Category Archives: Best Practices

Private Facebook Posts May Not Be So Private

This is not Mark Zuckerberg trying to extract a few more cents out of you by pushing more ads to you – in fact, Facebook really doesn’t even have much of a say in this.  It is not even a Google thing.

Still, it is useful to understand.

In the case of a Manhattan woman who was disabled in a horseback riding accident, the courts have ruled back and forth.

The woman is blaming the trainer and horse owner for fitting the horse with a defective stirrup.  The case is unusual because, under the law, equine trainers usually have no liability for accidents.  In this case, the rider, who suffered brain and spinal injuries, is claiming negligence.

The trial court ruled that the woman had to provide both Facebook posts and photos from both before and after the accident during discovery.  The trainer is trying, I assume, to determine if the disabilities prevented her from doing the things that she did before the accident and turned her into a recluse, which is what she is claiming.

The trial court did exclude any nude pictures from having to be disclosed.

But then the appeals court reversed the trial court and said that she did not have to produce that information.

But now the full appeals court, by a vote of 7-0, said that the trial court was correct and that the information did have to be produced.  This court is the state’s highest court, so it is not clear if there is any further appeal avenue available.

The appeals court did acknowledge that the posts were private, but said that did not allow her to avoid discovery.

For users, there is a warning here.  Do not assume that anything that you post online, even if you think it might be private, is really private.  I am sure that this woman did not think about the implications of her Facebook posts during a trial.

But there is a simple answer – if you want it to be private, do not post it.  Don’t even put it on Google Photos or Microsoft OneDrive.  If you make it accessible to an Internet provider, it is likely subject to disclosure.

Information for this post came from Reuters.


FBI, NSA, CIA Say Don’t Use Huawei, ZTE Phones

The heads of the intelligence community – NSA, CIA, FBI and the Defense Intelligence Agency – appearing in front of the Senate Intelligence Committee, said that Chinese smartphones posed a threat to national security.

Exactly why they singled out those two Chinese phones, compared to the iPhone, which is likely made in the same factory, is not clear.  It would seem that two phones, made in the same factory by the same people, would have a similar security risk, but apparently not.

FBI Director Chris Wray said that it was because Huawei and ZTE are beholden to the Chinese government.  I would think that Foxconn, who, for example, makes TVs for Sony and others, Cisco networking gear, HP and Dell computers and Nintendo games would also be beholden to the Chinese government in a very big way.

I suspect there is classified intelligence that they are not sharing that explains why these two companies are being singled out.

The concern, they say, is that these devices could steal information or conduct undetectable surveillance of the phone’s user.

AT&T was going to sell Huawei phones but magically decided not to last month.  No doubt these same agencies explained to AT&T why that was not a good plan.

Ultimately, everyone has to make their own decisions, but there are plenty of phones made in Korea, which seems to be a more friendly locale.  There are no phones made in the United States.

Apple and others do buy some parts in the US, like glass from Corning, but those parts are then shipped to China to be assembled.  Apple is looking at assembling some phones in the US, likely for the PR value, but doesn’t actually do that.  Even if they do, since iPhones represent less than 15% of smartphone sales, that will still mean that 80% to 90% of smartphones are manufactured in other countries.

Information for this post came from CNN.


T-Mobile Sued For Lack of Security

I am always skeptical about these lawsuits.  One issue is usually “standing”, but in this case, I don’t think this will be an issue.  Often, if the party being sued thinks they are going to lose, they tend to settle, quietly, with no precedent from a court decision.  In this case, I predict this one may be settled quietly by T-Mobile.  UNLESS, the person filing the lawsuit is more interested in creating a precedent.  We shall see.

OK, here is the story.

Carlos Tapang is suing T-Mobile because someone was able to take over his phone account, transfer it to another carrier and use that new account to compromise his cryptocurrency account to the tune of $20,000 plus.  The good news (not really) is that this occurred when Bitcoin was selling for about $7,000, not the high price of $20,000.

The reason T-Mobile will likely lose if this goes to trial is that T-Mobile said that they would put a PIN on his account, BUT DID NOT.  Ooops.

Also, the hacker socially engineered T-Mobile customer service until one customer service person believed the hacker’s story and allowed him into the account without knowing the proper information.

THIS HAPPENS ALL THE TIME – CUSTOMER SERVICE PEOPLE ARE TRAINED TO KEEP CUSTOMERS HAPPY, NOT SECURE.

If this goes to trial and T-Mobile loses – big if – then it could cause the carrier to improve security.  That is part of what they say they want T-Mobile to do.

Tapang was able to recover his phone number – actually, he is lucky.  Many people lose their number permanently.  But it was too late.

While the article doesn’t say, what probably happened is this.

The attacker somehow figured out that he had a cryptocurrency account.  He either knew or guessed that it was tied to his phone number.  This is the typical “two factor” authentication which uses your phone number and a text message.

Using a text message as the second factor is relatively insecure because if someone is able to get control of your phone number, they can receive the necessary information for a PASSWORD RESET and the TWO FACTOR text message code.  That is probably exactly what the hacker did.  Then he emptied Tapang’s cryptocurrency wallet.

