Category Archives: Alert

Security alerts

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds.  It appears that was facilitated by the city’s choice to not spend money on IT and IT security.  Now they are planning on spending about $18 million to fix the mess.  Atlanta can afford that, smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site – what if instead, the city owned water delivery system stopped working because the control system was hacked and the water was contaminated?  Or, what if, all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a form asking about their security and then checking the box that says its secure does not cut it.  Not testing software, both before the city buys it and periodically after they buy it to test for security bugs doesn’t work either.  We are already seeing that problem with city web sites that collect credit cards being hacked costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care because cities are not requiring vendors to warranty that their systems are secure or provide service level agreements for downtime.  I promise if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million dollars to deal with it, then the vendor gets to pay for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states governments have some level of immunity, but that immunity isn’t complete and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not due appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.   Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security

Facebooktwitterredditlinkedinmailby feather

Cell Phone Providers Face GDPR

British celebrity food writer Jack Monroe had her cell phone number hijacked and, after that, the hackers were able to receive her two factor authentication and access her bank and payment accounts.

She was already doing more than a lot of people do security wise – she was using two factor authentication.  BUT, the two factor authentication method was for the bank to send her a text message.

The attack is called SIM Jacking and it works like this.  The attacker calls the cell company and convinces an employee that the attacker is the phone owner. Then the attacker says that he or she bought a new phone and needs to move her number to a new phone.  The cell phone company employee asks a couple of simple security questions and when the hacker uses either publicly available information sources or data from previous breaches, answers the questions and poof, the hacker now owns the victim’s phone number.

Alternatively, as we recently saw with AT&T, the attacker can just pay off the employees to knowingly break the law and move the number to a phone controlled by the hacker.

In Jack’s case, once this was done, the hacker could now ask the bank to do a password reset and since the attacker now owns Jack’s phone number, the attacker gets the two factor code and the bank gives the attacker access to Jack’s bank account.

In Jack’s case, that cost her 5,000 British Pounds.

The phone company has given her back her phone number but the bank says that it will take a while to get her money back.  I’m not sure what they think she should do in the mean time.

In terms of recommendations, if you can use a two factor authenticator app on your phone such as Microsoft authenticator, Google authenticator, Facebook authenticator or Authy instead of a text message, that will defeat this attack because it is not dependent on your phone number.

If you are not using any two factor authentication on your online banking and other financial services accounts, turn that on now.

And, if you have not registered for online accounts for your banking or brokerage accounts because you think it is too risky – it is more risky to not do it, because then there is nothing to stop a hacker from registering for an online account in your name.

The more interesting part is this.  Some folks in England are slightly upset and are suggesting that the Information Commissioner’s Office needs to investigate whether the phone companies violated GDPR by not protecting consumer’s information.  Assuming the ICO does investigate and it does not like what it finds, it can fine the phone provider up to 4% of their annual global revenue.  While these investigations take time, it would definitely be interesting.

The only reason why these SIM Jacking attacks work is because the phone companies do not want to make it difficult for the customers by making the security effective.  When I forgot my Sprint login, I had to go into a Sprint store and show them a government issued ID.  While this is not perfect, it is probably harder and riskier than most hackers want to deal with.  But also less convenient.

It might also be inconvenient to be fined a few hundred million dollars as Marriott and British Airways recently learned when the same British ICO fined them for violating GDPR and in their case, it wasn’t even willful as it is here.  This may be the only way to get carriers to get serious about security.

But stay tuned;  this is far from over.  Source: BBC

Facebooktwitterredditlinkedinmailby feather

Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who pretty much single handedly is responsible for the California Consumer Privacy Act is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency since it seems that the current AG isn’t real excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in  2020, with an effective date sometime after that.

Source: WaPo

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending October 4, 2019

Just a Wee Bit Over the Top

There is a nut job who bought an old cold war era bunker in Germany and turned it into a “bullet-proof” hosting center similar to what we see in Russia and elsewhere – where they let you host anything, legal or otherwise.

Apparently the Germans got tired of this guy, who calls himself HRH Prince Sven Olaf of CyberBunker-Kamphuis and thinks he runs his own country.

The overkill part is that they sent in 600 paramilitary troops to arrest him and a dozen of his employees who were this bunker.  I wonder how much that cost them.  Source: The Register

Hacker GnosticPlayers Steals User Info From Zynga – 218 million people

This guys seems to be on a mission.  After stealing about a BILLION (yup, that’s right) userids already, he just added 200+ million Zynga gamers to the mix.  While the information isn’t super sensitive, this points to how weak security is in many places.  Source: The Hacker News

Demant Hearing Aids Expects to Spend $95 Million Due to Ransomware Attack

In case you tend to dismiss ransomware attacks, Demant, the Danish hearing aid manufacturer, says that an unidentified cyber incident will cost them between $80 million and $95 million, due to lost sales as the outage (likely ransomware) impacting shipping, receiving and production.  Source: ZDNet

TEN More Hospitals Hit By Ransomware Attacks

Three hospitals in Alabama and seven more hospitals in Australia have been hit by ransomware.  In the Alabama attacks, ambulances are being redirected to other hospitals and if someone walks into the ER, they will stabilize the patient and transfer him or her elsewhere.

The hospitals in Australia also say that patient services are being affected.  Source: ARS Technica

 

Baltimore Did Not Have Backups For Key Files

Baltimore lost a lot of key data because it did not have effective backup policies.  Users were storing the only copy of data on their local hard drives.

While it is fun to criticize Baltimore, when is the last time that your company actually tested that you have readable backups for **ALL** of your key data, including and especially, data stored in the cloud.

Baltimore is going to spend about $10 million and lose an additional $8 million in revenue due to the attack.  Source: Dark Reading

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

Facebooktwitterredditlinkedinmailby feather

FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades old IPNet software are vulnerable to hacking,

But they are not sure what devices that  may include.  Possibly insulin pumps.  Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster.  The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third party software that is used in the system that is delivered.

At one point in time, things were made out of hardware.  Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems.  Perhaps you have heard of a small breach at Equifax?  Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched.  And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated.  You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.

In the case of medical devices, things are way simpler.  Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials.  Then that data could be entered into a database and easily searched, avoiding warnings like this one.

But, we are talking about the government, so do not hold your breath.  Source: CNBC

 

 

 

Facebooktwitterredditlinkedinmailby feather