Category Archives: Hacks

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds.  It appears that was facilitated by the city’s choice to not spend money on IT and IT security.  Now they are planning on spending about $18 million to fix the mess.  Atlanta can afford that, smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site – what if instead, the city owned water delivery system stopped working because the control system was hacked and the water was contaminated?  Or, what if, all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a form asking about their security and then checking the box that says its secure does not cut it.  Not testing software, both before the city buys it and periodically after they buy it to test for security bugs doesn’t work either.  We are already seeing that problem with city web sites that collect credit cards being hacked costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care because cities are not requiring vendors to warranty that their systems are secure or provide service level agreements for downtime.  I promise if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million dollars to deal with it, then the vendor gets to pay for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states governments have some level of immunity, but that immunity isn’t complete and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not due appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.   Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week

 

Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor that has been banned for use by the US government, reported a new malware attack that bypasses encryption on a user’s PCs using a very novel technique.  Rather than crack the crypto, the attack compromises the random number generator on the computer, affecting the crypto algorithm and making the encryption easy to break.  Very creative.  Source: The Register

 

vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches.  This time is it a remote code execution (RCE) flaw and two SQL injection (SQLi) attacks.  vBulletin runs on at least 100,000  web sites.  While these vulnerabilities are not at bad as last week’s, you should patch them soon.  Source: The Hacker News.

 

Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.

 

Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free,other states will likely follow.  Source: CNN .

Facebooktwitterredditlinkedinmailby feather

Security news for the Week Ending September 20, 2019

A New Trend?  Insurers Offering Consumers Ransomware Coverage

In what may be a new trend, Mercury Insurance is now offering individuals $50,000 of ransomware insurance in case your cat videos get encrypted.  The good news is that the insurance may help you get your data back in case of an attack.  The bad news is that  it will likely encourage hackers to go back to hacking consumers.  Source: The Register.

Security or Convenience Even Applies to Espionage

A story is coming out now that as far back as 2010  the Russians were trying to compromise US law enforcement (AKA the FBI) by spying on the spies.

The FBI was tracking what Russian agents were doing but because the FBI opted for small, light but not very secure communications gear, the Russians were able crack the encryption and listed in to us listening in to them.  We did finally expel some Russian spy/diplomats during Obama’s presidency, but not before they did damage.  Source: Yahoo

And Continuing the Spy Game – China Vs. Australia

Continuing the story of the spy game,  Australia is now blaming China for hacking their Parliament and their three largest political parties just before the elections earlier this year (sound familiar?  Replace China with Russia and Australia with United States).

Australia wants to keep the results of the investigation secret because it is more important to them not to offend a trade partner than to have honest elections (sound familiar?).  Source: ITNews .

The US Government is Suing Edward Snowden

If you think it is because he released all those secret documents, you’d be wrong.

It is because he published a book and part of the agreement that you sign if you go to work for the NSA or CIA is an agreement that you can’t publish a book without first letting them redact whatever they might want to hide.  He didn’t do that.

Note that they are not suing to stop the publication of the book – first because that has interesting First Amendment issues that the government might lose and they certainly do not want to set that precedent and secondly, because he could self publish on the net in a country – like say Russia – that would likely flip off the US if we told Putin to shut him down.  No, they just want any money he would get. Source: The Hacker News.

 

HP Printers Phone Home – Oh My!

An IT guy who was setting up an HP printer for a family member actually read all those agreements that everyone clicks on and here is what they said.

by agreeing to HP’s “automatic data collection” settings, you allow the company to acquire:

… product usage data such as pages printed, print mode, media used, ink or toner brand, file type printed (.pdf, .jpg, etc.), application used for printing (Word, Excel, Adobe Photoshop, etc.), file size, time stamp, and usage and status of other printer supplies…

… information about your computer, printer and/or device such as operating system, firmware, amount of memory, region, language, time zone, model number, first start date, age of device, device manufacture date, browser version, device manufacturer, connection port, warranty status, unique device identifiers, advertising identifiers and additional technical information that varies by product…

That seems like a lot of information that I don’t particularly want to share with a third party that is going to do who knows what with it.  Source: The Register.

Private Database of 9 Billion License Plate Events Available at a Click

Repo men – err, people – are always looking for cars that they need to repo.  So the created a tool.  Once they had that, they figured they might as well make some money off it.

