Category Archives: Hacks

Crypto Backdoors and Huawei

Note: If you didn’t know that I am against crypto backdoors before, let me just tell you up front, because that fact will be clear by the end.

The world works in the most mysterious ways.

The FBI has been trying to get phone makers (Apple especially) to install crypto backdoors into iPhones for them for years. What they call lawful access.

The scientists say that there is no way to do this in a way that would be secure. A way where only the good guys can access your stuff and the bad guys cannot.

Sometimes the universe demonstrates things in a way that scientists can’t.

The U.S. has been saying for a long time that the Chinese company Huawei – the world leader in 5G cellular technology – is bad and that they are closely connected to the Chinese military. All of this is likely true.

What they haven’t said is why and they are not really telling the whole truth now – likely because the whole truth is classified. They probably don’t want the Chinese to know what our spies know.

Huawei cell hardware has a crypto backdoor. Not necessarily because they wanted to put it in but more likely because cell providers in many countries are required to provide a backdoor. If Huawei didn’t build one in, they couldn’t sell their hardware.

What has come out now is that there is a concern that Huawei – AKA the Chinese government or Chinese military – may be able to use – or ABUSE that backdoor.

Of course they claim that they would NEVER do that. You believe them, don’t you?

The U.S. isn’t publicly saying this, likely because some CIA source told them or something like that and, as a result, it is considered highly classified. If the Chinese know what we know, they can probably figure out how we got it and from there, figure out who told us. At that point, the next step is a bullet in the head.

So it appears that this backdoor that the FBI so desperately wants is the reason why Huawei is such a threat. Bottom line, if we insert a backdoor into crypto, even for the best reasons, the bad guys will learn about it and figure out how to exploit it. Then we have the Huawei situation all over again.

Since the U.S. is pushing really, really hard to stop carriers from using Huawei hardware, probably with good reason – and we now know why – what is the impact on 5G rollout in the US?

For the large carriers in the core of major metropolitan cities – not much.

For smaller carriers and for the big carriers outside the high profile “gee, we better have 5G coverage here” locations, it means that the rollout of 5G in the U.S. will probably be much slower than would have been otherwise.

Given that almost no one has a 5G capable phone right now, that probably doesn’t matter much – right now.

But there is another use that seems to be garnering some attention and that is Internet of Things. If some IoT devices are dependent on 5G (like your self-driving car) and if the buyer or maker of the device ASSUMES that 5G coverage will be available, well, that is a problem (like the self-driving feature doesn’t work). Hopefully, manufacturers who assume people will have 5G will design their systems to fail safely (like shutting their device off if it can’t get 5G), but even that won’t make people happy.

Looking at 5G coverage today, here is a map from Verizon’s website for Denver. Notice it says AVAILABLE OUTDOORS. Likely, this is because the signal won’t penetrate walls, which means that we all need to move into tents outside. The tan highlight says that 5G is available in PARTS of these neighborhoods. Granted they will build out more and likely in the next few years, more of downtown Denver will have coverage, but that doesn’t include anything outside downtown and it doesn’t cover indoors. For that you will need to buy a 5G cell simulator and have enough extra Internet bandwidth on your Internet connection to give you 5G speeds. You want gigabit 5G – you better have an extra gigabit of Internet bandwidth on your service that you are not using. And, you better hope that your carrier doesn’t have bandwidth caps.

Source: Ars Technica


Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People’s Liberation Army, saying that they were responsible for detecting the fact that Equifax did not patch some of their servers and thus were easily hackable.  This, of course, means that the hack did not require much skill and may have even been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime.  Source: Dark Reading

 

Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time, the story was that Macs were safer than PCs from computer malware and that is likely still true, but according to Malwarebytes anti-virus software, almost twice as many attacks were recorded against Mac endpoints compared to PCs.

