Category Archives: Hacks

Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904) and sent it to the House. It directs the NSF to support deep fake research and NIST measure the problem and see if they can get private companies to spend their money on solving the problem. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple in trouble but so is the Sheriff. Apparently the Santa Clara County Sheriff’s office has decided that concealed carry weapons permits can be bought and sold – or at least they can be bought. Apple offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Other folks, including Apple’s security chief are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

The feds have broken a Business Email Compromise (BEC) scam operating out of Lagos, Nigeria. So far they have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size and some Russian attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so they are back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that Monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, owner of TikTok to sell the company or the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S. and some percentage of them are Republicans and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, gave Bytedance another 15 day extension recently and now gave it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Inexpensive is not always Good

Apparently Walmart has been selling an affordable Jetstream router. Affordable, apparently, because it has a back door in it that would allow hackers to not only control the router, but also all of the computers on your network.

But Walmart is not alone.

Wavlink routers sold on Amazon also have back doors. In this case it attempts to connect to nearby WiFi connections so that it has a covert way to steal that data.

Similar routers are available on eBay.

Researchers say there is evidence that this is not a theoretical problem, but rather is being used in real attacks.

Also, these back doors are being used to allow your network to attack other networks via the Mirai bot network. Guess who the FBI is going to come visit if YOUR router is found to attacking other networks?

When the researchers talked to Walmart, to their credit, they said (a) it is currently out of stock and (b) they have no plans to replenish it. I will give them credit for dumping this trash even though they felt necessary to spin it. I guess they just couldn’t say “oh, crap, we got duped. Handled!”

Likely these two routers are really made by the same company.

The researchers apparently were bored during the pandemic, so they started buying cheap routers online to see if they could hack them.

The back doors even have a user friendly interface – a different one than the paying users see, of course.

These back doors, according to the researchers, are active and probably enabled on millions of devices. Credit: Cybernews

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Default Passwords on Gov Websites – What Could Go Wrong?

You would think that in 2020 we wouldn’t have to tell people not to use default passwords.

You would certainly think that we wouldn’t have to tell government IT folks not to do that.

But if you thought that, apparently, you would have thought wrong.

We are still telling end users to change the password on their WiFi router. And on their Internet modem or firewall. But those are consumers.

We recently did a penetration test for a client. The client has a lot of locations.

For the most part, their Cisco ASA firewalls were secure.

Except for a couple of them.

Which still had the default password. At that point, we owned their entire network.

Fast forward to last month. The FBI said, privately, that foreign actors had successfully penetrated some government networks and stole source code.

Now we are getting at least some of the rest of the story. We still don’t know which agencies were hacked and what was stolen, but we do know how.

SonarQube is an open source application to help companies or agencies improve code quality through continuous static code analysis.

But if you put that on a public facing web site and you don’t change the default password – which is a really hard to guess “admin/admin”, you kind of have a problem.

I don’t understand enough about how SonarQube works, but it seems to me that it SHOULD NOT be exposed publicly and it probably should not be on production servers.

Here it is, at the tail end of 2020 and we are still telling people – IT people – to change the freaking password.

And security folks have been talking about this specific problem with SonarQube for a couple of years now and not just inside the gov.

Come on folks – get with the program. Hopefully what was stolen was not too sensitive but the fact that they are not telling us who was hacked and what was stolen probably means that it was sensitive. Credit: ZDNet

Security News for the Week Ending Nov 13, 2020

The “S” in Coworking Stands for Security

While the WSJ says that coworking companies are closing money losing spaces as a result of Covid, don’t forget that coworking spaces are about as secure as airport WiFi, meaning not at all. The local news just said that some coworking companies are actually expanding as people want to get out of their house. For most coworking companies, the users are on a shared WiFi connection with no security and often, no encryption. Your remote working policy and procedures need to address this subject, based on the level of risk you are willing to accept and whether you are part of a regulated industry that might frown on you sharing your trade secrets, PII or customer data with the world. Also remember, that if malware gets into shared WiFi, it will certainly try to attack you. Here are a few tips for coworking company security.

