Category Archives: Hacks

Bluetooth Vulnerability Does Not Require Any User Interaction

Similar to the WiFi bug we reported on in July (see post), this Bluetooth bug does not require the user to interact with the hacker, to connect to an infected Bluetooth device, or anything like that.  All it requires is that Bluetooth is turned on in the device.

The good news, if there is any, is that this is not a hardware problem and it is not a protocol problem, it is a software implementation error.  A plain old bug.  Which means that it can be patched.

Of course, every COOL bug has to have a name;  this one is called BlueBorne.

ASSUMING that the manufacturer of your phone is still releasing patches for the model of phone that you have.  For example, most Android 4 and earlier users are not getting any patches, and many Android 5 users are not getting patches.  iPhone 4 users are not going to get patched, and this newest version of iOS will be the last patch release for the iPhone 5 and 5c.

And, this is not limited to phones.

While Apple has patched this bug in iOS 10 (so users of recently purchased iPhones are fine), Microsoft just released a Windows patch in July.  This means that Windows users are safe IF they are running on a supported version of Windows and have installed the July patch release.  Google says that the September patch release fixes the bug, but that has to wind its way through the manufacturer’s release process and then your carrier’s release process UNLESS you are using a Google Pixel phone, in which case you should already have the patch.  Linux teams are working on a patch, but that has not been released yet.

The bigger issue is all of those Internet of Things appliances from light bulbs to TVs that will likely NEVER be patched and will, therefore, always be an opportunity for a hacker.

Of course, as with all Bluetooth connections, the attacker has to be within 30-100 feet or so, depending on the equipment that the hacker is using.  That makes Starbucks a perfect place to launch an attack on unsuspecting users.

For those of you who do not have the patch yet, such as users of obsolete Android phones and Linux-based IoT devices, the only possible defense is to disable Bluetooth.  That may not be what you want to hear, but it will protect your device.

Information for this post came from Wired.

The Unpatchable Bug In All Modern Cars

We have seen a number of hacks of cars including the hack of a Jeep driving down the highway at 60 miles an hour – from miles away – on 60 Minutes, but now researchers have come up with a new attack – one that cannot be patched.

The CAN bus, or Controller Area Network bus, is the main communications highway in all cars built in at least the last 25 years.  The standard, designed in 1983 and in use since 1989, has not really changed very much since then.

In 1983 no one really worried about hackers so the bus has no security, no authentication and no encryption.

Today, almost every single car and light truck is controlled by the CAN buses in it.

Researchers from Trend Micro, Politecnico di Milano and Linklayer Labs discovered that you can overwhelm the bus with error messages.

Right now, today, the attack requires local access to your car.  That was the case with the Jeep attack – until attackers figured out how to do it remotely.

The attack injects error messages onto the bus, which can eventually cause devices like the anti-lock brake controller or the airbag system to go offline and deactivate.  Since almost all car functions, from the brakes to the engine control, are computerized and attached to one of the CAN buses, if you can cause those devices to go offline, you will disable those functions.

Worse yet, without redesigning the CAN bus protocol, there is very little remediation that car manufacturers can offer.  On top of that, it is UNLIKELY that any cars currently on the road will ever be fixed, because this is not a bug – it is, basically, a feature.

SO, next time you get into your car… Well, I am not sure what you can do.

Information for this post came from The Hacker News.

Who Turned Off The Lights?

The security firm Symantec is reporting that hackers have compromised energy companies in the U.S.  and Europe.

Well that sounds bad enough, but we have to ask the question “what do you mean when you say compromised?”

The answer is a little bit complicated.  Most energy companies, in a bid to make it tougher for hackers, isolate their operations network – the one that controls power generation and distribution – from the administrative network – the one where users get email and browse the web and such.

Except that life is never that clean.  The power companies, as part of their business, need to get data out of their operational network to manage the business, upgrade software and many other things, so the two networks are not really completely separate – but they do try hard.

Well, according to Symantec, in this case, when they say compromised, they mean that the hackers were into the network far enough that they could turn off your lights.

Symantec says that the group that they are calling Dragonfly is attacking energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry equipment providers.  Companies who were compromised were located in the United States, France, Spain, Italy, Germany, Turkey and Poland.

Assuming these hackers could really “flip the switches”, it would seem like they could do a LOT of damage.  And, depending on what they actually did, it could take a little time or a long time to fix.

Symantec says that this group is likely state sponsored.  Which state they aren’t saying, but I’m betting on Russia.

Symantec provides a lot of details on how the attack works, so if you are interested, go to the Symantec link below for more information.

You may remember that hackers – likely Russians – actually did turn off the lights in Ukraine in the dead of winter in 2015 and 2016.  It is not that far a stretch to think that hackers could do that to the U.S. energy industry.

Homeland Security has been working with the energy industry for the last several years to try and mitigate this threat and they probably have made some headway, but making headway and saying hackers can’t turn off the lights are two very different things.

Of course Homeland Security does not want the American public to panic, so they are going to try very hard to spin things into “this is not a problem;  we have it covered”.  If you believe that line, I have some land I want to sell you in the Florida Keys.

Unfortunately, there really isn’t a lot for the average bear to do.  You can’t fuss at the power company.  Well, you can, but they will likely call you a nut case.

Being knowledgeable on the situation and providing input when possible is a reasonable course of action.  Panicking is not.

I wish I had a better answer, but I don’t.

Information for this post came from Symantec and Wired.

Patching IoT Gets Out of Hand

In what may be the first event of its kind, the FDA recalled a pacemaker from St. Jude, now owned by Abbott Labs.

Researchers discovered the flaws prior to Abbott’s acquisition of St. Jude and reported them to both the FDA and St. Jude.  Both decided to do nothing about it until the researchers went public.

In April of this year, the FDA put out a “warning” – also likely a first of its kind – that the devices, which can be controlled remotely, were likely hackable and also had a battery problem that could cause them to go dead – possibly along with the patient – before they were supposed to.  At that time Abbott said that they took security seriously and had fixed all the problems (see Fox Business).

Fast forward to this week and the FDA has now issued a recall of close to a half million of the supposedly fixed devices.

Since the devices are implanted inside people, the plan is NOT to perform a half million surgeries to remove them, but rather for patients to go to their doctor to have the firmware in the device updated.

As I recall, one of the problems WAS this update capability.  The researchers were able, I think, to buy pacemaker programmers on eBay and reprogram any pacemaker from that manufacturer without authentication.  All they had to do was be in radio range of it.

Obviously, being able to reprogram the pacemaker (which has to be done in a facility that can control a patient’s heart rhythm while the pacemaker is being hacked.  Err, patched.  Err, upgraded) is a LOT safer than a half million surgeries, but still it is not without risk.

No clue what the cost of this little adventure will be, but it won’t be cheap.  Even if each doctor visit costs a hundred bucks – which is highly unlikely – that would still be a cost of $50 million.  If the cost is $500, then the total would likely be in the $250 to $500 million range when you add legal fees, fines and support costs.

One other interesting feature.  The researchers approached St. Jude about paying them a bug bounty, which is common in the tech world, and St. Jude decided not to.  Instead, the researchers approached Muddy Waters Capital, who sold the stock short and then announced the vulnerabilities.  When the stock price went down, which it did, Muddy Waters covered their short sale and made out very nicely.  Muddy Waters and the researchers had a deal to do some sort of split of the profits.  There were some people who thought that was a bit too capitalistic, but it is not illegal.  Maybe next time the company will work with the researchers when they approach them.

Information for this post came from The Guardian.

Industrial Espionage – Much Worse Than Credit Card Breaches

General Keith Alexander, former director of the National Security Agency, said that cyber espionage is the greatest transfer of wealth in history.  In 2012, when he made that statement, the value of cyber industrial espionage on an annual basis was $338 billion.  Per year.  5 years later I am sure that number is greater.

Of course industrial espionage is not new.  In the early 18th century John Lombe, a British silk spinner, went to Italy to steal the technology of an Italian company.  At night, by candlelight, he sketched drawings of the machines of the Italian company he had managed to get a job with.  He returned to England with the stolen technology and built a better machine to compete with the Italians.  Industrial espionage is not new.

What is new is the ease with which this can be done.  With everything being connected, you can now steal secrets from half way around the world.  And with cyber security practices at many businesses being a bit lax (there are a few industries for which this is not the case, but they are the exception), it is pretty easy to do.  Even defense, which you would think would be secure, is not.  Lockheed lost the technology for the F-35, and now the Chinese make a knockoff and sell it at a fraction of the price.

Unlike credit card or personal information theft which is required to be disclosed, for the most part, stolen intellectual property is kept quiet.  It is embarrassing and would likely make stockholders upset.  What they don’t know won’t hurt them.

As the manufacturing process becomes more computerized, it is a huge leak opportunity.  Traditional IT security solutions sometimes don’t work on the factory floor.  Crooks know that and attack at that weak spot. In the absence of controls, detection and good processes, the crime will go undetected.

Fast forward a couple of centuries.

6 men in Houston were arrested for stealing technology for creating marine foam.  China wanted to increase its marine business, and this foam is used in building boats due to its special buoyancy.

The Chinese, like John Lombe above, spent years weaseling their way into the company in Houston that makes this.  The crooks sent the info back to China, who then had the gall to try to sell it back to the company they stole it from, saying they could make it for less.

In the process of stealing the information, they kept coming back to the insiders in the U.S. to get more information when their efforts at cloning the process were not working.

Now, except for one guy who is in China, they are all under arrest.  BUT, the technology has already been stolen, so it is not clear how this company can get the genie back in the bottle.  Not clear at all.

Supposedly, this information that was stolen was only known to about a half dozen employees in this company – it was the company’s crown jewels and now the cat is out of the bag.

The company considered buying the stuff from the Chinese knockoff IF the Chinese would give them an exclusive.  SO, rather than go public and be outed, they proposed making a deal with the devil.

When the Chinese started offering this U.S. company’s technology to other companies in the U.S., the company called in the FBI.  That started an investigation and, eventually, the arrest of these 6 engineers. FOUR years later.

Unfortunately, this is one of, likely, thousands of incidents.  Stopping one will NOT stop the hackers.  They just consider that an acceptable loss or collateral damage to the bigger game.

And American companies continue to ignore the warning signs (because, in many cases, there are no warning signs because the companies who got hacked keep the attack quiet).

Think about what happens to your company if you lose control of your intellectual property, whatever that is.

Information for this post came from IIoT World and the Houston Chronicle.

Business Email Compromise Attacks Are Not Always Sophisticated

Business email compromise (BEC) attacks are relentlessly attacking businesses with no let-up in sight.  BEC attacks have traditionally used CEOs and CFOs as their foils, pretending to be them and getting people to wire money to the hackers.

The oil and gas industry was targeted by a single individual using old generic malware readily available online and scraping companies’ web sites for email addresses.  It doesn’t always require a sophisticated plan of attack.

One guy in his 20s targeting 4,000 organizations using a few fake Yahoo email addresses was all it took in this case. Over a few months he successfully attacked a few large companies, getting away with a lot of money.

According to Cisco’s midyear cybersecurity report, over the last 3 years, businesses lost over $5 billion.  Likely, this number is low because a lot of companies don’t want to let customers know that they were hacked – possibly by a lone hacker using obsolete software and no infrastructure to support him.

One industry that is being hammered is the real estate industry.  For the most part, industry members don’t like talking about it, but every now and then we do hear stories.  One group that is often targeted is real estate agents.  These people are often one person organizations with limited technical support and, in many cases, not technically sophisticated.  And, they act as trusted intermediaries between all the parties to the transaction.  My recommendation to real estate agents is to not get in the middle of the finances and make that clear to the parties.  Otherwise they will potentially wind up in the middle of a lawsuit just for trying to help out.

In one example, a real estate agent got an email from a person claiming to be looking for a house.  The scammer then sent a link in another email to the agent, claiming that the link was a bank mortgage pre-approval letter.  In fact, it was an attempt to steal the agent’s email password.  If successful, the attacker could then silently read all of the agent’s emails.

As soon as the hacker sees an exchange with information about wiring funds, they can inject their own emails changing those instructions and wiring money to them.
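One defensive way to triage the pattern described above (an executive's name on a free webmail address, talk of wiring funds) before the mail reaches a finance mailbox, as an added example that is not part of the original post; the executive directory, the webmail domain list and the three sample messages are constructed assumptions:

```python
"""Heuristic BEC triage: flag mail where an executive's display name arrives
from an address other than the real one, where the sender uses a free webmail
domain, and where the body talks about wiring funds.  Added example, not code
from the original post; executives, webmail domains and samples are assumed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed directory of executives whose names BEC actors borrow.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Assumed free webmail providers an executive would not mail from.
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "outlook.com"}
WIRE_RE = re.compile(r"\b(wire|wiring|routing number|bank account|transfer)\b", re.I)

IMPERSONATION = "executive display name from unexpected address"
WEBMAIL = "sender on free webmail domain"
WIRE = "mentions wiring funds"

def triage(raw_message):
    """Return the list of findings for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(IMPERSONATION)
    if domain in FREE_WEBMAIL:
        findings.append(WEBMAIL)
    if WIRE_RE.search(body):
        findings.append(WIRE)
    return findings

def is_suspicious(raw_message):
    """Impersonation alone, or webmail plus wire talk, is enough to hold the mail;
    a customer writing from webmail about a pre-approval letter is not."""
    found = set(triage(raw_message))
    return IMPERSONATION in found or {WEBMAIL, WIRE} <= found

# Constructed sample messages, not real mail.
SAMPLE_BEC = ("From: Jane Doe <jane.doe.ceo@yahoo.com>\n"
              "Subject: Urgent payment\n\n"
              "Please wire $48,000 to the new vendor account today.\n")
SAMPLE_CUSTOMER = ("From: Bob Buyer <bob.buyer@yahoo.com>\n"
                   "Subject: Pre-approval letter\n\n"
                   "Attached is my mortgage pre-approval letter from the bank.\n")
SAMPLE_OK = ("From: Jane Doe <jane.doe@example-corp.com>\n"
             "Subject: Friday\n\n"
             "Reminder: the team lunch is on Friday.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_CUSTOMER, SAMPLE_OK):
        print(is_suspicious(sample), triage(sample))
```

A hit on the webmail rule alone is deliberately not enough, since agents legitimately receive mail from customers on those domains; it is the combination with an executive's name or with wire instructions that warrants a phone call before any money moves.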

We have seen multiple cases where the money lost was well over a hundred thousand dollars in each case.  For a company with the right kind of insurance, this loss is a pain, but it is manageable.  We know of one local company that lost close to $150,000 because they did not have the right insurance coverage.

For homeowners who are either buying or selling a house, they have no insurance, and the real estate agent or title company likely has zero liability for giving you back the money.  It is possible that they might have insurance coverage, but it depends a lot on exactly how the attack worked.

If the company does not have the right kind of insurance and they don’t have the funds to reimburse the buyer or seller, that company will likely face a lawsuit and may go out of business.  For real estate agents, that could be a judgement against them and bankruptcy.

We always tell people that they need to have the right kind of cyber insurance and the Cisco report gives 5 billion reasons why.

It is important to understand exactly what insurance coverage you do have and we strongly recommend that our customers seek out the advice of a cyber insurance knowledgeable insurance agent before purchasing cyber risk insurance.  Unfortunately, many agents who sell cyber insurance do not have the training needed to take care of the customer.  They are not bad people, just people who need more training before selling an insurance product that can be very complicated.

Information for this post came from Dark Reading.