Category Archives: Breach

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs in Safari because they could be used to fingerprint, and therefore track, users. This only applies to Safari, the default browser on Apple devices, which represents about 17% of web users, and since Apple doesn’t make its livelihood by selling people’s data, it is a win-win: it costs Apple nothing and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. Breached databases from 14 companies, all from 2020, account for 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more, and that is just from the first six months of this year. In case that is not enough, the broker is also selling a number of older databases. Beware of credential stuffing attacks, where hackers take those userid/password pairs and try them on other sites; they work because people reuse passwords. Credit: Bleeping Computer
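Here is the detection side of that, as an added example that is not from the Bleeping Computer article. A stuffing run looks different from an ordinary brute force: each stolen userid gets tried once, with its leaked password, so a per-account lockout never fires. The Python below, with constructed log lines in a hypothetical "timestamp result user= ip=" format, flags a source IP that attempts many distinct accounts in a short window and records which of those attempts actually succeeded (the reused passwords).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from any real system).
# 198.51.100.5 is a normal user mistyping a password twice; 203.0.113.7 walks
# through a list of leaked userid/password pairs and one of them works.
SAMPLE_LOG = """\
2020-06-30T10:00:01 OK   user=carol ip=192.0.2.9
2020-06-30T10:00:05 FAIL user=alice ip=198.51.100.5
2020-06-30T10:00:09 FAIL user=alice ip=198.51.100.5
2020-06-30T10:00:14 OK   user=alice ip=198.51.100.5
2020-06-30T10:01:00 FAIL user=alice ip=203.0.113.7
2020-06-30T10:01:01 FAIL user=bob ip=203.0.113.7
2020-06-30T10:01:02 FAIL user=carol ip=203.0.113.7
2020-06-30T10:01:03 FAIL user=dave ip=203.0.113.7
2020-06-30T10:01:04 OK   user=erin ip=203.0.113.7
2020-06-30T10:01:05 FAIL user=frank ip=203.0.113.7
"""

# Hypothetical log line shape; adjust the pattern to your own auth logs.
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse_log(text):
    """Return (timestamp, success, user, ip) tuples sorted by time; skip junk lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try min_distinct_users or more different accounts
    within any sliding `window`. Returns {ip: {"users": set, "successes": set}}
    where "successes" are the accounts that logged in during the run, i.e. the
    ones whose reused password worked and need a forced reset."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user, ok) inside the window
    alerts = {}
    for ts, ok, user, ip in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u, _ in q}
        if len(distinct) >= min_distinct_users:
            a = alerts.setdefault(ip, {"users": set(), "successes": set()})
            a["users"] |= distinct
            a["successes"] |= {u for _, u, k in q if k}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {len(info['users'])} accounts, "
              f"successful logins: {sorted(info['successes']) or 'none'}")
```

The threshold and window need tuning for your traffic (a corporate NAT or a proxy legitimately carries many users from one address), and a patient attacker spreads the list across many IPs, so in practice you also want the same count keyed on something like the client fingerprint or ASN. The important output is the "successes" set: those accounts were not cracked, their owners reused a password that was already leaked.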

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between the fourth quarter of last year and the first quarter of this year, and more than 250% year over year, according to Nexusguard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Cybersecurity and Work from Home

Reports are that reported breaches are down. This is likely not because there are fewer breaches, just fewer reports.

Wait six months and see what the breach reports look like.

Security firm Tessian released their State of Data Loss report and here are some of the things they found.

  • 52 percent of employees feel they can get away with riskier behavior at home like sharing confidential files by email.
  • Part of the reason for not following safe practices is that many employees are using their own computers rather than a company issued one.
  • Another reason is that security and IT are not watching them.
  • Employees have more distractions at home, making it difficult to concentrate. Distractions include kids, roommates and not being in their normal office environment.
  • Some employees say they are being forced to cut security corners because they are under pressure to get the job done.
  • Half of the people said that they had to find workarounds to the rules in order to work efficiently.

None of this is news.

Employers are the ones that will get to pay for this in the long run. If an employee causes a breach by cutting corners you may fire them (and you may also get sued by them, because they may say that you forced them to cut corners, whether true or not), but even if you do, you will still get to write that check for thousands or millions of dollars. And suffer the reputation damage.

Many companies do not have good (or any) real time security monitoring and alerting systems in place. The effect of this is that even if you are breached, you won’t know about it.

Do you know the most common way companies find out about a breach?

YUP, it is when some third party like the POLICE, FBI or CREDIT CARD COMPANIES tell them they have been breached.

So while no one really wants to spend the time and money right now, now is the time that you have to spend time and money.

Alternatively, you can spend that money in breach response.

At least 10 times more money.

Assuming you don’t get sued.

or you don’t lose customers.

Credit: ZDNet

Security News for the Week Ending April 17, 2020

Covid-19 Driven Online Shopping Encouraging More Skimming Attacks

Since crooks go where the money is and since we are all doing a lot online shopping during the shelter in place directives, the crooks put two and two together to come up with an attack strategy.

Malwarebytes says that they are seeing a 26% increase in skimming attacks between February and March.  Also, apparently, Monday is the least safe day to shop.   Credit: SC Magazine

Ransomware Attacker Stops Accepting Bitcoin Due to Traceability

The operators of the Sodinokibi ransomware want to stop accepting Bitcoin because the cops have figured out how to trace Bitcoin transfers. While some people have said for a long time that Bitcoin is untraceable, the opposite is actually true: every transaction sits on a public ledger, and addresses are only pseudonymous. Monero, combined with Tor, has features designed to thwart that sort of tracking. Credit: Bleeping Computer

Friendly Hackers Find 460 Bugs in “Hack the Air Force 4.0”

The hack, run by the U.K. Ministry of Defence, allowed good guy hackers to attack a particular but unidentified Air Force “platform”. The hackers found over 450 security flaws in this one platform. Remember the military runs thousands of systems, and not all bugs allow a hacker to initiate a total meltdown, but still, if this is a representative sample, it indicates that with a modest amount of effort (this entire hackathon lasted less than a month) you might be able to identify hundreds of thousands of security flaws in systems whose buyers understand that they need to be secure. What then could hackers find in normal commercial and home-grown systems, where price, time to market and features are way more important than security? Credit: Fifth Domain

Small Business is Big Target for Ransomware

According to a new survey of senior execs, 46% of all small business have been the target of ransomware attacks.  Of those that have been hit, 73% say that they paid the ransom. 43% paid between $10k and $50k;  13% paid more than $100k.  Of those who paid, 15% did not get all of their data back.  Not great statistics.   Credit: Dark Reading

New Security Metrics to Consider – 24/72 and 1/10/60

Once a new bug is publicly announced, it takes, on average, seven days for bad guys to figure out how to weaponize it.

Experts say that this means that you need to harden your systems against that new attack within 72 hours.  That is not very long, even for the best of operations.

How long does it take the average organization to close holes?

On average – 102 days or 15 times the amount of time it takes to weaponize it.

Once a vulnerability is disclosed, it is a race between the good guys and the bad guys to either  fix it or abuse it.

Some examples:

Microsoft patched BlueKeep, a bug that was very well publicized, in May 2019, and it was explained why it was critical to patch. In December 2019 there were still at least 700,000 machines publicly exposed and vulnerable.

Remember WannaCry? Sophos says that there are still a large number of machines not patched against it, two years later.

Zero day attacks are even worse – best practice says that they should be patched in 24 hours.

To add to the complexity of the problem for IT, these fixes need to be tested.

So if the benchmark for MEAN TIME TO HARDENING is 24 HOURS FOR ZERO DAYS AND 72 HOURS FOR OTHER FIXES, IT has got a lot of work to do.

The cousin of this is incident response. CrowdStrike sets the benchmark at 1/10/60.

For those of you not familiar with this benchmark, it means:

  • ONE MINUTE TO DETECT
  • TEN MINUTES TO UNDERSTAND
  • SIXTY MINUTES TO CONTAIN

These two goals are really important and also really hard. Almost no organizations can currently do this.

These two goals interact with each other.  If we can close off enough holes then we make it harder for the bad guys.  This allows IT to focus on the remaining attacks.

For IT, the battle is basically the need for speed.

So here are the recommendations:

24/72 (hours) for patching

1/10/60 (minutes) for incident response

For almost all organizations, this is a big project.  Everybody ready?

Source: Threatpost

Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different from that of a lot of other companies. Their website was hacked and one of the Magecart family of credit card skimmers was installed. It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website. The security firm RiskIQ worked with abuse.ch and Shadowserver to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a jQuery JavaScript library. This particular compromise has been detected on over 200 websites.

The second attack compromised a different jQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally, on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach. Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay. Let’s see if we can learn some lessons here. What went wrong?

I often ask how come security researchers can contact a company and they ignore them? Let’s talk about your company. How would some employee deal with that? Is there a process? Is it documented?

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password. It is not that hard to phish an employee’s credentials. What about your websites? Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch. Are you confident that every single library on your web server is current with every single available patch? Equifax missed one (an Apache Struts patch) and it didn’t turn out so good for them.

And of course being able to detect malware in real time, as I wrote in the client alert last night, is pretty important.
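Three different scripts were tampered with on one site and every one of them was noticed by an outside party first. As an added example of the “detect it yourself” control (my code, not RiskIQ’s or Nutribullet’s), the Python below keeps a baseline of the Subresource Integrity hash of every script a checkout page loads, then re-audits the page: it reports external scripts with no or the wrong `integrity` attribute, external scripts whose fetched body no longer matches the baseline, and inline scripts that are not on the allow list. The page markup, script URLs and script bodies are constructed placeholders; the “changed” checkout script stands in for a skimmer appended to a library.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> tag on a page: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:       # only text inside a <script> element
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_hash(content: bytes) -> str:
    """SRI value for a script body, in the form browsers accept: sha384-<base64 digest>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# --- Constructed baseline: placeholder URLs and bodies, not real library contents ---
JQUERY = "https://code.jquery.com/jquery-3.4.1.min.js"   # assumed third-party script
CHECKOUT = "/js/checkout.js"                            # assumed first-party script
JQUERY_GOOD = b"/* constructed stand-in for the clean jQuery build */"
CHECKOUT_GOOD = b"/* constructed stand-in for the clean checkout script */"

BASELINE_EXTERNAL = {JQUERY: sri_hash(JQUERY_GOOD), CHECKOUT: sri_hash(CHECKOUT_GOOD)}
ALLOWED_INLINE = {sri_hash(b"var a=1;")}

# What the scheduled audit fetched today: checkout.js has grown a tail.
FETCHED = {
    JQUERY: JQUERY_GOOD,
    CHECKOUT: CHECKOUT_GOOD + b"\n/* constructed: simulated appended skimmer code */",
}

# Today's page: jQuery is pinned, checkout.js is not, and a second inline script appeared.
PAGE = f"""<html><head>
<script src="{JQUERY}" integrity="{sri_hash(JQUERY_GOOD)}" crossorigin="anonymous"></script>
<script src="{CHECKOUT}"></script>
</head><body>
<script>var a=1;</script>
<script>document.title;</script>
</body></html>"""


def audit_page(html, baseline_external, allowed_inline, fetched):
    """Return a list of (finding, identifier) pairs, in page order."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for i, s in enumerate(c.scripts):
        if s["src"] is None:
            if sri_hash(s["body"].encode()) not in allowed_inline:
                findings.append(("unknown-inline", f"inline#{i}"))
            continue
        src = s["src"]
        expected = baseline_external.get(src)
        if expected is None:
            findings.append(("new-script", src))
            continue
        if s["integrity"] != expected:            # browser would not block a swap
            findings.append(("missing-or-wrong-integrity", src))
        body = fetched.get(src)
        if body is not None and sri_hash(body) != expected:
            findings.append(("changed", src))     # the served file no longer matches
    return findings


if __name__ == "__main__":
    for kind, ident in audit_page(PAGE, BASELINE_EXTERNAL, ALLOWED_INLINE, FETCHED):
        print(f"{kind:30s} {ident}")
```

Two caveats. Browsers only enforce `integrity` on external scripts, so inline code has to be controlled with a Content-Security-Policy script hash instead; the inline check above is monitoring, not enforcement. And SRI only helps if the hash you pinned was taken from a clean copy: if the attacker already owns the server that serves the page, they can rewrite the hash along with the script, which is why the fetched-body comparison runs from a separate, trusted host on a schedule rather than from the web server itself.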

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?

Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People’s Liberation Army, saying that they discovered that Equifax had not patched some of its servers and exploited that to get in. This, of course, means that the hack did not require much skill and may have even been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime.  Source: Dark Reading


Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time, the story was that Macs were safer than PCs from malware, and that is likely still true, but according to Malwarebytes, makers of anti-virus software, almost twice as many attacks per endpoint were recorded against Macs as against PCs.

They say that Macs are still quite safe and most of the attacks require the attacker to trick a user into downloading or opening a malicious file. One good note is that Mac ransomware seems to be way down on the list of malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that Homeland Security is buying commercial cell phone location data in order to detect migrants entering the country illegally and to detect undocumented workers. In 2019, ICE bought $1 million worth of location data service licenses. There is likely nothing illegal about the feds doing this, but it is a cat and mouse game. As people figure out how the feds are using this data, they will likely change their phone usage habits.

Note that this data is not from cell towers, but likely from apps that can collect your location (if you give them permission) as much as 1400 times EACH DAY (once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center or IC3 says that people reported 467,000 cyber incidents to them last year with losses of $3.5 billion.

They say that they receive, on average over the last five years, 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, that seems to be less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer