Category Archives: Best Practices

Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft bug that the NSA decided was too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So whose fault is it?  Should the government tell vendors to fix bugs, or should it risk not telling them and having a Baltimore, a WannaCry (which destroyed the British healthcare system), a NotPetya or many others?

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore because Microsoft patched the flaw in March 2017 and apparently, it is not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage.  For lack of a patch.  To be fair, it might have happened anyway.  But it would not have spread like wildfire.   Source:  NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumer’s credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.

Cisco Warns Thrangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – it’s not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.

New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia, a New Zealand-based cryptocurrency exchange, is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.

Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems for nine months between June 2018 and March 2019 and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken.  What they didn’t say, because they are not forced to by law, was what else was taken.  According to the security firm Crowdstrike, the best hackers move laterally from the system in which they entered, in 18 minutes.  The average hackers take 10 hours.  Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS.  One reason might be that an unknown proprietary OS that only the Chinese military has the source code for would be harder for the US to hack than any other OS.  Source: ZDNet.

Self Inflicted Cyber Breaches Still Huge Problem Along with Third Party Risk

And it continues to be a major issue for some reason.

This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose that) in an exposed Elasticsearch database.

The server was discovered on May 27th and the data goes back to April 19th, so that might be the exposure window.

The server has been connected to the Pyramid Hotel Group.  Their web site says they provide superior operations, owner relations and support services to hotels and their investors.  IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.

The data was locked down after Pyramid was informed but they have not publicly admitted to the breach.

IN THE U.S., THERE MAY BE NO LEGAL REQUIREMENT TO DISCLOSE BREACHES OF THIS TYPE BECAUSE THEY MAY NOT CONTAIN ANY NON-PUBLIC PERSONAL INFORMATION.

It is unknown what the contracts between these hotel owners and Pyramid say, but for our clients who engage us to review outsourcing contracts, Pyramid would have a huge liability in this case – probably in the tens of millions or more due to the amount of emergency work that will be required to mitigate the damage – see below.

Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.

What’s in the data?

  • Information on hotel room locks and room safes.
  • Physical security management equipment.
  • Server access API keys
  • Passwords
  • Device names
  • Firewall and open port data
  • Malware alerts
  • Login attempt information
  • Application errors
  • Hotel employee names and usernames
  • Local PC names and OS details
  • Server names and OS details
  • security policy details
  • and a bunch of other information.

In other words, a veritable road map for the bad-peops.

Businesses need to create processes to manage new cloud instances and ensure they are secure as well as audit existing cloud instances.

Likely in this case, this instance was created by an employee to do a particular task and probably never even considered security.

Servers will now need to be rekeyed and automation edited to accommodate that and companies will need to figure out the security implications and mitigations of the rest of the data that was exposed.
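One concrete control that follows from the two points above (audit what is already sitting in a log store, and stop secrets from landing there in the first place) is a secret scanner that runs over log lines before they are shipped, and over an export of an existing index afterwards. The following is an added example written for this post; it is not code from Pyramid, ZDNet or the researchers. The log lines are constructed, and the regular expressions, the `ak_`/`AKIA` key formats and the `[REDACTED]` marker are assumptions you would adapt to whatever your own applications actually emit.

```python
import re

# Assumed patterns for the kinds of secrets the exposed logs were reported to
# contain (API keys, passwords, tokens). Tune them to your own log formats.
SECRET_PATTERNS = [
    # key=value / key: value credentials copied into app or firewall logs
    ("kv_credential", re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)"
        r"(\s*[=:]\s*)(['\"]?)([^\s'\"&,;]+)\3")),
    # HTTP Authorization headers that end up in access logs
    ("bearer_token", re.compile(r"(?i)\b(Bearer)\s+([A-Za-z0-9\-._~+/]+=*)")),
    # AWS-style access key ids: the AKIA prefix followed by 16 upper-case chars
    ("aws_access_key", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

REDACTED = "[REDACTED]"


def redact_line(line):
    """Return (redacted_line, findings); findings lists the secret types seen."""
    findings = []
    for name, pattern in SECRET_PATTERNS:
        def _sub(m, name=name):
            findings.append(name)
            if name == "kv_credential":
                # keep the key name, separator and quoting; drop only the value
                return f"{m.group(1)}{m.group(2)}{m.group(3)}{REDACTED}{m.group(3)}"
            if name == "bearer_token":
                return f"{m.group(1)} {REDACTED}"
            return REDACTED
        line = pattern.sub(_sub, line)
    return line, findings


def redact_log(lines):
    """Filter to run on the shipping path, before lines reach the log store."""
    return [redact_line(line)[0] for line in lines]


def audit_log(lines):
    """Scan an export of an existing index; map secret type -> 1-based line numbers.

    Every hit is a credential that must be rotated, not just deleted from the index.
    """
    summary = {}
    for number, line in enumerate(lines, 1):
        _, findings = redact_line(line)
        for kind in findings:
            summary.setdefault(kind, []).append(number)
    return summary


# Constructed sample log lines (not from the real incident).
SAMPLE_LOG = [
    "2019-05-20T10:01:02Z app01 login ok user=jsmith",
    '2019-05-20T10:01:05Z app01 backup job started api_key="ak_example_0123456789"',
    "2019-05-20T10:02:11Z fw01 ssh auth failed for user=admin password=Hunter2! src=10.0.0.9",
    "2019-05-20T10:03:44Z web01 GET /api/locks Authorization: Bearer abc.def.ghi",
    "2019-05-20T10:04:00Z s3sync using key AKIAEXAMPLEEXAMPLE12",
]

if __name__ == "__main__":
    for kind, lines in audit_log(SAMPLE_LOG).items():
        print(f"{kind}: rotate credentials found on lines {lines}")
    print("\n".join(redact_log(SAMPLE_LOG)))
```

The audit report is the rekeying list the post mentions: once a key has been in an open index, redacting it afterwards is not enough and the credential itself has to be replaced. Running `redact_log` as a step in the log shipper (filebeat/fluentd processor, syslog relay, or the application's own handler) is what keeps the next instance from turning into the same road map.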

And of course, since this is an outsource vendor, these companies’ vendor cyber risk management programs are, apparently, defective.

Information for this post came from ZDNet.


$67 Million Jury Verdict for Violating People’s Privacy

This is not directly a security issue.  Or a privacy issue. Because the County did not get hacked.

BUT it still is important to businesses.  And governments.

Juries are no longer sitting back and allowing organizations to ignore basic privacy law without consequences.

In this case it is Bucks County, Pennsylvania (population about 650,000), and this is going to cost them some bucks.

The federal jury awarded $1,000 for each of the 67,000 people who were booked into jail in the county since 1938.

The Bucks County budget is about $400 million, so this verdict, if it stands, represents about 16% of the total county budget for a year.

These people, whether they were convicted of a crime or not, were added to a publicly available web site called the Inmate Lookup Tool.

The suit started in 2013 – six years ago – when Daryoush Taha was arrested and charged with harassment, disorderly conduct and resisting arrest.  He was released the next day.  He completed a one year probationary program for first time offenders and the judge ordered that his arrest record be expunged.

For whatever reason, the folks that ran the Inmate Lookup Tool didn’t get the message and his name, photo, personal details and charges were available online.  Apparently, posting that information online is against the law in Pennsylvania.

The federal judge granted class action status and the plaintiff’s attorney said, in closing arguments, that residents have the right to expect that local governments follow the law.

The county said that they did not know that posting all of this personal information on people who were arrested was illegal.

Basically, their defense was “we’re dumb.  We didn’t know the law.”

I wonder how that defense would work for someone they arrested?

Likely the County does not have insurance for this and, for the most part, you cannot get insurance to cover the penalty for being convicted of a crime.

This is only one of a number of cases we have seen lately where juries have said (to steal a line from a movie) “I’m as mad as hell and I am not going to put up with it any more”.

For businesses, this means that a defense of ignorance or gee, I’m sorry, is not a sure fire defense anymore.  We just saw Equifax’s Moody’s rating downgraded to NEGATIVE as a result of their breach as an example.

Information for this post came from the Philly Inquirer.

I don’t have a crystal ball, but I don’t see this getting better for companies that violate privacy or security laws in the future.

Security news for the Week Ending May 24, 2019

SalesForce Gives Users Access To All of Your Company’s Data

In what can only be called an Oops, SalesForce deployed a script last Friday that gave users of certain parts of SalesForce access to all of the data that a company had on the system.  The good news is that it didn’t show you anyone else’s data,  but it did give users both read and write access to all of their company’s data.

In order to fix it, Salesforce took down large parts of its environment, causing some companies that depend on SalesForce to shut their company down and send employees home.

This brings up the issue of disaster recovery and business continuity.  Just because it is in the cloud does not mean that you won’t have a disaster.  It is not clear if replicating your SalesForce app to another data center would have kept these companies working.  Source: ZDNet.

Google Tracks Your Online Purchases Through GMail

While this is probably not going to show up as a surprise, Google scans your emails to find receipts from online purchases and stores them in your Google purchase history at https://myaccount.google.com/purchases.  This is true whether you use Google Pay or not.  One user reported that Google tracked their Dominos Pizza and 1-800-Flowers purchases, as well as Amazon, among other stores.

You can delete this history if you have masochistic tendencies, but I doubt anyone is going to do that because it requires you to delete the underlying email that caused it to populate the purchase, one by one.  There is also no way to turn this “Feature” off.

It appears that it keeps this data forever.

Google said they are not using this data to serve ads, but they did not respond to the question about if they use it for other purposes.  Source: Bleeping Computer.

President Trump Building An Email List to Bypass Social Media

Welcome to the world of big data.  The Prez has created a survey for people to submit information about how they have been wronged by social media.  And get you subscribed to his email list.  Nothing illegal.  Nothing nefarious.  Just a big data grab.

If you read the user agreement, it says you “grant the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content.  (NOTE: That “content” includes your email address and phone number).  The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media.” 

This seems to be hosted on the Whitehouse.Gov servers.  It is not clear who will have access to this data or for what purpose.  Source: Vice.

Colorado Governor Declares Statewide Emergency After Ransomware Attack

Last year the Colorado Department of Transportation suffered a ransomware attack.  Initially the state thought it was getting a handle on the attack, but ten days later it came back.

It was the first time any state had issued a Statewide Emergency for a cyberattack.  Ever!  Anywhere!

It had the effect that the state was able to mobilize the National Guard, call in resources from other departments, activate the state Department of Homeland Security and Emergency Management and get help from the FBI and the US Department of Homeland Security.  It also allowed them to call for “Mutual Aid”, the process where neighboring jurisdictions – in this case neighboring states – provided assistance.

It worked and since then, other states have begun to do this.

When you have a disaster, even a cyber disaster, you need a lot of resources and an emergency declaration is one way to do it. Source: StateScoop.

Latest Breach – 885 Million Records

First American Financial, one of the largest title insurance companies, exposed 885 million records going back to 2003 due to a software design flaw.  The records include all kinds of sensitive records that are associated with real estate closings.  Source:  Krebs on Security.

Over 90 Percent of IoT Data Transactions Are Not Encrypted

According to a report released by  cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.

This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.

The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.

These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.

Given that, what should you do?

First of all, you should be scanning your corporate network to look for these IoT devices since according to the survey, many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.

Next you need to create a policy regarding what devices you are going to allow.  There is no right or wrong answer, but it should be a conscious decision.

Finally, you should isolate all of those devices onto the anything-but network.  Meaning, anything but your trusted internal company networks.  You probably want to group these into multiple anything-but networks.  For example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.

While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for.  Then you have to figure out how the heck you can patch them.

And, if you CAN turn on encryption, you should probably do so.
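The three steps above (find the devices, decide a policy, segment them) and the 91% figure can be checked against your own traffic rather than taken from the report. The following is an added example written for this post, not Zscaler's code or the report's methodology: it takes a constructed device inventory (the output you would get from the network scan in step one) and constructed flow records (source, destination, destination port, protocol), classifies each flow as cleartext or encrypted by destination port, reports the cleartext share per device type, flags consumer-grade devices that talk in the clear, and proposes the per-category anything-but segments the post describes. The port lists, device categories, IP addresses and segment names are all assumptions; `proto` is carried only so you can extend the classifier for UDP.

```python
from collections import defaultdict

# Constructed inventory from the device scan: ip -> (device type, grade).
DEVICE_INVENTORY = {
    "10.1.5.10": ("camera", "consumer"),
    "10.1.5.11": ("printer", "enterprise"),
    "10.1.5.12": ("tv", "consumer"),
    "10.1.5.13": ("ip-phone", "enterprise"),
}

# Assumed port classification. Unknown ports are reported separately rather
# than guessed, so the ratio is computed only over flows we can classify.
ENCRYPTED_PORTS = {22, 443, 465, 993, 995, 5061, 8443, 8883}
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 143, 1883, 5060, 8080, 9100}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.1.5.10", "203.0.113.5", 80, "tcp"),     # camera, plain HTTP
    ("10.1.5.10", "203.0.113.5", 80, "tcp"),
    ("10.1.5.10", "203.0.113.5", 1883, "tcp"),   # camera, plain MQTT
    ("10.1.5.11", "10.1.1.20", 443, "tcp"),      # printer, HTTPS
    ("10.1.5.11", "10.1.1.20", 9100, "tcp"),     # printer, raw JetDirect
    ("10.1.5.12", "198.51.100.7", 80, "tcp"),    # tv, plain HTTP
    ("10.1.5.12", "198.51.100.7", 443, "tcp"),   # tv, HTTPS
    ("10.1.5.13", "10.1.1.30", 5060, "udp"),     # phone, plain SIP
    ("10.1.5.13", "10.1.1.30", 5061, "tcp"),     # phone, SIP over TLS
    ("10.1.5.12", "198.51.100.9", 12345, "tcp"), # tv, unknown port
]


def classify_flow(flow):
    """Return 'cleartext', 'encrypted' or 'unknown' from the destination port."""
    _, _, dport, _ = flow
    if dport in ENCRYPTED_PORTS:
        return "encrypted"
    if dport in CLEARTEXT_PORTS:
        return "cleartext"
    return "unknown"


def summarize(flows, inventory):
    """Per device type, count flows in each class; devices not in the inventory are skipped."""
    counts = defaultdict(lambda: {"cleartext": 0, "encrypted": 0, "unknown": 0})
    for flow in flows:
        src = flow[0]
        if src not in inventory:
            continue
        device_type = inventory[src][0]
        counts[device_type][classify_flow(flow)] += 1
    return dict(counts)


def cleartext_ratio(flows, inventory):
    """Share of classifiable IoT flows that are unencrypted (the report's 91% metric)."""
    totals = defaultdict(int)
    for per_type in summarize(flows, inventory).values():
        for kind, n in per_type.items():
            totals[kind] += n
    classified = totals["cleartext"] + totals["encrypted"]
    return totals["cleartext"] / classified if classified else 0.0


def consumer_devices_in_the_clear(flows, inventory):
    """IPs of consumer-grade devices observed sending cleartext: first candidates for the policy review."""
    hits = set()
    for flow in flows:
        src = flow[0]
        if src in inventory and inventory[src][1] == "consumer" and classify_flow(flow) == "cleartext":
            hits.add(src)
    return sorted(hits)


# Assumed segment plan following the post: phones, printers, everything else smart.
SEGMENT_FOR_TYPE = {"ip-phone": "iot-phones", "printer": "iot-printers"}


def recommend_segments(inventory):
    """Group inventory IPs into anything-but segments by device type."""
    segments = defaultdict(list)
    for ip, (device_type, _) in sorted(inventory.items()):
        segments[SEGMENT_FOR_TYPE.get(device_type, "iot-smart")].append(ip)
    return dict(segments)


if __name__ == "__main__":
    print(f"cleartext share: {cleartext_ratio(SAMPLE_FLOWS, DEVICE_INVENTORY):.0%}")
    print(summarize(SAMPLE_FLOWS, DEVICE_INVENTORY))
    print("consumer devices in the clear:", consumer_devices_in_the_clear(SAMPLE_FLOWS, DEVICE_INVENTORY))
    print(recommend_segments(DEVICE_INVENTORY))
```

Fed with real flow exports (NetFlow/IPFIX or firewall logs) and a real inventory, the same functions give you your own cleartext percentage per device class, which is the number you need to decide which categories go onto which anything-but network first and which devices you can actually switch to encrypted transports such as MQTT over TLS on 8883 instead of 1883.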

Doesn’t this sound like fun?  Source: Zscaler.


Baltimore Ransomware Recovery Continues

May 7, 2019 is the day things changed in the City and County of Baltimore.  That is the day that hackers encrypted computers used by 10,000 people in the offices of Baltimore City and County.

While 911 services continued to work, unfortunately the same could not be said for their phones and email.

The hackers want about $100,000 in Bitcoin to decrypt all the computers but the mayor says that the city is not going to pay.  The hacker also said that if the city didn’t pay the ransom in 10 days, the hacker would destroy the key.  That deadline has passed.

In the meantime the city can’t create utility bills, residents can’t pay their bills, people cannot buy or sell houses because they can’t check or record liens and time could not be entered so that employees could be paid.

Consider that this is YOUR company and not some city 2,000 miles away (from Denver, at least).

We are now more than two weeks into this and city and county systems are, for the most part, still down.

The attack came just days after Mayor Jack Young took over from former Mayor Catherine Pugh, who resigned facing an ever expanding corruption investigation.

Baltimore has no insurance to help pay for the costs, which are likely very substantial.  The city says they and outside consultants are working 24×7 to repair the damage.  This will cost millions.

And the Mayor says that they really don’t know when things will be back to normal – saying it will likely take months.

Baltimore knew this was a problem – they were attacked last year as well – and Baltimore’s information security manager said there were big problems during budget hearings last year.  But the budget did not include any money for strategic investments in IT.  It didn’t include money for security training of employees.

The City has had five Chief Information Officers in five years – not great for making progress.

The library, which is not part of the affected systems, is opening early and closing late so that city supervisors can enter employees’ time so that they will get paid.

This week the city came up with a plan to restart home sales.  The title companies are going to go down to the city and the city will print out a piece of paper with whatever lien information they have.  Buyers/sellers will have to sign a piece of paper that says that they will pay back any liens that they didn’t find.  Title companies will probably spend months (and lots of money) to clean up the mess after the systems come back online.

And if history is any indication, the city will discover that they don’t have backups of everything, so some data will be lost forever.  In other city attacks, the police lost electronic evidence of crimes and had to dismiss criminal cases.

Does any of this remind you of your organization?

Most of the City’s systems were hosted internally. The City’s website was almost a goner – not because it was infected.  It is hosted at Amazon.  But it is managed by a contractor, the contract had expired and the city was delinquent in its payments.

Bottom line is that companies should not hope that it won’t happen on their watch.  You don’t know.  Security is not optional.  Companies usually spend ten times or more to respond to a crisis than they would have spent if they planned for security.

Are you prepared?  Have you done everything you can to avoid being the next organization in the news?  Are you ready to recover if the worst happens?  One thing going in favor of the city of Baltimore?  There is no competition.  Unless you just plan to leave the city, you don’t have an option for an alternate provider.  That is likely not true for your customers.

Information for this post came from Vox and Ars Technica.
