Category Archives: Breach

Vendor. Cyber. Risk. Management!

I don’t know how to say this any more clearly, but vendors represent a huge risk to every organization.

Lion Air, the Indonesian parent of Malindo Air and other subsidiaries that were breached, confirmed the breach last week.

Why did they confirm it?  Perhaps they were being good corporate citizens.  An alternative explanation is that the Russian security firm Kaspersky (that the United States banned from federal systems, probably for good reason) outed them and warned customers in Malaysia and Thailand.

The breach compromised 46 million people’s data.

Lion Air cheerfully said that no credit cards – which are easily replaced – were compromised.

What was compromised is passport information (which is difficult and expensive to replace), birth dates (which I have been told are very hard to replace), names, home addresses (I guess you could move) and other personal information.  But no credit cards, so relax.

Oh, yeah, the data was left in an unprotected Amazon S3 bucket – NOT AMAZON’S FAULT!

This is just one of many vendor-induced breaches.  In June Upguard reported a terabyte of backup data belonging to Ford, Netflix and TD Bank was found unprotected on several Amazon S3 buckets.

Companies need to create and implement a comprehensive vendor cyber risk management program.  This differs from the traditional vendor risk management program, which worries about whether a company has insurance and is licensed; a cyber risk program in addition considers how the data that is entrusted to the vendor is being protected – either by the vendor, your company or both.  Many cloud providers, including Amazon, have what they call a “shared security model”, meaning that both parties are responsible.  In Amazon’s case, they provide the tools and the documentation, but you must use that information.  And frequently test. And test again.
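One concrete way to “use that information and test” is to audit the bucket’s own settings on a schedule.  The check below is an added example, not code from this post or from Amazon: it evaluates a constructed bucket policy and Public Access Block document offline, in the shape the S3 GetBucketPolicy and GetPublicAccessBlock APIs return them, and flags Allow statements that are open to an anonymous principal.

```python
"""Offline S3 exposure check (constructed example, not code from the post).
Inputs mirror what GetBucketPolicy and GetPublicAccessBlock return; no AWS call."""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} grants access to anyone, signed request or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_statements(policy):
    """(sid, kind, actions) for each Allow statement with a public principal.
    kind is "conditional" when a Condition block might narrow it: a human
    must read those rather than trust this script."""
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        kind = "conditional" if st.get("Condition") else "public"
        found.append((st.get("Sid", f"statement[{i}]"), kind,
                      sorted(_as_list(st.get("Action", [])))))
    return found

def public_access_block_gaps(config):
    """Names of the four Public Access Block settings that are not True."""
    cfg = config.get("PublicAccessBlockConfiguration", config)
    return [k for k in PAB_KEYS if cfg.get(k) is not True]

# Constructed sample inputs; 111122223333 is the AWS documentation example account.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
 {"Sid": "VendorBackup", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/BackupVendor"},
  "Resource": "arn:aws:s3:::example-backups/*"},
 {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": "arn:aws:s3:::example-backups/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
```

A Deny statement with a “*” principal is not a finding, and a vendor role granted by ARN is not public; the two Public Access Block settings reported as gaps are the ones that would have stopped the public policy from taking effect.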

Costs, fines and lawsuits as a result of this breach will no doubt cost Lion Air many millions of dollars.

One more consideration if you are wondering if you need a vendor cyber risk management program.

Colorado law (for those of you based here or with customers here) requires you to ensure that vendors are protecting your data before you share data with them, so by not having a vendor cyber risk management program you are actually committing a crime.

Source: ZDNet’s Dark Reading.

 


Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseboard Management Controller (BMC) in Supermicro motherboards that allows any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine.  Like stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows whose motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are worth more than iPhone attacks.  Why?  Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up an information-free notice last year that some user information had been hacked (it turns out it was 36 million accounts, even though they didn’t say so), but that no financial information was taken, so they didn’t feel too bad about it, most people said: another day, another breach.

The 36 million accounts were for sale for $750, which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows, but if you have a Poshmark account, you should definitely change that password and if the password was used elsewhere, change that too.  Source: Bleeping Computer.

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.


Security News for the Week Ending August 16, 2019

Unencrypted Biometric Data Database Found

A database called Biostar2, of the fingerprints and face scans of over a million people, used by police, defense contractors and banks, was found unencrypted and exposed on the Internet.  That was bad enough.

Then the article said that the database included user names, passwords and other personal information.  Can this get worse?

Yes.  The database was writable, so a hacker could add names to it.  How could that possibly be used for bad purposes?

The story goes downhill from there.  Source: UK Computing.

 

Is Your MacBook Allowed to Fly?

15-inch MacBook Pros purchased between September 2015 and February 2017 are now banned from airliners by the FAA, even in the cabin, due to the risk of catching fire.  I am not sure how the airlines plan to deal with this ban as it is basically serial number related.  In any case, if you own one, Apple will repair it for free, so you probably should do that.  Source: PCMag.

 

Capital One Hacker Breached Many Companies

Paige Thompson, the hacker being charged in the Capital One breach, may have hacked as many as 30 companies, although the Justice Department is not saying who.  Media reports say the companies include Vodafone, Ford, Michigan State University and the Ohio Department of Transportation, among others.  I am guessing that at some point these organizations will be forced to disclose that they were breached.  Source: Techcrunch.

 


Ransomware, The Next Generation

Hackers are nothing if not creative.  Combine that with businesses not paying enough attention to security and you get a mess.

Researchers discovered an unprotected database with over 5 million client records belonging to Choice Hotels.

The hotel says there is good news.  Only 700,000 of those records were from real customers.  Doesn’t that make you feel better already?

However, that good news is limited.  The researchers were not the first ones there.  They found a ransom note in the database.  It appears that the bad guys copied the data and tried to delete it but something went wrong.  They wanted 0.4 Bitcoin or about $4,000 for the data.  Given the company and the data, they must have been hoping for an easy payday because that much data should be worth a lot more.

That is the next generation of ransomware.  COPY the data, then encrypt it or DELETE IT.  Then demand a ransom to get it back.  If you don’t pay the ransom, they RELEASE the data.  Or SELL it.  For this generation of ransomware, backups do not help.  The only thing that helps is keeping the bad guys out.  Call it ransomware 2.0.  Luckily in this case, the bad guys were incompetent.  Maybe not the next time.

The database was set up for or by a vendor.  The hotel says that as a result of the breach, they won’t be working with that vendor any more.

The hotel did not initially launch an investigation, but eventually did.

So what is the message here?

Just because you are working with a vendor does not let you off the hook.

What was the hotel thinking giving a vendor live data to test with?  What might the consequences be if the data was released publicly?

How much due diligence did the hotel do on the vendor’s cybersecurity program before they gave them the data?  Under some state laws (like Colorado), the hotel would be responsible for ensuring that the vendor had the ability to protect the data BEFORE they handed the data over.

Now the hotel chain will have to face the regulators and the lawsuits and the fines. 

All of this should be part of a company’s vendor cyber risk management program.  Maybe Choice Hotels needs to rethink its vendor cyber risk management program.  I can think of about 700,000 reasons why.  Source: ZDNet.


Security News for the Week Ending July 26, 2019

Equifax Agrees to Pay UP TO $700 Million to Settle Breach Lawsuits

First – the settlement hasn’t been agreed to by the court yet, so this is all speculation.

Of the $700 million pot, at least $300 million is set aside to pay damages to consumers.  Another $100 million plus is to pay for credit monitoring.

There are lots of details.  For the most part, unless you can prove damages and prove that those damages were caused by the Equifax breach and not some other breach, you probably will not get paid much.  You can get paid up to $250 if you file a claim, without proof.  Everything past that requires proof.  With 150 million victims and a $300 million pot, that averages to $2 a person.

BUT there is one thing you should do and that is get the free credit monitoring.  Go to EQUIFAXBREACHSETTLEMENT.COM and wait until it says that the court has approved it.  Note this is not a site owned by Equifax and given what a mess they are, this is good.  Read more details here.

The Next NSA Hacker Gets 9 Years

Harold Martin, the NSA contractor (employed by Booz, like Edward Snowden) was sentenced to 9 years for stealing 50 terabytes of data over the course of his 22 year NSA career.  The leak is something like 5 times the size of the Snowden leak.  He didn’t sell it; he just liked data.  He had so much he had to store it in sheds in his back yard.  Many of the documents were clearly marked SECRET AND TOP SECRET.

The fact that he was able to steal hundreds of thousands of documents doesn’t say much for NSA security, which is sad.  Source: Nextgov.

Huawei – Bad – Not Bad – Bad?!

President Trump said that Huawei is a national security threat and needs to be banned and then he said that maybe we can trade that threat for a better deal with China on trade.

Now it is coming out that Huawei helped North Korea build out their current wireless network.  The equipment was shipped into North Korea by Chinese state owned Panda International.  This has been going on since 2006 at least.  Huawei is likely continuing to provide technical support to North Korea.

This seems like a national security threat and not a bargaining chip for the President to toss in to get a trade deal that he wants, but what do I know.  Source: Fox News.

 

AG Barr Says He Wants Encryption Back Door And Why do You Need Privacy – Just Suck it Up.

Attorney General William Barr said this week that if tech companies don’t provide a back door into consumer encryption, they will pass a law forcing it.  And while this will allow hackers and Chinese spies to compromise US systems, it is worthwhile.

He said that they might wait for some terrorist event that kills lots of people and blame it on encryption (whether that is true or not).

He did seem to exclude “custom” encryption used by large business enterprises, whoever that might include.

Barr said that bad guys are using crypto to commit crimes that the police can’t investigate.  If that were true we would expect that crime would be going up.  If it is a really bad problem, it would be going way up.

Only problem is that the statistics say crime is going down.

You may remember that Juniper added such a back door, likely at the request of the NSA and it worked great until word got out about it and hackers had a field day.

This conversation is not over.  Source: The Register.

 


Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit.   Still this is two orders of magnitude greater than the FTC fine of Google a few years ago.  The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know.  Source: NY Times.

 

Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch.  Besides using your email account to send spam, it does lots of other nifty stuff as it evolves.  Nice piece of work – NOT!

Why?  So that they can use your email to send spam.  After all, you are kind of a trusted person, so if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and voila, they are owned.

And, of course, you are blamed, which is even better for the spammer.  Source: Techcrunch.

 

Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome.  Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE as Google already does.  Hopefully this will encourage web site operators to install security certificates.  It used to be expensive, but now there are free options.  Source: ZDNet.

 

AMCA Breach Adds Another 2 Million + Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the already 20 million+ victims, the hits keep coming for AMCA.  Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach.  They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, whose name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after.  Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued.  Actually, Quest, Labcorp and the others are who should be sued because they selected AMCA as a vendor and obviously did not perform adequate due diligence.  Source: Techcrunch.

 

Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week.  The hack cost Bitpoint $28 million and they say that they plan to refund their customers’ money.  One more time the hackers compromised the software, not the encryption.  Source: The Next Web.
