Category Archives: Hacks

Walmart Customer Data Leaked from Amazon Storage Bucket

It seems like we are seeing this again and again – a vendor sets up some Amazon storage and sticks some data in it.  Sometimes the  vendor forgets about it or the employee responsible for it leaves and the data is basically orphaned.

In this case the data was new, so it was not orphaned.  The company, MBM,  is a vendor to Walmart and sells jewelry on Walmart’s web site and probably in stores also.

The data was a database (SQL) in a bucket named WalmartSQL and named MBMWEB_backup_2018_01_13_003008_2864410.bak .

In the names we see the strings Walmart, MBM and the date, Jan 13, 2018.

The backup is not encrypted, although the credit card data inside the backup, but only that data, is encrypted.

One of the reasons these breaches are so disappointing is that they could be easily avoided.

Here are some things that you should do to mitigate this risk:

  • Inventory your data.  Whether the data lives on a server in your office, a removable hard drive in someone’s briefcase, a cloud storage vendor like Dropbox or Amazon or a Software as a Service vendor such as Salesforce.com .  You MUST know where your data lives.
  • Assign a person to be responsible for this spreadsheet or database.  This is far from a full time activity, but it is an activity that will never end.
  • Create a policy that requires employees to notify the data manager any time a new vendor is added, a new data repository is created or data is moved from one location to another (like from a local server to an Amazon server).
  • Ensure that data is encrypted if at all possible, especially if the data is stored on portable media or in the cloud. If this data had been encrypted, no one would be talking about MBM or Walmart.
  • Create a policy and associated procedures that documents the rules for who has access to the data, how the access is granted AND REMOVED, and how access to the data is logged.
  • Create a process to alert when these data access rules seem to be violated – whether by a hacker or an insider.
  • Periodically audit the access rules.
  • Run periodic tests to ensure that the system is enforcing the rules.   If you  automate the testing, the tests could be run every day or every hour.
  • Finally, if there is a vendor involved, make sure the contract specifies who is responsible for implementing security, testing security, auditing security and liable in case of failure.

Information for this post came from SC Magazine.

Facebooktwitterredditlinkedinmailby feather

Can The Ruskies REALLY Hack Our Elections?

With all the news lately about the Russians trying to change the outcome of the elections (like, I might add, the U.S. has been trying to do around the world for decades – think of the Shah in Iran, the Congo elections, Chile and many others – see here), the real question is can the election really be hacked.

The Pew Charitable Trust published a great piece on the subject which should make you think about the subject.

Here are my thoughts on the subject.  Feel free to comment.

#1 – As a concept, there is no “single point of failure” in the American election system.  That is both its strength and its weakness.  According to Pew, there are 10,000 election entities, mostly (by sheer numbers) counties and cities.  These organizations are, at best, loosely affiliated with each other.  The Clerk in Wichita, KS likely doesn’t even know the Clerk in Fort Smith, Arkansas, except maybe by chance and, for sure the systems used by the two cities are not, in any way, connected.

#2 – Your local voting machine is NOT connected to the Internet.  In fact it is not connected to much of anything.  It is likely loaded with it’s ballot by a flash drive, created at the Clerk’s office.  At the end of the election day, the results are read out on each machine and probably called into each individual election office, manually.  The machines are then locked up and driven to a warehouse, where they are stored, more or less securely until the next election.  Could you compromise that flash drive at creation time?  Likely.  Probably without a huge amount of effort.  But even if you do, that would only be used within a single election PRECINCT.  Not exactly an easy way to change the outcome of a Presidential election.

#3 – While we are on the subject of Presidential elections, the easiest way to change the outcome of that election is by way of fake news, promoted by influencers.  Not the fake news that the current office holder talks about, but rather real fake news.  The average voter assumes, for the most part,that whatever they read, if it supports what they believe, is likely true – it just reinforces their existing beliefs, without regard to whether those beliefs are correct. Or not. That is certainly what Russia did in 2016.  Those efforts can effect a change in the election results.

#4 – it doesn’t require flipping very many votes to change the outcome of a single election.  In this week’s PA-18 House election, the difference between winning and losing was around 627 votes.  Out of 250,000 or so votes.  So, if, via fake news, you can flip the minds of less than a thousand voters, you have just changed the outcome of an election.  That is probably a  lot easier and a lot cheaper than trying to hack voting machines.