And, as we see all the time, the cell phone carriers are horrible when it comes to security.  It is hard to train call center employees, especially with the high employee turnover (for some call centers it is more than 100% turnover per year).  And, if security is good and they won’t hand over information, they wind up with upset customers.  On the other hand, if you do turn over the information without proper authentication, you wind up getting sued.  It is a challenge for the carriers because people want convenience over security.  Until it costs them $20,000.

Well, what can you do?

Number one – do set up a PIN on your cellular account and be a pain in the rear until they actually do it. TEST IT!  With Sprint they seem to be very good about the PIN, but if you don’t know it, they will sometimes let you answer other questions – which is bad security.  More than once I had to go into a Sprint retail store and show them my government issued photo ID to get a PIN reset.  THAT will deter most hackers.  Not all, but most.

Second, DO turn on two factor authentication for any account that you would be upset about if you lost control of and hackers were able to “empty it out” – such as a bank account, brokerage account or cryptocurrency account.

IF YOU DO NOT CARE WHETHER HACKERS ARE ABLE TO EMPTY YOUR BANK ACCOUNT, SET YOUR PASSWORD TO 123456 AND DON’T WORRY.  IT WILL GET EMPTIED.

Third, if at all possible, do not use a text message as the second factor.  Use an app on your phone such as Microsoft Authenticator, Google Authenticator or Authy.  These apps are tied to your device once they are set up and NOT tied to your phone number.  If your phone number is stolen it will not help a hacker steal your money.

But this is up to you.  If you figure that it won’t happen to you, choose convenience.  If you think that it might happen to you and you would be upset if your account was emptied out, then use two factor.  Even though it is less convenient.  Google says that less than 10% of GMail users use two factor.

Information for this post came from The Verge.


UK Security Chief: C1 Attack Likely in Next Two Years

The head of the UK’s National Cyber Security Center (NCSC), Ciaran Martin, said that a major cyber-attack on the UK is a matter of when, not if.

Martin said that the UK had been lucky to avoid a so-called category one (C1) attack.  Luck?  That’s comforting.

A C1 attack is defined as an attack that might cripple infrastructure such as energy supplies or the financial services sector.

Other countries, such as France and the US, have already had C1 attacks.

The US?  Really?  That is because interference with the elections is considered a C1 attack also.

Martin, in an interview with the Guardian, said that he anticipated a C1 attack in the next two years – that he doesn’t expect to make it to 2020 avoiding such an attack.

The NCSC is the public face of GCHQ, the British version of the NSA, so they likely have a pretty good idea of what is happening.

The worst attack the UK has faced so far was WannaCry last year.  The NCSC categorized that as a C2 because there was no imminent threat of loss of life.  It certainly had an impact on healthcare in the UK.

The NCSC has classified 34 attacks at the C2 level since it opened through the end of 2017 – about 15 months.  They cataloged 762 C3 attacks in that same period.

We don’t have similar numbers for the US, but if we did, they would likely be larger.  We are a bigger target than most.

President Trump suggested he might use nuclear weapons in case of a cyber attack.  Hopefully, he was just bluffing, but that would be a good way to start World War III.

Cyber attacks are not going away any time soon.  For nation states, it is pretty easy to “encourage” private hackers in another country to be their attack proxy, which is why using nukes to retaliate is so scary.  What if the Chinese made an attack look like it came from Russia?  Or Germany?  Sometimes attribution is easy, but only if we have already hacked the hacker’s network.  If a nation state is effective at getting hackers in another country to launch an attack, then attribution is hard.  What if Chinese hackers compromise some computers in some place in the US, say Iowa, and launch an attack from those compromised PCs?  If the PCs are consumer owned, it is unlikely that there are any logs to help figure out where the attack was launched from.  At that point, figuring out where the attack came from is very, very difficult.

Information for this post came from The Guardian.

Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike money, you can’t deposit it in a bank where there are government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement, like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case, since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets.  Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes.  Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old fashioned stick-em-up (although that was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.  After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.


Zyklon Malware can Recover Passwords and License Keys

The Zyklon malware has been around since early 2016 and it is a nasty bit of business.  It mostly arrives as a zip file (if you are not blocking zip attachments at your inbound mail gateway, you should do that now).  Assuming it gets in and the user opens the zip file, it uses three different Microsoft Office exploits to gain a foothold in the user’s system.

It is able to steal license keys or serial numbers (I assume to resell on the black market) from 200 popular software programs.  It can also steal passwords from a number of popular browsers (the downside of the convenience of having your browser save your passwords).

It can steal email passwords from popular programs like Thunderbird, Outlook Express, GMail Notifier and a bunch of others.

It can also steal FTP passwords from a number of programs such as Filezilla and Dreamweaver.

As a competitive advantage, the malware is sold to hackers at several different license levels, from $75 on up, depending on what features the hacker wants to buy.  Perhaps the hacker buys it at the entry level, uses it to steal passwords, sells the passwords and upgrades his or her license.

Oh, yeah, it can auto-update and download more modules/features if the hacker has bought those features.

This is a full featured pile of dog poop.

The best bet for avoiding this is blocking attachments, a good advanced anti-malware solution and, most importantly, an aggressive cyber security education and anti-phishing program.

Information for this post came from SC Magazine and FireEye’s blog.
