Category Archives: Hacks

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where your data is stored.  Source: UK Computing
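The practical lesson from this story is to know whether any bucket you own is world-readable. The script below is an added example for this post, not code from the article or from vpnMentor: it evaluates the three JSON documents an auditor would export with `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, and combines them the way S3 does (a public ACL grant only matters when IgnorePublicAcls is off, a public policy only when RestrictPublicBuckets is off). The bucket names, owner ID and sample documents are constructed.

```python
"""Offline check for publicly exposed S3 buckets.

Added example for this post, not from the article or from vpnMentor. It
evaluates saved JSON from `aws s3api get-bucket-acl`, `get-bucket-policy`
and `get-public-access-block`. The sample documents below are constructed.
"""
import json

# Grantee URIs that make an ACL grant world-readable (real AWS values).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if any ACL grant targets AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def policy_is_public(policy):
    """True if an Allow statement names a wildcard principal.

    Deliberately conservative: a Condition block may narrow the statement,
    but a human should still review every wildcard Allow.
    """
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") in ("*", ["*"])):
            return True
    return False


def assess_bucket(name, acl, policy=None, pab=None):
    """Combine the grants with Block Public Access to decide real exposure.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public bucket policies, so a public grant only counts when
    the matching block setting is off.
    """
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    acl_exposed = acl_is_public(acl) and not cfg.get("IgnorePublicAcls", False)
    policy_exposed = policy_is_public(policy) and not cfg.get("RestrictPublicBuckets", False)
    missing = [k for k in BLOCK_SETTINGS if not cfg.get(k, False)]
    findings = []
    if acl_exposed:
        findings.append("ACL grants access to a global group and IgnorePublicAcls is off")
    if policy_exposed:
        findings.append("bucket policy allows a wildcard principal and RestrictPublicBuckets is off")
    if missing:
        findings.append("Block Public Access settings off: " + ", ".join(missing))
    return {"bucket": name, "exposed": acl_exposed or policy_exposed, "findings": findings}


# Constructed sample documents (shape matches the AWS CLI JSON output).
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::hr-archive-example/*"},
]}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_SETTINGS}}

if __name__ == "__main__":
    for args in (("hr-archive-example", EXPOSED_ACL, None, None),
                 ("hr-archive-example", EXPOSED_ACL, PUBLIC_POLICY, FULL_BLOCK),
                 ("payroll-example", PRIVATE_ACL, None, FULL_BLOCK)):
        print(json.dumps(assess_bucket(*args), indent=2))
```

Running it on the constructed documents reports the first bucket as exposed (public READ grant, no block), the second as not exposed even though both a public ACL and a wildcard policy are present, because all four Block Public Access settings are on, and the third as clean. Turning the account-level Block Public Access on is the single setting that would have made the orphaned bucket in the story unreachable regardless of who still administers it.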


Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack.  Backups are no longer sufficient. Source: Bleeping Computer


The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR and the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and that Travelex was said to be negotiating with them).  When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down. Travelex is still saying that they have not seen evidence that customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet


Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source: SC Magazine


Telcos Not Doing Good at Preventing SIM Swap Attacks

A SIM is the (usually) hardware card that gives your phone its “personality”.  The SIM is tied to the carrier and contains all the information that the phone needs to talk to your carrier.

As users SLOOOOWLY migrate to using text messages as an extra layer of authentication for logging in to a variety of online accounts, hackers need to figure out how to compromise that.

One way to do that is to tell your carrier that you have a new SIM (typically a new phone).  If the hacker is successful, then all of the text messages that are destined for you (which may include password reset messages for things like your email or your bank account) will go to the hacker, along with all of the money in your bank account.

In theory phone carriers are not supposed to do a “SIM swap” unless they know the request is coming from you.

But they want to be customer friendly and that is sometimes a challenge when it comes to security.

Recently some Princeton researchers did a test of five major phone carriers – AT&T, T-Mobile US, Tracfone, US Mobile and Verizon – and wrote a study regarding the carriers’ authentication procedures.  The results were:

  • AT&T – 10 out of 10 fraudulent swaps successful
  • T-Mobile US – 10 out of 10 fraudulent swaps successful
  • Tracfone – 6 out of 10 fraudulent swaps successful
  • US Mobile – 3 out of 10 fraudulent swaps successful
  • Verizon – 10 out of 10 fraudulent swaps successful

The problem is that the carriers want to make the process simple for their staff so they ask for secret information only you would know – like your address or email or date of birth.  Not so secret.

Sometimes they will try to send a one time password to your phone but if you say that your phone isn’t working, they often give up.
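To make the difference between those procedures concrete, here is an added example (mine, not code from the article, from the Princeton study or from any carrier) that runs one fraudulent SIM-change request through a weak policy modelled on what the study describes and through a hardened one that never falls back to knowledge questions. It also includes the relying-party side of the problem: a service that sends password resets by SMS can refuse to do so when the SIM behind the number changed very recently. The account identifier, evidence names, cooling-off periods and the request itself are constructed; the SIM-change timestamp is passed in directly rather than fetched from a carrier lookup API so the code runs offline.

```python
"""Two SIM-change authentication policies run against the same request.

Added example, not code from the article, the Princeton study or any
carrier. The weak policy reproduces the pattern the study describes:
knowledge questions anyone can look up, with the one-time code skipped
when the caller says the phone is broken. All request data is constructed.
"""
from dataclasses import dataclass, field

# Evidence that is public or cheaply obtained: never sufficient on its own.
WEAK_EVIDENCE = {"address", "date_of_birth", "email"}
# Evidence that proves control of the account or of the current SIM.
STRONG_EVIDENCE = {"account_pin", "otp_to_current_sim", "in_store_photo_id"}


@dataclass
class SimChangeRequest:
    account: str
    evidence: set                       # evidence types the caller supplied
    claims_phone_broken: bool = False   # "I can't receive the code"
    notes: list = field(default_factory=list)


def weak_policy(req):
    """Approve on a one-time code, or on two knowledge answers when the
    caller says the phone cannot receive the code. This fallback is what
    lets a caller armed with breach data pass."""
    if "otp_to_current_sim" in req.evidence:
        return "approved"
    if req.claims_phone_broken and len(req.evidence & WEAK_EVIDENCE) >= 2:
        req.notes.append("fell back to knowledge questions")
        return "approved"
    return "denied"


def hardened_policy(req):
    """Require the account PIN plus proof of control of the current SIM or
    in-person ID. req.claims_phone_broken is deliberately never consulted:
    a broken phone holds the request and notifies the current SIM, it does
    not weaken the check."""
    if "account_pin" not in req.evidence:
        return "denied"
    if req.evidence & {"otp_to_current_sim", "in_store_photo_id"}:
        return "approved"
    req.notes.append("held: notify current SIM, 24h cooling-off before retry")
    return "held"


def sms_otp_trustworthy(sim_changed_hours_ago, cooldown_hours=72):
    """Relying-party side: refuse to send an SMS reset code to a number
    whose SIM changed within the cooling-off window. None means the
    carrier reported no recent change."""
    return sim_changed_hours_ago is None or sim_changed_hours_ago >= cooldown_hours


# Constructed: the caller knows the address and birthday from a data
# breach and claims the handset is broken so no code can be delivered.
FRAUDULENT = SimChangeRequest(
    account="ACCT-EXAMPLE-1",
    evidence={"address", "date_of_birth"},
    claims_phone_broken=True,
)

if __name__ == "__main__":
    for policy in (weak_policy, hardened_policy):
        req = SimChangeRequest(FRAUDULENT.account, set(FRAUDULENT.evidence),
                               FRAUDULENT.claims_phone_broken)
        print(f"{policy.__name__:16s} -> {policy(req)} {req.notes}")
    print("trust SMS OTP 2h after SIM change:", sms_otp_trustworthy(2))
```

The weak policy approves the constructed request; the hardened one denies it outright because there is no account PIN, and would only hold (not approve) a request that had the PIN but no proof of the current SIM. The cooling-off check is the piece an online service can apply on its own without waiting for the carriers or the FCC.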

You may remember that Jack Dorsey, the CEO of Twitter, got his own Twitter account hacked following a SIM swap.  Source: The Register

If that doesn’t work, they bribe some phone company employees to give them remote access into the phone company systems so that they don’t have to bother trying to trick other employees – they can do the SIM swap themselves. They just enable RDP into the bribed employee’s workstation.  Source: Motherboard

Several Congress-critters have written to the FCC’s chairman Ajit Pai suggesting that he do his job and actually regulate the carriers.  Don’t count on the FCC doing anything useful.

One thing that you can do is ask the carriers what other security measures they have like passwords and PINs and other measures.

Of course you can lobby your Congress-critters to pass a law forcing the FCC to do what it should do.  Of course the carriers don’t want to have to do any more work than they have to, so they will probably drop bags of cash in Congress to get them not to pass such a law (I guess I am a bit pessimistic that DC will actually do anything helpful).

Ultimately, it is important that you be vigilant because that is much less painful than trying to regain control of stolen accounts or getting your money back from your bank.

Phishing Campaign Takes Different Tactic With Similar Outcome

When phishers attack users, they typically try to steal your credentials – your userid and password.  If you are one of the small percentage of users that religiously use two factor authentication (Google says that 90% of GMail users do not use two factor authentication), these password thefts do not help a hacker unless they can figure out a way to compromise that second factor too.  Since the vast majority of people don’t use two factor, if the hackers do get your password, then they are in and can steal your data.

But what if – just sayin’ – you change your password?

I know.  I know.  You are saying that you haven’t changed your email password in 37 years.  But just say that you do.  Maybe you think the password was compromised.  That means that the hacker has lost access to your information.

Hackers have come up with another technique that will actually survive you changing your password.

Here is how it works.

The hacker gets you to click on a link and the link takes you to the legitimate Microsoft (or Google) login page.  With one tweak.

If you look at the URL, there is a redirect with a request for permissions.

You enter your credentials and you are redirected to a hacker’s site which now asks for permissions to access your mail and contacts, etc.

If you accept this (and you might because you just came from the real [Microsoft or Google] login screen), the hacker now has access to your stuff.

Even if you change your password the hacker will still have access to your stuff.

The only way to turn this off would be to look at your permissions page to see what apps or websites you have granted access to your stuff.

This means that you have to be VERY CAREFUL when you see a permissions request screen to look at the URL that is asking.  Of course, you may or may not understand the URL.  In this case it was an Office 365 attack and the hacker’s domain was .  That is close enough that it probably seems legit.
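Since the login page in this attack is the real one, the two things that give the game away are in the URL itself: where the identity provider will send the token (`redirect_uri`) and what the app is asking for (`scope`). The parser below is an added example (mine, not code from the article or from Brian Krebs’ report) showing how a mail gateway or browser extension could check a consent link before the user ever sees the permissions screen. The identity-provider host names and the Microsoft Graph scope names are real; the all-zero `client_id`, the `.invalid` look-alike redirect domain and the trusted domain list are constructed placeholders.

```python
"""Flag an OAuth consent link before the user reaches the permissions screen.

Added example, not from the article or from Brian Krebs' report. The scope
names are real Microsoft Graph permissions; the client_id, the `.invalid`
redirect domain and the trusted-domain list are constructed placeholders.
"""
from urllib.parse import urlparse, parse_qs

# Legitimate identity-provider hosts the link is expected to point at.
KNOWN_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Permissions that give an app standing access to mail or contacts.
# offline_access yields a refresh token, which is why the grant survives
# a password change.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Contacts.Read", "Contacts.ReadWrite",
                    "Files.Read.All", "offline_access"}


def host_in(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_consent_url(url, trusted_redirect_domains):
    """Describe the consent request and return a verdict.

    The login page itself is genuine (that is the trick), so the decision
    rests on redirect_uri and scope, which the phisher cannot hide because
    the identity provider needs them to complete the flow."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    findings = []
    if not host_in((parts.hostname or "").lower(), KNOWN_IDP_HOSTS):
        findings.append("authorize endpoint is not a known identity provider")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests standing data access: " + ", ".join(risky))
    if redirect_host and not host_in(redirect_host, trusted_redirect_domains):
        findings.append(f"tokens would be sent to untrusted host {redirect_host}")
    return {
        "idp_host": parts.hostname,
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "risky_scopes": risky,
        "findings": findings,
        "verdict": "block" if findings else "allow",
    }


# Constructed sample: genuine Microsoft login host, but the redirect goes to
# a look-alike domain and the scope asks for mail, contacts and a refresh token.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Foffice365-mail-login.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Contacts.Read"
)
TRUSTED_REDIRECTS = {"example.com"}   # constructed: the organisation's own domains

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_consent_url(SAMPLE_URL, TRUSTED_REDIRECTS), indent=2))
```

On the constructed link the verdict is "block" with two findings: the redirect host is not one of the organisation’s domains, and the scope set includes `Mail.Read`, `Contacts.Read` and `offline_access`. The same link with `scope=openid User.Read` and a redirect to a trusted domain comes back "allow". The cleanup for someone who already clicked is the one the post names: revoke the app on the account’s permissions page, because changing the password does not invalidate the refresh token.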

Which the hacker is counting on.

Consider yourself warned.  Source: Brian Krebs


Cloud Hopper Attack Bigger Than Reported. MUCH Bigger

I hate to keep beating on this drum, but the message is important and the news keeps getting worse.

Yesterday I wrote about yet another managed service provider that was hit by a ransomware attack and a number of their clients had their data encrypted.

Today the Wall Street Journal is reporting that the Cloud Hopper attack in 2016, which was revealed last year, was much bigger than has been previously reported.

Up until now, the news we knew about was that 12 managed service providers had been successfully attacked.  Among the 12 was Hewlett Packard (HPE).  According to the Journal, HPE was so compromised that even as they were giving their clients the “all-clear”, the Chinese were re-compromising their network.

The Chinese hacking group, known as APT10 (for advanced persistent threat – not your average 400 pound hacker that our President talks about) had access to the data of hundreds of firms.

Included in that list are Rio Tinto, Philips, American Airlines Group, Deutsche Bank AG, Allianz SE and Glaxo Smith Kline.

Director of the FBI Christopher Wray said it was the equivalent to stealing the master keys to an apartment complex.

The Journal says that whether the hackers are still inside those networks is an open question.  They say that data from the security firm Security Scorecard shows that thousands of IP addresses globally are still reporting back to APT10.

The US Government is now worried about their own possible exposure.  Yikes.

The government says that the hackers took personnel information on over 100,000 Navy personnel.  You can only imagine what that might mean.

This could be part of the reason that the government is moving so fast on CMMC (government fast, that is).  CMMC is a new security requirement for government contractors scheduled to go into effect very soon.

If this isn’t scary enough, the Journal says that the Ruskies, not wanting to be outdone by the Chinese, are also trying to break into Cloud Service Providers.

Check out yesterday’s blog post for recommendations, but the number one recommendation is to get a robust logging and alerting solution in place so that you know when you are under attack and don’t wind up like Marriott – discovering that the bad guys are inside your system.  FOUR YEARS after the fact.

Unfortunately the WSJ article is behind a paywall, but if you have access, it is fascinating reading.

Your job now is to protect yourself.

Like in previous times when Willie Sutton was robbing banks, he said that is where the money is.  Today, the money is in information and that information is at MSPs and other hosting providers.

Source: WSJ



More Businesses Are Opting to Pay Ransom to Get Their Data Back

The 2019 Crowdstrike Global Security Attitude Survey said that the total number of organizations around the world paying the ransom after falling victim to a supply chain attack almost tripled from 14% to 39%.

In the UK, the number of organizations that have experienced a ransomware attack and then paid the ransom doubled from 14% to 28%.

The ransoms, which often range in the 6 to 7 figure range (~ $500,000) are motivating the hackers to ramp up the attacks.

Here in Colorado we saw one attack that compromised a managed service provider and compromised over a hundred dental practices.  Each of those practices had to either pay the ransom or figure out another way to get their data back.

So why are these attacks continuing to be successful?

First of all, organizations of all sizes are not taking the necessary measures to protect their organizations.  Patching, not reusing passwords and two-factor authentication are among the basic measures that many organizations are not doing across the board.

Next comes good backups.  We often see that backups are online (because that is more convenient) and the backups get encrypted as well.  Offline or write once backups are an important part of the backup strategy.

Finally, how long will it take you to recover?  After the Atlanta ransomware incident, the city spent 3 months recovering their systems.  For many companies, if they were down for three months, they would be out of business.

Given that ransomware attacks are, for the most part, attacks of opportunity, no one, big or small, has a get out of jail free card to use.  That means that everyone needs to be prepared to deal with a ransomware event and you want to be ready before it happens.

This is where disaster recovery, business continuity and computer forensics come in.

A Business Continuity program manages the process of making sure that critical business services continue to work in case of an attack.

A Disaster Recovery program manages the recovery process.  If you cannot rebuild your systems from backups within a time window that the business needs, you may be left with the very unpalatable option of paying the ransom.

If you do pay the ransom, you should assume that the attackers still have access to your system or have the ability to reinfect your systems after they come back online.  You need to understand how they got in there in the first place and that is where the third leg of the stool comes in – incident forensics.

While none of this is cheap, having a program in place and your team trained could be the difference between responding to an incident and going out of business.

Source: ZDNet



VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert that says that point of sale (PoS) systems of North American Fuel Dispenser Merchants (as in gas stations and the folks that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.

The attack is ongoing, increasing and coordinated – by cybercrime groups.

The Visa fraud disruption unit alert described several attacks.  Stores were supposed to install chip readers by 2015 (if they don’t, they get to pay for any fraud linked to their lack of chip card readers), but gas stations got an extension and are just now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).

One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank.  Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.

This means that if the hacker can get malware installed in the gas station they can likely read the credit cards.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
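The segmentation design is really a short allow list: which zone may talk to which other zone, on which ports, with everything else between zones denied. The script below is an added example (mine, not code from the article or from Visa’s alert) that writes that allow list down for a small site like a gas station and audits a handful of flow records against it, flagging exactly the office-to-payment-server and smart-TV-to-payment-server paths that a flat network would permit. The address ranges, zone names and flow records are constructed; any address outside the defined zones is treated as “outside”.

```python
"""Check observed network flows against a segmentation policy.

Added example, not from the article or from Visa's alert. Zones, address
ranges and flow records are constructed; addresses outside every zone are
treated as "outside" (the internet or anything else not on the site).
"""
import ipaddress

# Constructed zones for a small retail site.
ZONES = {
    "office":     ipaddress.ip_network("10.10.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/24"),
    "pos":        ipaddress.ip_network("10.30.0.0/24"),   # card terminals / payment server
    "pumps":      ipaddress.ip_network("10.40.0.0/24"),   # forecourt controllers
    "iot":        ipaddress.ip_network("10.50.0.0/24"),   # smart TV, cameras
}

# (source zone, destination zone) -> allowed destination ports. Anything
# between zones that is not listed is denied; flows inside one zone are
# not judged here.
ALLOWED_FLOWS = {
    ("pumps", "pos"):           {443},        # pump asks the payment server to authorise
    ("pos", "outside"):         {443},        # payment server to the acquirer gateway
    ("office", "outside"):      {80, 443},
    ("guest_wifi", "outside"):  {80, 443},
    ("iot", "outside"):         {443},
}


def zone_of(ip):
    """Map an address to its zone, or "outside" if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def flow_allowed(src_ip, dst_ip, dst_port):
    """Default deny between zones; only listed (src, dst, port) pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return dst_port in ALLOWED_FLOWS.get((src, dst), set())


def audit(flows):
    """Return violating flows as (src_zone, dst_zone, port, record) tuples."""
    violations = []
    for rec in flows:
        if not flow_allowed(rec["src"], rec["dst"], rec["dport"]):
            violations.append((zone_of(rec["src"]), zone_of(rec["dst"]), rec["dport"], rec))
    return violations


# Constructed flow records, as a firewall log or NetFlow export would give them.
SAMPLE_FLOWS = [
    {"src": "10.40.0.7",  "dst": "10.30.0.5",    "dport": 443},   # pump -> payment server: needed
    {"src": "10.10.0.23", "dst": "203.0.113.10", "dport": 443},   # office PC browsing: fine
    {"src": "10.10.0.23", "dst": "10.30.0.5",    "dport": 445},   # office PC -> payment server SMB
    {"src": "10.50.0.9",  "dst": "10.30.0.5",    "dport": 3389},  # smart TV -> payment server RDP
    {"src": "10.20.0.44", "dst": "10.10.0.23",   "dport": 22},    # guest WiFi -> office PC
]

if __name__ == "__main__":
    for src_zone, dst_zone, port, rec in audit(SAMPLE_FLOWS):
        print(f"DENY {src_zone} -> {dst_zone}:{port}  ({rec['src']} -> {rec['dst']})")
```

The same table is what you hand to whoever configures the firewall or VLAN ACLs: each allowed row becomes a rule and the last rule is deny. Running the audit over real flow logs before enforcing the rules shows which legitimate business paths you forgot, which is the “little work” the post refers to, and running it afterwards shows whether an infected office PC can still reach the payment system.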

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:

  • Use a pump closest to the store – it is the least likely to have a skimmer attached.  That won’t help if the hacker installs malware on the station’s network though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside – sometimes but not always – that computer gets upgraded before the pumps get upgraded.  Watch how they process your card – if they swipe it, it hasn’t been upgraded.  If they insert it and wait, it has been
  • Last option, if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there and they have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves.  Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer

