Category Archives: Hacks

This IoT Hack Could Kill You Literally

Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.

The researchers took real CT lung scans and let their malware modify the scans.  In the cases where the researchers created fake cancerous nodes, the radiologists who read the scan diagnosed cancer 99% of the time, even though the scan were actually clean.

After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.

In addition to lung scans, the malware would work on brain tumors, heart disease, blood clots, spinal injuries and other situations.

This concept could also mask cancer, causing the doctors to not diagnose cancer when cancer was present,

The researchers said that this technique could also be used to fake clinical trials one way or the other.

This particular hack works because the CT scans are not digitally signed by the scanner to stop them from being modified in transit and they are not encrypted in the back-end image store called the picture archiving and communications system (PACS).

These poor security practices of the IoT device manufacturers could lead to people dying due to compromised diagnostic tests.

Granted it seems like a hard attack to execute, but if it is a high value target for some reason, such as a clinical trial, for example, well, then, all bets are off.  Is it the vendor conducting the trials that wants the results to look better or is it a competitor that wants to derail the trial?  After all, if a competitor can get a trial derailed, it could  mean a lot of money in the pocket of the competitor either for a new competing drug or an old drug that has extra life.

This, of course, is just one example of how an IoT device could be hacked.  In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?

Source: the Washington Post.

Facebooktwitterredditlinkedinmailby feather

Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, it is a good launchpad for attacks against their customers.

When Brian (Krebs) reached out to Wipro communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company,  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors. 

What they have not said yet (and I am sure that it will come out) is which of Wipro’s customers the attackers went after and were those attacks successful.  I bet that at least some of them were.   Source: Economic Times of India.

Facebooktwitterredditlinkedinmailby feather

Hacker Well On His Way to Publishing ONE BILLION User Records

While some people say that you can’t prove that people have been harmed by lax cybersecurity practices, the laws are making it more expensive for companies to believe this.  Fines in the hundreds of thousands, millions and even billions of dollars are happening.  So whether companies believe cybersecurity is an issue or not, their wallets are suggesting that they need to make improvements.

To encourage that, one hacker who goes by the handle GnosticPlayer is making it a one man mission to make life miserable for businesses with weak security.

Until this week he has made 4 dumps of data –

  • round one contained 620 million records
  • round two contained 127 million records
  • round three contained 93 million records and
  • round four contained 26.5 million records.

This brought the total to over 850 million records,

Until this week.

Round five contains 65 million records from 6 companies, bringing the total to over 900 million records.

In case you are questioning whether this is a business, apparently the data is available, sorted by category.  For a “fee”.  In Bitcoin.

Stolen email addresses are sold to spam networks,

Financial details are sold to groups that specialize in tax fraud and online fraud.

Usernames and passwords are sold to groups that specialize in credential stuffing (the technique of taking a million userids and passwords, throwing them at a web site and seeing which ones work).

The hacker is selling his data on Dream Market, a pretty public dark web marketplace.  He does not appear to be very shy about publicity, so my guess is that he is not in a country friendly to the U.S.

For businesses and consumers, this means that your information is being used against you.  

Credential stuffing allows hackers to attempt to hack your bank account and empty it.  Is that important to you?

Tax fraud means that your tax return will be rejected by the IRS and you will not get the refund that you are owed.

Other attacks might mean that you will lose access to your email account or other accounts.

So unless you think that the issues above are not important to you or your customers, you need to work hard to improve your business’ and personal cybersecurity hygiene.   

Source: ZDNet.

 

Facebooktwitterredditlinkedinmailby feather

The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today,  is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  No so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of  help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year’s budget.  The FBI has 1,981 employees involved in cyber investigations.  Assuming the FBI has 56 field offices and not counting all the satellite offices, that means that the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017 and probably 10 times that many which people didn’t even bother to report.