“That keeps me awake at night,” said Nancy Blankenship, the clerk for Deschutes County, Oregon.

That quote gives me some hope regarding fending off the bad guys.

On the other hand, this quote worries me.  This clerk either is so clueless about technology that she should not have the job or is sticking her head in the sand.  In either case, it is a problem.

Sara May-Silfee, the director of elections for Monroe County, a community of 170,000 in eastern Pennsylvania, said she knows her county is secure, even if her state was one of 21 states targeted by Russian hackers in 2016.

“I can’t even begin to tell you how they’d hack us,” she said. “Nothing is hooked up to anything. How could anybody hack us? I’m not worried about anything. Sometimes it seems like a lot of hullabaloo.”

I wonder how she KNOWS her county is secure?  Perhaps the same way Target knew?  Or Home Depot knew?  Part of the problem is that County clerks are political animals.  Usually elected.  Highly unlikely from a technical background.

I saw an article earlier today that the Air Force was lamenting that they could not find good cyber security folks.  After all, they pay $37,000 a year plus allowances and benefits.  Someone who is competent could likely make 50% to 100% more in the private sector and not have to worry about having to listen to the whims of politicians who have no idea about tech, even though they feel the need to flap their gums about the subject.

#5 – in many locations, the vast majority (if not all) of the ballots are done via mail.  ON PAPER.  The old fashioned way.  Could you steal the ballots out of the mail?  Maybe?  But if you do, are you helping the candidate you favor?  Or hurting that candidate?  Could you hack that voting process?  Unlikely.

#6 -Could you compromise the central ballot counting process in any given city or county?  Maybe, but likely not easily.

#7 – Hackers could break into central state voter databases and add names, delete names or make changes.  This is one of the things that the Russians were reported to have been trying to do during the 2016 elections.  Is this possible?  Apparently, at least to a degree.  What backups, cross checks and security  measures any given voter database has, is, of course, unknown.  Reports have it that the Russians were successful at doing this, at least to some extent, in several states.

#8 – Many electronic voting machines still do not have a paper confirmation printout.  What this means is that there is NO way for the voter to know what the voting machine actually registered and no way for voting officials to verify the vote count.  THIS IS A BIG PROBLEM.  Without some independent means to verify the vote count, it is all a big guess.

At the hacking conference Defcon, there has been a contest for the last few years for hacking voting machines.  Every year, every single machine gets hacked.  Sometimes in just a few minutes.  In fact, it has been so embarrassing to voting machine manufacturers that they have resorted to threatening people who sell voting machines on the used market.  If the organizers of Defcon can’t get machines, they can’t embarrass the voting machine manufacturers.  If I was a manufacturer, I wouldn’t count Defcon’s organizers out yet.

Suffice it to say, this system is far from perfect.  However, hacking the tech is not only hard but will also have limited effect.  There is no central place to attack; no website to compromise.  Still, that doesn’t mean you can’t do anything.  Think back to PA-18 this week.  Only 600+ votes separated the winner from the loser.

Information for this post came from The Pew Charitable Trust.

Facebooktwitterredditlinkedinmailby feather

Ransomware, The Gift That Keeps On Giving

Just a few years ago most people had not even heard about ransomware.  Today, if you have not been hit by a ransomware attack, you certainly have heard about attack after attack.  Ranging from massive attacks that affected companies like Fedex and Merck pharmaceuticals to  hospitals to little mom and pop stores, ransomware is the scourge of our technical world.

There really is one major reason for ransomware attacks – money.  If you pay the ransom, even what you perceive to be a small  one, it sustains the attacker’s morale and encourages more attacks.

Although no one really knows the statistics, people do  make educated guesses.  According to security firm Kaspersky, In Q1 2016 an individual was attacked every 20 seconds; a business was attacked every 2 minutes (I assume that most of these attacks were NOT successful).  By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.

In Q1 2017, 60% of all malware payloads were ransomware, according to malwarebytes.

And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in.  That includes a billion dollars for WannaCry alone.

People are paying millions in ransom as well.

See this article for more stats.

So why are we seeing the increase in ransomware?

#1 – as credit card companies improve their security, it is becoming harder to cash in on stolen credit cards.  Hackers are turning to other ways to make money.

