Category Archives: News Bites

Short news items

News Bites for the Week Ending December 14, 2018

Patches This Week

Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader.  39 of these are rated critical.  Last week they patched a critical zero day in Flash (Details here).


More Spy Cams

The other day I reported that the DEA was buying spy camera enclosures to hide inside of street lights (here), well that is not the only place they are hiding them.

Again, assuming they follow the rules, there is nothing illegal about these efforts.  The Register is reporting that the DEA is buying high end spy cams built into seemingly ordinary shop vacs.  While we don’t know the brand of shop vac, we do know that the camera is a Canon M50B, a high end camera that does remote pan, tilt and zoom.

The camera/shop vac could be just left around or it could come attached to a government agent/janitor.

Whatever it takes to catch a crook.


O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate

Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate.  He is probably looking for a new job right now.

The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack of resources or not having the expertise.  Details at ZDNet.

Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.
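The O2 outage above is exactly the failure a routine expiry check catches weeks ahead of time. The script below is an added example, not code from O2, Ericsson or this blog: it scores a small certificate inventory against a reference date using the dict shape Python's own `ssl` module returns from `getpeercert()`, and includes a helper that pulls that dict from a live endpoint. The inventory names, the notAfter dates and the 30-day warning threshold are constructed for the demo.

```python
import socket
import ssl
from datetime import datetime, timezone

# Warn this many days before a certificate's notAfter; an assumed policy value.
WARN_DAYS = 30


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days left on a certificate, given the dict shape that
    ssl.SSLSocket.getpeercert() returns (notAfter looks like
    'Dec 10 12:00:00 2018 GMT'). Negative means already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now.timestamp()) / 86400.0


def classify(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """EXPIRED / WARN / OK for one certificate at the reference time `now`."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def review_inventory(inventory: dict, now: datetime, warn_days: int = WARN_DAYS) -> list:
    """Run the check over a name -> cert inventory and return the items that
    need attention, soonest expiry first, as (name, status, days_left) tuples."""
    problems = []
    for name, cert in inventory.items():
        status = classify(cert, now, warn_days)
        if status != "OK":
            problems.append((name, status, round(days_until_expiry(cert, now), 1)))
    problems.sort(key=lambda item: item[2])
    return problems


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Pull the leaf certificate a live endpoint presents (network call; not
    used by the offline sample below). Same dict shape as the inventory."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inventory: names and notAfter values are made up for the demo.
SAMPLE_INVENTORY = {
    "core-signalling-a": {"subject": ((("commonName", "sig-a.internal.example"),),),
                          "notAfter": "Jun 15 00:00:00 2019 GMT"},
    "core-signalling-b": {"subject": ((("commonName", "sig-b.internal.example"),),),
                          "notAfter": "Dec 10 12:00:00 2018 GMT"},
    "legacy-gateway":    {"subject": ((("commonName", "gw.internal.example"),),),
                          "notAfter": "Nov 30 12:00:00 2018 GMT"},
}

# Fixed reference time so the demo is repeatable; in production use
# datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status, days in review_inventory(SAMPLE_INVENTORY, REFERENCE_NOW):
        print(f"{status:8} {name:20} {days:+.1f} days")
```

Run it from cron against an inventory built with `fetch_peer_cert()` (or exported from your PKI) and page on anything that is not OK; the point is that the check runs on a schedule, not in someone's memory.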


Kay Jewelers and Jared Jewelers fix Data Leak

Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.

In this case, these two jewelers, both owned by Signet Jewelers, sent confirmation emails that allowed anyone to change the link in a confirmation email to see another customer’s order information – name, address, what they ordered, how much they paid and the last four of their card number.

I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for these kinds of issues.

While not the worst data leak in the world, not a good thing.  They have since fixed the problem.  Source: Brian Krebs.
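The jewelers' bug is a textbook insecure direct object reference: the link carries the order number and the server never asks who is looking. The following is an added illustration, not Signet's code or anything from this blog, showing the leaky pattern next to the fixed one. The store URL, the customer records and the order numbers are constructed sample data; `requester_email` stands in for whatever identity the server's session gives it.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_email: str
    items: tuple
    total: float
    card_last4: str


# Constructed sample data: two customers, sequential order numbers.
ORDERS = {
    1001: Order(1001, "alice@example.com", ("ring",), 499.00, "4242"),
    1002: Order(1002, "bob@example.com", ("watch",), 899.00, "1881"),
}

# Hypothetical store URL used in the links below.
STORE = "https://store.example"


# --- the leaky pattern: the link is the record number, and nothing is checked
def vulnerable_confirmation_link(order: Order) -> str:
    return f"{STORE}/order?id={order.order_id}"


def vulnerable_order_view(link: str, requester_email: str):
    """Serves whatever order number is in the URL. requester_email is ignored,
    so editing id=1001 to id=1002 shows another customer's order."""
    order_id = int(parse_qs(urlparse(link).query)["id"][0])
    return ORDERS.get(order_id)


# --- the fixed pattern: unguessable token plus an ownership check
_TOKEN_TO_ORDER: dict = {}  # server-side map; a database column in real life


def hardened_confirmation_link(order: Order) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a sequence
    _TOKEN_TO_ORDER[token] = order.order_id
    return f"{STORE}/order?token={token}"


def hardened_order_view(link: str, requester_email: str):
    """Resolves the token server-side and refuses unless the logged-in
    customer (requester_email, taken from the session) owns the order."""
    token = parse_qs(urlparse(link).query).get("token", [""])[0]
    order_id = _TOKEN_TO_ORDER.get(token)
    if order_id is None:
        return None
    order = ORDERS[order_id]
    if order.customer_email != requester_email:
        return None  # worth logging: a mismatch here is an enumeration signal
    return order


if __name__ == "__main__":
    tampered = vulnerable_confirmation_link(ORDERS[1001]).replace("1001", "1002")
    print("vulnerable:", vulnerable_order_view(tampered, "alice@example.com"))
    bob_link = hardened_confirmation_link(ORDERS[1002])
    print("hardened  :", hardened_order_view(bob_link, "alice@example.com"))
```

The two layers do different jobs: the random token stops anyone from walking the order numbers, and the ownership check means a forwarded or leaked link still shows nothing to the wrong account. Code review should flag any handler that loads a record by a client-supplied id and returns it without the second check.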


Google + To Shut Down Even Earlier After New Breach

Sometimes even the great Google can’t catch a break.

After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network in August 2019.

But now Google announced another flaw that affects over 50 million users and Google has changed its mind and will shut down Google + in April instead of August.  The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was created when they fixed the old bug.  Source: The Hacker News.

House Oversight and Government Reform Committee Says Equifax Responsible for Breach

A House committee spent 14 months and an unknown amount of money telling us what we already knew:  The Equifax breach was totally preventable and that CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach.  The Democrats say that there was a missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in it.  Our government at work.  Source: The Hill.


News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.


Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.


Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today it is Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elasticsearch, exposed it to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on it quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.


Yet Another Elastic Search Exposure – Belonging to UNKNOWN

Maybe this is Elasticsearch week.  Another group of researchers found a trove of data in an Elasticsearch instance, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposes to be defined later.  Source: Hackenproof.
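Both Elasticsearch items above (Sky Brazil and the unknown owner) come down to the same two settings: the node listens on a public interface and nothing asks for credentials. The audit below is an added example, written for this page and not taken from Elastic or from either breach: it reads the flat `key: value` style of `elasticsearch.yml` and flags that combination. The two sample configs are constructed; the setting names `network.host`, `http.port` and `xpack.security.enabled` are real, while the defaults the code assumes when a key is absent (loopback binding, security off) are stated as assumptions in the comments and should be checked against the version you run.

```python
# Loopback names Elasticsearch accepts for network.host; anything else is
# reachable from other machines.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Minimal reader for the flat `dotted.key: value` style used in
    elasticsearch.yml. Ignores comments and blank lines; not a YAML parser."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def _host_list(value: str) -> list:
    """network.host may be a single value or a bracketed list."""
    return [v.strip().strip("\"'") for v in value.strip("[]").split(",") if v.strip()]


def audit(config_text: str) -> list:
    """Return human-readable findings for the two settings that together turn
    an Elasticsearch node into an open, unauthenticated data dump."""
    cfg = parse_flat_yaml(config_text)
    findings = []
    # Assumed default: with network.host absent, the node binds loopback only.
    hosts = _host_list(cfg.get("network.host", "_local_"))
    reachable = [h for h in hosts if h not in LOOPBACK_HOSTS]
    port = cfg.get("http.port", "9200")  # 9200 is the documented default
    if reachable:
        findings.append(f"network.host binds non-loopback interface(s) {reachable}; "
                        f"the REST API on port {port} is reachable from the network")
    # Assumed default for this era of the stack: security is off unless enabled.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true; the REST API accepts "
                        "unauthenticated requests")
    if len(findings) == 2:
        findings.append("CRITICAL: reachable from the network AND unauthenticated")
    return findings


# Constructed sample: what an exposed node looks like.
EXPOSED_CONFIG = """
cluster.name: customer-search
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
"""

# Constructed sample: loopback only (front it with a firewall or reverse proxy
# for remote access) and authentication switched on.
HARDENED_CONFIG = """
cluster.name: customer-search
network.host: _local_
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Drop this into a config-management pre-deploy check so an instance cannot ship with `network.host` on a public interface unless security is enabled; a network-level rule blocking port 9200 from the Internet is the belt to go with these braces.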


Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim, based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.


Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

One way they kept it quiet was by not telling Speaker Paul Ryan, Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fallout.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.


Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes, another Adobe Flash zero-day (previously unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.


News Bites for the Week Ending November 30, 2018

Microsoft Azure and O.365 Multi-Factor Authentication Outage

Microsoft’s cloud environment had an outage this week for the better part of a day, worldwide.  The failure stopped users who had turned on two factor authentication from logging in.

This is not a “gee, Microsoft is bad” or “gee, two factor authentication is bad” problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately cloud systems fail occasionally too.

The bigger question is are you prepared for that guaranteed, some time in the future, failure?

It is a really bad idea to assume cloud systems will not fail, whether they are from a particular industry specific application or a generic one like Microsoft or Google.

What is your acceptable length for an outage?  How much data are you willing to lose?

More importantly, do you have a plan for what to do in case you pass those points of no return and have you recently tested those plans?

Failures usually happen when it is inconvenient and planning is critical to dealing with it.  Dealing with an outage absent a well thought out and tested plan is likely to be a disaster. Source: ZDNet.


Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem.  Business credit ratings represent the overall risk a business represents.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody’s says that they will soon evaluate organizations’ risk from a cyber attack.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.


British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not real happy with Facebook and were looking for copies of documents that had been part of discovery in a lawsuit between app maker Six4Three and Facebook that has been going on for years.

So, when Ted Kramer, founder of the company, visited England on business, the Parliament’s Serjeant-at-Arms literally hauled Ted into Parliament and threatened to throw him in jail if he did not produce the documents sealed by the U.S. court.

So Ted is between a rock and a hard place;  the Brits have physical custody of him;  the U.S. courts could hold him in contempt (I suspect they will huff and puff a lot, but not do anything) – so he turns over the documents.

Facebook has been trying to hide these documents for years.  I suspect that Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.


Two More Hospitals Hit By Ransomware

The East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to using paper patient charts and are sending ambulances to other hospitals.  Of course they are saying that patient care isn’t affected, but given you have no information available to you regarding patients currently in the hospital, their diagnoses, tests or prior treatments, that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared?  In this case, likely one doctor or nurse clicked on the wrong link;  that is all it takes.  Source: EHR Intelligence.


Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million customers including Socials for about 700,000 of them.

However, while Atrium gets to pay the fine, it was actually the fault of one of their vendors, Accudoc.  Accudoc does billing for them for their 44 hospitals.

Atrium says that the data was accessed but not downloaded and did not include credit card data.  Of course if the bad guys “accessed” the data and then screen scraped it, it would not show as downloaded.

One more time – VENDOR CYBER RISK MANAGEMENT.  It has to be a priority.   Unless you don’t mind taking the rap and fines for your vendor’s errors.   Source: Charlotte Observer.


News Bites for the Week Ending November 23, 2018

Japan’s Cybersecurity Minister has Never Used a Computer

Yoshitaka Sakurada, the deputy chief of Japan’s cybersecurity strategy office and the minister in charge of the 2020 Olympic Games in Tokyo says that he doesn’t use computers – basically, he has secretaries and employees to do that.  He also acted confused about whether Japan’s nuke plants use USB drives.

While a few people joked that he has mastered cybersecurity (which of course is not true unless he plans to shut down all of Japan’s computers), most people were amazed that the government put someone with absolutely no understanding of cybersecurity, never mind no expertise, in charge. Source: The Guardian.

Suspect Remotely Wipes iPhone that Police Seized as Evidence

Juelle Grant is a suspect in a shooting in New York in October.  Police think she was the driver and hid the shooter’s identity and hid the gun.

Apparently Grant tried to out-think the police and used Apple’s find my phone feature to do a remote wipe of the phone.

The cops were not amused and charged her with tampering with evidence and hindering prosecution.  The police could have foiled her by putting the phone in a $1.00 foil bag.

That she was able to successfully do this is indicative of the uphill battle that police face shifting from a world of cops walking a beat to a world of cyber experts.  Source: Apple Insider.

China’s Response to Tariffs – Increase Hacking

According to a U.S. government report released recently, China’s response to U.S. tariffs is to increase, not decrease, hacking.  The tariffs, which were put in place due to unfair business practices, including hacking, were supposed to get China to reduce hacking of our intellectual property, but according to the report, have in fact had the opposite effect.

The report says that Chinese hacking efforts aimed at stealing American technology and trade secrets have “increased in frequency and sophistication” this year.

The Chinese appear to be interested in stealing information on artificial intelligence and other technologies, and the report notes a “sharp rise” in hacking against manufacturers.

What this means is that U.S. companies need to take steps to protect themselves.  Source: Real Clear Defense.


Adobe Releases Yet Another Emergency Fix For Flash

In the “gee, what a surprise” category, the pile of Band-Aids (R) that some people call Adobe Flash released yet another emergency patch for a bug that would allow an attacker to run arbitrary malicious code on a user’s device by getting them to visit a web page that had, for example, a malicious ad on it.

Adobe has announced that they will discontinue support by the end of 2020, which means that we still have years of emergency patches in the wings, followed by hacks for new bugs that are never going to be patched.  Source: CyberScoop.


Just Visiting a Website Could Have Hacked Your Mac

A bug in Safari allowed an attacker to take over your Mac simply by getting you to visit some web page.  The bug, now patched, would have allowed an attacker to own any Mac.  The researchers released a video and proof of concept code now that the hole has been closed.  That, of course, does not mean that other hackers didn’t know about it already.

Attacks are getting more sophisticated as vendors try to lock down their systems.  This exploit used three different Mac bugs to take over your computer.

No user involvement was required after the user opened a web page in Safari.  Source: The Hacker News.


News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz.


The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to Virus Total, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the anti virus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.


HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.   *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York requires financial institution administrators to use two factor authentication.  Source: BBC.


U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that the U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, it apparently does.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it. Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe and the companies actively support that.  The U.S. government has less direct incentives although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that Cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.


Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above —

BGP hijacking has become a well-honed art form for China (and others).  BGP, the routing protocol used by all ISPs and many large companies, has no security built in: anyone can “advertise” that they own an IP address block, and there is currently no way to stop them.  After the fact – once the owner notices it is down – the owner can recover from it.  If the attacker is stealthy, they capture the traffic and, after a very small delay, send it on its way.  They now own a copy of the traffic which they can try to decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.   Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.
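The IETF work mentioned above includes RPKI route origin validation (RFC 6811): prefix owners publish signed ROAs saying which AS may originate which prefix, and routers compare each announcement against them. The code below is an added example for this page, not the IETF's reference code nor anything from Google or Ars Technica: it implements that comparison in plain Python and flags the announcements an operator would alert on. The ROAs and announcements are constructed from RFC 5737 documentation prefixes and private-use AS numbers.

```python
import ipaddress

# ROV outcomes per RFC 6811.
VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def route_origin_state(prefix: str, origin_asn: int, roas: list) -> str:
    """Classify one announcement against (roa_prefix, max_length, asn) ROAs.
    'invalid' means some ROA covers the prefix but none authorises this origin
    at this length: the shape of an origin hijack or a leaked more-specific.
    'not-found' means no ROA covers it, so nothing can be said."""
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_length:
            return VALID
    return INVALID if covered else NOT_FOUND


def flag_announcements(announcements: list, roas: list) -> list:
    """Return the (prefix, origin_asn, state) triples that are not 'valid',
    for alerting or for a drop policy at the edge."""
    results = []
    for prefix, origin_asn in announcements:
        state = route_origin_state(prefix, origin_asn, roas)
        if state != VALID:
            results.append((prefix, origin_asn, state))
    return results


# Constructed sample: documentation prefixes (RFC 5737), private-use ASNs.
ROAS = [
    ("192.0.2.0/24", 24, 64500),     # AS64500 may originate exactly the /24
    ("203.0.113.0/24", 26, 64501),   # AS64501 may originate /24 down to /26
]

ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # legitimate
    ("192.0.2.0/25", 64500),       # right origin, more specific than the ROA allows
    ("192.0.2.0/24", 64511),       # wrong origin: what a hijack looks like
    ("203.0.113.64/26", 64501),    # legitimate, within max_length
    ("198.51.100.0/24", 64496),    # no ROA at all: cannot be judged
]

if __name__ == "__main__":
    for prefix, asn, state in flag_announcements(ANNOUNCEMENTS, ROAS):
        print(f"{state:10} {prefix:18} origin AS{asn}")
```

Two caveats a practitioner should keep in mind: origin validation only catches a wrong or over-specific origin, not an attacker who forges a path that keeps the true origin at the end (that is what BGPsec addresses), and it only helps for prefixes whose owners have actually published ROAs, which is why the "not-found" bucket is still large.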


This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today. —

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.


News Bites for Week Ending November 9, 2018

Score One For Amazon Security!

People who have read my blog for a while know that I am a big fan of two factor authentication.  That little bit of extra security usually gets thrown out the window if you call in to customer service instead of logging in to the company’s web site.  Two factor is not a silver bullet, but it does help security, dramatically.

Apparently, at Amazon, two factor means two factor, even on the phone.

I was having a problem with a delivery and had to call in to get it handled.  They refused to do anything at all unless I confirmed the one time password (second factor). They said that even if I escalated the call to a supervisor, the system WOULD NOT ALLOW THEM to access my account without the second factor authentication.

KUDOS TO JEFF BEZOS AND THE AMAZON SECURITY TEAM!

Usually, companies decide that being customer friendly, even at the expense of massive fraud, is more important than security.

Thank you Amazon for being a tad bit more sane!

And, if you don’t have two factor authentication turned on for your Amazon account, you should.  Amazon accounts are a massive target for thieves.  They usually don’t use it to buy products, although I have seen that too, but they use it to buy electronic gift cards which get used immediately, before the fraud is reported.

Usually People Don’t Die From Security Failures, but in this Case, Dozens Did Die

This is not a joke;  this is a serious story and people did die as a result of poor Internet security.

Word is just now coming out that the CIA had a serious security breach of their Internet based covert communications system used by field people, for years.  Apparently, the Iranians figured out how the system worked and that exposed the identities of CIA sources and maybe agents.  Dozens of sources in countries hostile to the U.S. were rounded up and disappeared (meaning, likely, tortured and/or murdered).

Apparently, when the CIA set up this covert communications system, they didn’t consider that state actors might try to hack into it.  For four years they did, successfully.

In defense of the CIA, apparently the system was not really designed for the way it wound up being used, but, one more time, convenience won out over security, and until the CIA was able to figure out why people were disappearing, they didn’t stop using it.

Sometimes people don’t grasp the consequences.  A quote from one former official:

The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

In May 2011, Iran said that they had broken up a ring of 30 CIA spies.

In a statement that is not very comforting, the article says that “the Iranian compromise led to significantly fewer CIA agents being killed than in China”.

This just goes to show that real security is hard to do and we need to remember that.  In this case, it appears that it cost a lot of people their lives.  Source: Yahoo News.

Sen. Ron Wyden Introduces Bill That Punishes CEOs with Possible Jail Time for Security and Privacy Lapses

The draft Consumer Data Protection Act would give the FTC more power to hand down harsher penalties on companies that violate users’ privacy.

The bill includes a national “do not track” registry, similar to the do not call registry, that would allow people to opt out from tracking for all websites that store their data.

Wyden is targeting companies that make more than $50 million and store data on more than 1 million users.

Those companies would have to submit an annual data protection report (similar, I suspect to the Sarbanes or NY DFS requirements).

Executives that INTENTIONALLY mislead the government could be held criminally liable, fined up to $5 million and jailed for up to 20 years.  These executives include the CEO, CPO and CISO.  Source: CNN .

Colorado Cities and Counties Ignore FCC Warning

Last week I wrote about an FCC commissioner who said that city run Internet services risked residents’ freedom of speech (I assume because he figured the town would censor speech somehow, if they ran the Internet service).  This FCC commissioner didn’t address that many people in the U.S. only have the choice of one Internet provider (like me), not counting satellite Internet (which is a joke), and that lack of choice, it seems to me, is a much bigger risk to consumers than locally run Internet, where the users meet the council people running their Internet in the local cafe or grocery store and give them a piece of their mind.  I am not sure how to effectively give Comcast a piece of my mind.

Well,  in 2005, Comcast bribed (probably not in the legal sense) the Colorado legislature to make it illegal for cities and counties to run municipal Internets.  EXCEPT.  They put a back door in the Comcast Law that said the law was null and void if a municipality put a ballot measure out that approved offering municipal Internet services.

So far, about half of Colorado counties have passed such a measure and this week there are another 18 on various ballots.

This past September, the town of Salida, West of Colorado Springs and Pueblo, voted on such a measure.  It passed with 85% of the vote.

Apparently, Colorado voters don’t agree with the FCC.  Big surprise.  Source: Motherboard.

UK Hands Investigation Results Over to Ireland’s GDPR Police

It just hasn’t been a good year to be Facebook (the stock price is down to $150 from a high this year of $215).  A pro-Brexit organization was fined 135,000 Pounds for running misleading ads.  And, there is a BUT.  The British Information Commissioner’s Office (ICO) handed over the results of the investigation to Helen Dixon, the Irish Data Protection Commissioner, as the Brits felt that Facebook was targeting ads and monitoring browsing habits (which I am sure they are) in violation of GDPR.  So now Facebook has to deal with yet another GDPR investigation. Source: Forbes.
