
News Bites for the Week Ending March 27, 2020

Hacker Sells 538 Million Weibo Accounts

Karma is a B**tch.

With all of the Chinese hacking efforts, someone is hacking back.  Is it us?  Not clear.  In any case, the data includes information like real names, site names, location, etc. and 172 million of the 538 million records include users’ phone numbers, but not passwords.  The data is available for $250.  Given China’s iron grip on the Internet, they should be able to catch this guy.  Unless he is not in China.  Source: ZDNet

Pentagon Increases Progress Payments to Primes

The Pentagon is trying to keep the Defense Industrial Base afloat during these trying times by increasing so-called progress payments to primes, among other measures.  Whether it will be enough to keep small subs in business is not clear, but what we have seen is that the bankruptcy courts treat these companies’ intellectual property as an asset and sell it off during liquidation – even selling defense information to the Chinese.  In theory, CFIUS should allow the government to stop these sales (and it absolutely can if it moves fast enough) and FIRRMA (aka CFIUS 2.0) gives the government even more power to stop them, but the bankruptcy courts have, for the most part, thumbed their noses at it, possibly (kindly) because they are clueless about the risk.  Source: National Defense Magazine

Experts See Over 600 Percent Spike in Malicious Emails During Covid-19

Barracuda Networks researchers saw a 667% spike in malicious emails using the Coronavirus as a lure.  The goal is to get you to click on malicious links or download attachments that contain viruses.  They saw almost 10,000 coronavirus-linked email attacks in the last three weeks, compared to 1,800 in February and fewer in January.  Phishing attacks are nothing if not tied to current events. Source: The Hill

Netflix Reduces Video Quality in Europe Over Bandwidth Crunch

According to Variety, Netflix uses one out of every eight bits traversing the Internet (12%).  As general Internet usage goes up, Europe has asked Netflix and other streaming video providers to reduce their video quality from HD to SD.

“As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators.”

Netflix has agreed to reduce its video stream bitrate by 25% for the next month.  Source: Bleeping Computer


What Happens When Your Fintech Provider Gets Hacked?

Fintech is a term that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks.  Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others.  Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks.  Banks are regulated.  For the most part, fintechs are not regulated.

Okay, so why am I talking about this?  Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup.  They have 10,000 employees and 9,000 customers in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago.  Today they said it was ransomware.

So what does all this mean?

Well, a couple of things.  People are using more fintech technology.  Mobile apps.  Data aggregators.  Many other things.

These apps and web sites have your financial data.

Maybe they have decent security.  Maybe not.  For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finastra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked.  I know; I was one of those vendors and they take the problem very seriously.

Finastra has been less than forthcoming with what is going on.  Many ransomware variants steal data in addition to encrypting it.  Was this one of those?  We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up.  As a $2 billion company, they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this.  These data centers are offline in addition to being powered off.  As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important.  For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the question is: if they are hacked, is the security of your bank account compromised?  Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss.  Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs.  You could be arguing for a while.  Worst case, you might have to sue them.  You might not win in court.  It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked.  They don’t have the money or the insurance to make their clients whole.  They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart.  Understand the risk.  Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs


Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different from a lot of other companies’.  Their website was hacked and one of the Magecart family of credit card skimmers was installed.  It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website.  The security firm RiskIQ worked with abuse.ch and Shadowserver to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a jQuery JavaScript library.  This particular compromise has been detected on over 200 websites.

The second attack compromised a different jQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally, on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach.  Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay.  Let’s see if we can learn some lessons here.  What went wrong?

I often ask how security researchers can contact a company and simply be ignored.  Let’s talk about your company.  How would some employee deal with that?  Is there a process?  Is it documented?

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password.  It is not that hard to phish an employee’s credentials.  What about your websites?  Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch.  Are you confident that every single library on your web server is current with every single available patch?  Equifax missed one and it didn’t turn out so good for them.

And of course, being able to detect malware in real time, as I wrote in the client alert last night – that is pretty important.
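One concrete form of that detection, as an added example that is not from the original post nor from Nutribullet or RiskIQ: a script that hashes every script a page references and compares it with a baseline recorded at deploy time, the same way a Subresource Integrity attribute pins a hash in the page. The paths, the sample page and the script bodies are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptTagParser(HTMLParser):
    """Collect (src, integrity) from every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def sri_hash(body: bytes) -> str:
    """SRI-style 'sha384-<base64>' digest of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit_page(html: str, fetch, baseline: dict) -> list:
    """Compare each referenced script with the hash recorded at deploy time."""
    parser = ScriptTagParser()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        digest = sri_hash(fetch(src))
        expected = baseline.get(src)
        if expected is None:
            status = "unknown"        # not in the baseline: who added it?
        elif digest != expected:
            status = "modified"       # served copy differs from the known-good one
        elif integrity is None:
            status = "missing-sri"    # browsers would still run a tampered copy
        elif integrity != digest:
            status = "sri-mismatch"   # page pins a hash the served file does not match
        else:
            status = "ok"
        findings.append((src, status))
    return findings

# Constructed sample with hypothetical paths: the served jQuery copy has grown a
# tail the baseline never had, checkout.js carries no integrity attribute, and a
# third script is not in the baseline at all.
GOOD_JQUERY = b"/*! jQuery v3.4.1 */ (function(){ /* library body */ })();"
SERVED = {"/js/jquery.min.js": GOOD_JQUERY + b"\n(function(){ /* appended block */ })();",
          "/js/checkout.js": b"function checkout(){ /* form handling */ }"}
BASELINE = {"/js/jquery.min.js": sri_hash(GOOD_JQUERY),
            "/js/checkout.js": sri_hash(SERVED["/js/checkout.js"])}
SAMPLE_HTML = ('<script src="/js/jquery.min.js" integrity="%s"></script>'
               '<script src="/js/checkout.js"></script>'
               '<script src="/js/new-widget.js"></script>') % BASELINE["/js/jquery.min.js"]

def run_sample() -> list:
    """Audit the constructed page; returns [(src, status), ...]."""
    return audit_page(SAMPLE_HTML, lambda src: SERVED.get(src, b""), BASELINE)
```

Calling run_sample() flags the jQuery copy as modified, the checkout script as lacking SRI and the third script as unknown; in production the fetch callback would pull each script from the live site and the run would be scheduled, not one-off.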

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?


Cyberspace Solarium Commission Warns of “Catastrophic Cyberattack”

The U.S. Federal Cyberspace Solarium Commission issued its long awaited report last week and warned of a “catastrophic attack that leaves the nation in tatters”.  While right now everyone is worried about Covid-19, this represents a longer term problem that won’t be fixed in a few months.

The report creates a vivid hypothetical attack and is written from the point of view of an unnamed U.S. legislator.

Kind of like with Covid-19, in this hypothetical attack “everything went so wrong, so fast”.

In the narrative, the Potomac River is polluted by toxic chemicals from treatment plants that were hacked, an attack on the city’s floodwater management system leaves an oily sludge in front of the Lincoln Memorial, the debris of drones litters the city after they were hijacked and crashed into crowds like torpedoes, and finally there is a toxic rail accident in Baltimore after the control system was compromised.

The report also provides a slew of recommendations – many of which will be hard to swallow.

For example, to better secure Internet of Things devices, the report suggests moving away from a “first to market” philosophy to one with better security.  I predict that will only happen if laws hold companies financially liable for their insecurity – something that has already started in California.

In fact, the report recommends that final goods assemblers be held responsible for damages as a result of cybersecurity incidents.

It makes suggestions around changing Sarbanes Oxley to include more cybersecurity requirements.

Another recommendation is for the government to clean up its own act.  Currently there are a lot of cooks in the federal government’s cybersecurity kitchen and that is creating a lot of confusion.

It also suggests that Congress reorganize its committees that really don’t deal well with cybersecurity.  I think we need to reorganize the Congress people and find some who understand the problem, but that is a separate issue.

The report goes on and makes a lot more recommendations, but now it is up to the federal government to actually act.  The alternative is the response we currently have to Covid-19, which is, in my opinion, a bit of a train wreck in slow motion.

One way or other, these cyberattacks will continue and increase, as we are already seeing during the Covid-19 pandemic.  During this pandemic, hospital and government systems are being hit by cyberattacks, slowing response and distracting first responders from their mission.  Source: Verdict


Security News for the Week Ending March 13, 2020

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks

AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new side-channel attacks, according to freshly published research.

Known as “Take A Way,” the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD’s Bulldozer micro-architecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption. Source: The Hacker News

And… AMD is Not Alone This Week – Intel has Unpatchable Flaw

And the “chip wars” continue.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield users’ sensitive data even when a system gets compromised.

The flaw, if exploited (only theoretical this week), would allow hackers to extract the root encryption key in the Intel Management Engine – which is the same for all chips in a particular processor family.  That potentially would nullify all DRM and all whole disk encryption, among other things.  Source: The Hacker News

President Signs Bill To Help Rural Telecom Carriers Replace Chinese Equipment

The President signed the Secure and Trusted Communications Networks Act this week.  The bill mandates that US telecom carriers rip and replace any “suspect foreign network equipment”.  It requires the FCC to set up a compensation fund to help rural telecom carriers do this;  the bigger carriers are on their own – which will likely be reflected in your bill as a fee or surcharge.

Carriers have to provide a list of equipment and estimated costs to replace it by April 22.  Sometime after that, we will have a better estimate of the cost.

For some reason which is not clear to me, the bill will not cover the cost of replacing equipment purchased after August 14, 2018.  It appears that telcos do not need to replace new Chinese equipment.

The requests and status of replacement activities will be posted on the FCC’s website.

The law authorizes the FCC to spend $1 billion in this year’s budget to do this.

The bill also allows companies that won spectrum bids in the last auction to abandon their builds and get their money back for the spectrum if they determine that they can’t build out what they promised without using suspect gear.

It would also appear that if the telco buys or has bought Chinese gear without a government subsidy, they can continue to use it.  Source: Engadget

Microsoft Says: 99.9% of Compromised Accounts did NOT use Multi-Factor Authentication

Microsoft tracks 30 billion login events every day.

They say that roughly 0.5% of all accounts get compromised every month.  That translates to around 1.2 million accounts compromised in January.

THEY ALSO SAY THAT AROUND 99% OF ALL ATTACKS TARGET LEGACY PROTOCOLS, SO, IF THOSE PROTOCOLS CAN BE DISABLED AND MULTI-FACTOR AUTHENTICATION IS TURNED ON, SUCCESSFUL ATTACKS GO TO NEARLY ZERO.

THEY ALSO SAY THAT MULTI-FACTOR AUTHENTICATION BLOCKS 99.9% OF ALL ATTACKS.  Source: ZDNet
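The reason legacy protocols matter is that a password-only protocol like IMAP never asks for the second factor, so an account can be MFA-enrolled and still be taken over through it. The triage below is an added example, not from the original post or from Microsoft: it walks constructed sign-in records (the JSON field names and the set of legacy protocols are assumptions for the example) and reports every successful legacy sign-in, marking the ones where MFA was enrolled but never got a say.

```python
import json
from collections import Counter

# Protocols that authenticate with a password alone and cannot complete an MFA
# challenge; which ones count as legacy is an assumption for this example.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-auth", "activesync-basic"}

def triage_signins(lines):
    """Find successful sign-ins that sidestepped MFA over a legacy protocol.

    Each line is a JSON object with hypothetical fields: user, protocol,
    result ("success"/"failure") and mfa_enrolled (bool). Returns per-protocol
    success counts and one finding per legacy sign-in: "mfa-bypassed" when the
    user is MFA-enrolled (MFA was on but did nothing), otherwise "no-mfa".
    """
    by_protocol = Counter()
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("result") != "success":
            continue
        proto = str(ev.get("protocol", "")).lower()
        by_protocol[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            verdict = "mfa-bypassed" if ev.get("mfa_enrolled") else "no-mfa"
            findings.append((ev["user"], proto, verdict))
    return {"by_protocol": dict(by_protocol), "findings": findings}

# Constructed sample sign-in records (not real log data): bob is MFA-enrolled
# but also signs in over IMAP, dave uses a legacy protocol with no MFA at all,
# and carol's legacy attempt failed so it is counted nowhere.
SAMPLE_LOG = """
{"user": "alice", "protocol": "browser", "result": "success", "mfa_enrolled": true}
{"user": "bob", "protocol": "IMAP", "result": "success", "mfa_enrolled": true}
{"user": "bob", "protocol": "browser", "result": "success", "mfa_enrolled": true}
{"user": "carol", "protocol": "smtp-auth", "result": "failure", "mfa_enrolled": false}
{"user": "dave", "protocol": "activesync-basic", "result": "success", "mfa_enrolled": false}
"""

def run_sample():
    """Triage the constructed sample; returns the dict from triage_signins."""
    return triage_signins(SAMPLE_LOG.splitlines())
```

The users in the findings list are the ones for whom disabling the legacy protocol has to happen before the MFA statistic above means anything.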


Crypto Backdoors are Good – Except When The Other Side Has Them

Attorney General Barr and FBI Director Wray have been lobbying strongly for companies such as Facebook and Google to add backdoors to their cryptography so that they can eavesdrop on conversations when they need to.

But there are problems with backdoors to encryption.

Mostly, you cannot control who uses them.

Case in point: Huawei.  The U.S. says that Huawei has a backdoor into their telephone gear.  One which, I might add, the U.S. requires them, by law, to put there – so this is not the first crypto backdoor rodeo.

But now the U.S. says that Huawei is using that backdoor that we made them install.  Probably on behalf of the Chinese government.

It is not clear to me why the U.S. thinks that if we make Google or Facebook or some other company install a crypto backdoor that we will be the only ones that use it.  That puts companies in a bind when some non-friendly government makes them decrypt conversations that might get people killed.

All this is just a lead in to today’s post.

There is a Swiss company, Crypto AG, that built encryption hardware for governments.  Apparently the crypto was pretty strong. And the company, being neutral, sold it to countries that the U.S. was friendly to.  And not friendly to.

So how could we break the crypto?

Secretly, the CIA, in partnership with West German Intelligence, bought the company.  This enabled them to do, well, whatever they might want to do.  Such as sabotaging the software so that Germany and the U.S., as well as some other governments, could read other governments’ supposedly secure communications.  Ones that were protected by systems that they paid Crypto AG a lot of money to secure.

Talk about supply chain risk.  Holy cow.

Crypto AG sold their systems to as many as 120 countries, so, for the CIA, it was a target rich environment.  They knew what agencies in which governments were using their systems and had installed backdoors to allow them to decrypt those supposedly secure messages.

In this case, it was the good guys who had the master key, but they were reading the messages of our allies in addition to our adversaries.

If they didn’t sell their systems to the good guys, the bad guys would get suspicious.

But this is kind of how the spy business works.  Sometimes collateral damage is OK.

But this is also the problem with crypto backdoors.  Once you have them, it is hard to control how they are used.  Source: Washington Post