#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their games when it comes to cybersecurity.

#3 – The emergence of Bitcoin and other crypto-currencies have made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.

So here are some thoughts about dealing with ransomware.

In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly.  In these cases several thousand devices were compromised in an hour.  That doesn’t give you much time to detect the attack, never mind respond to it.

In the first organization, they did not have robust detection software and so the attack ended when all of the vulnerable machines were compromised.  The other organization did detect it and were able to take some machines offline and save them, but still many machines were compromised.

Here in Colorado, the Colorado Department of Transportation was hit by a ransomware attack twice in a period of a week or two.  Weeks later, many of their computers are still only useful as doorstops.

Lets assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than that decades old anti virus software that you are using) – then there are two options.

First, you don’t pay the ransom.  Assuming you have good backups and depending on the size of the organization, it could take weeks to months to recover all of your systems.

Assuming you do pay the ransom you only have 50/50 odds of getting a key that will successfully decrypt your devices.

But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread?  PROBABLY NOT!

The best technique for preventing successful ransomware attacks is training your users.  Clicking on links and opening attachments are likely the two most common ways to get infected.

There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.

The next thing that you have to have is a very robust incident response program.

When I speak at seminars I talk about the Sony attack disaster.  A few months before that, there was a similar attack that you likely never heard of – because they have a great incident response program and empowered individuals to take actions.  The organization was the Sands Hotel and casino and IT security made the decision to start literally unplugging computers from the network.  They had people running through the casinos pulling cables.  The result was a greatly diminished attack.

On the other hand, a local municipality in the Denver area was hit by a denial of service attack and once they got approval to disconnect from the Internet,  it took them hours to figure exactly how to do that.    A lot of damage can be done in hours.  You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.

Two different organizations, two different outcomes.

Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack.  How devastating that attack is will be based on how prepared you are.

How prepared are you?

Information for this post came from SecurityInfoWatch.

Facebooktwitterredditlinkedinmailby feather

2018 Hasn’t Started Out So Great

In January researchers disclosed a pair of twenty year plus old flaws, Spectre and Meltdown.  While Meltdown seems to mainly affect Intel chips and is relatively each to fix, Spectre affects everything from Intel chips to smart light bulbs and is extremely difficult to fix (see here).

Fast forward to this month …..

This week, in a pretty sketchy announcement, researchers claim that they have found 4 different related flaws that only affect AMD chips.  The flaws were found by a team of Israeli researchers who only gave AMD 24 hours to review their findings.  Compare this to the six months that Intel had to review the Meltdown and Spectre research.  They have not provided any details, publicly, of the flaws.

The researchers call the flaws Ryzenfall, Masterkey, Fallout and Chimera.  And they gave them cute logos.

The concept of responsible disclosure says that researchers are supposed to tell vendors about flaws in advance of the public disclosure so they have the possibility of fixing it before it becomes public and the hackers get to start figuring how to create an attack around it.

In this case they gave AMD 24 hours.  That is not enough time to understand the problem, never mind fix it.

On their web site, the researchers disclosed that they may have “an economic interest in the performance of” (AMD).  I guess that means that they shorted the stock before the dropped the bombshell.

There is some good news however, which may indicate this is being overhyped by the researchers.  The attack cannot be done remotely.  It cannot be done locally if the user does not have access to the system.  It cannot be done locally, even with access to the system, unless you are an administrator on the system.  That greatly reduces the ability to exploit the flaws.

But there is also some bad news.  It is possible that at least one of the flaws is not fixable.

Only time will tell.

What this does mean, at least for now, is that users of AMD based systems should be extra careful about doing things (like opening strange emails or attachments or clicking on sketchy links) that would increase the odds of them falling victim to an attack because if they do, the consequences might not be pretty.

Information for this post came from Techcrunch.

 

Facebooktwitterredditlinkedinmailby feather

Hey Cortana! Install Malware. Infect this Computer.

There are some possible downsides to personal virtual assistants.

What if an attacker could use Cortana or Alexa to infect your computer?

As these assistants become more widespread, the likelihood of an attack goes up.

Screen locks do work.  Sort of.  They tend to stop nosy cube-mates and possibly evil maids, but beyond that, they are marginal.

