
Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try to rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point Research published a report describing one failure where the Chinese figured out, one way or another, the bug we were using and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies that were compromised through Accellion’s decades-old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades-old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, and neither is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

Lawsuits Often Follow Ransomware

Last October Wilmington Surgical Associates was dealing with a ransomware attack.

Allegedly, the Netwalker ransomware group stole 13 gigabytes of data, which in today’s world easily fits on a flash drive, and leaked that data online.

The patients of the North Carolina clinic whose data was stolen and leaked are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…” 

Hackers often post “proof” that they have really stolen the data. In this case, the initial post leaked 3,702 files and 201 folders, which included both patient and employee data. Given the nature of the business, most of the data stolen was likely sensitive.

The clinic notified 114,00 people just before Christmas, likely within the legal notification timeline.

The lawsuit says that Wilmington Surgical inadequately protected the PHI and PII in their possession and maintained data in a reckless and negligent manner.

They also claim that the clinic failed to properly monitor its network, system and servers.

The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical to improve its data security systems, as well as submit to annual audits and provide adequate credit monitoring services at the provider’s expense.

While some of these suits are settled quietly, others come with multi-million dollar settlements. There have been a number of these lawsuits filed recently.

So here is my question for you. If you had a breach and the claim was similar to the quoted claim above, how would you, or could you, defend yourselves? Just asking.

Credit: Health IT Security

Supply Chain Risk in the Software Process

I have been talking a lot about supply chain risk lately, and there is a good reason. From open source products with backdoors, like Webmin or Rubygems, to NotPetya a few years ago, which shut down many companies around the world, to the recent attacks against SolarWinds or Centreon, supply chain attacks are running rampant.

There is a good reason for this – we have not, historically, paid enough attention to them, so they work very well.

Here is a new attack that works against the software development process.

Security researcher Alex Birsan posted a blog on February 9th that detailed how he used dependency (or namespace) confusion to push malicious proof-of-concept code into organizations like Microsoft, Apple, Tesla, Uber and others. It is not because these companies are stupid. They are not. It is because we are not paying enough attention to the problem.

The good news is that he is a good guy and wasn’t trying to take down the world.

I am not going into total-geek detail on why this attack works, but right after the vulnerability was announced, hundreds of copycats were released into the wild, and they are still being released – on the assumption that some companies will ignore or not understand the problem and remain vulnerable, potentially forever.

Not surprisingly, the root of the problem is the tradeoff between security and convenience.

The problem is that if the bad guys are sophisticated, developers will not detect the problem, because the malicious code won’t activate until a trigger event happens and all of the normal functionality works correctly.

The researcher who launched the test attack called the results simply astonishing. I don’t think the copycats were launching mock attacks.

For more details on how this attack works, read the article here.
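As an added defender-side check, not from the original post or from Birsan’s research, here is a small audit that assumes a pip-based Python build and a constructed “acme-” naming convention for internal packages: it flags the pip setting that lets a public package shadow an internal one and lists internal dependencies that are not hash-pinned.

```python
"""Dependency-confusion exposure check for a Python build (added example)."""
import configparser
import re

INTERNAL_PREFIX = "acme-"  # constructed convention: internal packages are "acme-*"


def audit_pip_conf(conf_text: str) -> list:
    """Return findings for a pip.conf body.

    extra-index-url merges a private index with public PyPI and pip installs
    the highest version offered by either, so a public upload under an internal
    name wins.  A single index-url pointing at a private proxy removes the choice.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    findings = []
    if not cfg.has_option("global", "index-url"):
        findings.append("no index-url: resolution falls back to public PyPI")
    if cfg.has_option("global", "extra-index-url"):
        findings.append("extra-index-url set: indexes are merged, highest version wins")
    return findings


def audit_requirements(req_text: str) -> list:
    """Return internal requirements with no --hash pin.

    A version pin alone does not help (the attacker can publish that version
    too); a hash pin only matches the artifact that was actually vetted.
    """
    unpinned = []
    for line in req_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comment or pip option line
        m = re.match(r"[A-Za-z0-9_.\-]+", line)
        if m and m.group(0).lower().startswith(INTERNAL_PREFIX) and "--hash=" not in line:
            unpinned.append(m.group(0))
    return unpinned


# Constructed samples: a weak pip.conf, its corrected form, and a requirements file.
WEAK_CONF = "[global]\nindex-url = https://pypi.org/simple\nextra-index-url = https://pypi.internal.example/simple\n"
FIXED_CONF = "[global]\nindex-url = https://pypi.internal.example/simple\n"
REQUIREMENTS = "requests==2.25.1\nacme-billing==1.4.0\nacme-auth==2.0.0 --hash=sha256:" + "0" * 64 + "\n"

if __name__ == "__main__":
    print(audit_pip_conf(WEAK_CONF))         # weak setting flagged
    print(audit_pip_conf(FIXED_CONF))        # []
    print(audit_requirements(REQUIREMENTS))  # ['acme-billing']
```

The same logic applies to any registry that merges public and private sources; the fix is always to resolve internal names from one private source only and pin what you vetted.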

Bloomberg Says China Adds Spy chips to Computers

In 2018 Bloomberg ran a story that claimed that China had embedded tiny microchips on Supermicro computer server processor boards in 2015. Everyone denied it – Supermicro, the intelligence community (IC), China.

Supply chain attacks seem to be everywhere these days and this is another one.

I don’t know if it is true, but why would Supermicro or China admit what was going on? The IC might know but might not want China to know how much they know and when they knew it.

While Bloomberg took a lot of heat for the story at the time, they never gave up on it and continued to investigate.

Well this week Bloomberg wrote chapter two of the story.

They are saying that China targeted Supermicro products for over a decade, that the IC was aware of it, and that they kept it quiet because they were studying it and trying to figure out how to counter it.

14 former law enforcement and IC sources confirmed the story to Bloomberg.

According to Bloomberg, the Pentagon detected the chip implant back in 2010. Intel detected that China had hacked it in 2014 and the FBI issued a private warning to multiple companies in 2015 telling them that China had planted a surprise inside their computers.

Bloomberg also says that the Feds got a FISA warrant in 2012 to surveil several Supermicro employees.

And of course, Supermicro issued a new denial.

Would you expect anything else?

Remember also that it is well documented that the NSA did hardware implants for years.

You get to figure it out.

However, I do recommend you dust off that vendor cyber risk management program and see if you are doing all that you can do. Credit: The Register

Is $100 Million Enough of a Reason to Improve Security?

SIM swapping is a hacking technique where hackers socially engineer cell phone providers into handing over a victim’s phone number. That means that the hackers get the victim’s text messages and phone calls.

While two factor authentication is not used by the majority of people, when it is used, the most common form is text messages. That means that if a hacker can hijack your phone number, he or she will get those text messages and, in combination with a stolen password, can compromise your bank account.

In this case, law enforcement in England, Scotland, Malta and Belgium, assisted by Europol, the US, and Canada, arrested ten kids (ages 18 to 26) for hijacking US celebrities’ phones in order to compromise their Bitcoin accounts.

Celebrities often have bad security because, well, they are celebrities and they don’t have to ….

Of course, now that their net worth is $100,000,000 lighter they might want to reconsider that theory.

For you and me, $100 is about my limit; maybe less.

There are plenty of alternatives to text messaging for your second factor, from the fancy end with RSA hardware tokens to the plain version of software tokens. Unless the hacker physically steals your phone while it is unlocked, any of these alternatives is better than text messages.

Now the next thing is to get providers to stop allowing you to do a password reset by sending you an email or a text message for the same reason.

Security or convenience, pick one. Credit: The Record

Beazley Insight on Breaches

Beazley is one of the largest cyber risk insurance providers in the country and publishes periodic reports on claims that they see. Here is a summary of what they saw.

Ransomware evolved during 2020, reaching new levels of complexity. Rather than getting an employee to click on something, they hack the network, install malware that is highly persistent, try to destroy your backups, steal your data and threaten to expose you.

Other than that, 2020 was just like 2019.

Beazley says that the cost of ransomware payments in 1H2020 was double what they paid in 1H2019. That is in line with their estimate that extortion demands in 2020 will wind up being double what they were in 2019.

The attacks are getting more sophisticated (the SolarWinds attackers were in there for a year, for example). Beazley says that, more often, hackers have access to the network prior to the ransomware attack: they figure out how to escalate the privileges that they have, they move throughout the network doing reconnaissance, and they figure out what data is there and where it is stored.

More importantly, often they steal (exfiltrate) the data, both to prove that they have access and to threaten the victim.

According to incident response firm Coveware, almost 50% of ransomware cases in Q3 2020 included the threat to release exfiltrated data, up from 22% in Q2. That is an amazing increase in just one quarter.

In one recent case, Beazley responded to a ransomware attack where the initial demand was a half million dollars. Using Beazley’s services they were able to lower the ransom to $50k and because their backups were hosed, they decided to pay.

Beazley points out that, if the hackers stole your data including PII or PHI, you may be legally required to notify the affected people. After all, you have no guarantee that the hackers will actually destroy the data if you pay the ransom and, in many cases, you may be dealing with several actors, some of which may have no role in your little agreement to pay money and destroy data.

While the article doesn’t say this, you also need to consider that the Treasury Department is putting pressure on organizations not to pay these ransoms by threatening to throw them in jail if they do. As a result, preventing attacks is likely the better long term strategy.

They wrap up the post with 7 great suggestions. If you are not already doing this, start now. Here is the abbreviated version:

  1. Conduct a risk assessment
  2. Set up strong controls on email content and delivery
  3. Manage access effectively
  4. Backups, backups and more backups (and make sure they are OFFline. Harder to hack that way)
  5. Educate users
  6. Patch systems and applications and
  7. Secure remote access

Beazley has more tips for its clients and if you don’t have cyber risk insurance, you need to reconsider that decision.

For more information, check out this link. Credit: Beazley