Category Archives: Hacks

Apple Airtags – A Low Cost Surveillance Tool for Good or Evil

Ever see a scene in the movies where the cops (or the bad guys) plant a tracking device on someone and later catch the person doing something?

Ever hear stories about an ex stalking his or her former partner?

Well Apple just made that ‘affordable’.

Probably too affordable.

And folks have already tested it.

Like putting an airtag in a Fedex envelope and mailing it somewhere. Then tracking it. Apparently, WAY more precise than Fedex’s own tracking system.

In part, that is because of how they work. If they are within a few feet of any iDevice, poof you know where it is. That works great in the city where the number of Apple devices per square inch is high. Go out into the woods and it doesn’t work so well. Unless the person you are tracking has an iDevice.

You want to know where your kids are? Covertly slip a $29 tracking device in their backpack.

Want to know if your spouse is cheating? You can buy 4 tags for less than a hundred bucks.

Want to keep tabs on your ex? Ditto.

You could hide one in a car or any number of places, depending on how devious you are.

Here is the worst part.

In many cases, it may not even be illegal. But it might be. Depends.

Point of information: A tag is tied to an Apple device. If the Apple device can be tied to you or someone you called or an email account you accessed, the cops will be able to find you.

Just in case you were thinking of doing something illegal.

Tracking your kids? That’s not illegal. But kids are usually smarter than parents, so they might be tracking you right now. If they have $29.

Credit: Ars Technica

Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted message app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cells phones for law enforcement. Cellebrite claims to be able to crack Signals messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the mean time he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Celebrite. Credit: Hackread

 

Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 month’s worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our drivers’ licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states drivers’ license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting drivers’ licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, less than half of the drivers’ licenses in circulation have been updated to meet the requirement. Credit: CNN

 

Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, every connection between your IT network and OT networks increase the attack surface. Credit: Cyberscoop

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

Supply Chain Attacks -Its the New Thing

The most famous supply chain attack of the last few years was the SolarWinds attack. That attack was a home run for the Russians. Other hackers (or maybe the same ones) thought that was a great attack vector. Now it seems to have become quite popular.

Then came DevOps tool provider Codecov. Hackers compromised Codecov, then they stole the software that was inside their customers’ code repositories. Codecov offers software testing tools. The hackers found a weakness in their code upload process, which gave the hackers access to any code that was uploaded. Sometimes developers are stupid and hard code credentials into their code.

HashiCorp is a client of Codecov. Some of HashiCorp’s clients used the compromised Codecov software. HashiCorp said that their private PGP (GPG) signing key was exposed. That means that the attackers, if they knew what they had, could have signed malware with HashiCorp’s key and presented it to their customers as legit.

Codecov has (or had) 29,000 customers. HashiCorp was one of them. They dodged a bullet by detecting the compromise. What about the other 28,999 clients.

Next comes Australian password manager firm Click Studios, makers of Passwordstate. Their software update process was compromised and a malware loaded update was live for 28 hours. The good news is that they detected it in a day. The bad news is that they are telling their customers to change all of the passwords they had stored in the software. Given that they also had 29,000 customers – unlike the big password manager firms who have millions of customers – it affected a small population and finally many of these password managers offer a feature that allows you to let the software automatically reset all of your passwords, making things a little easier. For those of you who use password managers, two thoughts – first use one of the big products – they have the money to implement better processes and second, even with the rare breaches of password manager software, and they are very rare, it is still better than people doing what they do otherwise – pick password123 as their password for many sites.

These are just the supply chain attacks this month.

You have a lot of suppliers. Those suppliers have suppliers. You use cloud software like HashiCorp. They have suppliers too.

The matrix of all of your suppliers and their suppliers and so on is large. Very large.

That means you need to improve upon your plan because the attackers seem to have figured out a weak spot.

Note that they haven’t stopped doing everything they were doing before. Your attack surface just got larger.

Sorry to be the bearer of bad news.

The Regulators Are Making a Point

Last month New York’s Department of Financial Services (DFS) fined Residential Mortgage Services $1.5 million for not having a compliant cybersecurity program and, even worse, not telling the regulator that they had a breach.

DFS said that RMS did not investigate the breach seriously, did not conduct a comprehensive risk assessment and did not notify the victims.

This month DFS went after National Securities Corp.

DFS says that they had four separate cybersecurity “events” between 2018 and 2020.

DFS noted that during a 2019 incident an employee’s email account was compromised and, oh, yeah, NSC had not implemented multifactor authentication, which is required by law.

In another event, a broker of the company discovered an potentially unauthorized transfer of $200,000. As the investigation continued, they discovered more unauthorized transfers. Ultimately, the company wrote a check to the client for $400,000. Even then, they did not have multifactor authentication enabled.

They did finally implement multifactor authentication in August of last year.

Out of curiosity – have you implemented multifactor authentication on all systems?

