Category Archives: Breach

Hackers Want to Own Your Systems Longer

Gee, in one sense, that is not a big surprise.

On the other hand, given all the money and effort, you would think we would be winning.

According to security vendor Carbon Black, in just the last 3 months, they found that the percentage of time hackers used methods to cover their tracks jumped 5 percent.  It jumped 10 percent in the last 6 months.  Up to 56 percent of the time.

They did stuff like deleting logs, disabling anti-virus, hijacking legitimate programs and disabling firewalls.  Among other nasty stuff.

By hiding they get to steal more stuff.  Own the system.  Own the entire network.

Part of the reason is that they are stealing intellectual property.  22 percent of the time.  Up from 5 percent the previous quarter.

Also, the hackers are island hopping – a term meaning that once they own one network, they use that beachhead to compromise another company.   They say that 50 percent of the reports for last quarter used island hopping as a technique to gain access.

Bottom line – the bad guys are evolving.  You need to evolve too.

Unless you are okay with them stealing all of your intellectual property.  And your customers.

Installing anti-virus and a firewall is NOT going to stop them anymore.

Part of what you need to do is get your employees to change their habits.  That, unfortunately, is not easy.  

For the most part, people want to do what is easy.  That is why Google says that less than ten percent of their customers use two factor authentication, for example.  It is not the easiest way to log in.

Then you need to lock down your systems (servers) and your network.  The good news is that this will not impact your users very much but it will mean a lot of work for your IT team.

Since the hackers want to remain inside your network undetected, you need to need to try and detect them.

If they are good, a traditional SIEM won’t find them.  Network Detection and Response tools are the next generation of SIEM.

Sorry for harping on this, but you have to protect yourself.  No one else can.

The hackers are playing to win.   You need to play to win also.

Source: The Register.

Facebooktwitterredditlinkedinmailby feather

More Supply Chain Woes, Courtesy of Asus

Here is an interesting combination of countries.

Multi-billion dollar Taiwan based computer make Asus makes a wide range of computers sold worldwide.

Russian anti-virus maker Kaspersky, whom the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus’s software update mechanism and told US computer users (and other countries) that their computers were infected with malware.

How did it happen?  Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.

Nice!

So is the Russian company outing the Chinese company Asus because they are enemies?

Or is the KGB trying to prove that Kaspersky is not a threat?

Or, is Kaspersky just doing what it’s software it is supposed to be doing.

The fact that the malware was SIGNED with Asus’ encryption key says that the hackers compromised Asus’ internal controls.

The attack was very targeted apparently.  Similar to the CCleaner attack, even though the malware was downloaded a million times, only 600 specific MAC addresses on PCs were targeted.

One VERY IMPORTANT point here.  According to Kaspersky, Asus has been very unresponsive to the issue.

So, what do you do?

First of all, my recommendation would be to remove Asus from your approved vendor list now.  If they come up with a better story you can always add them back in later.  The only way companies will get serious about cybersecurity is if it affects their financials.

That being said, this whole supply chain attack business (think Flame, CCleaner and even NotPetya was delivered as a supply chain attack) is becoming a huge problem and likely not going away any time soon.

This means that companies need to protect themselves.

Creating and implementing a vendor cyber risk management program is a start.

Make sure that you have adequate CYBER insurance.

Next figure out what you exposure is.  Are you buying parts (soft or hard) and integrating it into your product or software?  You are at a higher risk.

Are you a higher value target (like a tech company, financial services provider, have a lot of customer information, etc.)?  That puts you at risk.

While patching is a bit of a band-aid, it is one of the best band-aids that we have today.  This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat.  If it is on your network or talks to your network, it has to be patched fully,  Think about how bad patching habits worked out for Equifax.

As I said, this is not going to end soon — it is something that you should apply some think time to.  The potential impact on your brand could be very high, depending on your business model.

Source: Motherboard.  To see if your computer is infected, check out this Wired article.