Two Israeli researchers have figured out a way to get Microsoft’s Cortana to do their dirty work.

But the fact that they did it with Cortana is, I think, only a matter of opportunity.

They used Cortana to exploit a well known Windows “feature”.

Could they use Google Assistant to exploit an Android feature or Siri to exploit an Apple feature.  This just proves it can be done.

We saw this last year when a neighbor used Siri to unlock the house next door.  Siri was listening and more than happy to trigger the smart lock to open the door.

In this case they used the Windows “Feature” that when Windows sees a new network adapter, whether the system is locked or not, it installs the drivers.  The researchers plugged in a device that was designed to look like a USB network adapter.  After the system installed the network drivers (which, in reality, was enough to compromise the PC), they told Cortana to open a web browser and go to a malicious web site where it downloaded and installed malware.

Apparently, you can tell Cortana to only respond to your voice, but you have to train it to do that, so most people don’t do that.

Absent that, for some strange reason, the assistant will respond to voice commands, even if the computer is locked.  That makes absolutely no sense to me.  Locked SHOULD mean locked.

Microsoft changed that feature after the researchers explained what they did.

You say that the attack is not very subtle because someone nearby would hear the attacker issue the commands.

All of the assistants respond to high frequency sounds – high enough that the people nearby couldn’t hear, but the computer microphone would pick up the sound.  This is also a known feature called a Dolphin Attack and has been known for years.

The attack also works by playing an audio file over the computer’s speakers.

Microsoft’s so called fix was to direct all browsing requests through Bing, but they still process commands on locked computers, meaning that the computers are still susceptible to a different attack.  As I said – my opinion – locked should be locked.  Period.

This is likely to get worse before it gets better.

Information for this post came from Motherboard.

 

Facebooktwitterredditlinkedinmailby feather

Is the Apple Losing its Shine?

Last week there were multiple reports that Petah Tekvah, Israel based Cellebrite could unlock any iPhone up to and including the iPhone X running the most current version of the Apple OS, but you had to send the phone to them along with a check for $1,500, per phone.

This week there is a report that Grayshift, an American startup, is reporting that it too can unlock your iPhone for the cops.

Wait, I just got a phone call.  My grandmother says that she can unlock any iPhone and she will do it for free.  Just kidding about that one, but two different companies, one week apart are saying they can hack any iPhone.  This seems really strange.

Grayshift was apparently founded by some U.S. intelligence community contractors and a former Apple security engineer.

They are privately circulating a data sheet that says that if you buy their software you can unlock 300 phones for $15,000 or an unlimited number of phones for $30,000.  The cheap version (a relative term) must be used online (so, I assume, that you cannot cheat them);  the expensive version can be used offline since it doesn’t need to keep track of how many phones you have unlocked.

The software itself is called GrayKey.

Apparently, right now, GrayKey will only unlock phones running iOS 10 and 11 – which is likely the majority of iPhones, but a version that will unlock iOS 9 is coming soon.

One guess is that these firms have figured out how to hack into Apple’s Secure Enclave, the heart of the security of the iPhone.  *IF* that is true, that is a real problem.  Of course Apple could figure out what both of these firms are doing and make them start over.  In the case of GrayKey, since the system is delivered to a paying customer, if Apple engineers can, somehow, get access to the system they can probably figure out what the software exploits.

It is also speculated that the attack might be a brute force attack, meaning that it starts with “A” and goes to “B” and then “C” and so on until it unlocks the phone.  Again, *IF* this is true, the longer the password is, the harder it is to use this technique.  For example, if the password is 8 characters and only uses letters and numbers, then there are ONLY 218,340,105,584,896 or 218 trillion possible guesses.  On the other hand, a 12 character password raises that number to 3,226,266,762,397,899,821,056 or 3 sextillion possibilities.  Passwords longer than 12 characters would require even more guesses.

The moral of this story is that long passwords, even with just upper and lower case letters plus numbers and no special characters will take a long time to crack.  One article said that a 12 character password would take 200 years to crack at a billion guesses per second.  If it does take that long, even if they do succeed, you won’t care.  Using that same billion guesses a second, an 8 character password would only take 60 hours.

I think this story is not over;  stay tuned for updates.

Information for this post came from Forbes.

Facebooktwitterredditlinkedinmailby feather