Category Archives: News Bites

Short news items

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, there have very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off it’s collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google roles out version 70 of Chrome, Symantec’s SSL certificates will be no longer trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.   Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog .

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register .

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo .

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken .

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Oct. 5, 2018

Web Page Load Times Double Due to Trackers

Trackers, those microscopic bits of pixie dust that web pages and advertisers insert into web pages to track our activities, make a significant negative contribution to user experience.

Full disclosure – this study was done by Ghostery, who makes software – free software – that blocks these trackers.

Ghostery looked at the page load time of the top 500 US web sites as defined by Alexa and discovered that it took, on average, 10 seconds longer to load with trackers enabled than when blocked by Ghostery.

The 10 slowest of the top 500 sites loaded 10x faster without trackers, saving users 84 seconds on average.

Obviously you could run their free software to reduce your page load times and I have run it for years.  It is amazing how many trackers can exist on one web page.  Source: Ghostery

Feds Issue Alert Regarding Remote Deskup Protocol

Sometimes it takes the feds a little while to realize what we have known for years.  Remote Desktop Protocol or RDP is a Microsoft mechanism for remotely logging in to another computer.  Sometimes people (not very wisely) enable this capability over the Internet.

RDP was designed for LAN administrators to remotely access a user’s computer or a server on the same network, so security considerations were never a top priority.  Over the years Microsoft has improved the security of RDP but still – my opinion – it is foolish to enable this so that a hacker in Timbuktu can try to hack into your network.

Finally, after several years of these widespread attacks, the FBI has issued an alert telling people this is not a good practice.  There are ways to secure that RDP connection, the easiest of which is to require remote users to establish a VPN connection first.  Source: Homeland Security.

Adobe Patches 85 Vulnerabilities in Acrobat and Reader

Adobe has released patches for 85 vulnerabilities in Acrobat and Acrobat Reader for both Windows and Mac.  85 is a pretty big number.  Some of the vulnerabilities allow for remote code execution while others allow for information disclosure or privilege elevation.  In other words, an entire buffet of problems.

This points to why it is so critical to understand what apps you have installed and make sure that they are patched quickly.  Every single time patches are released.  On every device in the network.  Desktops.  Laptops.  Servers.  Phones.  Tablets.  Everywhere.  As of today, Adobe says they are not being exploited in the wild – that they know of.  Tomorrow, at a minimum, every foreign intelligence agency in the world will have reverse engineered them and figured out how to use them as a weapon.  That doesn’t count the hackers.  Source:  The Register.

FBI Forces Child Abuse Suspect To Look at His Phone

In August, for the first time ever that we know of, the FBI obtained a warrant to force a person to look at his iPhone X to unlock it using Apple’s face recognition.  A month later he was charged with receiving and possessing child porn.

While no sane person is going to suggest that the judge should not have issued the warrant in this case, it points to the assumption that people have that stuff on their mobile devices is private.  A bad guy could put a gun to your head and that would likely have the same effect as the warrant.

Privacy is a relative term and as long as everyone understands that, we are all good.  Source: Forbes.

DoJ Indicts 7 Russian Hackers;  Odds of Them Standing Trial Are Almost Zero

The Department of Justice announced criminal charges against 7 Russian intelligence operatives this week, charging them with wire fraud, money laundering, identity theft and hacking.

Russia is unlikely to hand them over to the United States to stand trial and unless the Intelligence agents are not very intelligent, they will never visit any country that has an extradition treaty with the U.S.

That being said, a couple Russian criminal hackers (who are likely not as intelligent as GRU officers) have been known to visit countries friendly to us, so it is, technically possible, that they could wind up on trial in the U.S.  Just not very likely.

These indictments add more fuel to the fire that Russia is hacking us, although this is not specifically tied to the elections.  Source: CNN

 

Given that the President has

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password.  I have lost track of how many of them they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow.  NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents associated with them that are infected.  When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti virus software will catch it, but if they are crafted just slightly differently for each attack, the AV software will be blind to it.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850, 000 records.

Private right of action up to $750 per user without showing damage.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for malicious non-compliance.  $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOs 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the  pair (new phone plus new software) has been hacked.

To be fair, Pangu team, the ground that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .

Facebooktwitterredditlinkedinmailby feather

Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use. Anything that renders HTML on iOS is affected. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email. TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone.  Source:  Techcrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy said that California’s new bill replacing that repealed FCC policy is illegal.   Why?  Because, he says, that it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk conservative think thank in Portland.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently, he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use their service or use a service that has paid them a lot of money, but does charge you to use a service who has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that they will compensate  users who lost $40 million or so and have sold the majority of the company for $5 billion yen (roughly the amount of money not owned by them that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the mean time, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that they front end.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48 hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes (US, Canada, Australia, New Zealand and Great Britain) countries issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps they may pursue forcing them to do that by law.  Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored their private access key in a way that hackers were able to access 281 gigabytes of spied on photos in over 3,000 Amazon storage buckets.  This means that tens of millions of photos taken by kids and of kids are now on the loose.  All because parents wanted to keep tabs on what their kids were doing.  Now the hackers can keep tabs on their kids too (Source: Hackread).   Family Orbit shut down all services until they can fix the problem, but that won’t help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data from a million customers including passwords, call logs, text messages, contact, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies who’s very existence is threatened by these leaks were hacked.  Somehow, hundreds of backdoors on major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it.  The odds of that data getting hacked is higher than you might like.  Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public?  Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac app store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China. They are able to do this based on the permissions that the user gives it, reasonable permissions given the app.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media!  Source: (Motherboard).

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll.  First the California Consumer Privacy Act (AB 375) – now law, then  the Security of Connected Devices Act (SB 327)- on the Governor’s desk and now The Internet Neutrality Act (SB 822) which would implement many of the requirements of the now repealed FCC Net Neutrality policy.  ISPs such as Frontier, have asked employees to contact the governor and tell him to veto the bill.  This was after AT&T bribed, err, technically “lobbied” an Assembly committee to gut the bill.  The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and for their data to slow down (neither is true).  It is still on Governor Brown’s desk.  (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the wiretap act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case is Facebook Messenger even a phone call as defined in the Act?  Facebook, apparently, says that they do not have the means to do it;  that they do not have the keys.   Can the government force Facebook to rewrite it’s code to provide the keys to the government on request?  Even if they do, the conversations themselves do not go through Facebook’s network, so they could not capture the actual traffic, even if they wanted to.  The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernadino all over again.  Source:  The Verge.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commeACrcial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill .

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal, has 46 of them on its homepage alone (see below).

All of these trackers increase page download time and since each one of these tracker websites needs to be individually contacted and fed information to track us, it increases the time to load a page and the amount of data that we use.  While individually, the numbers may be small, if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that would be like visiting 4,700 web pages a day, just to read 100.

Firefox, which is owned by the non-profit Mozilla Foundation, unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), doesn’t care much about offending advertisers.

For years now browsers have supported a user specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us any way.

Come version 63 of Firefox a new feature will be tested and in version 65 it will become the default.

The feature will block trackers by default.  Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list.  The difference here is that it is built in, TURNED ON BY DEFAULT – you do not need to buy or install anything.

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that give them some access to offline purchases.  Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent.  They are using this data to give advertisers confidence that their online ads are working based on showing you an ad and then you go spend money in the advertiser’s store.  They also are buying loyalty card data with a different program and that could provide much more detailed data including exactly what you bought.  Both companies are being tight lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR they were dealing with around 3 breach cases a  month and post GDPR they are dealing with one case every day.

This is likely not due to hackers upping their game, but rather companies that would have previously swept a breach under the rug are now reporting it, fearing that 20 million Euro sword aimed at their head if they don’t report and get outed.  That outing could be from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing are both small, technical breaches and larger breaches similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Hauzhu (3800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data – 240 million records – includes everything from name, address, phone, email to passports, identity cards and  bank account information.  Make sure you have a good Internet connection if you buy it – the data is about 140 gigabytes in size.  While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data.  Source: Next Web.

Facebooktwitterredditlinkedinmailby feather