Category Archives: News Bites

Short news items

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now Britain's signals intelligence agency, GCHQ, says that Huawei's security engineering practices are roughly what was considered acceptable in the year 2000, and that they don't seem to be getting any better.  Source: BBC.


Researchers Figure Out How to Attack WPA 3

Wi-Fi security standards are designed behind closed doors by members of the Wi-Fi Alliance, and those members are bound to secrecy while the work is going on.  The first version (WEP) offered essentially no security, the next (WPA) was a stopgap, and the current one (WPA2) has been broken as well.

These protocols are not subjected to outside, independent security review before they ship.  Anyone who wants to break one has to treat it as a black box.  And some researchers have done exactly that.

Now WPA3, which is not widely deployed yet, has been broken by researchers (the attacks are known collectively as Dragonblood).  One attack is a downgrade: where an access point runs in WPA3/WPA2 "transition mode", a client can be pushed back to WPA2 and its handshake attacked the old fashioned way.  The others are side channel attacks (timing and cache based) against the new Dragonfly password handshake that leak enough information to run an offline password guessing attack.  They also found a denial of service attack, even though the new protocol is supposed to have protections against exactly that.

Conveniently, the researchers have put tools on GitHub so that access point buyers (and, of course, attackers) can test whether a specific access point is vulnerable.  The same tools can be used to launch the attacks.

The Wi-Fi Alliance is working with vendors to patch the holes.  The good news is that since there are almost no WPA3 devices in use yet, catching the bugs early means that most devices will ship already patched.  After all, it is highly unlikely that most users will ever patch their Wi-Fi gear after installing it.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump has said the election hacker might be some 400 pound person in his bed, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that the Russians did research on, and made "visits" to, the state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand how much we know about the Russians' efforts to compromise the election, and it will likely fuel more conversations in Congress.  Source: Ars Technica.


Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, which President Trump says is in cahoots with President Putin, released a report on a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.


Security news Bites for the Week Ending March 29, 2019

We’re From the Government and WE’RE HERE TO HELP YOU!

Well, not really.

We don’t have to worry about the gov being hacked.  They just give our information away.  At least in this case there is no hard evidence that the data was misused.

FEMA hired a contractor to help it find temporary housing for 2+ million people displaced by the recent hurricanes and wildfires.  In order to validate that the people were eligible for assistance, FEMA shared data like name and last 4 of social with the vendor.

Unfortunately, they also shared people’s address, bank account number, bank routing number and other financial details.

FEMA’s OIG discovered it and FEMA says they are sorry.

FEMA then conducted an audit of the contractor and didn’t find any obvious signs of abuse/misuse.  They are also fixing the problem.

Hopefully, that is the end of it, but given how much government agencies use contractors, are you betting this situation is unique?

Are YOU oversharing information with third parties? Are you sure?


Drones are rapidly becoming a large security risk

Because, at the low end, drones are really cheap and expendable and, at the high end, really sophisticated, the bad guys have figured out that they are a great tool for causing disruption and potentially even death.

We saw late last year that rogue drones shut down London’s Gatwick airport.  While this was distressing, what if, instead, a drone hovered over some crowd and released some lethal whatever.  Relatively easy to do and it could cause mass casualties.

While the drone makers are adding no fly zones around places like airports and prisons, users can hack the drone software or simply pick second tier targets.  Not everything can be off limits, otherwise the drone business will end.

For very high risk targets, authorities are trying to use military anti-drone technology, but that won’t be possible to protect every possible target.

Drones are also great surveillance tools, quietly photographing potential targets and eavesdropping on Wi-Fi signals.

And there are many more issues, and right now, no good answers.  Sources: Threatpost and ZDNet.


Norsk Hydro says that they lost $40 Mil in the first week alone after the ransomware attack

Norsk Hydro estimates that they lost over $40 million in the first week after the ransomware attack shut down many factories and forced others to run in manual mode.

The good news is that they say they have cyber insurance led by AIG (so apparently multiple interlocking policies, with several carriers sharing the risk, to give them more coverage).  How much insurance they have they aren't saying, and the final costs, including any lawsuits, won't be known for years.

They believe it will take weeks to repair all of the affected systems, which, scary as that sounds, is actually good for an incident of this scale.

Norsk says that they think they have cleaned all of the infected servers and are ready to begin restoring data.

My assessment from a distance is that they appear to have a well designed and well tested INCIDENT RESPONSE PROGRAM.  Still it will cost them tens of millions of dollars – maybe more.

Consider how you would respond to an incident like this.  There is no indication that this was a targeted attack, but rather a random event.

Source: Security Week.


36 New Security Flaws Found in CURRENT Cellular Networks

While the president seems hell bent on stopping Huawei from becoming an integral part of the worldwide next generation cellular network due to security risks (which is probably not a bad idea, but will have no impact on security for at least 5-10 years, until 5G cellular becomes the norm), the government is doing nothing about the security holes that affect us today and will continue to affect us for years and likely decades.

Security researchers from Korea (South, not North) have identified 51 vulnerabilities in current (LTE) cellular networks, 36 of which were previously unknown, by fuzzing the control-plane messages of real carrier networks.  While they have reported these issues to the various parties, it is likely that hundreds of millions of phones, and maybe even the network itself, will never be fixed.  Source: Computing.


Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone“.

Since Apple's business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (Kimoji) claimed to have been downloaded 9,000 times a second at $1.99 after it launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn, and my email address and information were located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to Gabon, on the west coast of Central Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and that if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.
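Here is what "tracing the email" looks like in practice, as an added example that is not part of the original post: walk the Received headers from the bottom (oldest hop) to the top (the header your own mail server added), pull out the routable IP of each relay, and then feed those IPs to whois or a geolocation database. The message below is constructed for the example, with RFC 5737 documentation addresses and example.* host names standing in for the real relays; it is not the scam email itself.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the scam email from the post). The public
# addresses are from the RFC 5737 documentation ranges, so they map to nothing real.
SAMPLE_RAW = (
    "Received: from mx1.example.net (mx1.example.net [203.0.113.7])\n"
    "\tby mail.example.org with ESMTPS id k7Q2x; Fri, 22 Mar 2019 10:02:11 +0000\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.22])\n"
    "\tby mx1.example.net with ESMTP; Fri, 22 Mar 2019 10:02:05 +0000\n"
    "Received: from [192.168.1.50] (unknown [192.0.2.199])\n"
    "\tby relay.example.net with ESMTPA; Fri, 22 Mar 2019 10:01:58 +0000\n"
    'From: "Central Intelligence Agency" <agent@example.ga>\n'
    "To: victim@example.org\n"
    "Subject: Case 4432\n"
    "\n"
    "Send 10,000 USD in Bitcoin before April 8th.\n"
)

# Relay addresses are conventionally written in square brackets in Received headers.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The host that accepted the message at this hop.
BY_HOST = re.compile(r"\bby\s+([\w.-]+)")

# Explicit list of non-routable ranges. ipaddress's is_private would also drop the
# RFC 5737 documentation ranges used in the sample, so the check is spelled out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, or anything unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw_message: str) -> list:
    """Return the delivery path as (sending_ip, receiving_host) tuples, oldest hop first.

    Only the topmost Received header, the one your own server wrote, is trustworthy;
    every header below it could have been forged by the sender or an earlier relay.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):   # headers are newest-first
        text = str(header)
        routable = [ip for ip in BRACKETED_IPV4.findall(text) if not is_internal(ip)]
        by = BY_HOST.search(text)
        if routable and by:
            hops.append((routable[0], by.group(1)))
    return hops


def claimed_sender(raw_message: str) -> str:
    """The address in the From header, which the sender can set to anything at all."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return parseaddr(str(msg["From"]))[1]


if __name__ == "__main__":
    print("claimed sender:", claimed_sender(SAMPLE_RAW))
    for n, (ip, host) in enumerate(received_chain(SAMPLE_RAW), 1):
        print(f"hop {n}: {ip} -> {host}")
```

The first tuple returned is the earliest routable relay, which is the best lead you have on where the message actually entered the mail system; the From address tells you nothing except what the sender wants you to believe.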

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who has already put details of 890 million hacked accounts up for sale and who previously said he was done, has released yet another round of hacked accounts for sale.  This round contains 27 million accounts from web sites that are obscure (to me): Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts: well under a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.


Airline Seatbacks Have … Cameras? !

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video chat with each other while travelling, likely at some exorbitant cost.  If you let people use their phones, they can FaceTime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now, at least.  Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.


Security News bites for the Week Ending March 15, 2019

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county's population is 67,000 according to Google.  Hackers may or may not be explicitly targeting small municipalities like this one, but either way they make attractive victims: small municipalities likely have poor cybersecurity practices and are likely to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

The people who pay the price for the county's poor security practices, unfortunately, are the residents.  The county budget for 2017 was about $40 million, so a $400k hit is about one percent of a year's budget.  There is no indication that the county had any insurance.  On top of the ransom itself, the county hired a consultant, suffered downtime and is still recovering from the outage.  Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, the vast majority of them are small and with no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid.  Source: Bleeping Computer.


Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure.   Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security, but nothing is perfect.  There are many second-factor methods, including a phone call and a text message, and those two are the weak ones: a code delivered over the phone network can be intercepted via SIM swapping or SS7 abuse, and a one-time code can be phished just like a password.

Now Google lets corporate G Suite administrators disable the less secure two-factor methods if they choose to (a feature Microsoft's Office 365 has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to use either the Google Authenticator app or a YubiKey (or another FIDO security key) as the only approved second factor, you can do that.  MUCH – repeat MUCH – more secure; the security key in particular resists phishing because the site's origin is part of what it signs.  Source: Bleeping Computer.


App 63red Security Lacking;  Developer Threatens Messenger

63red Safe, an app developed by the conservative news site 63red, is supposed to provide a directory of places where it is safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher found that the security of the app was less than perfect.  Inside the code of the app he found the developer's email, username and password in plain text; the app's API had no authentication at all; and there were other security issues.

Developers react differently to being told their app is not secure.  In this case the developer reported that there was no breach, that no data had been changed and that a minor problem had been fixed.  The first two statements are accurate but misleading.  He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was read the app's code and then use what was in it to test the API.  Theoretically, that could be argued to be "exceeding authorized access" under the Computer Fraud and Abuse Act, which, contrary to what many people assume, contains no explicit exception for security research; the research exemptions that do exist are under the DMCA's anti-circumvention rules, not the CFAA.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground.  Sources:  The Daily Beast and Ars Technica.


Security News bites for the Week Ending March 8, 2019

Commerce Department Wants Companies to Publish Ingredients of their Software

The Commerce Department is trolling around the RSA conference trying to get companies to publish the ingredients in their software, the so-called software bill of materials that I have written about before, so that users can see which libraries a product is built on.  The objective is to avoid another Equifax style breach, which happened because a known-vulnerable version of, say, Struts was sitting inside a software package and nobody knew it was there.  Even with a bill of materials, users still have to figure out what to do with the information.  Big project, but a useful one.  Source: The Cybersecurity 202.

Massachusetts High Court Orders Man to Unlock Phone

Various courts have come down with different decisions regarding whether a person can be compelled to unlock his or her computing device after a warrant is issued.  In general, it has been held that you can be forced to look at your phone (face ID) or put your finger on your phone (fingerprint reader), but not to enter a password (compelled testimony).  But not all courts agree.

The Massachusetts Supreme Judicial Court announced (seriously) "the end of privacy in the digital age" when it compelled an accused pimp to unlock his phone.

Whether this particular case winds up in front of the US Supreme Court or not, the issue will ultimately have to be decided there.  Source: Boston Herald.

Brits Say Brexit was a Russian Plot

As politicians scramble to spin reality regarding Russia's influence peddling efforts, British foreign secretary Jeremy Hunt says that there is no evidence of successful Russian interference with UK polls, in the face of lawsuits compelling the government to investigate whether that happened.

He is likely right that the Russians did not try to literally break into the (digital) ballot box and change votes, but on the other hand it is equally likely that they used their normal social media techniques to influence the outcome in a direction favorable to Russia.

Why Hunt thinks that England is in some kind of “no-influence” bubble is beyond me (other than to admit it would be politically damaging).  After all, governments around the globe (including the US) have been working hard to influence elections for decades.  Source: The Guardian.

Huawei Sues US Government Over Ban

The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat.

In what will likely be a years-long court battle, Huawei (and by extension Beijing) is demonstrating that it does not plan to roll over and play dead for Trump.  Source: The New York Times.


It's Y2K All Over Again

It's been a few years (like around 1977 or so), but I seem to recall that we discussed this at the time; it is in the spec, but who reads specs anyway.

The Global Positioning System tracks time in weeks since its epoch, 00:00 UTC on Sunday, January 6, 1980 (still the evening of January 5 in the US).  The legacy navigation message carries the week as a 10 bit number (1024 weeks, about 19.6 years) because memory was expensive in 1977, so we knew it was going to roll over about every 20 years and our code (inside the receiver that was placed in a fighter jet) handled the rollover.  (The newer CNAV message on the L2C and L5 signals widens the field to 13 bits, but the receivers people worry about are reading the legacy message.)

But, apparently, not every software developer is as forward looking as we were, so when the broadcast week wraps from 1023 back to 0 at the end of April 6, 2019 (UTC), the next rollover, some GPS receivers may become wonky.

In the case that the GPS is directing you to the nearest Starbucks, you might get lost.

If the GPS is controlling a weapon system or a piece of high precision nuclear medicine equipment…. well… people could wind up dead.

So at least a few people are doing the Y2K thing all over again.

I suspect that if you power off your GPS on the day before the rollover and then power it back on, everything will be fine (as I remember the code in the GPS, but that was a real long time ago).  That means you are on your own finding that Starbucks, but powering off that weapon system may not be an option.

It is very likely that the GPS firmware on your phone will be fine, I predict.  We shall see.  Source: Homeland Security.
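To make the rollover concrete, here is an added example (mine, not from the post and not any receiver's actual firmware) that computes GPS week numbers, shows where the 10-bit field wraps, and contrasts a naive decoder with the usual fix: a "pivot" or "not before" date baked in at firmware build time, which keeps the receiver correct for 1024 weeks after that date no matter how many rollovers it has lived through. Dates are handled at UTC day resolution and leap seconds are ignored.

```python
from datetime import date, timedelta

# Start of GPS week 0: 00:00 UTC on Sunday, 6 January 1980.
GPS_EPOCH = date(1980, 1, 6)
# The legacy (L1 C/A) navigation message carries the week number in 10 bits.
WEEK_BITS = 10
WEEK_MOD = 1 << WEEK_BITS      # 1024 weeks, about 19.6 years


def gps_week(d: date) -> int:
    """Full (untruncated) GPS week number containing calendar date d."""
    if d < GPS_EPOCH:
        raise ValueError("date precedes the GPS epoch")
    return (d - GPS_EPOCH).days // 7


def broadcast_week(d: date) -> int:
    """The 10-bit week number a legacy receiver actually sees on date d."""
    return gps_week(d) % WEEK_MOD


def rollover_dates(count: int) -> list:
    """First day of each week on which the broadcast value wraps from 1023 back to 0."""
    return [GPS_EPOCH + timedelta(weeks=WEEK_MOD * k) for k in range(1, count + 1)]


def naive_decode(week10: int) -> date:
    """What broken firmware does: treat the 10-bit value as the full week count.

    Correct until the first rollover (August 1999); after that the answer is
    1024 weeks (or, after April 2019, 2048 weeks) in the past.
    """
    return GPS_EPOCH + timedelta(weeks=week10)


def pivot_decode(week10: int, not_before: date) -> date:
    """Rollover-tolerant decode.

    Choose the earliest full week number that is >= the week of `not_before`
    and whose low 10 bits equal `week10`. `not_before` is typically the
    firmware build date, so the receiver stays correct for the 1024 weeks
    following it. A receiver whose pivot is older than that is wrong again,
    which is exactly the failure mode seen at each rollover.
    """
    base = gps_week(not_before)
    full = base + ((week10 - base) % WEEK_MOD)
    return GPS_EPOCH + timedelta(weeks=full)


if __name__ == "__main__":
    for r in rollover_dates(2):
        print("rollover: week 0 again starting", r)
    saturday = date(2019, 4, 6)
    print(saturday, "is full week", gps_week(saturday), "broadcast as", broadcast_week(saturday))
    sunday = saturday + timedelta(days=1)
    w = broadcast_week(sunday)
    print(sunday, "is broadcast as week", w)
    print("  naive firmware thinks it is", naive_decode(w))
    print("  firmware built in 2018 thinks it is", pivot_decode(w, date(2018, 1, 6)))
    print("  firmware built in 1998 thinks it is", pivot_decode(w, date(1998, 1, 6)))
```

The last line of the demo is the interesting one: firmware with a 1998 pivot decoded the 1999 rollover correctly, and then became wrong again in April 2019 because its 1024-week window had expired. That is why power cycling does nothing for an affected unit; only a firmware update that moves the pivot forward fixes it.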


Security News Bites for the Week Ending March 1, 2019

We Don’t Need Back Doors in Crypto – We Have Enough Bugs Already!

Researchers have found three new bugs in the protocol design (as opposed to the implementation) of both 4G and 5G cellular networks.  The attacks exploit the paging protocol and can be carried out by anyone with a little knowledge of it.

The hardware to carry out the attack can be purchased for less than $200 and all four major carriers are vulnerable since these are protocol design problems and not implementation bugs.

The good news is that since these are protocol design flaws, the networks of all of our adversaries (and our friends) are also vulnerable, which probably makes the spy-guys happy too.

There is no fix approved or planned for the security holes.  Source: Techcrunch.

Google Slipped a Microphone into your Nest Security System – Forgot to Tell Buyers.

When Google announced that the Nest security system would now support “Hey Google” with no hardware upgrade, a few geniuses figured out that there must have always been a microphone in the Nest that Google just accidentally forgot to tell people about.

Google is trying to spin down the tornado saying that yes, they just forgot to tell people that there is a microphone in there, but not to worry because it isn’t enabled by default.  They put it in there to detect breaking glass and other features, they say.

Alarm systems often have microphones, usually to detect glass breaking, but the control panel, where Google put it, might not be close enough to all of the windows in the house to detect that.  Some alarms support two way voice communications to the alarm monitoring center, but if a system has that, it is not a secret, but rather a feature, loudly announced.  More likely, Google kept it a secret so that competitors wouldn’t figure out their future plans.  Source: The Intercept.


Hacking Tools Going Mainstream

Cellebrite, the Israeli company that makes tools for law enforcement (and, I think, for anyone else whose check clears) to break into iPhones and Android phones, has grown a conscience.

Used Cellebrite devices are showing up on eBay for as little as $100, and, of course, with the ex-owner's data still intact.

Cellebrite is "warning" their customers not to do that, but rather to return their devices to them for destruction.  If you think they are really concerned about your security, then that makes sense.  On the other hand, if you believe that they would rather sell you a new one for $6,000 than have you buy it on eBay for $100 .....

In any case, they are available and many of them still have the captured data on them.  Source: Forbes.


TSA’s Pipeline Security Team Has Five People

2.7 million miles of pipeline and five employees.

Roughly half a million miles of pipe  per person.

And none of them have cyber expertise.

Since 2010 the number of people assigned to pipeline security has ranged from a low of 1 to a high of 14.  Not very comforting.

And they don’t plan to add any cyber expertise anytime soon, instead they are relying on begging other parts of Homeland Security for help.

Given that TSA hasn’t figured this out in almost 19 years, some folks in Congress want to move the responsibility elsewhere.

In the meantime, let's hope that the terrorists do not understand how bad things are.  Source: FCW.
