Category Archives: Hacks

Security News for the Week Ending June 14, 2019

SandboxEscaper Releases Yet Another Windows Zero-Day

SandboxEscaper has it in for Microsoft.  He or she has released over a half dozen zero-days including four of them just a couple of weeks ago.  He or she has put Microsoft behind the power curve multiple times and now he or she is doing it again.

This time SandboxEscaper has figured out how to exploit the patched version of one of the previous exploits.  This exploit can be triggered silently with no obvious warning to the user.  There is no patch available for it yet. Source: The Hacker News.

If history is any example, this is probably not the last time we will hear from SandboxEscaper.

 

License Plate Pictures Taken by CBP Cameras Available on the Dark Web

As reported last month but not confirmed by Customs and Border Protection until this week, an unnamed vendor of license plate readers to CBP and others was hacked and hundreds of gigabytes of data stolen.

Included in that data was thousands of photos of license plates captured at the US border and travelers at US Airports and they are available on the dark web.

The government (no surprise) has a poor vendor cyber risk management program.  The vendor, widely believed to be Perceptics, although the government is shielding it for some unknown reason,  copied data from the government’s computers  to their own.  After this, the vendor was hacked and hundreds of gigabytes of data stolen.  Source:  The Register.

 

A Year Later, U.S. Government Websites Are Still Redirecting to Hardcore Porn

Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domain names that redirect visitors to porn sites.

Gizmodo reported this a year ago and it is still not fixed,  Actually a few sites were fixed and a few more added to the broken list.

Users were being redirected from government sites to sites with names like” Two Hot Russians Love Animal Porn”.  One site infected was the Department of Justice’s Amber Alert site.  To be clear, the government is not running porn sites.

And these are folks that we are relying to to protect our cyber universe.  Source: Gizmodo.

 

Philly Courts Still Down After Cyber-Attack Last Month

Another day, another city.  In this case, it was the court system in Philadelphia was hit by a cyber-attack.

After the attack, e-filing, docketing and email systems were taken down and now there are still problems.

So far, the courts have released very little information – not even the name of the firm that they hired to fix their mess.  Likely, that will come out later.

Suffice it to say, with each of these attacks, it becomes more and more important to evaluate YOUR disaster recovery system.  Can you afford to be down for weeks in case you suffer an attack?  Source: Infosecurity Magazine.

Facebooktwitterredditlinkedinmailby feather

Just In Case You Thought Two Factor Authentication Was a Silver Bullet

I will start with the spoiler – it is not.

Pentesters and hackers now have a new tool in their arsenal to defeat two factor authentication.

The tool was just released at the security conference Hack-In-The-Box and is now available on Github.

Hackers had to get creative  in order to attack web sites that were protected by two factor authentication because they need to some how force the target web site to generate a two factor request.  If they are running on a separate web site in a different domain that they control, that is harder.

But of course, there is a way.

If the hacker’s web site acts as a proxy in between the user and the real web site, the web site will generate the needed request and the user will provide the second factor.  Then the hacker needs to steal the cookie that the server sets before it expires.

That has been around for a while but was hard to do.

Muraena and NecroBrowser now automate most of this process so even a script kiddie (well, maybe not a script kiddie) can steal your money or information, even if two factor is operational.

This attack does not work if the company is using hardware tokens such as a Yubikey because the web site needs to interact directly with the key, but the attack does work against either SMS based 2FA or authenticator apps.

While the article does not say so, I think the attack will not work in the case where you are using client side certificates for the same reason as the Yubikey.

All of this means is that users cannot drop their guard.  In the case of these man in the middle attacks, the user is directed to the hacker’s web site instead of the real one, and that site has a different name, even if it is only a little different.

Source: CSO Online

Facebooktwitterredditlinkedinmailby feather

Security News Bytes for the Week Ending June 7, 2019

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack – which is why many organization just pay the ransom.  The attackers only wanted $103,000 or less than 1 percent of what they are going to spend.  Of course, if an organization does that, they will still be vulnerable to another attack and will have no idea whether the attacker will remain inside their systems, slowly stealing data, for the rest of eternity.

