Category Archives: Alert

Security alerts

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case,  Apple and Google lawsuits) decided that the did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.

 

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.

 

Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.

 

Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup?  To over $140 million)?  Seems hard to swallow.

The researchers, after looking at the block chain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.

 

Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet .

 

Online Casino Leaves Data on 100+ Million Bets Unprotected

Security Researcher Justin Paine found a public Elastic Search database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount.   When ZDnet reached out to the companies involved – there seems to be multiple companies with some common ownership and based in Cyprus and operating under a Curacao gaming license, they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but not making any statement about their client’s data.  Source: ZDNet .

 

Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, Whatsapp and third party data into the user’s Facebook profile without explicit user permission and having the user check a box that says, something like, “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC .

Facebooktwitterredditlinkedinmailby feather

GoDaddy Users Beware

GoDaddy has an interesting feature.  If a hacker creates a FREE GoDaddy account they can and have created a whole bushel of mischief.

If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited amount of time.

Only problem is that GoDaddy didn’t validate that you owned the domain that you wanted to add to your free account.

Once you own DNS for that domain you can send mail, read mail and act as a man in the middle attacker of the domain’s web site.

Since the account was free, the hacker didn’t actually own the domains in question and the IP addresses associated with the attack were not in the U.S., good luck finding the culprit.

This attack method apparently also works at other registrars.

Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails.  Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.

Thousands of domains were compromised.  Soon after the story of the attack method was published GoDaddy said that they put a fix in place.

They also said that they fixed 4,000 hijacked domains.

The only problem is that there are many thousands of more domains that they didn’t detect or fix.

GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.

GoDaddy now says that they believe that it is not possible to hijack domains any more using this specific method.  Other methods – not so sure.  Existing domains compromised?  You’re on your own.

Some researchers think that some of GoDaddy’s DNS servers have been compromised but GoDaddy says that its not the case.

One of the attacks using this scheme distributed the Gand Crab ransomware.  One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with the ransomware.  The ransom was initially $2,000 but went to $4,000 while they decided what to do.

Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust“.  “We  have accepted the fact, for now, that we are just locked out of our company’ information.  We known nothing about this type of issue other than we have to pay it or just start again.

While she is absolutely correct, the crooks don’t really care.  The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.

So what do you need to be doing?

First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current.  I keep mine in a bank vault.  The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.

Second, beef up employee training.  The A.S. Price attack happened when an employee clicked on a malicious link.

Third, add robust anti-malware protections.  There are lots of them out there.  It does cost money, but so does losing access to your data. In the A.S. Price case it is $4,000 (not including the cost/value of losing access to the data).  While it is a lot of money, what if they asked for $100,000 instead.  It has happened.  And the hackers have been paid.

Next, have a strong, tested incident response program.  A few months before the Sony attack, the same group attacked some of Sheldon Adelson’s casinos (the Sands in Las Vegas).  Because Adelson’s IT team had a tested incident response program and even more importantly, they were empowered to act without a committee’s approval, they minimized the damage so much that you didn’t even hear about the attack.  Visualize this.  Geeks with pocket protectors running through the casino’s floor unplugging live, operational, computers so they didn’t get infected.  Unplugging the entire Sands empire from the Internet.  WITHOUT A SINGLE MEETING.  That is training, trust and empowerment.  And it worked!

Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01.

Information for this post came from Brian Krebs.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by Austrian privacy activist, lawyer and Faceboook-thorn-in-their-side has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB .

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year.  The code works on ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to WiFi.  Affected devices include the Sony Playstation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhones (and other i-devices) that include several remote code execution bugs (vulnerabilities that can be exploited remotely) including FaceTime, Bluetooth and 8 bugs in the Webkit web browser.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

The macOS had similar patches since much of the same software runs on the Mac, but there were Mac unique bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed.  it is not clear who owns the data belonging to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.

Facebooktwitterredditlinkedinmailby feather

Ballistic Missiles Headed to Los Angeles, Chicago and Ohio

Imagine watching TV one day and hearing an alert that says that ballistic missiles were headed from North Korea to Los Angeles, Chicago and Ohio.  The alert said that people had three hours to evacuate.

Ignore for the moment the fact that Russian TOPOL ballistic missiles can travel at up to 15,000 MPH, so it would cover the 6,000 miles from Korea to the U.S. in much less than 3 hours.

In this case, the bigger issue was that the football game on TV was not interrupted and there was nothing on CNN.  That’s when the family that heard the message freaked and eventually figured out that the so called alert was coming from their NEST surveillance camera on top of the TV.

Google, which owns NEST, said that it was the family’s fault – probably not changing the default password.

So what should you be doing?

This is part of a bigger problem with Internet of Things security, which currently is a disaster.  IoT security in general is really poor and people are buying IoT devices and not securing them.

First thing, I would reconsider placing a surveillance camera in your living room on top of your TV or in your kid’s bedroom.  I have heard horror stories of people doing that and pervs watching their kids doing who knows what while wearing …  After all, people are not always fully dressed inside the house.

Google laid the blame for this on the owner.  Said they should use two factor authentication.  How many people understand that?  I looked at the NEST camera installation page on their web site (here) and do not see anything obvious about turning on two factor authentication.  Why?  Because it complicates things which means more support calls which means lower profits, so I think NEST is being disingenuous here.  Gee, that is a surprise.

All IoT vendors need to step up to the plate when it comes to security, making it as easy as possible and understanding that they might get more support calls.  California just passed an IoT security law that will require vendors to improve security if they want to sell their devices in California.

On the other  hand, consumers who buy IoT devices need to understand that they are responsible as well and take appropriate steps, even if that means a little more work for them.

In this case, this one family had 30 minutes of freak-out time.  It could have been a lot worse.  Source:  CSO Online ,

Facebooktwitterredditlinkedinmailby feather

DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if the agency blows off DHS, which many do on normal day.  Under the current circumstances, likely even more with do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS is admitting to at least 6 agencies who have had their DNS records hijacked.  Likely there are more;  some of whom do not know that they have been hijacked for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are Go DaddyWixHostgator1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources. 
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitor’s credentials or install malware on visitor’s computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.

 

Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.

Facebooktwitterredditlinkedinmailby feather