As they tool around town, they record all the license plates that they can and upload the plate, photo, date, time and location to a database that currently has 9 billion records.

Then they sell that data to anyone who’s check will clear.  Want to know where your spouse is?  That will cost $20.  Want to get an alert any time they see the plate?  That costs $70.  Source: Vice.

Election Commission Says That It Won’t Decertify Voting Machines Running Windows 7

Come January 2020, for voting machines running Windows 7 (which is a whole lot of them) will no longer get security patches unless the city or county pays extra ($50 per computer in the first year and then $100 per computer in the second year) for each old computer.  Likely this means a whole lot of voting machines won’t get any more patches next year.

The nice folks in Washington would not certify a voting machine running an operating system that is not supported, but they won’t decertify one.  That, they say, would be inconvenient for manufacturers and cities.   I guess it is not so inconvenient for foreign nations to corrupt our elections.  Source: Cyberscoop

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseband Management Controller (BMC) in Supermicro motherboards that allow any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine.  Like stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows who’s motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are worth more than iPhone attacks.  Why?  Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up a information free notice last year that some user information had been hacked (turns out it was 36 million even though they didn’t say so), but that no financial information was taken, so they didn’t feel too bad about it, most people said, another day, another breach.

The 36 million accounts were for sale for $750 which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows but if you have a Poshmark account, you should definitely change that password and if the password was used elsewhere, change that too.  Source: Bleeping Computer .

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending August 30, 2019

Lenovo “Crapware” Allows Attacker to Compromise Any PC in 600 Seconds

I am not going to get on my soapbox about why you should not buy a PC built by the Chinese government because I know people love their old IBM Thinkpads, but handle this issue no matter what.

Apparently the Lenovo “Solutions” Center has a bug that allows any user (meaning a hacker that has installed any malware on your computer – so your computer has to be compromised at some small level for this to work) to  become an admin in 10 minutes, the frequency that Solutions Center runs.  You can read the details in the link, but the simple fix is to delete the app completely.  Lenovo has a new app that does not have this vulnerability if you actually use the Solutions Center functionality.  Source: The Register.

 

Should You Block Newly Registered Domains?

Researchers say that OVER 70% of newly registered domains are malicious or otherwise potentially harmful to organizations.  Newly registered means 32 days.  Some organizations are already blocking these or alternatively giving users a warning if they go there.

Two thoughts on this – if YOU plan on launching a new domain, you should plan in advance and buy the domain early.  Many hackers do not have the patience to do this (and in fact their domains are only live for a few hours) and second, you should consider implementing a block or warning on newly registered domains to protect your users.  Source: Help Net Security.

 

House Dems Ask FSOC to Regulate AWS, Azure and Google Cloud

Two House Democrats have asked the Financial Stability Oversight Council (FSOC), which is comprised of Federal bank regulators, to consider making the big 3 cloud providers “systemically important” to the banking industry and as a result directly regulate them.

This was directly in response to the Capital One breach, even though that breach was the fault of Capital One’s bad security practices and not a security failure at Amazon.

It is probably obvious but I will point out that given the current political climate, it is unlikely that the administration will do anything that Democratic Party lawmakers suggest.  Still it does point to the possibility that Congress will try to legislate that if the administration doesn’t do anything about cloud security.  Source: Rep. Velazquez.

 

Cloud Archive for Dentists Hit By Ransomware Attack

DDSSafe, a cloud archive solution for dentists, was hit by a ransomware attack that encrypted the data of hundreds of practices.  This follows the FBI/DHS alert that hackers were going after cloud service providers because one attack can generate a massive payday.  In this case it is believed the hackers were asking $5,000 per practice and if 500 practices were affected, that would represent a $2 Mil+ payday.  Tax free.  Source: Krebs on Security.

 

Google Reveals Websites That Hacks iPhones With No Interaction

Google’s Project Zero identifies bugs in a variety of software from every vendor.  This week they announced 14 flaws which, when chained together in different ways, created 5 different ways an iPhone user can be totally compromised just by visiting a malicious web site, without clicking on anything.  The flaws were shared with Apple in February and Apple fixed them in version 12.1.4 of iOS.  Successful attacks allow a bad guy to steal your photos, contacts, location and passwords.  The bugs go back to iOS 10 and the web sites have been serving up malware for two years.  The nature of the attack was such that rebooting the phone (and not visiting those sites again) would get rid of the  malware.  Source: Computing.

