Category Archives: Hacks

NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, longtime NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all-around cyber guru, says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments come in advance of what are likely to be new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.


Sextortion Campaign Adds a New Twist

Sextortion is malware that tries to convince you that the attacker has compromised your computer and has videos of you visiting adult web sites.  The attackers promise not to share the videos with your friends if you pay them money.  The videos do not exist, but scared people sometimes pay.

The new variant of the attack tells you to download a sample video to prove their claims.

In fact, the so-called video is really malware.  The first piece of malware steals your account passwords, files and more.  The second piece of malware encrypts your data.

Before downloading the sample video you thought you had a problem.  After the download, you really do have a problem.

So, what should you do?

First of all, if you get a threatening email like the above, slow down, take a deep breath and consider things.

For most people – who don’t visit porn sites – keep your curiosity at bay and DELETE the email.  DO NOT OPEN THE ATTACHMENT!

I always recommend covering your webcam on your laptop.  If you have followed this advice, see the above.

For the very small group of people left, if you think that this video actually may exist, consult an expert.  They can safely deconstruct the attachment and figure out if it really is what the attacker claims.

Lastly, as I always say, backup early.  And often.  Preferably multiple copies.  If possible, at least one copy offline.  I keep at least one version of my backups in a bank vault.  Very hard to hack.

Source: Bleeping Computer.


Patching, Patching and More Patching – This is Ridiculous

Last Tuesday I said patching is critical and it still is.

Maybe this is a weekly post, but I hope not.

Today’s episode:

#1 – Zero-day exploit for Oracle’s VirtualBox

A security researcher got mad at how Oracle treated him in the past and so, when he found a new exploit, basically gave Oracle the middle finger and published the exploit and sample code.  All the amateur hackers now have the recipe to escape from a guest virtual machine and run code on the host machine.  If you use VirtualBox, you should patch this quickly since it came with sample code to run the exploit.  Source: The Hacker News.

#2 – WooCommerce Plugin for WordPress

WooCommerce, the eCommerce tool that is used on millions of websites, can be used to gain full control over a website that has not been patched.  Again, pretty easy to exploit.  The good news is that there are patches for both WordPress and WooCommerce, but you have to install them.  Source: The Hacker News.

#3 – Apache Struts Critical Vulnerability

Yes, THAT Apache Struts.  The same one of Equifax fame.  A flaw in the file upload routine in versions earlier than 2.5.12 allows a hacker to upload and execute arbitrary code.

Here is the bad news.  There is a fix.  You have to drop in a replacement JAR file with the new code.  There is no new install or version update, so this will be a pain in the ………

Vendors like Cisco and VMWare, among thousands of others, who use Struts will have to update and re-release their products, so users won’t be safe until all of these vendors have updated their code.

Hackers, of course, will try to take advantage of this flaw to attack your systems knowing that it will likely take years to get rid of all the affected code.  Source: The Register.

#4 – Microsoft Edge Browser Zero Day About to be Revealed

As the strained relationship between security researchers and vendors apparently continues, two researchers are about to release sample code and details of an unknown (zero day) remote code execution flaw in Microsoft Edge (shades of item 1 above).  The researchers are also trying to get to hacker nirvana by elevating to system level privileges as part of the exploit.

To stick their finger in the eye of Microsoft, the researchers released a video showing the hack where they got Edge to launch Firefox and have it load the Chrome download page.  (Source: Bleeping Computer).

This is but a tiny sample of this week’s high profile bugs.  Gee whiz!


The Ongoing Saga of IoT Attacks

Israeli researchers have disclosed two new Bluetooth attacks that only require the attacker to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker?  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead?

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug lets an attacker send the chip more data than the chip can handle, causing a buffer overrun and the ability to run arbitrary code.

The second bug exploits a bug in TI’s over the air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this.
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.

Patching is Critical

Three news items today – different platforms, but one common message.

#1 – A new iPhone passcode bypass was found within hours of the release of iOS 12.1.  This follows on from the passcode bypass fixed in 12.0 and another iPhone passcode bypass in 12.0.1.  As iOS becomes more bloated (or feature rich, depending on your perspective), more bugs are likely to appear (source: The Hacker News).

#2 – Microsoft quietly patched a bug in Windows 10 that allowed certain Universal Windows Platform applications that had certain permissions to access users’ files without their knowledge.  The update changed the default for the “broadFileSystemAccess” permission to OFF.  Up until now, it was ON by default.  Users may need to selectively turn that on now if they feel that is safe (Source: The Hacker News).

#3 – Researchers tattled on Microsoft regarding a bug or feature in Word 2016 and earlier versions that allows a hacker to abuse Word’s (bloated?) feature that allows you to embed online videos.

Since a Word file is really a zip file, all a hacker has to do is embed a video link, such as to YouTube, and then open the zip file separately outside of Word.  The zip file contains an XML configuration file that contains the embed code.  A hacker could edit that code and put in any link or JavaScript that the hacker wanted and that code would be silently executed when you open the document and click on the video.

The researchers gave Microsoft 90 days to fix the bug.  Microsoft says that they think it is a feature.  It likely is a feature, but a really poorly designed one.

Enterprise admins should update their anti-malware software to BLOCK any Office documents that contain the embeddedHtml tag.
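One way to implement that block rule, as an added example that is not from the original post, Microsoft or the researchers: a Python check that opens an Office file as a zip and flags any XML part carrying the embed attribute. The sample documents (including the `wp15:webVideoPr` element) are constructed, and matching both `embeddedHtml` and the shorter `embedHTML` spelling is an assumption.

```python
import io
import re
import zipfile

# Assumption: match both "embeddedHtml" and the shorter "embedHTML" spelling,
# case-insensitively, and capture the attribute value for the alert.
EMBED_ATTR = re.compile(rb'embed(?:ded)?html\s*=\s*"([^"]*)"', re.IGNORECASE)
MAX_PART_BYTES = 20 * 1024 * 1024  # skip parts that declare an oversized length

def scan_office_file(data: bytes) -> list[tuple[str, str]]:
    """Return (part name, value preview) for every embed attribute found."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, so not an OOXML document
    with archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "<part too large to scan>"))
                continue
            for match in EMBED_ATTR.finditer(archive.read(info)):
                preview = match.group(1)[:80].decode("utf-8", "replace")
                findings.append((info.filename, preview))
    return findings

def build_sample(document_xml: bytes) -> bytes:
    """Build a minimal constructed .docx-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: one part carrying an embed attribute, one without.
FLAGGED = build_sample(
    b'<w:document><wp15:webVideoPr embeddedHtml="&lt;iframe '
    b'src=&quot;https://example.invalid/v&quot;&gt;" h="480" w="640"/></w:document>'
)
CLEAN = build_sample(b"<w:document><w:p>quarterly report</w:p></w:document>")

if __name__ == "__main__":
    for name, blob in (("flagged.docx", FLAGGED), ("clean.docx", CLEAN)):
        hits = scan_office_file(blob)
        print(name, "BLOCK" if hits else "allow", hits)
```

A mail gateway or file-share hook could call `scan_office_file` on each attachment and quarantine anything that returns findings, logging the part name and preview for the analyst.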

Unfortunately, now that the cat is out of the digital bag, hackers will be looking at other similar ways to infect your users’ computers (Source: The Hacker News).

So what is a user – or system admin – to do?

The first thing to do is to make sure that your patch management process is working.  That does not just mean your operating system patches, but also every single application installed on every computer.  Office is high up on that food chain, but things like Acrobat are targets too.  Adobe released 47 patches to Acrobat this last month that they rated CRITICAL; 46 of them allowed for REMOTELY executing arbitrary code if you use Acrobat to open PDFs in your browser.  Foxit, an Acrobat replacement, released 116 patches this month.  The numbers are insane.

If you look at all of your computers, you are running way more applications than you think you are – likely hundreds – probably many hundreds.  And it does not matter if you are using the apps.  In fact, unused apps are worse, because you are less likely to patch them.

IN FACT, YOU SHOULD MAKE IT A PRACTICE TO UNINSTALL ANY APPS THAT YOU DON’T NEED.

The second thing to do, and it can be time consuming, is read security intelligence alerts such as this blog and our separate client alerts.  You have to know at least as much as the bad guys.

Sorry there is no easy fix!


SEC Investigates Companies That Send Wires to Scammers

You have probably heard about Business Email Compromise (BEC) attacks where scammers pose as company executives and ask the accounting department to wire money to them.

The FBI says this is highly effective and big business.  To the tune of $5 billion in losses since 2013.

In fact, the SEC discovered that 9 publicly traded companies collectively wired almost $100 million to scammers.

Is the SEC worried that these companies lost money to bad guys?

No, not exactly.

They ARE worried that these companies violated section 13(b)(2)(B)(i) of the Securities Exchange Act of 1934, which requires some businesses to have appropriate accounting controls in place.

Wouldn’t that be a bit of a bummer to find out that you got fleeced out of $45 million (like one company did) and now you are being investigated over your accounting controls?

The SEC COULD sanction companies for having inadequate financial controls.

In some of the cases investigated, the Chief Accounting Officer was the one that was duped.

The good news is that the SEC has decided that none of THESE companies will be fined.

Whether the number is $100 million for 9 companies or $5 billion over the last 5 years, the number is huge, and for anyone other than large publicly traded companies, this could be both a resume generating event for you and an existential threat for your company.

So what can you do?

First of all, if you are responsible for your company’s money, you need to become educated about the problem.  Quickly!

You need to train your employees.  Not just once, but on a recurring basis.  For small companies we have a program we can provide that will allow you to send test emails to all of your employees every day if you want (probably overkill!) for less than $20 per employee per year.  Significantly less for bigger companies, so it is affordable (especially compared to wiring a million dollars to a scammer).

There is insurance that can be purchased to cover this loss.  Note that GCL (General Commercial Liability) insurance will not cover this, nor will fidelity insurance.  It is specialized insurance but it is not particularly expensive.  If you don’t have it, get it.  NOTE:  some of these policies have quirks so make sure you understand what the policy requires you to do in order to get reimbursed.

You also need to create policies that cover procedures so that it is harder for an employee to accidentally wire money to the scammers.  Most of the time the scam starts with an email.  If you get an email changing payment instructions, even though this means extra work, you need to verify the change.  And NO! that does not mean reply to the email asking ARE YOU SURE?  Communicate using a verified communications method.

If this wasn’t so damn profitable, scammers would stop.  Your employees are the only ones who can make it unprofitable. 

Be part of the solution and save yourself a bucket of money on top of it.

Information for this post came from the SEC and from Big Law Business.
