Category Archives: Hacks

What Does Foreign Influence in Elections Look Like?

The issue of foreign influence in US Presidential elections has been and continues to be a hot button.

Sometimes the focus on election hacking is on hacking the ballot box, but while this is possible, it would be very hard to do that on a national scale, so it is unlikely that this is the tactic that they would take.  However, since we know that Russia attempted to penetrate election systems in all 50 states during the 2016 elections, we should not rule this out completely.

Whether the foreign powers want to help or hurt a particular candidate (and there are likely some of each), there are many things they could do.

Obviously, they could hack the emails and other systems of candidates and release embarrassing emails.  They could also hack candidates' personal phones and computers in addition to the campaign's systems.

More likely, these powers will launch disinformation campaigns.  The number of emails that I get on a daily basis that are designed to inflame or contain outright lies is amazing and will only increase as we get closer to the election.  The same goes for social media.  Whether people will disregard these campaigns is not clear.  It seems that people tend to accept spam that they agree with and reject spam that they disagree with, as opposed to treating it all with a whole lot of skepticism.

While it is illegal, foreign governments have been injecting money into campaigns of candidates that they like.  This is done via proxies who can contribute, so figuring out who is a shill for, say, China, might be hard.

Remember also that hacking elections is a time honored tradition.  While the techniques have gotten better, hacking elections is not new.  One source says that the US interfered with 81 foreign elections (that we know about) since 1946.

The bigger issue is that people THINK that the elections are rigged and do not vote at all.  If this happens, the bad guys win. 

Voters need to be on the alert for all kinds of tricks that a foreign OR DOMESTIC actor might try.  Smart voters will reduce the impact of the bad actor’s work.  And you must vote.

Sources: Nextgov and The Washington Post.


Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always kept its documents secret.  The only way that you even get a copy of the specs is to become a member, and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.


IBM Says Reports of Malware Attacks Up 200% in First 6 Months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.


StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan beforehand (called an incident response plan).  Part of that plan should not say "lie to cover up the truth".  It just doesn't work.  StockX tried to convince people that their requirement that everyone change their password was a "system update".  It wasn't.  It was a breach, and the truth got out.  Source: Tech Crunch.


US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver-based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, whose details are likely classified, probably use techniques like we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.


Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.


North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.


THIS is Why Patching Your Phone Is Important

I tend to be a bit of a dog on a bone when it comes to patching your phone.  Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.

But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone.  For those phones, Google releases and installs patches like Apple does.

For every other Android phone, Google publishes the open source code to a public repository every month.  Then the phone's manufacturer has to download it and integrate any changes that it made.  Up until recently, this was a completely optional decision on the part of the phone manufacturer.  Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world.  The mobile carrier then needs to integrate its changes into the code and test it.  Again, completely voluntary.  There will be a new option for brand new phones released with Android 10 this fall, but nothing now.

One more thing.  Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it.  So, if a phone was released in January 2017 and you bought it in March 2018, it likely will only be patched for the first 9 months that you own it, at best.  This means that for most of the time that you are using the phone, it will be vulnerable to being hacked.  If you keep the phone for, say, 3 years – many people keep Android phones longer – then for about 2 and a half of those years, it will be open to attack.

This is why understanding this and being vigilant about patching is so important.  And why many Android phones are already compromised.

So why today?

Security firm Tencent announced two critical bugs in the Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.

Check out the link below for the details and CVE numbers.

Once compromised, the attack gives hackers full system access, including the ability to install rootkits (which are not detectable) and steal any information on the phone, most likely without being detected.

Some of the Qualcomm chipsets affected are:

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Point is – a lot of them, affecting a lot of phones – most of which will never be patched.

While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and be within WiFi range of the attacker, such as being out in public in a store, coffee shop, airport, hotel or meeting area, to name a few.

If you use an Android phone, check to see if it is receiving patches.  If you store anything sensitive on the phone, disable WiFi if you can.

IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.

It will not be long before attackers figure out the details and start using this in the wild.

Source:  The Hacker News.


Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised are 140,000 US social security numbers and 80,000 bank account numbers.  Also in the mix were one million Canadian social security numbers plus names, addresses, phone numbers, birth dates and incomes.

The data included applicants who applied between 2005 and 2019.  Yes, 15 years worth of applicant data, floating around in the cloud.  I ask WHY?

The hackers were inside between March and July and the breach was discovered in July.  In this case, a U.S. person was identified as the source of the hack and arrested.  She is still in jail.

The feds say a configuration error allowed her to access their data which was stored in the cloud.  See more information at The Register.


Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican-controlled Senate Intelligence Committee released the first volume of its report on Russian hacking of the 2016 Presidential elections, Florida Senator (and, at the time, Florida Governor) Rick Scott said on national TV that he had not read the report.  The report, which is heavily redacted, talks about Russian efforts to hack "State-2", which is widely believed to be Florida.

The report is only 67 pages; much less if you read the redacted version, but Scott has only gotten the CliffsNotes version from his staff.  At the time, Scott was adamant that his state was not hacked.  Florida's other Senator, Marco Rubio, has been working hard to sound the alarm bells on the report.  Perhaps the report hit a little too close to Scott's denials for comfort.  Source: The Tampa Bay Times.


Honda Exposes the Family Jewels

134 million rows of sensitive data were accidentally exposed.  Wait.  Guess.  On an unprotected Elasticsearch database.

Information on the company's security systems, network, technical data on workstations, IP addresses, operating systems and patches were all exposed.  Basically, these are directions for even an inexperienced hacker to attack Honda.

Honda is being pretty quiet about this, but it is one more case of corporate governance gone wrong.  Or missing.  Source: Silicon Republic.


Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people's Siri recordings, including sensitive protected health information, Apple announced it was suspending the program and will conduct an investigation.  Apple said they will provide an option for people to participate in the program or not, in a future software release.  Source: The Guardian.


On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called Jedi.  Now the Capital One breach happens exposing information on 100 million customers and it turns out the person who is accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers – and probably so does Microsoft.  $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was helped by a configuration error. Source: Bloomberg.


How Long Does It Take For a Public RDP Server to be Hacked

Even though we keep telling people not to enable Microsoft’s Remote Desktop Protocol (RDP) on Internet facing servers, a recent check showed there were still a million servers vulnerable.

“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP,” say Sophos researchers Matt Boddy, Ben Jones, and Mark Stockley.

Hackers use password cracking tools and buy passwords for already cracked servers in order to get in.

To see how long it took for servers to be compromised, researchers set up 10 geographically dispersed Windows Server 2019 installations in the Amazon cloud.  Those servers had RDP enabled.

To make life interesting, the servers were set up with extremely strong passwords.

The first server was hit with an attempted login in ONE MINUTE AND TWENTY FOUR SECONDS after it was brought online.

The last one was attacked in a little over fifteen hours.

The test servers were live for a month.  During that time period, there were over 4 million attempted logins to those servers.

The hackers are creative in their attacks so as to not get detected or blocked.  Sometimes people claim that the search engine SHODAN is the reason for these attacks, but these 10 servers were never listed in SHODAN.

Given this, what should you do?

First, unless you have no other viable alternative, do not expose RDP publicly on the Internet.

Security teams have been trying for years to get everyone to use strong passwords but that really has not worked.  Not at all.

You can make the hacker's job harder by turning on two-factor authentication, but if you do that, make sure that the second factor is strong – not a text message.  Installing client-side security certificates is one good idea because once they are installed, they are invisible to the user.

If you absolutely must use RDP, the preferred method is to require users to connect to the company network via a strong VPN solution first.

Source: HelpNet Security
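As an added illustration (not from the original post or from the Sophos study), here is a small Python detector for the brute-force pattern described above: it scans a constructed Windows Security log export for Event ID 4625 (failed logon) entries with logon type 10 (RemoteInteractive, i.e. RDP) and flags any source address that reaches a failure threshold inside a sliding window, and it also measures the time from a server coming online to its first attempt, as the study did. The one-event-per-line export format and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Event 4625 = failed logon;
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOGS = """\
2019-08-01T10:01:24Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2019-08-01T10:01:25Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2019-08-01T10:01:26Z EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.7
2019-08-01T10:01:27Z EventID=4625 LogonType=10 Account=test Source=203.0.113.7
2019-08-01T10:01:28Z EventID=4625 LogonType=10 Account=user Source=203.0.113.7
2019-08-01T10:05:00Z EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.20
2019-08-01T10:30:00Z EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.20
2019-08-01T11:00:00Z EventID=4625 LogonType=2 Account=jsmith Source=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)

def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the (assumed) export format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def rdp_failures(log_text):
    """Return (timestamp, account, source) for every failed RDP logon, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)  # lines that do not match the shape are ignored
        if m and int(m["event"]) == 4625 and int(m["ltype"]) == 10:
            events.append((parse_ts(m["ts"]), m["account"], m["source"]))
    return sorted(events)

def find_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each source that reached `threshold` failures inside a sliding `window`
    to (failures in that window, distinct accounts tried by that source)."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    accounts = defaultdict(set)   # source -> account names attempted
    flagged = {}
    for ts, account, source in rdp_failures(log_text):
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        accounts[source].add(account)
        if len(q) >= threshold:
            flagged[source] = (len(q), len(accounts[source]))
    return flagged

def seconds_to_first_attempt(log_text, online_at_iso):
    """Seconds from the server coming online to its first failed RDP logon."""
    fails = rdp_failures(log_text)
    return (fails[0][0] - parse_ts(online_at_iso)).total_seconds() if fails else None
```

With the sample data, the first source is flagged after five different account names in four seconds, while a single failure followed by a successful logon (event 4624) is not.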


Cloud Service Providers Are Not Immune from Ransomware

You moved your applications to the cloud.  Now you don’t have to worry about managing IT systems.  The headaches are someone else’s.

Well sort of.

Here is what customers of QuickBooks cloud hosting provider iNSYNQ are seeing when they try to log on:

This is what they have been seeing for the last three days.

The hosting provider experienced the ransomware attack on July 16.

The company’s web site says that they are now beginning to restore user’s data but the process will take a while.

They are saying that some files (they are not saying how many) were encrypted and they hope that you made your own backups.  They are trying to figure out how to deal with those encrypted files.

And, oh yeah, from now on you should probably make your own backups.

And what, exactly, am I paying you for?

So what does this mean for you?

Let's assume for the moment that you are not an iNSYNQ customer, since most of the planet is not.  And, I suspect, many of their current customers will not be their current customers for long.

First, DO NOT assume that because you moved something to the cloud, things are not your responsibility any more.  Kind of like your self driving car. You better be ready to stomp on the brakes in case your car makes a mistake.

Check your cloud service provider’s TERMS OF SERVICE.  Likely it says that they are not responsible for many things.  Make sure that, for those things, you have a plan.

Many cloud service providers have a “shared responsibility” model at the core of their offerings.  That means that they acknowledge that they are responsible for some things, but you are responsible for others.  Make sure that you know who is responsible for what.

Understand what the provider's guarantee is regarding uptime.  iNSYNQ has been down for 7 days and says that it will be more days before they are back up – possibly minus your data.  Most of the time it says that they will get things working again as best they can, but with no time frame.  Is that going to work for your business?  In this case, it is the client's accounting software.  Is not being able to write checks a problem?  Is not being able to run payroll going to bother anyone?  Is losing years worth of financial data going to upset your investors, your regulators and your customers?

DO YOU HAVE A PLAN FOR WHAT TO DO IN A CASE LIKE THIS?

Lastly, does the provider offer a guarantee?  Often they will not charge you for the time they were down.  Let's say they charge you $200 a month for their service and they are down for two weeks.  Likely that means that they want you to pay your bill for the month, but they will very generously give you a $100 credit on that bill.

DOES THAT COVER YOUR PAIN?  I DIDN’T THINK SO.

Maybe your accounting software is not terribly important to you?

What about your web site?

Or your manufacturing software?

Or whatever else you moved to the cloud.

Understanding the risk is a good thing.  I strongly recommend it.

Source:  The iNSYNQ website, here and here.