Facebooktwitterredditlinkedinmailby feather

Ever Heard of VxWorks? Me Either!

Turns out that VxWorks is an extremely popular “real time” operating system or RTOS.  RTOSes are used in devices that need to be able to respond to real time events, unlike, say Windows, Linux or MacOS.  VxWorks can make sure that say, if an MRI machine is zapping someone with energy in order to create an image and the computer decides that the patient has received enough energy, the beam is turned off.  NOW!  RIGHT NOW!  Windows, Linux and MacOS would turn it off too, but  it might happen a little later – possibly killing the patient in the process, which is generally not considered a desirable outcome.

So who uses VxWorks?  Apparently about 2 BILLION devices.  These include firewalls, routers, printers, the MRI machines that I talked about above, patient monitors, satellite phones, industrial control (SCADA) devices, VOIP phones and many other devices.

One other benefit of RTOSes is that they are small.  Very small.  For example, Microsoft recommends 2 Gig of RAM and 20 Gig of disk for Windows 10.  VxWorks will work with 1 Meg of RAM and 512K of ROM.  More is better, but, as you can see, it will work in a very small footprint.

Researchers found 11 serious flaws in VxWorks, most of which allow an attacker to compromise the system without any user interaction at all.

Wind River, the company that makes VxWorks has released patches and they also say that, while they don’t really know, all 2 billion devices are not as equally compromisable.  Maybe ONLY 200 million are at high risk (well, not a big deal then – ONLY 200 million devices).  Of course the low risk devices become high risk as soon as an attacker compromises the crunchy outer shell of your network.  It is also not clear that they know every place that VxWorks is deployed since many companies might buy it from a third party.

Two vendors who have publicly announced patches are Xerox and Sonicwall.  Users may be used to patching their Sonicwall firewalls, but how many users patch their Xerox printers and copiers?

The researchers say that attacks against VxWorks (named URGENT/11) can be detected at your firewall.  Unless the firewall is being attacked or it the attacker is launching the attack from an otherwise compromised device inside your network or the device is located on the public Internet.  Researchers demonstrated the attack against Sonicwall, Xerox and also a patient monitor at Blackhat recently.

So what do you do?

This is where those Bill of Materials that I have talked about for a long time come into play (even though most vendors can’t or won’t provide one).  Alternatively, you need to ask vendors if they are vulnerable to the URGENT/11 attack.  Start with vendors who’s equipment is (a) mission critical, (b) exposed to the Internet, (c) affects life safety or (d) could kill you (as in a patient monitor or SCADA device).  ANY one of (a), (b), (c) or (d) qualifies.  Two or more ups the risk.

Make sure that your Firewalls and intrusion detection/prevention systems have signatures to detect URGENT/11.  While this is not perfect for the reasons I mentioned before, it can’t hurt.

Be alert to unusual network behavior.  This could be an indication that your network has been infiltrated.

The big problem here is that most of those 2 billion devices will never be patched.  This bug goes back to 2006 – yes 13 years ago – AT LEAST that far back.  Not all versions of VxWorks are vulnerable to all of the bugs, but every version is vulnerable to at least one of the bugs.

Many of the devices are no longer supported by the vendor and in some cases, the vendor might not even be in business.

If the vendor is in China, where an amazing amount of hardware and software comes from, of course they may have no incentive to patch the holes as most users would have no clue as to whether the device is vulnerable and the Chinese might want to use the vulnerability to compromise affected devices.

The bigger problem is supply chain.  You buy, say, a security camera from Cisco.  Seems like this might be made in the US.  But they buy a processor board for the camera from vendor X and vendor X gets software for the system from vendor Y and other parts for the system from vendor Z.  Very quickly you lose track of where things come from.  If you think about something like a car, it could have 200 processors in a high end car, possibly each from a different vendor and each with its own supply chain issues.

The problem is not simple to solve.

Source: CSO Online.

 

 

 

Facebooktwitterredditlinkedinmailby feather