The city is blaming the feds for the breach due to the use of NSA’s leaked spy tool EternalBlue and want federal aid to fix their mess, although there are also conflicting reports that say that EternalBlue evidence was not found in the city’s network.

Baltimore’s information technology office issued a[n undated] detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system. (based on contents of the memo, it was likely written in late 2017 or 2018)”

The reality is that patches for EternalBlue have been out for more than a year – but not installed in Baltimore.   Who’s fault is that?  Like many organizations, Baltimore just chose to prioritize spending money on other things rather than protecting their systems and their customer’s data.  Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop.  Apparently the hackers behind GandCrab have decided that $2.5 billion is enough and have ordered their “affiliates” to stop distributing the  ransomware after an 18 month run.  The operators claim to have generated $2.5 million a week over those 18 months and cashed out $150 million, which they have “invested”.  Of course, other malware will replace it, but the sheer magnitude of this one is amazing.  Source:  Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that 12 million customer records including credit card and bank account information, medical information and Socials were compromised.  Now it is Lab Corp saying that almost 8 million of their customer records were exposed.

Both tie back to the same vendor – AMCA – American Medical Collection Agency.  Given both of these biggies used it, likely there are many more small companies that also used it.

Labcorp said, in an SEC filing, that the hackers were inside for 9 months before they were detected at AMCA.

One more time, third party vendors put companies that trusted them at risk.   In this case, there is the added pain that this is a HIPAA violation and a pretty big one at that.  That is why vendor cyber risk management is so important.

Quest says that it has fired the vendor and hired its own investigators; they say that they have not gotten sufficient information from AMCA.  Remember, you can outsource the task, but not the liability.  Hopefully everyone has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of EXIM Mail Agents Are At Risk

What could go wrong.  Millions of EXIM mail transfer agents, typically used on Unix-like systems, are vulnerable to both remote and local attacks.  The attack allows a hacker to remotely execute commands on the target system with the permissions of root.

The bug was patched in February, but it was not listed as a security fix, so likely many sysadmins did not install the patch.  Shodan shows 4.8 million servers running the software and only 588,000 running the fix.  Most of those servers are in the U.S.  Source: Bleeping Computer.

The AMCA Data Breach Keeps Growing

AMCA is a company you probably never heard of before this week.  They are a medical claims collection agency.  As I said above, first it was Quest with 12 million customers affected;  then it was LabCorp with another 7+ million customers.

One assumes that AMCA has lots of customers and depending on the nature of their systems, probably all of their customers were compromised, although it is possible that each customer was isolated from all of the others – but that doesn’t seem to be the case.

Now OPKO Health is saying that 400,000 of their customers information was compromised.  Expect that there will be more customers coming forward in the weeks ahead.

This is the risk that you have when you use outside parties – breaches that you don’t control but have to pay for anyway – both financially and in brand damage.  If you have not already figured out how to protect yourself as best as possible, now is the time to do it because once you get that phone call from your vendor – it is too late.  Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft  bug that the NSA decided was  too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So who’s fault is it?  Should the government tell vendors to fix bugs or should they risk not telling them and having a Baltimore or WannaCry which destroyed the British Healthcare system or NotPetya or many others.

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore because Microsoft patched the flaw in March 2017 and apparently, it is not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage.  For lack of a patch.  To be fair, it might have happened anyway.  But it would not have spread like wildfire.   Source:  NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumer’s credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.

 

Cisco Warns Thangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – its not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.

 

New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia , a New Zealand based cyptocurrency exchange is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.

 

Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems from nine months between June 2018 and March 2019 and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken.  What they didn’t say, because they are not forced to by law, was what else was taken.  According to the security firm Crowdstrike, the best hackers move laterally from the system in which they entered, in 18 minutes.  The average hackers take 10 hours.  Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS.  One reason might be that a unknown proprietary OS that only the Chinese military has the source code for would be harder to hack by the US than any other OS.  Source: ZDNet.