 

 

Facebooktwitterredditlinkedinmailby feather

When Will Web Developers Learn

Stanford University is considered is fairly good college.  They have some well known grads such as Sergey Brin and Larry Page (Google founders), Herbert Hoover, Peter Thiel (Paypal founder), John Steinbeck and Sandra Day O’Connor.

But apparently when it comes to software, they, themselves, are not so good.

A little over a year ago they exposed the personal details of thousands of students and non-teaching staff.

Now another bug allowed students to access the data of other students.  This one is neither a hack nor a bug, but rather crappy software design that we see frequently.  Perhaps they should take a class in secure software development practices.

What did they do?

They put parameters on the address line something like

www.standford.edu/GetPrivateData?UserIdNumber=432643

While this is a bit of a simplification, if a user changed the number at the end, they could see other students information.

I remember eliminating this programming practice decades ago as not secure.  But not at Stanford.

They say that this is part of vendor provided software (where is their Vendor Cyber Risk Management Program?), so I hope their contract with the vendor says that the vendor is liable for breaches.  Probably not.  What do your vendor contracts say?

To add insult to it, the vendor is longer selling or supporting the software (kind of like those of you still running Windows XP).

Stanford’s disabled the software and told students to visit the registrar’s office in person if they need the information.  How 1960’s.

Long term, they will replace the software,

Does any of the software that you use pass parameters on the command line?

If so, you could be the next Stanford.

Not necessarily a “rep” that you want.

Information for this post came from Security Info Watch.

 

 

Facebooktwitterredditlinkedinmailby feather

Hacker Selling Almost a Billion Hacked User Records

A Pakistani hacker who last week put up 600 million hacked accounts has added another hundred million records plus to the pie.

The first batch included 617 million records from 16 hacked sites —

  • Dubsmash – 162 million accounts
  • My FitnessPal – 151 million accounts
  • MyHeritage – 92 million
  • ShareThis – 41 million
  • HauteLook – 28 million
  • Animoto – 25 million
  • EyeEm – 22 million
  • 8Fit – 20 million
  • WhitePages – 18 million
  • Fotolog – 16 million
  • 500px – 15 million
  • Armor Games – 11 million
  • Bookmate – 8 million
  • CoffeeMeetsBagel – 6 million
  • Artsy – 1 million
  • DataCamp – 700 thousand

Several of these sites have admitted they were hacked;  none has denied it.

The 600 million record package is selling for about $20,000.

The new batch of 127 million records includes

  • Houzz – 57 million
  • YouNow – 40 million
  • Ixigo – 18 million
  • Stronghold Kingdom – 5 million
  • Roll20.net – 4 milion
  • Ge.tt – 1.83 million
  • Petflow and Bbulletin forum – 1.5 million
  • Coinmama – 420 thousand

Only Houzz on this second has has confirmed they were hacked.

So what does this mean for you?

First of, if you are using the same password on multiple sites, you should stop that practice right away.  It is just too dangerous.

Second, if you are not using two factor authentication, you just need to suck it up and get over it.

The days of passwords alone as a reasonable login authentication means are over and will likely never return.

And, obviously, if you have accounts, even little used accounts, on any of these sites, change your passwords there immediately.  IF YOU USED THE PASSWORD ON ANY OF THESE SITES ELSEWHERE, YOU HAVE TO CHANGE THOSE PASSWORDS TOO.

And, if you are a web site operator and you are storing passwords, consider your security.  If you have not had an expert try to hack your site recently (as in, say, the last 6 months), you probably need to do that.

The brand damage to these sites will be big.

Information for this post came from The Hacker News.

 

 

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case,  Apple and Google lawsuits) decided that the did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.

 

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out of band patch for an Internet Explorer zero day bug that affects IE 9, 10 and 11 on Windows 7,8,10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.

 

Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared it to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.

 

Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise), all ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).

 

Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was  detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer and was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained,

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.

 

Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

Facebooktwitterredditlinkedinmailby feather