Given that most of these crimes involve foreign countries and therefore  reams of paperwork, if you ever do get cooperation,  they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn double or more what they would make at the FBI in private industry, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks,  This is a very different skill.  You don’t send someone to a one day class and make their a cyber expert.

Source: Government Computer News.

Facebooktwitterredditlinkedinmailby feather

Who *IS* Going to Rescue Us

It is old news that Jeff Bezos was caught cheating on his (soon to be ex-) wife.  That isn’t terribly unique news.  Powerful men seem to do that a lot.  At this point it is still somewhat murky as to how AMI, parent of the National Enquirer, obtained pictures that Jeff shared with his girlfriend.

It is certainly possible, as AMI claims, that they got them from the brother of Bezos’ girlfriend, Lauren Sanchez.  It is not clear why he might have done that.  Possibly he didn’t like the situation.  Possibly, they offered him a suitcase full of cash.  Surely he must have known that would not enhance his relationship with his sister.  Maybe he didn’t care.  Maybe he didn’t even like her.  Who knows.

That gossip is not terribly interesting in the big picture.

There is, however, an aspect of the story that we should all be concerned with.

Bezos, having a few billion here and there, even after going 50/50 with his soon to be ex, hired an investigator to figure out how AMI got those compromising pics.  In case you don’t keep up with the gossip, the pictures included parts of Jeff’s body that most people do not expose to the sun.

The investigator wrote an opinion piece for the Daily Beast saying it was the work of the Saudis.  I certainly don’t know if this is true or not.  Certainly the Saudis don’t like Bezos must since the newspaper he owns, the Washington Post, said that the Saudi Crown Prince was responsible for killing and dismembering a journalist, Jamal Khashoggi.  Whether you think that Khashoggi was innocent or not, people generally don’t like the idea of ordering hits on people and then cutting those people up and stuffing their body parts into diplomatic pouches to get them out of the country.

We could debate for a long time the merits of all of the above, that is not the point of this piece.

Lets assume for the moment that we reliably believe that the Saudis did hack either Bezos’ or Sanchez’ cell phones, steal the photos and give them to AMI.  This is an assumption, not a fact, but something we need to agree for the moment is possible.

Lets assume as an alternate, that some other government that we have a love-hate relationship hacked into some U.S. company for reasons of their own and either stole stuff or did some damage.  An example of this is Sony and North Korea, but that is not a good example because we have a hate-hate relationship with them and not a love-hate relationship.

All of the above is just a setup for what follows.

What should we expect the U.S. government to do about it?

After all, we hack the crap out of anyone that we can – right? – NSA, CIA and other TLAs (three letter agencies).

Should the government retaliate?  Lets assume for the moment that Trump and Bezos didn’t have one of those hate-hate relationships that they do have.  Should the White House launch an attack on another nation?

This is a real question that Trump has had to deal with and the supposed reason for the China Tariffs.  It is possible that the tariffs may have some long term effect on China’s hacking of us. Short term, it seems to have increased their hacking, but long term – who knows.

We do know in the short term it is costing U.S. companies billions, most of which will be passed on to U.S, consumers in the form of higher prices and slower growth.  The auto industry says that it is causing them to lay off tens of thousands of employees.

But still, stay tuned.

China is not a good example either because what China is doing is very widespread, not targeted like going after one person or one company.

So what should we expect our government to do in cases like this?

In the aggregate, hacking is costing companies more than a half trillion dollars a year globally.  That is real money.  It is bigger than the GDP of many countries.

Realistically, individual companies do not  have the ability to keep out a determined nation state actor.  Not if they are targeted and motivated (that represents, maybe, one tenth of one percent of all of the attacks, probably much less than that).

What is also true that many small companies may become collateral damage from attacks – either by regular hackers or nation states, but not the target.  A perfect example of that is WannaCry that devastated companies across Europe who were not the target of the attackers.

Here is the bad news.

