been out for more than a year – but not installed in Baltimore.   Who’s fault is that?  Like many organizations, Baltimore just chose to prioritize spending money on other things rather than protecting their systems and their customer’s data.  Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop.  Apparently the hackers behind GandCrab have decided that $2.5 billion is enough and have ordered their “affiliates” to stop distributing the  ransomware after an 18 month run.  The operators claim to have generated $2.5 million a week over those 18 months and cashed out $150 million, which they have “invested”.  Of course, other malware will replace it, but the sheer magnitude of this one is amazing.  Source:  Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that 12 million customer records including credit card and bank account information, medical information and Socials were compromised.  Now it is Lab Corp saying that almost 8 million of their customer records were exposed.

Both tie back to the same vendor – AMCA – American Medical Collection Agency.  Given both of these biggies used it, likely there are many more small companies that also used it.

Labcorp said, in an SEC filing, that the hackers were inside for 9 months before they were detected at AMCA.

One more time, third party vendors put companies that trusted them at risk.   In this case, there is the added pain that this is a HIPAA violation and a pretty big one at that.  That is why vendor cyber risk management is so important.

Quest says that it has fired the vendor and hired its own investigators; they say that they have not gotten sufficient information from AMCA.  Remember, you can outsource the task, but not the liability.  Hopefully everyone has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of EXIM Mail Agents Are At Risk

What could go wrong.  Millions of EXIM mail transfer agents, typically used on Unix-like systems, are vulnerable to both remote and local attacks.  The attack allows a hacker to remotely execute commands on the target system with the permissions of root.

The bug was patched in February, but it was not listed as a security fix, so likely many sysadmins did not install the patch.  Shodan shows 4.8 million servers running the software and only 588,000 running the fix.  Most of those servers are in the U.S.  Source: Bleeping Computer.

The AMCA Data Breach Keeps Growing

AMCA is a company you probably never heard of before this week.  They are a medical claims collection agency.  As I said above, first it was Quest with 12 million customers affected;  then it was LabCorp with another 7+ million customers.

One assumes that AMCA has lots of customers and depending on the nature of their systems, probably all of their customers were compromised, although it is possible that each customer was isolated from all of the others – but that doesn’t seem to be the case.

Now OPKO Health is saying that 400,000 of their customers information was compromised.  Expect that there will be more customers coming forward in the weeks ahead.

This is the risk that you have when you use outside parties – breaches that you don’t control but have to pay for anyway – both financially and in brand damage.  If you have not already figured out how to protect yourself as best as possible, now is the time to do it because once you get that phone call from your vendor – it is too late.  Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather