Category Archives: Best Practices

Credit Cards in the Cloud, Oh My!

Way back in the dark ages of 2013 the PCI Security Standards Council (PCI SSC) released a document regarding processing credit cards in the cloud.  It was 52 pages.

This month the PCI SSC released a new version of that same document.  It is now 83 pages.

This version seems to better understand the risk of the cloud – where you don’t even know what precise infrastructure you are running on.

Ultimately, if you accept credit cards, you own the risk and contractually, you are responsible, even if the cloud provider says “trust us”.  For a copy of the new standard, click here.

Information for this post came from The Register.

What does this mean for you?

Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.

Some companies have outsourced payment cards to companies like Paypal or Square.  That used to mean that you weren’t accountable for security, but that changed a couple of years ago.  The requirements are simpler, but you still are responsible.

But let's say you are a company that does e-commerce and your servers run in the cloud.  You may collect the credit card info and hand it off to a gateway.  This document applies to you.

In general, all companies that accept credit cards are required to complete an assessment at least once a year.  The PCI Council has created over a dozen different assessments, depending on your configuration.

For everyone but the largest players, you can do the assessment yourself.  You can also get an outside provider to help you complete the assessment.  We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.

Your credit card processor can fine you or drop you altogether if you do not provide them your completed assessment if they ask.

Also, the assessment is pass-fail.  Either you answer all the questions correctly, or you fail.  One NO is a fail.

If you have questions, please give us a call.

GrayKey iPhone Cracking Software Can Unlock Phones in a Few Hours

It wasn’t so long ago that 4-digit passcodes were the norm.

Now 6-digit passcodes are obsolete.

GrayKey, the new kid on the block, offers low-cost cracking of iPhones up to and including the iPhone X.  Users who are concerned about that need to change their password habits.

Pricing on GrayKey, supposedly, is $15,000 to unlock 300 phones ($50 a phone) or $30,000 to unlock an unlimited number of phones.

At that price, the cops are falling over themselves to buy these things.  DHS is interested, along with the FBI.  The Maryland State Police has bought some as has Cincinnati.  My guess is that, at that price, there are lots of other agencies that have bought them.  This likely means that the conversation about “going dark” is a bit overblown.

In fact, Congress asked the FBI to ‘splain itself.  As the FBI is saying that they need to weaken device and app security by adding back doors that are unlikely to stay secret for long (you may remember that the master keys that DHS has for those travel locks on your luggage were ALL compromised when some genius at DHS allowed reporters to take pictures of the keys for an article), Congress is asking if they have used products like GrayKey to try unlocking those devices.

Since, for the most part, people choose short, obvious PINs (1234 or maybe 123456), those tools likely work pretty well.

6-digit passcodes (I gather this means 6 numbers) can be cracked in 11 hours on average (double that, worst case) using the software.

According to noted Johns Hopkins cryptographer Matthew Green, an 8-digit passcode would take 92 days worst case (46 days on average) and a 10-digit passcode would take 9,259 days.

Information for this post came from Motherboard.

What this means for the user is that, if you care about privacy, longer passcodes are better.  Alphanumeric passwords are better.  Words not in the dictionary are better.  Combining upper case, lower case and numbers in a somewhat random way (Monkey123 doesn’t count as strong even though it technically meets most of the criteria) is the best strategy.

It’s really pretty simple.  Longer is better.  The GrayKey software cracked some passwords in 30 seconds.
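As an added worked example (not from the original post and not GrayKey's software), the script below turns the figures quoted above into a brute-force time calculator; the 0.08 seconds per guess it assumes is back-derived from those figures, and the 50,000-word attacker dictionary is an assumption used to show why a word-plus-digits password like Monkey123 is no better than an 8-digit PIN.

```python
"""Brute-force time estimates for iPhone-style passcodes.

Added illustration for the post above, not code from the post or from GrayKey.
SECONDS_PER_GUESS is an assumption back-derived from the quoted figures:
11 hours average for 6 digits and 9,259 days for 10 digits both imply ~0.08 s/guess.
"""

SECONDS_PER_GUESS = 0.08                 # assumption, see docstring
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

DIGITS = 10                              # numeric passcode alphabet: 0-9
ALNUM = 62                               # a-z, A-Z, 0-9


def guesses_needed(alphabet_size: int, length: int, worst_case: bool = True) -> float:
    """Guesses to exhaust the keyspace (worst case) or, on average, half of it."""
    total = alphabet_size ** length
    return float(total) if worst_case else total / 2


def crack_seconds(alphabet_size: int, length: int, worst_case: bool = True,
                  seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    return guesses_needed(alphabet_size, length, worst_case) * seconds_per_guess


def crack_days(alphabet_size: int, length: int, worst_case: bool = True) -> float:
    return crack_seconds(alphabet_size, length, worst_case) / SECONDS_PER_DAY


def word_plus_digits_guesses(dictionary_words: int, digit_suffix: int,
                             capitalize: bool = True) -> int:
    """Keyspace for a 'Monkey123' pattern when the attacker guesses word+digits
    combinations instead of arbitrary strings. dictionary_words is assumed."""
    variants = 2 if capitalize else 1    # 'monkey' vs 'Monkey'
    return dictionary_words * variants * 10 ** digit_suffix


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 2 * 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 2 * SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 2 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    for length in (4, 6, 8, 10):
        print(f"{length:2d} digits: avg {human(crack_seconds(DIGITS, length, False))}, "
              f"worst {human(crack_seconds(DIGITS, length))}")
    print(f" 8 alphanumeric chars: worst {human(crack_seconds(ALNUM, 8))}")
    # word + 3 digits against an assumed 50,000-word list: same keyspace as an 8-digit PIN
    print(f"word+3 digits: worst {human(word_plus_digits_guesses(50_000, 3) * SECONDS_PER_GUESS)}")
```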


Email Breach at Oxygen Equipment Maker Affects 30,000

Oxygen equipment maker Inogen announced that information on 30,000 customers was hacked as an attacker compromised the credentials of an employee.

In the grand scheme of breaches, this one barely registers.  Yes, HIPAA protected information was taken (and Health and Human Services may come after them in, say, 2021), but it is another example of totally preventable self-inflicted wounds.

OK, now that I have sufficiently beaten them up, let's look at what they did wrong.

The company is publicly traded, so they need to be SOX compliant.  They should have a Board advising them on issues like cybersecurity, but likely do not.  Totally silent on the issue.

The breach went from January 2 to March 14 – certainly not the longest breach, but certainly not the shortest.  I know of an incident recently where a company received indicators of a breach at 6:30 AM one day and had contained and mitigated the breach before 9:00 AM the same day and they are looking to shorten that window.  What kind of monitoring and alerting did Inogen have?  Over two months for the hacker to do the dastardly deed?  Obviously, not good enough.

The stolen emails contained name, address, phone number, email address, date of birth, date of death, Medicare ID number, insurance information and type of equipment.  What is that doing in email?  That belongs inside a secure application or web portal.  Not only is this a HIPAA violation before the breach, it is a privacy breach after the event.  The company is based in California, so the Attorney General may be rattling their cage as well.

The worker’s credentials were compromised and then the attacker logged in. From another country.  Two factor authentication would have neutered the attack and, failing that, conditional access geo-fencing would have stopped the attacker cold.  Where was their CISO?  Do they even have one?
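To make the geo-fencing and two-factor points concrete, here is an added example (not Inogen's code or any vendor's product) that applies a simple conditional-access policy to constructed sign-in log lines; the log format, the allowed-country list and the field names are assumptions.

```python
"""Conditional-access check over sign-in events.

Added illustration for the Inogen post, not Inogen's code or any vendor's product.
Log lines are constructed; country and MFA fields are assumed to come from the
identity provider's sign-in log (geo-IP lookup already done).
"""
import re
from datetime import datetime

# Constructed sample: normal US logins with MFA, then foreign logins without MFA.
SAMPLE_LOG = """\
2018-01-01T13:02:11Z user=jsmith ip=203.0.113.5 country=US mfa=yes result=success
2018-01-02T02:41:07Z user=jsmith ip=198.51.100.77 country=XX mfa=no result=success
2018-01-02T02:43:55Z user=jsmith ip=198.51.100.77 country=XX mfa=no result=success
2018-01-03T09:15:30Z user=amlee ip=203.0.113.9 country=US mfa=no result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

ALLOWED_COUNTRIES = {"US"}   # assumed policy: staff only sign in from the US
REQUIRE_MFA = True           # assumed policy: every successful login needs a second factor

def parse(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()

def evaluate(event: dict) -> list:
    """Return the policy violations for one successful sign-in (failures are ignored)."""
    reasons = []
    if event["result"] != "success":
        return reasons
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"login from outside geo-fence ({event['country']})")
    if REQUIRE_MFA and event["mfa"] == "no":
        reasons.append("login without second factor")
    return reasons

def scan(log_text: str) -> list:
    """Return (timestamp, user, ip, reason) tuples for every policy violation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for reason in evaluate(ev):
            alerts.append((when, ev["user"], ev["ip"], reason))
    return alerts

if __name__ == "__main__":
    for when, user, ip, reason in scan(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M} {user:<8} {ip:<16} {reason}")
```

In a real deployment the same policy would be enforced at login time (blocking the session) rather than only raising an alert afterwards.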

One thing they did right – they disclosed the breach in their latest SEC filings. In light of the SEC’s new cybersecurity transparency rules, that is probably a very smart move (to disclose).  One less party out to sue them.

In the SEC filing the company said they hired a forensics firm and made users change their passwords.  Definitely impressive (not).

They have also turned on two factor authentication.  A little late, but better late than never.

Oh, yeah, they have started training.  Nice.  Would have been nicer years ago.

One challenge is the founders are a few young kids who did not, until this, have many battle scars.

I am guessing they are getting those scars now.

Finally, they say in the SEC filing that they have insurance but it may not cover the costs.  Cyber insurance is good, but you better have enough and the right options.  Depending on what lawsuits happen and what regulators (such as Cali and HHS) go after them, this could cost them a couple of million or more.  Depending on what coverage they have, they could be writing all or part of that check themselves.

As a side note, Airway Oxygen, likely a competitor, told HHS last June that they had a breach affecting 500,000 customers.

Cardionet paid a fine to HHS last year of $2.5 million.  That is just the fine and doesn’t cover any other costs.  With a fine like that, Inogen’s total costs could be in the $3-$5 million range.  If they have a $1 million cyber policy, they will be writing a large check.

Other companies could learn from their lessons.  The learning part is free.  OR, they can wait until their story is in the news.  That can be a tad more expensive!

Information for this post came from Careers Info Security.


President Signs SESTA/FOSTA; Web Sites Start Shutting Down Services

SESTA/FOSTA was a bill that was supposedly designed to shut down sex trafficking sites on the Internet by effectively repealing the protections provided by Section 230 of the Communications Decency Act which protects online service providers like Facebook and Google from being prosecuted for the postings of their users.

The bills, which have been around in different forms for a couple of years, were snuck into the budget bill in the dark of night.  There was no debate, no committee hearing and no markup of the bill.  Likely, knowing DC, it was a quid pro quo to get someone to vote for the budget bill.

Section 230 of the Communications Decency Act protects online service providers from being held accountable for what their customers post.  While the “claim” is that this bill is designed to punish web sites that post prostitution ads, it is so poorly written that it could be used as a club against any web site that a federal prosecutor chooses to target.  The main target of the bill was Backpage, which did post, in my opinion, prostitution ads, but that site was shut down and the people responsible for it arrested days before the President signed this bill, so, apparently, the feds did not need this law to shut down what was proclaimed to be the target of the bill.

Fringe dating sites, sex trade advertising sites, parts of Craigslist and other sites have already shut down.  Google has started wielding a meat axe on their site to ensure they are not charged.  All this before the law likely is implemented, some time next year (Source: Motherboard Vice).

Given this, what should you do?

First, this really only affects you if you run a website and you allow users to post content on that site.

For the moment, let's assume that you do run a website that allows users to post content such as comments or reviews.  Up until now, the rule was that if you did not impose editorial control over that content, then you were not liable for it.

Now, apparently, you are.

This means that you need to do one of two things:

1. Shut down the part of the web site that allows users to post content.  If this destroys your business model, tough.  Write a letter to Congress.  What Congress giveth, Congress can taketh away.

2. If that is not an attractive option, then you have to create a process to review every post to make sure that it cannot be misconstrued by some over eager federal prosecutor to charge you.

Remember, you do not have to be guilty to be charged and proving yourself innocent can be very expensive.

I am not sure if cyber insurance will start covering this.  Prior to the effective repeal of Section 230, they did.  Now, it is not clear at all.

Fundamentally, you have to exercise full editorial control over the content.

Don’t be surprised if people start figuring out which sites do not monitor posts and start using those sites as a replacement for the ones that shut down.

As we get closer to 2019, there could be some clarity and, possibly although unlikely, Congress could amend the legislation.

In the meantime, stay tuned and start setting up those processes.

The Darker Side of Drones

Over a million drones have been sold to the hobby market in the U.S. alone.  Some have been sold with more nefarious purposes intended.

To make matters worse, the FAA expects that number to triple – to over 4 million drones – by 2021.

Drones are used by farmers to manage their fields, to inspect infrastructure such as pipelines, and even, on a trial basis, by Amazon to deliver your package.

In Iraq and Syria they are used to drop grenades and small explosives; at prisons, to deliver contraband; and in your back yard, to take pictures of you while sunbathing in your birthday suit.

In addition to these stories, there are hundreds of new stories every day.

The challenge is how to separate the good from the bad and that is not easy.

Information for this post came from World Wide Technologies.

The first answer is that today, for consumers, there is no good answer.  The military is probably in a little better position, but not much.

It is important to understand that shooting down your neighbor’s drone or even interfering with its radio or GPS signal is a crime and will get you arrested (and has gotten people arrested) if you are caught at it. Under U.S. law, a drone is considered an airplane and shooting down your neighbor’s $500 DJI drone will get you the same treatment as if you shot down a commercial airplane – so don’t even think about it.

Here is what the experts are looking at.  Some drones stay in radio contact with their controllers.  If that is true, you may be able, with the right equipment and some luck, to trace the radio signals back to the controller.

Some drones can be programmed to travel a flight path without any communication back to their owner.  In order to track those you need far more sophisticated technology – infrared signal trackers, for example.  Very expensive today.

The drone maker DJI has released AeroScope, a system that tracks only DJI drones by the signals that they emit.  Owners can, however, encrypt those signals, and the system won’t track competitors’ drones, so it is of limited use.

For drones used for surveillance, such as, possibly, the one that crashed into the 40th floor of the Empire State Building last year, standard security measures work – close the blinds to keep out cameras, encrypt WiFi to discourage eavesdropping and if you think you are a target like banks and law firms, up the ante on those – strong encryption and light/radio blocking window blinds.

Right now the bad guys are winning, but stay tuned, people are working on the problem.


Fake DC Cell Tower Story Has New Legs

Last week I wrote about the problem of fake cell towers in DC.

Well, the story has some interesting twists and turns.

First, the largest maker of these devices (at least as best we know) is Harris Corp., maker of the Stingray family.  Harris has been so closed-mouthed about them that they have made the FBI drop cases against crooks instead of disclosing that these things even exist.

Well, the cat is out of the proverbial bag regarding the fact that there are probably gobs of these things on the loose, made by who knows whom – probably some are home brew – and they are listening in on – maybe Congress critters.

You have probably heard that there is nothing worse than a Congress critter scared that his or her cover is blown – whether it is a mistress or payoff or leak or whatever – and now susceptible to blackmail.  That’s why when you are getting approved for a security clearance, they want to know about all of your skeletons.  Not because they care very much, but because they don’t want the bad guys to use them against you.

It sounds like there may be Stingrays and Stingray-lookalikes all over the country, likely near sensitive facilities, and the FCC and DHS are playing stupid about it.

Why would they do that?

NOTE TO HARRIS CORP:  JUST PICKING ON YOU BECAUSE YOU ARE THE MOST WELL KNOWN CELL INTERCEPTOR.  I SUSPECT THAT AT LEAST SOME OF THESE BOGUS INTERCEPTORS DON’T COME FROM YOU.

Who do you think is the largest (legal) user of Stingrays?  U.S. law enforcement and spies – and since they don’t want people to know anything about what they are doing, there are no records kept, so no one really knows if a Stingray belongs to the FBI or the KGB or whatever China’s version of those two is.

You can count on all of those having deployed some of them.

But, we don’t really know, actually.

Some of those Congress critters now want to skewer Ajit Pai, head of the FCC.  This could get entertaining, at a minimum.

Information for this post came from The Register.

So what can you do?  Unfortunately, not a huge amount, but there are some things.

Number one is don’t use your cell phone.

Well, not like that.

If you make calls from the data side of your phone, these devices cannot intercept the calls in the same way.

Say you make a call using Signal or WhatsApp.  The call is just more data.  Even the number you are calling is just data.  And it is encrypted.  Can spies, given the right motivation, crack the crypto?  Probably, even likely.  Even if it means hacking into your phone.  But you would need to be a very specific target for that to be worthwhile.

Power off your phone when you are not using it.  Truly a pain, but they can’t pick up a signal if the phone is off.  If you want to be off the grid for some reason, you have to be off the grid.

If you are Edward Snowden, you put the phone in the oven (preferably OFF) or the freezer (Likely ON).  Both are sealed metal boxes that don’t transmit radio waves.

If you are paranoid, Amazon sells RF shielding pouches, the portable version of Snowden’s oven or freezer for as little as $6.99.  For an example of one, click here.

So, while there is likely some risk, unless you are at high risk for some other reason, I probably wouldn’t worry much about it.  But, if you are concerned or just want to ‘stick it to the man’, there are some things that you can do if you are willing to be a little inconvenienced.
