Category Archives: Best Practices

Developers Using Unprotected Databases Exposing Millions of Passwords

Thousands of Android and iPhone mobile apps use the Firebase database.  The database runs in the cloud and, apparently, by default has no security.

The net effect of this is that 100 million records, or more, are exposed for anyone to capture.

Firebase, a database run by Google, is very popular with Apple and Android developers.  It is popular because it allows for synchronizing data automatically across devices.

The data stored includes userids and passwords and even banking records, all unencrypted unless the developers protected the data themselves.

Researchers discovered 3,000 apps leaking 2,300 databases with over 100 million records or 113 gigabytes.

The vulnerable Android apps, which are the majority of the 3,000 apps, were downloaded 620 million times, so this is a mainstream problem.

Developers are responsible for protecting the data that they collect and users count on them to do that.

So what are you to do?

First, if you are a developer, you need to consider security when you design applications.  If you can’t figure out whether the data you are storing is secure, you should not be in the development business.
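What "no security" looks like in practice is a Firebase Realtime Database rules file that grants read and write to everyone. The following is an added example, not code from the post or from Firebase: it embeds a constructed open rule set beside a constructed locked-down one (made-up path names; the `.read`/`.write` rules syntax itself is real) and a small audit that reports any path granted to unauthenticated clients.

```python
"""Audit Firebase Realtime Database rules for grants to unauthenticated users.

Added example, not code from the original post or from Firebase. The two rule
sets are constructed: OPEN_RULES is the "anyone can read and write" shape the
post describes, LOCKED_RULES gates each user record on the signed-in user.
The rules syntax (".read"/".write" holding true/false or a rule expression
string) is real; the path names are made up.
"""
import json

# Constructed: every client on the Internet may read and write the whole tree.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed: a user may read and write only /users/<their own uid>.
LOCKED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def unauthenticated_grants(rules_json):
    """Return (path, permission) pairs where .read or .write is literally true.

    Rules cascade downward: a true at "/" covers every child path and cannot
    be revoked deeper, so a root hit means the whole database is exposed.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or str(value).strip().lower() == "true":
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    print("open  :", unauthenticated_grants(OPEN_RULES))   # both root grants
    print("locked:", unauthenticated_grants(LOCKED_RULES))  # nothing
```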

Unfortunately, as an end user, you don’t really know whether the people who developed the app you downloaded handled your data securely.

You can do research on the apps, but until this security flaw was announced, research would not have told you there was a problem.

The only other alternative is to be very selective about what apps you download.  That certainly is not a great answer either.

You also can be selective about what data you give the apps, but if the app is a health data app, as some of these are, and you don’t give it your health data, what good is it?

Ultimately, the responsibility for this particular mess falls, for the most part, on the development community, so folks, you need to up your game.  Just my two cents.

Information for this post came from The Hacker News.

The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate against.

These ships are connected via satellite and are always on the Internet, like most businesses.  Just with crappy, insecure software.

The pen testers created proof of concept attacks where they took ships off course.  A bad guy could cause ships to crash into each other at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).  Hack the charts and young sailors who believe computers instead of “looking out the window” will be easily fooled.  They tested 20 different ECDIS systems and they were all easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can make the ship go anywhere they want it to go.  That is just one attack.

OK, so what does this mean to you and me?

Since most of us are not the captain of a tanker or container ship, it is not about that.  But, if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has hundreds of computers in it and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about the security of it?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.

Cryptocurrencies Under Attack

A story that seems to be repeated with way too much frequency is cryptocurrency attacks.  This is because most users don’t understand how easy these attacks are.

I am aware of *NO* attacks that compromised the cryptography of cryptocurrencies.  Always it is the software.  Sometimes on the user’s side.  Other times on the exchange’s side.

The cryptocurrency exchange called Coinrail lost $40 million to an attack.  Coinrail has taken its service offline and has moved what is left of its currency into cold storage to make it harder for the hackers and to help investigators figure out how the attackers got in (source: Techcrunch).

The Japanese exchange Coincheck lost $400 million to hackers.  They say they do not know how the attackers stole the money. They are considering compensating users who lost money – whatever that means. (Source: Techcrunch)

Tether, a cryptocurrency startup, lost $31 million to attackers.  (Source: Techcrunch)

Bitcoin lost $500 of value in an hour after the most recent attack.  The industry as a whole lost $42 billion in value. (Source: Bloomberg)

As a coin speculator, what should you be doing?

First, you need to understand that you are a speculator in a wildly volatile commodity and that commodity has zero inherent value, unlike hog bellies or gold.

Second, understand that there is no insurance, very limited government regulation and no government protection from losses suffered.  This is about as risky as loaning money to your cousin Vinny.

Third, like all investments, diversify.  Whether that means stocks, bonds and Crypto or just different crypto exchanges (and not different currencies at the same exchange), diversify.  I recommend the first;  you do the second at your own peril.

Keep your wallet offline.  Hackers stole $20 million in Ethereum because users had opened a port on their local machines which allowed hackers to empty their wallets.  Offline is not a silver bullet, but it will stop that particular attack as long as the wallet stays offline.

Only run cryptocurrency transactions on a machine that you know to be secure.  One recent attack used DNS compromises on users’ machines to make their software think it was connecting to their exchange when, in fact, it was connecting to the attackers’ computers.

Bottom line – it is your money.  Treat it like it is important.

Baby Monitor Takes Compromising Pictures of Mom

A 24-year-old South Carolina mom, Jamie Summitt, got a rather rude lesson in cyber security.  She purchased a “smart” baby monitor that she could watch from her equally smart phone, only to wake up one day to find the baby monitor pointed at her.

She didn’t think much about that until she watched the camera move on its own to the spot where she breastfeeds her 3-month-old.

The camera, a very low end $34 camera from FREDI, claims that it has NO RISK of PERSONAL INFORMATION and lifetime technical support.

When she and her husband were eating dinner together while the baby slept, her phone alerted her that the camera was moving.  That prompted an Oh (fill in the blank) moment.  Clearly they were not moving the camera.

Remember that consumers are not security experts and expecting to be so is doomed to failure.

To those of us in the security industry, this is not news, the hacking of baby monitors being a well worn road.  Since manufacturers are not liable for the security of their products, they choose not to spend money on something that doesn’t generate revenue.

She unplugged the camera and called the police, but when the police arrived and plugged the camera in again, the peeping Tom had actually locked them out of their own camera – likely having heard the conversation with the police.

She contacted Amazon, who pointed her to the manufacturer.  The lifetime tech support number was disconnected and they did not respond to email.  No surprise here.

I wrote a long time ago about the tests that Rapid 7 did on baby monitor security and almost all of them got an F.

So what should you do?

The first thing to do is your own research on the security of whatever baby monitor you are considering purchasing.

See whether your chosen vendor has offered security patches for its monitors in the past.  No patches likely does not mean a secure product – just one that the vendor doesn’t care about after the sale.

Next, change the default password and make the new password something that is complex.  And hard to guess.

But another simple and low tech thing to do is…

Get an old ski cap and drop it over the camera when you are home. Or at least when you are in the room.  Take it off when you leave and put it back on when you come back.

At least that way the only thing the peeping Tom will see is your (hopefully) sleeping baby.

And not you in a compromising state of undress.

Information for this post came from CSO Online.

Security or Convenience – Manafort May Have Picked the Wrong Option

Paul Manafort, President Trump’s former campaign manager, is in trouble with the Feds.  Again.

Federal prosecutors say that Manafort attempted to tamper with witnesses to make sure that their testimony coordinated with his.

How the feds found out is that they got a warrant for his iCloud account.  WhatsApp and Telegram messages backed up to iCloud are not encrypted.

Poof, his cover was blown.

Manafort has been charged with money laundering, tax evasion and failing to register as a foreign agent.  Now the feds may add witness tampering to that.

Since he is currently out on bond and possible witness tampering probably was not on the court’s approved list of things to do while you are out on bond, they could, possibly, revoke his bond and send him to jail.  My guess is they will more likely use these new allegations to squeeze him some more.

So what should you do to avoid this situation?

Number one is don’t commit crimes.

Number two is if you are being prosecuted for possibly committing crimes, don’t commit even more crimes.

Number three is to remember that even if your end is secure, there is nothing to stop the recipients from giving you up.  The feds, for example, could say that they are going to charge the other person with a crime unless they cooperate.  Even if the charges are flimsy and don’t eventually hold up, they will still spend a lot of money and have their life turned upside down, so someone might decide to cooperate.

If you are creating records for yourself and you encrypt them, that makes it much harder for anyone to read them.  But you have to make sure that the software is well written and the keys are securely managed.  This is true whether you are planning a crime spree or just trying to protect your business.  Leaving the key in the locked door is not very secure.  It happens to businesses all the time.  They think they are protecting their data by encrypting it, but in reality, the keys are stored with the data.  If you do it right, they (meaning the feds or hackers from China) might be able to get the data, but the data will still be encrypted.  Could they crack the encryption?  Maybe.  All that takes is time and money.  Possibly a lot of both.  OR, they could hack your phone/computer and steal the encryption keys.

Bottom line – encryption is not a silver bullet, even if you are not a crook.  It is hard to do right and easy to do wrong.

Information for this post came from Gizmodo.

Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM) and they are the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of clients’ sensitive data files like insurance policy documents, health data, medical data, social security and medicare cards, blank checks for payment info and financial data.

Andrew Lech admitted to the faux-pas and quickly fixed it.

But not to worry; their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, it doesn’t, in this case, require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  The terms of service say:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  Don’t know for sure, but, look at the evidence.  This problem happens weekly.

Amazon has created a whole bucket of tools for you to use to help protect yourself from self-inflicted mortal wounds like this.  Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.
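The “unprotected bucket” in this story is, at the policy level, an Allow statement whose principal is everyone and which nothing narrows.  The following is an added example, not AgentRun’s or AWS’s code: it embeds a constructed bucket policy (placeholder bucket, account and VPC endpoint values) and a check that reports every statement granting anonymous access, which is the kind of permission check a vendor review or your own cloud team should be running.

```python
"""Flag anonymous grants in an S3 bucket policy document.

Added example, not AgentRun's or AWS's code. The policy is constructed and
the bucket/account values are placeholders. A statement is world-open when
Effect is Allow, the Principal is anonymous ("*" or {"AWS": "*"}) and no
Condition narrows it; anonymous statements that carry a Condition are
reported too, at lower severity, so a human still looks at them.
"""
import json

# Constructed policy: PublicRead is the classic mistake, AppRole is scoped to
# one IAM role and fine, Conditioned is anonymous but narrowed by a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-ROLE"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"},
        {"Sid": "Conditioned", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})


def is_anonymous(principal):
    """True when the Principal element grants to everyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json):
    """Return (Sid, severity) for each Allow statement with an anonymous
    principal: "unconditional" if nothing narrows it, else "conditional"."""
    stmts = json.loads(policy_json)["Statement"]
    if isinstance(stmts, dict):  # a single statement may be a bare object
        stmts = [stmts]
    return [
        (s.get("Sid", "<no Sid>"),
         "conditional" if s.get("Condition") else "unconditional")
        for s in stmts
        if s.get("Effect") == "Allow" and is_anonymous(s.get("Principal"))
    ]
```

Amazon’s Block Public Access settings (the `PutPublicAccessBlock` call in the S3 API) make a statement like PublicRead ineffective even if it slips past review, so turn them on at the account level rather than relying on policy audits alone.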

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.