Facebooktwitterredditlinkedinmailby feather

Microsoft Has a Recommendation and You’re Not Gonna Like It

System, network and application administrators can do the most damage in case of a malware attack.  The permissions that they have allow them to do many things that the average user can’t do and those things, in the hands of a hacker, can mean a lot of damage inside every company.

So here is what Microsoft is recommending.

Per Microsoft’s Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations.

See, I told you that you weren’t going to like it.  But wait, there is more.

This device should always be kept up to date with all the most recent software and operating system patches.

That, of course, seems like common sense.

“Provide zero rights by default to administration accounts,” the Microsoft Security Team also recommended. “Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.”

JIT permissions is a relatively new concept,  but fundamentally a great one.  Instead of having the administrator be all powerful all the time, have them ask for a specific permission in real time and just for the very short time period that they need it.

Furthermore, administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee’s normal work identity.

In addition, that account should not have access to the administrator’s regular email (this is my addition).

Finally, companies should also prevent administrative tasks from being executed remotely, Microsoft said.

Microsoft also explored multifactor authentication and, although it was very secure, it was somewhat cumbersome.  Instead they are using biometrics.  With Windows 10 and a computer that has a crypto chip (TPM), Windows Hello is very secure and also easy to use.  Partly this is because there is a ONE TIME enrollment process that ties that user’s identity and biometrics to that specific physical device.  If you need to log in from more than one device, you need to enroll in each of them, but after the enrollment is done, you can literally look at the computer and enter a short PIN to log in.

Check out the rest of their recommendations at ZDNet.

These are recommendations that I think will definitely improve security.  But it will be less convenient.  So make a choice.

SECURITY

CONVENIENCE

Pick Just One.

 

Facebooktwitterredditlinkedinmailby feather

Wolters Kluwer “Still Down” From May 6 Cyber Attack

There is never a good time for the information systems of one of the world’s largest hosted services providers to go down, but in this case, at least it wasn’t April 6th.

One of the Dutch firm Wolters Kluwer’s big services is CCH, the online tax software that many accounting firms, large and small, use.

CCH does have a version of their software that you can install on your own servers, but like many software providers, they want the monthly recurring revenue (MRR) that comes from a hosted version, so they push very hard to get users to use the online versions of their software.

So when, on May 6th, the firm, which provides services to clinicians, nurses, accountants, lawyers, audit, risk, compliance and regulatory servers found out that they were having “network and service issues”, that was not something that executive management wanted to hear.  The  media says that the firm started seeing “technical anomalies” and an investigation discovered malware.  Brian Krebs, a former WaPo reporter and now security blogger started hearing reports several days before, on May 3rd and he reported what he heard to Wolters Kluwer at the time.  Some reports said the infection was MegaCortex, a enterprise class ransomware attack.

It is also something that their clients, who often work against deadlines, did not want to hear.

Worse yet, because they had to shut down many of their services, they didn’t have a good way to tell their clients what was happening.

Customers resorted to posting messages on the company’s Facebook page.  Some said that the outage was even affecting the locally installed Taxprep T1 and Taxprep T3 software.  This is not completely unexpected as that software probably gets information – forms and rules perhaps, from an online repository.

Customers also said on Facebook that they were not terribly happy with Wolters Kluwer’s level of communications.  They said “WK needs more professional ways to communicate with corporate clients than through Facebook posts.  We’re running businesses not planning reunions.  I only found out about this thread from a google search.  Facebook isn’t exactly my go-to for reliable information pertaining to business”.

WK said that they restored some services on the 7th but did not have any ETA for when everything was going to be working again.

In a tone-deaf response to the situation, they said “Our process and protocols assure a high degree of confidence in the security of our applications and platforms before they are brought back online.  We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.”

Maybe they should start with “we are sorry”.

