Category Archives: Hacks

Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and via WiFi to the Internet.  Neither of those channels are terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack.  The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet.  That is not as cheap, easy or pretty as doing it via WiFi.  If you send that command, the camera will keep getting kicked off or really will never get back online.  The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather it just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving and since kicking the camera off WiFi would also disable the lock since it piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk and Amazon plans to issue a patch, although a deauth is a valid thing to do. Maybe they will generate an alert.

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

The Active Cyber Defense Certainty Act – What COULD Go Wrong

Most of the time we feel pretty helpless when it comes to going after hackers.  There is a good reason for that  – for the most part, we are helpless.  The hackers operate under their own rules and law enforcement really isn’t equipped to deal with them.  It is hard enough for the cops to catch burglars and murderers (how many of those cases go unsolved every year), but when it comes to cyber crimes, I would hazard a guess that 999 out of every 1,000 go unsolved.

Enter ACDC, the Active Cyber Defense Certainty Act.  This bill would allow businesses, within certain parameters to hack back at the hackers to destroy stolen information and try to unmask the hackers as long as they don’t do damage.

There was a recent case where this was tried with no success and I think this is going to be the normal situation – no success.

London Bridge Plastic Surgery is a high end plastic surgery practice in England – they do plastic surgery on the rich and the famous, including the Royals.   They were hacked and the hackers shared graphic photos of their patients with the media.  So far, I don’t think they have published those photos.

Apparently, the chief surgeon fancies himself a bit of an amateur hacker and sent the hackers a word document with a link to a file on their server with the hopes of getting the hacker’s IP address from this.

Not surprisingly, the hackers detected this attempt and publicly scolded the doctor who said that he didn’t do it.  The hackers now say that they are going to punish the doctor for attempting to uncover them, although they have not said what that might be.

In the end, you run the risk of upsetting folks who may have backdoors into your system and, in this case, claim to have terabytes of your sensitive data, which they could easily dump on the web.

So if ACDC passes and you choose to hack the hackers, understand that the hackers might be smarter than you and there could be serious consequences for you, your company, your data and your clients.

On the other hand, if you think you are smarter than the hackers then why were they able to hack you?

Information for this post came from The Daily Beast.

Facebooktwitterredditlinkedinmailby feather

Hackers Fool iPhone FaceID for $150

It usually doesn’t take very long.  Whether it is fooling the fingerprint reader or jailbreaking an iPhone, it often comes within hours of a new device or software release.  Maybe, in this case, it says that Apple did good because it took a week to break Face ID.

On the other hand, it only took about $150 to do it.

Wired spent thousands trying to create 3D masks and were unable to fool it,  but some hackers in Vietnam it on a budget.

In Apple’s defense, they did have to spend about 5 minutes videoing the subject to get good data, but if you are going after a politician or a celebrity, getting 5 minutes of HiDef video will not be a problem.

The first thing they did is take the video and make a 3D printed frame for the attack.

Next they added a silicon nose.

Finally, they 2D printed (like on a piece of paper) the user’s eyes and attached them to the mask,

In the demo, when they uncovered the mask, the iPhone X unlocked.

So much for security on your $1,000 phone.

Probably, for the average person, the level of security FaceID provides is adequate.

But remember, the iPhone X is a status symbol, not a phone.  Who is going to buy them are business executives on expense accounts and politicians using other people’s money.   Those are great targets for the bad guys and worth, for sure, spending $150 to compromise their phone.

In fairness to Apple, the researchers have not revealed enough details to enable people to recreate this.

In fairness to the researchers, they have presented previous hacks of Lenovo and Toshiba facial recognition at Black Hat.

So, depending on your level of concern regarding the security of your phone, a good old password is likely best.  Make it reasonably long and avoid the glitz.

For the billionaires who buy an iPhone X, you might want to reconsider your proclivity for convenience over security and steer clear of FaceID.

Your call.

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hordes security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for the American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.

Facebooktwitterredditlinkedinmailby feather

The Cost of Cyber Breaches

Earlier this week Merck said that the NotPetya is going to cost them and the numbers are staggering.

In last Friday’s earnings call Merck said that NotPetya has impacted third quarter results to the tune of around $300 million.  That includes $135 million in lost sales and $175 million in costs.

But that is not all.  They also said that they anticipate a similar impact to revenue and costs in the fourth quarter.

That means in just this year alone, it could cost Merck $600 million plus. It is likely that the costs will not end with the turning of the calendar page to January.

Also likely is that they have cyber insurance, but that might pay $100 million and could be a whole lot less than that.  That could leave Merck with having to write a check for a half billion dollars. Or more!

Moving on to the Wannacry attack, The Guardian is reporting that hackers moved 108,000 British Pounds out of a few Bitcoin wallets that people paid ransoms into.  Note that this is not what it cost people to deal with Wannacry, but rather what they paid the attackers.