They say that Macs are still quite safe and most of the attacks require the attacker to trick a user into downloading or opening a malicious file. One good note is that Mac ransomware seems to be way down on the list of malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that Homeland security is buying commercial cell phone location data in order to detect migrants entering the country illegally and to detect undocumented workers. In 2019, ICE bought $1 million worth of location data services licenses. There is likely nothing illegal about the feds doing this, but it is a cat and mouse game. As people figure out how the feds are using this data, they will likely change their phone usage habits.

Note that this data is not from cell towers, but likely from apps that can collect your location (if you give them permission) as much as 1400 times EACH DAY (once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center or IC3 says that people reported 467,000 cyber incidents to them last year with losses of $3.5 billion.

They say that they receive, on average over the last five years, 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, that seems to be less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer


FBI Warns About Software Supply Chain Attacks Going On Now

While I have reported about software supply chain attacks in the past, they have all been one-off and in some cases highly targeted attacks.

The FBI has issued a warning about ongoing, large scale, software supply chain attacks.  The attackers are using the Kwampirs malware to install a Remote Access Trojan or RAT.

The FBI says that the attacks are targeting the victim’s strategic partners and customers (AKA you).

But since just attacking your suppliers is not enough, they are also directly attacking companies in the healthcare, energy and financial sectors.

Symantec reported attacks using Kwampirs in 2018 by a group they called Orangeworm.

Symantec also said that Orangeworm had been around since 2015 targeting mostly healthcare, but they said the group had secondary targets including IT, manufacturing, logistics and agriculture.

Lab52 confirmed Symantec’s finding last year.

The FBI issued this alert after all this time because the malware seems to have evolved and is now attacking industrial control systems, especially in the energy sector. That would likely include electric, natural gas, water and wastewater.

While Kwampirs does not, at the moment, seem to wipe systems it invades, it shares a lot of similarities with the Shamoon malware which did wipe infected systems.

Indicators of compromise are available for organizations that have detection systems that can use them.

Source: ZDNet

 

 

 


Security News for the Week Ending February 7, 2020

Iran Expands Oil & Gas Attacks to Electric as Well

According to researchers, Iran-linked APT33 has expanded its attack surface.  Initially they were going after the global oil and gas industry but now they have added the electric grid to the mix.  Right now, they say, the goal is reconnaissance – gathering information to use later.  They also are trying to establish a foothold inside the infrastructure to use at a time of their choosing.  Source: Threat Post

 

In the Wake of the Iowa Caucus Voting Mess – Are We More Secure Now Than 2016?

Clearly the Iowa voting software issue does not instill confidence in the election process.  Was that a Russian hack?  No, I don’t think so.  Just software quickly thrown together with not much planning.  Apparently, they only paid $63,000 for it.  Given how important it was, it seems like a LOT more testing was needed.  That did not happen.

But more concerning is this week’s McAfee report.  They say that 84% of county websites did not have a .Gov domain name.  This is important because there is more verification done on those domains.

In addition, 46% of county web sites were not encrypted – with Texas being the worst with less than 25% of their county web sites being encrypted.

If we are not taking basic security measures like these, why would anyone think that they are doing a better job at protecting your vote?  Source: Help Net Security

 

GAO Says That CISA is Behind on Election Security Plans

The GAO says that DHS’s CISA is behind on its plans for election security.  CISA became responsible for election security when elections were declared critical infrastructure in 2017.

Unfortunately, CISA’s budget is less than JP Morgan Chase’s security budget.  Given the lack of funding, this is not a surprise.

Given the challenges with tech (non-hacking related) at the Iowa Caucuses, this is not a good sign.

The House has passed a number of bills to fund election security but the Senate has not taken up any of them and none of them have been submitted to the White House.  More than likely, this is due to partisan politics.  However, if there are problems during this election, voters are likely not going to be happy.

The GAO listed three recommendations for the CISA:

  • Urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure for the upcoming elections.
  • Ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections.
  • Document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency’s 2020 planning.

Source: CNBC

 

Experts Say the Software Used at Iowa Caucuses Looks Like a Student’s Class Project

Multiple Android app development experts and cybersecurity pros who talked about the app that the IDP tried to use to report the Caucus results said it had a quality similar to what a college student might turn in for a programming class.