In the consent order, the regulator pointed out the obvious. You have to have MFA enabled, even for third party applications.

As the regulator dug into things, they discovered two more incidents that were not reported as promptly as possible and specifically, not within the 72 hours as required by law.

Regulated entities that do business in New York are required file an annual report with the regulator, signed by the CEO or CoB or similar person. The company claimed they were in compliance in that report, but according to DFS, because of all of these issues, they were not in compliance.

They fined National Securities $3 million and, as is typical in these cases, they said that they could not be reimbursed by insurance. They want them to feel the pain.

A summary of what happened can be found here.

Reading the consent order, one thing that the regulators seem to have focused in on is the fact that this company, like many companies, uses dozens of third party applications and many of these applications did not have multifactor authentication turned on.

In some cases, third party apps do not support multifactor authentication. In that case, you have to follow a process to assess the risk and implement alternate security measures. This process needs to be reassessed every single year. Companies have to follow this process for each application for which they cannot implement multifactor authentication.

The consent requires the company to file a comprehensive incident response plan with the department within 120 days.

They also, according to the consent order, need to submit a comprehensive cybersecurity risk assessment.

For both of these items, the consent order lists specific items these documents need to include.

They also have to provide a copy of compliant policies and procedures and documentation of all cybersecurity awareness training in the same time frame.

I am not sure if this will be a monthly event with the regulators or not, but I do think they are getting tired of businesses ignoring the laws.

While this only affects companies that do business in New York (wherever they may be located), we are also seeing noise from other states, such as California, which has just created a whole new regulatory agency. Funded, I might point out, by the fines that they issue.

Add to that the fact that Virginia’s governor just signed a bill into law that is even more comprehensive than California’s and that there are a number of other states (Florida, Texas, Washington, for example) that are likely to enact similar laws this year.

Consider what the New York regulator is doing as a “shot across the bow”. Do not expect this to go away. Also understand that the condition of not getting reimbursed by insurance is a pretty standard requirement.

To quote Dirty Harry: “Do you feel lucky”?

If not, now is the time to get busy.

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations and videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then we saw another 500 million Linkedin profiles for sale. This week it is Clubhouse, but since it is new, there are only a million+ users in the free database. These social media sites on one hand sue people for taking their data but on the other hand, say that actions like this are not a breach because they offer APIs that allow people to do it. What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the ENTITY LIST, the list of companies that US businesses cannot work with unless they get a get out of jail card from the Commerce Department. These seven companies are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control server(s). Most malware that uses a command and control center usually hard codes the C&C address or addresses or puts them in a DNS record. If law enforcement takes down those servers or reroutes their traffic to a black hole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information they need on the Blockchain. Or many blockchains. Since the Blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a Blockchain, the entire usefulness of the Blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is about $160 billion. If the cops have to break all blockchains worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking $160 billion (and growing) of capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are willing.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier

Domain Name Service Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use domain registry locks, which help stop domains from being hijacked. More than 66% use consumer grade registrars, likely because they are a little bit cheaper but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSec (mine does not). Only 17% use DNS hosting redundancy. While 73% have some sort of DMARC policy in place, many are set to NONE, meaning that the setting is useless. This is pretty much in line with the results found as part of a global test last year.

As I said, no surprise, but a lot of disappointment. Credit: Security Week

NSA/FBI/CISA Issue Alert – Russia SVR

While China is a serious threat and the last administration pushed on that hard, that administration ignored Russia.

Today the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agencies issued a joint alert titled Russian SVR Targets U.S. and Allied Networks.

The NSA, FBI and CISA said that the Russian Foreign Intelligence Service or SVR is behind the exploitation of 5 publicly known vulnerabilities.

The Feds also announced that Russia and the SVR were the ones behind the SolarWinds attack and all the other attacks surrounding SolarWinds.

In addition to the SolarWinds attack, they are crediting/blaming Russia for:

  • Fortinet Fortigate VPN
  • Synacor Zimbra Collaboration Suite
  • Pulse VPN
  • Citrix Application Delivery Gateway
  • VMWare Workspace ONE Access

The advisory is available here.

The FBI and their cousins also provided some very specific actions to take, here.

Here is the problem. These actors are pros. These are not random attacks.

In the SolarWinds attack they went after heavily defended federal agencies as well as a lot of big companies.

The Feds are saying that you should assume a breach will happen. Note that they did not say assume a breach might happen.

They said to implement network segmentation.

Enable robust logging

Prepare for incident response.

It seems like they are saying that we are fighting a war.

The feds will do their part to try and identify them and slow them down, but this is more of an art than a science.

One bit of good news is that the NSA is sufficiently embarrassed for missing SolarWinds that they are on high alert. That should help. HELP, but not prevent.

Historically, the NSA spent 90% of their budget on offense and 10% on defense. While we don’t know what those numbers are today, the pendulum has definitely moved.

And this is good for every business in America.

Be prepared. Credit: NSA