When one media outlet reached out for information, WK did not even respond.

Enough about the details of this incident.  Lets look at what they did wrong and what YOU would do in the same circumstances.

NUMBER ONE  – It seems like (I have no inside information) that their cybersecurity incident response program (CSIRP) is inadequate.  While they are not the first  (or last) large company (over 4 billion Euros a year) to fail to have an adequate CSIRP, that doesn’t give them any forgiveness.  Remember the totally botched incident response from Equifax after their breach?

While Wolters Kluwer will survive this – including the inevitable breach of contract and breach of fiduciary responsibility lawsuits that will happen – small companies just literally close their doors.  Between the reputation damages, the breach response mitigation costs and the distraction, your average company is going to be very stressed over an incident like this.

If you use online services or provide online services, is your CSIRP up to the task?  While the needs of service providers and customers are different, both need FREQUENTLY TESTED CSIRPs.

It appears clear that they did not think about how to communicate with their customers (what a crisis communications expert brings to the party) in the event of a major outage.

While we don’t know yet whether they had cyber breach insurance, do you have it?  Not only does it help pay for the cost of responding to an incident, but it gets you a lot of expertise.

If you use online service providers, do you have a business continuity program that allows you to continue conducting business if one of your service providers goes offline like Wolters Kluwer did?  I might add – WITH NO WARNING!  In this case, it looks like at least parts of the operation were offline for several days.  How would you continue to do business?

Notice the communication that came from the lawyers in their statement,  “We have seen no evidence that customer data or systems compromised“.  This is dramatically different than “no customer data or systems were compromised”.  If you were completely clueless, you would have no evidence.  That doesn’t mean that your data wasn’t taken.

If you are using an online service provider, what does your contract say about service level agreements or damages.  Most of the time the damages are limited to the amount of money you paid during the time they were down.  Let’s say that the service costs you $10,000 a month and it was down for 2 days.  That means you might get as much as $10,000/30×2=$667.  Will $667 cover your losses?  Just checking.  That assumes that the fine print doesn’t let them completely off the hook.

It doesn’t even look like they were doing a good job of responding to Facebook posts.  Their Facebook site currently says:

Please visit our website for an update on our progress with restoring our applications and platforms. We have already brought online several of our systems, including CCH SureTax and CCH Axcess. We are fully committed to restoring remaining services as quickly as possible for our customers. Our teams are working hard around the clock to completely restore access, and appreciate your continued patience. https://bit.ly/302ekMF

The post on their web site really doesn’t have a lot of information on it other than they are working hard on fixing things, which I am sure that they are.

Next lets talk about logging.  VERY comprehensive and detailed logs are needed if you are going to be able to figure out if anything was stolen.  That is why in many cases, company are forced to assume data was stolen, even though they really don’t have a clue.

And don’t forget about backups.  Is everything backed up?  Are you sure?  Time and again we hear about companies that thought everything was backed up only to find out that it wasn’t   And while it is okay if it takes a long time to backup your data, if it is going to take a week to restore it, that could be a problem.

Lastly, lets talk about disaster recovery.  Sometimes when you get hit by a ransomware attack, your backups get hit too.  While it is hard to protect your DR site (you DO have a DR site, right?), it is possible.  The challenge is how long it will take you recover.  And that is directly related to cost.  The shorter the recovery window, the more money it is going to cost.  But, you need to think that through and have realistic expectations.  Don’t stick your head in the digital sand and hope.  That is not a great strategy.

Bottom line – pretty much every company will have a bad day – or week at some point in time.  The real question is how you would respond to it.

There is good news, assuming that you are neither Wolters Kluwer or one of their customers.

You have free training on how NOT to handle a breach.  All you need to do is watch what they are doing and ask if that would be how you would like to be treated if you were their customer.

If you are one of their customers – and there are tens of thousands of you out there – I’m sorry that they are not better prepared.

Information for this post came from SC Magazine and Security Week.

Facebooktwitterredditlinkedinmailby feather