The software was based on React Native, a cross platform app development framework released as open source by Facebook.  That in itself is not a problem.

One expert said that the developers took an off the shelf skeleton project and added some stuff to it.  One expert said that it was clearly done by someone who had just read a tutorial on how to do it.  Another expert said the app looks like it was “hastily thrown together”.

It also appears that user training was inadequate.  The development team only started gathering requirements 6 months ago.  Homeland Security had offered to test the security of the app, but the Iowa party officials declined.

The IDP says that this app was not supposed to be the final arbiter of results but only a way to get quick, unofficial numbers.  The caucuses all collected their data on paper and were supposed to transfer the results to the app.  Source: Motherboard

Sources also say that the version of the app planned to be used in Nevada (plans which have been cancelled) also had errors.  Source: Motherboard

 


Ransomware 2.0 Attacks 3 Law Firms in the Last 24 Hours

I know I keep beating the Ransomware 2.0 drum, but there is a reason for it.  There is not a good response to it other than to stop it from happening.

According to media reports, Maze ransomware hackers have attacked 5 law firms in the last 30 days and 3 law firms in the last 24 hours from when the report was written.

More importantly, the hackers posted some of the data on the web – and not the dark web but rather the normal web for everyone to see – to prove that they exfiltrated data before they encrypted it.

The hackers are demanding $1 million for the decryption keys and another $1 million to not sell the data.  From some of the attacks we have seen the data posted with a note asking other hackers to do as much damage as possible with the data.

So far, the media is not naming these law firms, but that will only last so long.

Source: Lawfareblog

Hmmm.  So long is not very long at all.

Doing another Google search, the firms are:

  • Bangs McCullen
  • Lynn, Jackson, Shultz & Lebrun
  • Costello Porter

Source: law.com

Obviously, the objective here is to embarrass the firms and hopefully get them to pay up.  And act as a warning to other firms.

With ransomware 2.0, having backups is not sufficient.

If the hackers threaten to publish, for example, your client’s confidential information in your care, what is your plan?

A couple of thoughts from the client’s side.  Many of you engage law firms.  If you look at the engagement agreement, it probably says that they are not liable if they are hacked.  I would suggest that you get out your marker and cross that out and sign it.  If the law firm won’t agree to removing that, find a different firm.  There are lots of them.

Larger clients are asking prospective law firms for a copy of their most recent cyber risk assessment, or at least a summary version of it.

They are also asking about what kind of training the firms do, what policies they have in place and what kind of threat detection solutions are being used.

These are all legitimate questions.

Of course, you need someone knowledgeable on your side to evaluate the answers, too.

One reason they are going after law firms is that if they attack a single firm, they get information on hundreds of companies or more.

On your Vendor Cyber Risk Management program (VCRM), law firms should be considered high risk vendors. 

In the agreement with the firm is there an arbitration requirement?  Typically arbitration works in favor of the firm and not you.

Also note that there is no law that requires your law firm to tell you if your company confidential information is breached (unless there is personal information in there too).  Make sure that your agreement requires that they notify you if they are hacked.  Quickly.

Do they have cyber risk insurance?  Do you have to hope that the firm has enough cash to repair the damage?

If you have any questions about this, please contact us.

 


Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similar to California’s existing IoT law and calls it strong security.  What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all and it doesn’t say how often the manufacturer will provide security updates.  It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet.  Source: The UK Gov web site.

 

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing its managed service provider (MSP) for messing up.  The fake invoices came from the business owner’s hacked email account which the MSP was supposed to protect.  Source: Channel Futures

 

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online.  They are still saying that it won’t impact their 2019 or 2020 financials.  Sources say that part of the losses will be covered by insurance.  This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance.  Source: Reuters

 

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations according to multiple sources.  They often turn over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy and in many ways they do, sometimes they make business decisions that they would prefer their customers not know about.  Source: Reuters

 

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips.  Stay tuned;  it is a long journey.  Source: The L.A. Times