My opinion is (which along with about $4.95 will buy you an average cup of coffee at a well known coffee chain – probably a small cup) that 99+% of the time – unless you are a Sony and go up in flames – the government is not only not going to do anything to protect you or retaliate, but they are not even going to notice that you have been attacked.

The FBI gets thousands of reports of attacks a week.  In 2017, the FBI got more than 300,000 reports.  That is more than 800 reports a day, including Saturdays and Sundays.  The FBI has, as I recall, around 14,000 actual agents who are responsible for all manner of crimes including murder, kidnapping and terrorism.  How many of those 800 reports a day do you think they can respond to?

In fairness, they will cherry pick a few.   Maybe 5 out of 800 a day.  I don’t know.  Probably less.

Bottom line – you are going to be responsible for yourself.

Realistically, this means that you have to do your best to keep the bad guys out and be ready to deal with it when the bad guys win a particular battle.

You are not going to like this analogy, but after 9-11, we stood up the TSA.  Whether you think they are wonderful or buffoons, we spend almost $8 BILLION dollars a year in that one agency just trying to keep the bad guys at bay.  Based on published reports, something like 50% of guns screened by TSA get through the checkpoints, more at some airports, less at others.  Luckily, those guns do not appear to be owned by active terrorists.

From the TSA’s standpoint, while they would like to prevent another 9-11, and the director of the TSA would likely be fired if there was another one, for the rank and file, they are just doing their job.  There is not much financial consequence to the 40,000 plus employees of the TSA if another 9-11 happens.  In fact, it is likely to reinforce their job prospects unless we decide to shut down all of the airlines permanently.  Or make you travel naked with no luggage.

From your standpoint, if you suffer an attack – ransomware, theft of intellectual property, destruction of your factory like happened recently with a German steel mill, that is costing you real money, real business, real jobs.  It is very personal for you.  Norsk Hydro lost $40 million in the first week after their ransomware attack.

This means that you need to actively work to make it harder for the bad guys damage you.

For you, this means, time, energy, people and yes, money.  Sorry.

This is one case where the government can’t fix it, even if they try.

Source: The Cybersecurity 202.

Facebooktwitterredditlinkedinmailby feather

Security News bites for the Week Ending March 15, 2019

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county population is 67,000 according to Google.  While hackers may not be explicitly targeting these small municipalities, they may be.  After all, small municipalities likely have poor cybersecurity practices and are likely to be willing to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

Who gets to pay the price of their poor security practices, unfortunately, are the county residents.  The county budget for 2017 was about $40 million, so a $400k hit represents about one percent of the total annual county budget.  There is no indication that the county had any insurance.  In addition to the actual ransom, the county hired a consultant, had downtime and is in the process of recovering from the outage.  Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, the vast majority of them are small and with no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid.  Source: Bleeping Computer.

 

Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a  very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure.   Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security but nothing is perfect.  There are many methods of two-factor authentication, including a phone call and a text message.

Now Google will allow Corporate G-Suite administrators to disable less secure two-factor methods if they choose to (a feature that Microsoft Office has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to either use the Google Authenticator App or a Yubi Key as the only approved second factor, you can do that.  MUCH – repeat MUCH – more secure.  Source: Bleeping Computer.

 

App 63red Security Lacking;  Developer Threatens Messenger

63red, an app that was developed by conservative news site 63Red Safe, is supposed to provide a directory of places that were safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher discovered that the security of the app was less than perfect.  Inside the code of the app the researcher found the developer’s email, password and username in plain text,  Also, there was no security in the app’s API and other security issues.

Developers react differently to being told their app is not secure. In this case the developer reported there was no breach, no data changed, minor problem fixed.  The first two statements are accurate but misleading.  He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was look at the source code and then use what was in the code to test the security.  Theoretically, that could be considered exceeding your permissions under the Computer Fraud and Abuse Act, but there are specific exceptions for security research.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground.  Sources:  The Daily Beast and Ars Technica.

Facebooktwitterredditlinkedinmailby feather