Travelers are Faking Covid-19 Test Results

Apparently some travelers don’t want to go through the hassle of getting tested for Covid but still want to travel to countries that require those tests to enter the country. First there were paper documents, which, with Photoshop, were easy to forge. The cops in Paris’ Charles de Gaulle Airport just arrested some of those forgers. They were charging $180-$360 for fake documents. Apparently the French do not cotton to counterfeiters. The penalty for counterfeiting Covid documents is 5 years in a French prison and a half million dollar fine. Brazil arrested some tourists last month for presenting fake documents, so it sounds like you can get in trouble whether you are the buyer or the seller. Some locales are now only accepting electronic versions of the documents from the labs, making it harder to fake. Credit: USAToday

Google Finds At Least 7 Critical Bugs in Chrome, Android, iOS and Windows

Google says the bugs were being actively exploited int the wild, but are not saying by whom or against whom. The iOS 12 patch released patches back to iPhone 5S and 6, typically indicating that it is a big problem. The bugs were “found” by Google’s Project Zero, but apparently were being used by someone(s) prior to them being found. Does this smell like some spies were caught? Probably. We just don’t know which side they were on. Credit: Vice

Vietnam’s OceanLotus Hacking Group Joins Other Countries in Hacks

While countries like China get all the credit for hacking, Russia, North Korea and others are just as active. Add Vietnam to the list. Right now they are attacking their Asian neighbors. As is typical for these government run attacks, they are applying a great deal of effort to compromise their victims. Credit: The Record

White House May Fire Krebs for Securing the Election

Chris Krebs, the head of DHS’s Cybersecurity agency CISA, says he expects to be fired by the White House for securing the election from hackers. All reports indicate that while there is a lot more work to do to secure elections, the 2020 elections were, by far, the most secure ever. The agency also created an election rumor control web site (www.cisa.gov/rumorcontrol). This website debunked many of the myths being spread people who are trying to discredit the election results. General Nakasone, head of NSA and Cyber Command, who also said that there was no significant election fraud, could also be in trouble. Credit: Darkreading

Is The NSA Still Putting Back Doors in Tech Products?

This is a bit like the old question “are you still beating your spouse?” In order to answer that you would have to admit that you had been doing it previously.

The NSA, as far as I know, hasn’t admitted to placing back doors in tech products but there is a lot of information that has leaked out over the years that seems to indicate that they did and possibly still do.

One example. The CIA and NSA, in partnership with German intelligence, actually OWNED the Swiss crypto hardware company Crypto AG. They sold backdoored crypo hardware (back when hardware was the only way to do that) to both our friends and our foes. Of course, no one knew that the intelligence community owned the company or that the crypto was defective. The company was shut down or sold in around 2015 when all encryption was done in software and the CIA and NSA no longer had the monopoly that Crypto AG once was, but the NSA and CIA had access to the supposedly secure communications of both our friends and enemies for decades.

Second example. Juniper has admitted that in 2015 someone inserted a back door – what they refer to as unauthorized code – into the Juniper operating system ScreenOS. Some sources say that the code goes back to 2008. Call unauthorized code a code word for back door.

Third example. The NSA paid RSA millions of dollars to use a particular pseudo random number generator called dual EC. The algorithm has a weakness making the numbers not so random and the NSA knew that and was able to leverage that to make crypto easily crackable. By them. Because they knew about this flaw. They even managed to get NIST, for whom the NSA was a technical advisor, to adopt Dual EC as a standard.

When Snowden released the documents that he did release, it became clear that the algorithm was fatally flawed. NIST says that they were duped – which is both possible and possibly a lie – and revoked the standard.

But in the meantime some government other than ours figured out that there was a flaw in the Juniper software and kind of used the flaw against us. And others.

All that is background.

Senator Ron Wyden, a member of the Intelligence Committee has asked the NSA for a copy of a report they created after it became public that the NSA’s back door was being used against us. Wyden is opposed to back doors because it is hard even for the NSA to keep a secret a secret. For one thing, someone else might discover it accidentally.

Mysteriously, the NSA says that they cannot find that report.

Supposedly after the NSA’s hack got hacked the NSA changed its policy on inserting back doors into commercial products.

But, hmmm, they can’t seem to find that information. Maybe we should ask Snowden to look for it like Trump asked Russia to look for Clinton’s emails.

Rumor has it that for years the NSA intercepted equipment from vendors like Cisco while it was in transit and inserted “gifts”. They then put it back in the delivery stream and used the access they had to steal information.

Bottom line, we don’t really know what the NSA’s policy is about adding back doors to commercial products.

And the NSA is not saying.

You would think that if they were NOT doing it any more, they might be willing to say so, which leads me to assume that the new policy is “don’t get caught”.

You are going to have to figure this one out yourself.