Since Bitcoin is not anonymous (in fact it is anything but, which is why, months later, we know exactly each and every withdrawal from the Bitcoin wallet virtually instantly), the police are tracking those transactions and may be able to figure out who is moving the money.

As the British Health Services (NHS) are doing an after attack review from Wannacry, the story that is coming out is that they could have avoided the attack if they had implemented basic cyber security practices.

As far back as 2014 the Department of Health and the Cabinet told NHS that they needed a robust plan to migrate away from old software (like Windows XP) and in March and April 2017 (a month or two before the attack) NHS Digital issued a critical alert for NHS organizations to install the patches needed to stop Wannacry in its tracks.  Those patches were not installed.  NHS blamed cost cutting measures from reducing resources needed to manage their systems.

NHS Digital had conducted on site assessments of 88 out of 236 of the health trusts in England.

NONE PASSED.

But NHS Digital has no enforcement powers to make anybody fix the problems.

Bottom line is that these attacks can be tremendously costly and in many cases, simple measures would have mitigated the attacks, possibly completely.

Information for this post came from Tech Republic, The Guardian  and another Guardian article.

Facebooktwitterredditlinkedinmailby feather

Another International Law Firm Hacked

You might think that after the Panama Papers breach in which the law firm of Mossack Fonseca was hacked and 11 million documents exposed – including ones that forced the prime minister of Iceland to resign and the prime minister of Pakistan to be removed from office – that law firms around the world would have stepped up their cyber security efforts.

I am sure that some have improved their security while others have made minor efforts to improve it, but it is not working.  Until clients of these same law firms start conducting frequent cyber security audits of those firms, it is unlikely that significant changes will be made in the industry.

Remember that security and convenience oppose each other and security costs money.  If their clients are not demanding that they spend money on security, they likely will spend that money elsewhere.

So what is this week’s news?

The Bermuda based law firm Appleby, with 10 offices around the world and around 470 staffers admitted this week that they had been hacked.   The hack, they said, occurred last year.  That hack was not disclosed at the time and legally they were probably not required to do so. The only reason they are talking about it now is that the international investigative journalist group ICIJ was given at least some of the documents and has been pouring through them and asking embarrassing questions.

Apparently, clients of the firm include the rich and the famous, especially in Britain, possibly including some Royals.  While the firm says that try to do things lawfully, “no one is perfect”.  Whether what the two prime ministers who were exposed in the Panama Papers breach were doing things legally or not, the court of public opinion didn’t think what they were doing was appropriate.

When members of the rich and the famous get exposed doing things that may be legal or may be shady or may be perceived as illegal by the masses, that is not good for their public image.

The apparent threat that these documents are now going to be published probably scared the poop out some of the firm’s clients, which forced them to admit the breach.

This brings us to an important point.  In the United States (and the firm has no offices in the U.S.; their offices are mostly in tax havens), companies that are hacked are required to disclose that fact ONLY UNDER SOME, LIMITED, CIRCUMSTANCES.  If personally identifiable health care information is breached, if payment card information is breached and if non-public personal information as defined in the various state’s laws is breached, for example – then, assuming the data wasn’t encrypted, etc. etc. – the companies have to fess up to the breach.

If, however, if the breach did not expose that kind of information  – say it exposed your company’s not yet filed patent applications or information regarding a merger or information regarding an off-shore business transaction – then maybe that information does not have to be disclosed – either publicly or even to the client.

For U.S. based law firms, the American Bar Association has created model ethics clauses for states to adopt – some have been adopted and  others not – that says that attorneys should try to protect client information, but the wording is a bit loose.

As a client of a law firm, your CONTRACT with that firm can certainly be a tight as the two parties agree for it to be (assuming the terms are legal, of course).  You, as a client of a law firm, for example, can say that if you want me as a customer then if you suffer a breach and my information is exposed, then you must notify me within, say 72 hours.  That would put the onus on the law firm.  For small clients that is a difficult issue to force.  For larger clients, it is less difficult.  That doesn’t mean that lawyers, as good negotiators, won’t try to make the terms more favorable to them and you can’t blame them for wanting to do that.  Still, you have a say in the matter and you can always choose to find another firm.  There are lots of law firms in the country.

While there are probably thousands of clients of the Appleby law firm that are currently holding their breath, this, along with the multiple other law firms that have been hacked, should act as a wake-up call to clients to push their law firms to improve security.

I would think that most reputable law firms REALLY don’t want to have their client’s information compromised, independent of ethics rules or client contracts, but security is both inconvenient and expensive.

However, so is being hacked,  as is having your name dragged through the mud and losing clients.

Since many of the largest breaches in the U.S. are the result of vendors being hacked (think Target or Office of Personnel Management, for example), we work with clients to create a vendor cyber risk management program to tighten up the parameters of their vendor contracts and cyber security programs.

Stay tuned; there is likely to be more fallout from this breach.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather