
Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once the phone is infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack according to a paper to be presented at the Usenix Security Symposium.  This would allow an attacker to recover the encryption nonce which then would allow an attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non-virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments.  Source: Computing.Co.

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  Nonetheless, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given that his account had been hacked before, the question of why HE did not immediately change to a more secure second factor weakens his case.

Stay tuned.  Source: The Register.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with their third party vendor – which is the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC, plus the state regulators – will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, the month at the end of which GDPR came into effect, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones; if Samsung can figure out what is happening, they may be able to develop a patch, and that patch would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years.  This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.


Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware-laced CDs in the mail, the sender hoping that someone is curious enough to put one in their computer and infect it.  This is an older version of a ploy that is still common: dropping malware-infected flash drives in areas outside businesses, like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is not to do it, and to hand the media to your information security team to review.  Source: Krebs on Security.


23 and Me Licensed All Customers’ DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customers’ DNA for “research”, whatever that means.  The deal lasts for four years.  I am not sure what happens after four years – do they have to give back everyone’s DNA?  Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share that with the people whose DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up.  Apparently I opted out.  You can also change that option at any time but it is not obvious how to do that.  It is buried in the research tab after you sign in.  I assume that change is not retroactive.  If you didn’t opt out, GSK has a copy of your DNA.  Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Piriform sold CCleaner to security firm Avast a few months ago.  Right after the sale CCleaner was found to be distributing a malware laced version of the software.  Over a million copies of the infected software were downloaded but it only targeted a handful of victims.  That was done by an attacker.

This problem is self-inflicted.  The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law GDPR which could result in a fine of the larger of 20 million Euros or 4% of their global revenue.  They are rethinking the wisdom of doing this and will release a new version of the software.  Real soon.  Source: ZDNet.

Idaho Inmates Hack Prison-Issued Tablets

Prisons in Idaho issue inmates specially locked down tablets to send emails to loved ones and other limited functions.  Some of those functions cost money and that is where the rub comes in.  The tablets, managed by a vendor called JPay were hacked by several hundred inmates to the tune of almost a quarter million bucks.  Now JPay is trying to get their money back.  At least it is not taxpayer money.  Source: TechCrunch.


Security News Bites for the Week Ending July 28, 2017

Zip Slip Vulnerability Affects Thousands of Projects

Researchers discovered a flaw in almost all zip-style file decompressors – RAR, TAR, 7ZIP-APK and others.

The problem is caused by a very old attack vector called directory traversal that these libraries do not handle correctly.

The decompressor libraries were likely downloaded from places like Github and Stack Overflow and developers used them in thousands of projects used by millions of users without a clue that the vulnerability has existed for years, maybe decades.

And, likely, most of those developers are completely blind to the fact that their software is vulnerable due to a software supply chain issue – assuming they are even still involved with those software projects.

Software supply chain is the Achilles heel of the entire industry and the industry is not doing much to fix it.  (Source: Bleeping Computer)
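To make the directory traversal check concrete, here is an added example (not code from the article or from any of the affected decompressor libraries) of an extractor that resolves each entry’s destination and refuses any entry that would land outside the target directory.  The archive, its entry names and the output directory are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, target: Path) -> bool:
    """True only if target resolves to a location inside base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract a zip (given as bytes) into dest, rejecting traversal entries.

    Returns {"extracted": [names...], "rejected": [names...]} so callers can
    log what was refused; a naive extractor would silently write such entries
    outside dest, which is the Zip Slip flaw.
    """
    base = Path(dest)
    base.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = base / name
            # Absolute names (e.g. "/etc/x") replace base entirely when joined,
            # so reject them explicitly as well as via the resolved-path test.
            if os.path.isabs(name) or not is_within(base, target):
                result["rejected"].append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                # Write the bytes ourselves so the path we validated is
                # exactly the path we write to.
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(name)
    return result


def build_demo_archive() -> bytes:
    """Constructed sample: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        # Entry name that a vulnerable extractor would write one level above dest
        zf.writestr("../escaped.txt", "should never land here\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the safe extractor on the sample and report whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        result = safe_extract(build_demo_archive(), dest)
        result["escaped_exists"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        return result


if __name__ == "__main__":
    print(demo())
```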

NSA Forms Group to Counter Russian Threat in Cyberspace

In what would appear to be a difference of opinion with his boss, the head of the NSA has created a special task force to address Russian threats in cyberspace.  The Washington Post reported that the NSA and its sister Cybercom will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has said does not exist any more, if it ever did.  The President has called the threat fake news many times.  It would appear that General Nakasone has a difference of opinion with his boss.  Source: Bloomberg

Level One Robotics Leaves Tens of Thousands of Sensitive Docs Unprotected

Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents – apparently including non disclosure agreements – belonging to multiple automakers including Tesla, Toyota and Volkswagen – unprotected online.  The material includes documents from over 100 companies and includes blueprints, factory schematics and other materials.

The data was found by Chris Vickery of UpGuard.  Chris has found dozens of unprotected data sets just in recent months, usually on Amazon.  Chris DOES NO HACKING.  All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked.  In this case, the material was an unprotected backup – 157 gigabytes of data made up of over 47,000 files.  If hackers found it before Chris did, and they may have, they are likely celebrating.  That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies.  Source: NY Times

Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid

The Department of Homeland Security reported Monday that hackers, working for Russia, hacked into the US power grid as early as 2013 and are likely still inside the grid with the ability to turn off the lights.  DHS says there were likely hundreds of victims and one of the attack vectors is compromising trusted vendors of the power companies (third party vendor cyber risk management).  Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?).  Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall.  For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time.  Source: CNET

Russian Hackers Attack Senator Claire McCaskill

Reports have surfaced today that Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri.  The Senator says that the attack was not successful.  McCaskill is a vocal opponent of Russia.  This is happening as the President continues to say that Russia is not hacking us and before the campaign season really warms up.  Source: The Daily Beast


Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure that governments need any help in hacking IoT devices, but just in case they do, Israeli startup Toka raised $12.5 million to help police hack iPhones, Alexas, Echos and Nests, along with other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder and Brigadier General Yaron Rosen, former head of the Israel Defense Forces cyber staff is the president of Toka.

Kind of like NSA’s Tailored Access Operations (TAO) that builds custom hacks for the NSA, Toka said they are going to see what customers ask for and then deliver.

This sounds like a company to watch.  (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9-11.

Russia, China, Iran and North Korea are launching daily cyber strikes on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems and Software admitted in a letter sent to Senator Ron Wyden that they installed pcAnywhere remote access software on some voting machines delivered between 2000 and 2006.  This is opposite what they told a New York Times reporter in February, so either they were lying then or are lying now, pick one.

They stopped installing the remote access software in December 2007 after the laws changed which would have made installing that software illegal.

The remote access software was not on the ballot boxes in the local precincts but rather on the election management systems in the city and county headquarters.  There are far fewer of these systems and each one is responsible for many voting machines, which makes them a much more attractive target for hackers.  (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp shut down portions of its network over the weekend due to suspicious activity.  That is about as vague as the company has been.

The attack hit the company’s genetic testing unit and spread from there.  The company has data on over 250 million Americans. LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it is a strain of the common ransomware SamSam and it has infected tens of thousands of workstations.

The hackers demanded $52,000 in ransom which LabCorp says it has no intention of paying.

LabCorp is working hard to try and minimize brand damage as it fights for market share with Quest Diagnostics.  Unfortunately, unless they can prove that no data was stolen, under HIPAA rules this will be considered a breach and must be reported to the government, at which point we will get more details.  Source: Wall Street Journal.


Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still this does point out the risk of granting someone else proxy to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive, but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people whose data was stolen): this attack started in December 2017.  The hacker logged on in March and April 2018 also.  The hacker next logged in on June 22 and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB Restricted Mode to the current release of iOS.  Restricted Mode locks down the Lightning port of an iPhone or iPad after the device has been locked for an hour, so that the port cannot be used for data access, only charging.  It defaults to enabled, although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO, put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the ransomware attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from their backups.  Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the Reaper MQ-9, a $17 million military drone for less than $200 on the dark web.  He got them by hacking an Air Force Airman’s home Internet router which was not patched for a known vulnerability.  It is likely that the Airman was not involved, but it is not clear if he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.
