Category Archives: News Bites

Short news items

News Bites For June 22, 2018

Latest Cost Estimates For Equifax Breach is $439 Million

According to Equifax’s recent (March) regulatory filings, costs related to the breach now stand at $439 million, making the Equifax breach the costliest in U.S. history.  Assuming insurance pays at all, it would cover at most $125 million, leaving Equifax to write a check for more than $300 million.  Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow.  Equifax’s investors can write that check, but I am sure that none of them are happy about doing so.  (Source: Computing.co)

Apple, Others Allow Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI

After all, what could go wrong?

U.S. tech companies have given in to Russian, Chinese and other countries’ demands to review the source code for their products.  Not only does this expose vulnerabilities (which the reviewers will likely NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never-ending quest to increase sales and profit.

A bill currently in Congress would force companies that do business with the government to disclose any source code review done by military adversaries.  Forcing companies to disclose will keep the pressure on them to stop doing it.

The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.

The companies say that the reviews are done in company-controlled facilities.  I am sure that they use one of those memory wipers from the Men in Black movies on the reviewers before they leave the room.

The knowledge that the Russians and Chinese gain is, of course, used against everyday companies as well as the government, and is used to build competing products that they sell against ours.

The article has a graphic with examples of software reviewed and who uses it.  (Source: Reuters)

Senate Votes 85 to 10 to Continue ZTE Ban

ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month from buying parts and selling products in the U.S. by the Commerce Department.  President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion-dollar fine and declaring that this would make it a non-threat.  The Senate attached an amendment to the Defense Authorization Bill reinstating the ZTE ban, nullifying Trump’s gimmicky non-solution.  Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10 any veto would be quickly overridden. (Source: Politico)

macOS Quicklook Feature Exposes Data on Encrypted Volumes

Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your Mac.  The macOS Quick Look feature conveniently creates thumbnails of those pictures to show you and caches them on the unencrypted boot volume, so while the full-resolution picture is encrypted, the thumbnail is not.  Apple says this is a feature and is not going to fix it.

This problem also exists on Windows.  If you store a Word or Excel document, for example, on an encrypted volume, the temp files that those programs use will be on the unencrypted system volume.  The only way to “fix” this is to encrypt the system volume as well (FileVault on macOS, BitLocker on Windows), so that caches and temp files land on encrypted storage too. (Source: Ars Technica)

Software Supply Chain is a Critical Issue

Recently there have been a number of reports of cities having credit card breaches.  It turns out that they all tie back to the same vendor that those cities use, Superion.  At least 10 cities have reported being breached, and there are probably more.  Superion has finally admitted that the breach was due to an unpatched bug in Oracle WebLogic, which its product runs on.  The cities counted on Superion to keep them safe.  Superion is blaming Oracle.  Ultimately, it is the cities and taxpayers who will foot the bill for this mess, a mess caused by not managing the entire software supply chain from end to end.  Likely those cities were not even aware that they were running Oracle software.  Whose fault is that?  The practical fix, for any city or company, is to require vendors to list the third-party components their products depend on (here, WebLogic) and to show when those components are patched.  (Source: Dark Reading)


Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First, the web site was based on WordPress.  While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data were accessed; only names, addresses, phone numbers, emails, etc. were compromised.  This is likely due to security-minded design decisions made early in the development of the site.  The site was down for almost a week, a disaster in the online ticketing business, and they will likely have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise (BEC) is a $5 billion industry, according to the FBI (see article here).  The FBI says that it disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers.  That $14 million represents about 0.3 percent (about one third of one percent) of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, it is going to disable data transfer over the charging port after a phone has been locked for an hour.  Why that port should ever have stayed open on a locked phone is not clear.  This will likely break some of the hacking tools that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.  In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, 8 more flaws were recently announced with differing degrees of difficulty and impact.  This week brings Lazy FP State Restore, a flaw that allows a process to infer the contents of another process’s floating point registers because of a context-switch optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux), and any Linux variant running version 4.9 of the kernel or newer is also safe, because eager restore is the default there.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix it this month, since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because hackers think it is easy to do and the odds of getting caught are low.  This week it is Ethereum, and users lost about $20 million.  One more time, this is not an attack on the math but on the deployment: users left their Ethereum client’s JSON-RPC management port open to the internet with no authentication, which let the attackers issue transfers from the wallets those nodes held. (Source: The Hacker News)
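As an added example (not code from the original post or from any Ethereum client), here is a check for the misconfiguration the item above describes: a node’s management port reachable from the network instead of only from localhost.  The socket listing is constructed in the column layout of `ss -ltn`; the port table is an assumption based on common client defaults (8545 and 8546 for JSON-RPC), not something the post states.

```python
"""
Added example, not code from the original post or from any Ethereum client:
flag RPC listeners that are bound to anything other than loopback.
The socket listing below is constructed for this example in the column
layout of `ss -ltn`; the port table is an assumption based on common
defaults (8545/8546 for JSON-RPC), not something the post states.
"""
import ipaddress

# Assumed defaults, not from the post: ports a node operator should keep
# on loopback or behind authentication.
RISKY_PORTS = {
    8545: "JSON-RPC over HTTP (can sign/send from unlocked accounts)",
    8546: "JSON-RPC over WebSocket",
}

# Constructed sample, in `ss -ltn` layout.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8545       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8546         0.0.0.0:*
LISTEN  0       128     [::]:8545            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


def split_addr_port(field):
    """Split 'host:port'; host may be IPv4, '*', or a bracketed IPv6 address."""
    host, _, port = field.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*' and unspecified addresses are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output, risky=RISKY_PORTS):
    """Return (port, bind_address, description) for risky ports that are
    bound to anything other than a loopback address."""
    findings = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = split_addr_port(parts[3])   # "Local Address:Port" column
        if port in risky and not is_loopback(host):
            findings.append((port, host, risky[port]))
    return findings


if __name__ == "__main__":
    for port, host, why in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {host}:{port} -> {why}")
```

On a real node you would feed the actual output of `ss -ltn` to `exposed_listeners()`; the two findings in the sample (0.0.0.0:8546 and [::]:8545) are exactly the shape of misconfiguration that got scanned for and abused.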

 


News Bites for Friday June 8, 2018

One Vendor, Two Unprotected Servers Equal Disaster

Agilisium, a cloud storage vendor to Universal Music Group, exposed UMG’s internal FTP credentials, AWS secret keys and passwords, and its internal and SQL root passwords to the open internet, all via two instances of Apache Airflow running with no authentication.

Your Vendor Cyber Risk Management (VCRM) program manager needs to work with all vendors, especially the high-risk ones, to make sure their cyber security program matches your risk, because you are the one who is going to take the heat (Source: Threatpost).
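As an added example (not code from the original post, from Agilisium or from the Airflow project), here is the kind of configuration check a vendor review would ask for: an audit of an airflow.cfg for the settings that turn an Airflow web UI into a public credential dump.  Both config texts are constructed.  The option names are those of Airflow 1.x (`[webserver] authenticate` / `expose_config`, `[core] fernet_key`) and are an assumption about the deployment; the post does not name a version.

```python
"""
Added example, not code from the original post, Agilisium or the Airflow
project: audit an airflow.cfg for the settings that leave an Airflow UI,
and the credentials stored behind it, open to anyone who can reach it.
Both configs are constructed; option names are Airflow 1.x (assumption).
"""
import configparser

# Constructed: the shape of a default-ish 1.x config left on the internet.
WEAK_CFG = """\
[core]
fernet_key =

[webserver]
web_server_host = 0.0.0.0
authenticate = False
expose_config = True
"""

# Constructed: the same file with the exposure closed off.
HARDENED_CFG = """\
[core]
fernet_key = REPLACE-WITH-OUTPUT-OF-Fernet.generate_key()

[webserver]
web_server_host = 127.0.0.1
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth
expose_config = False
"""


def audit_airflow_cfg(text):
    """Return a list of findings; empty when none of the weak settings is present."""
    cp = configparser.ConfigParser(interpolation=None)  # real files use %(...) tokens
    cp.read_string(text)
    findings = []

    if not cp.getboolean("webserver", "authenticate", fallback=False):
        findings.append("webserver.authenticate is off: the UI, including the "
                        "Connections and Variables pages, is anonymous")
    if cp.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config is on: the full config, secrets "
                        "included, is served to anyone who can reach the UI")
    if not cp.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: connection passwords are stored "
                        "in the metadata database in the clear")
    host = cp.get("webserver", "web_server_host", fallback="0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append(f"web_server_host = {host}: listening on every interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_airflow_cfg(cfg) or "no findings")
```

The weak file trips all four checks; the hardened one trips none.  Binding to loopback and putting the UI behind authentication is the minimum; an empty Fernet key means every connection password Airflow holds (FTP, AWS, database) is readable by anyone with the metadata database, which is the sort of haul described above.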

Online Ticket Service TicketFly Hacked, Shuts Down As a Precaution

Online ticket service TicketFly and some of the venues it provides service to shut down last week after it was hacked.  It came back up briefly but is down again today, June 4.  Concert venues that use TicketFly have had to delay ticket sales, and concert-goers who did not print out paper tickets for concerts held during the outage will have to wait in line at the venue’s ticket office and hope they can get their tickets.  Ultimately, if that fails AND they paid for their ticket with a credit card, they will get their money back under federal law.  If they had to fly to the venue and didn’t get in, well, that may be a different story.  The dangers of an always-online world that is not always online.  Eventbrite bought TicketFly last year for $200 million (Source: CBS).

Stingrays in Use Near the White House

It has long been suspected that the Russians (or Chinese, or both) have been using cell site simulators near sensitive areas to capture information.  When Sen. Wyden whined about it, DHS said that it wasn’t in the budget for them to protect the White House or Congress from those pesky Russians.  Well, after they were sufficiently embarrassed, they did a small pilot and, well, it is true.  And, on top of that, the bad guys are hacking the public phone network’s signaling system, SS7, which dates from the 1970s and 1980s and has very little security in it.  Fixing SS7 is a major worldwide undertaking that would cost billions and take decades.  So DHS still says that it doesn’t have money to fix it, but we do know that, along with hacking the elections, the Russians are hacking our phones.  (Source: The Register).

What Did Atlanta Lose?

When Atlanta got hit by a ransomware attack, the city seemed to downplay the impact, but now it is telling a different story.  The city has spent $5 million in the aftermath of the attack, both to recover and to improve security, but it is not all sunshine.

They did lose years’ worth of police dashcam footage, never to be recovered.  If any of that was important evidence in a case, the case may need to be dismissed.  It did not affect body cam video, however.  What other files will be discovered to have been lost, we will need to wait to find out (Source: We Live Security).


News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilities.  Intel has classified 4 of them as high risk and 4 as medium risk, although it is not releasing any details on them yet.  The entire set is being referred to as Spectre Next Generation, or Spectre-NG.  At least one of them is rumored to be able to capture data, like passwords, from other virtual machines running on the same computer, as would be the case in Microsoft Azure, Google Compute Engine or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and more in August.  Until then, and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that the old Spectre vulnerabilities were hard to exploit.  Apparently, at least one of these new vulnerabilities is relatively easy to exploit.  Combine that with the suspicion that some chips may not be fixable .... not good.

It is rumored that at least some of these flaws affect ARM chips as well;  it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster, faster than the previous generation and faster than their competitors, they took calculated risks.  Now those risks are coming back to haunt them (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday, and it is likely to affect not only EU residents but also people around the world.  It significantly increases residents’ control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries, such as Japan, South Korea, Brazil, Thailand and Bermuda, seem to be lining up with the EU’s way of thinking, because doing so allows for a more seamless transfer of information between the EU and those countries, and that translates into more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which replaced the previous agreement, Safe Harbor, after that one was struck down by the Court of Justice of the European Union.  Privacy Shield is now in front of the same court, and no one knows what the outcome will be.

With Friday’s law in place, a number of U.S. media companies, like the LA Times and Chicago Tribune, have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do, then companies that are not compliant may be limited to being visible in the United States, which also means reduced business opportunities for those companies.

Literally as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now, data brokers like Acxiom (yes, you have never heard of them, and that is not a coincidence) have collected and aggregated data from hundreds of sources and generated thousands of data points per person.  They know that you bought some particular medicine last week and infer what the disease is.  That isn’t covered under HIPAA because they have not talked to your doctor.  They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data and report breaches.  And using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese security researchers have discovered a flaw in the EOS blockchain’s smart contract software that allows an attacker to execute arbitrary code on an EOS node, from there to take control of an EOS supernode that manages other nodes, and from there to control those other nodes.  Ultimately, potentially, that completely compromises the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography, only a flaw in the software.  Kind of like forging your signature on a paper contract, except that in that case they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them, and that is the software developers.  The law still, pretty much, thinks you draw up contracts with a quill pen and an inkwell, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bills.  The breach was caused by multiple vulnerabilities in its vendor’s (Superion) software, which allowed bad guys to steal credit card numbers.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection-to-remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security.  One year later we have the results of that EO.  The Office of Management and Budget released a report that says that 71 of the 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help.  I feel more secure already (/End Sarcasm).  Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Week).  Unfortunately for you and me.


News Bites for Friday May 25, 2018

FCC Investigates Securus

Now that LocationSmart, whose data was used illegally by a sheriff to track other law enforcement officers and whose own web site was then found to leak locations, is out of the closet, its somewhat shady but possibly completely legal business practices are no longer in the shadows, and the FCC has begun an investigation.  We shall see if the FCC does anything; stay tuned.  LocationSmart says that it is working to verify that its data was always used with people’s consent.  If it was, I bet the consent was pretty subtle (Source: Ars Technica).

Comcast/Xfinity Web Site Leaks Customer Info

A bug in the Comcast Xfinity web site that customers use to set up their Internet connection leaks the customer’s address and WiFi network name and password, which, apparently, Comcast stores unencrypted.  All it takes is the account number and the house number of the street address.  If the customer is providing his own router, then Comcast does not know that information and cannot leak it.  The “bug” will return the user’s address and password, among other info, even if the service has previously been activated.  Comcast says that there is nothing more important than its customers’ security; it removed the feature from its web site after it was told about it (Source: ZDNet).
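As an added example (not Comcast’s code), here is a constructed model of the activation lookup described above, where an account number plus a house number act as the only “credential”, next to a hardened version that requires a session for that account, stops once the line is active, and never returns the password at all.  The account records, session store and login stub are stand-ins for illustration.

```python
"""
Added example, not Comcast's code: a constructed model of an activation
lookup that takes an account number and house number as its only check,
beside a hardened version. Account records, the session store and the
login stub are stand-ins for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_number: str
    house_number: str
    street: str
    wifi_ssid: str
    wifi_password: str   # stored in the clear, as the item above says Comcast did
    activated: bool


# Constructed records (not real accounts).
ACCOUNTS = {
    "0123456789012345": Account("0123456789012345", "221", "Baker St",
                                "HOME-5G", "hunter2!", activated=True),
    "0123456789099999": Account("0123456789099999", "10", "Elm Ave",
                                "HOME-2G", "correct horse", activated=False),
}


class Forbidden(Exception):
    pass


# --- Vulnerable shape: two low-entropy, widely known values are the whole check.
def activation_lookup_vulnerable(account_number, house_number):
    """Account numbers appear on bills and mail; house numbers are public.
    Anyone holding both gets the Wi-Fi password, for long-active lines too."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.house_number != house_number:
        return None
    return {"address": f"{acct.house_number} {acct.street}",
            "ssid": acct.wifi_ssid,
            "password": acct.wifi_password}


# --- Hardened shape: the caller must hold a session for that account, the
# flow refuses once the line is active, and the password is never sent back.
SESSIONS = {}   # session token -> account number (stand-in for a session store)


def login(account_number, credentials_ok):
    """Stand-in for real authentication; returns an unguessable session token."""
    if account_number not in ACCOUNTS or not credentials_ok:
        raise Forbidden("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_number
    return token


def activation_lookup_hardened(session_token, account_number):
    owner = SESSIONS.get(session_token)
    if owner is None or not hmac.compare_digest(owner, account_number):
        raise Forbidden("no session for this account")   # blocks cross-account lookups
    acct = ACCOUNTS[account_number]
    if acct.activated:
        raise Forbidden("line already activated")        # nothing left to set up
    return {"address": f"{acct.house_number} {acct.street}",
            "ssid": acct.wifi_ssid}                        # no password field at all
```

The vulnerable function is an authorization bug, not an injection: every check it makes is on data an outsider can obtain.  The hardened one ties the request to an authenticated session for the same account, refuses to re-run activation on an active line, and drops the password from the response entirely, since an activation flow has no reason to echo it.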

Apple Allows Users To See Their Own Data on Eve of GDPR

Two days before the law forced it to, Apple has debuted a new web site, PRIVACY.APPLE.COM.  Right now it only works in places where Apple has to do it or face a fine of up to $9 billion.  That is a pretty good motivator.  Apple says it will be available later elsewhere.  Among the data that you will be able to see:

  • App Store, iTunes Store, iBook Store, and Apple Music activity
  • Apple ID account and device information
  • Apple online store and retail store activity
  • AppleCare support history, repair requests, and more
  • Game Center activity
  • iCloud bookmarks and Reading List
  • iCloud Calendars and Reminders
  • iCloud Contacts
  • iCloud Notes
  • Maps Report an Issue
  • Marketing subscriptions, downloads and other activity
  • Other data

Source: Cult of Mac

Chinese Hackers Find Over a Dozen Bugs in BMW Cars

Chinese security researchers have disclosed 14 vulnerabilities in a host of BMW vehicles including the 3 series, 5 series, 7 series, i series and X series.

4 flaws require physical access; another 4 can be exploited with indirect physical access.  The others can be exploited remotely, through the telematics system or the infotainment head unit.

Some of the bugs can be patched “over the air”, but others require the owner to bring the car into the dealer to fix.

One thought: given where these researchers work, how many vulnerabilities did they find and not tell us about?  That is not a far-fetched scenario (Source: The Hacker News).


Friday News Bites for May 18, 2018

Signal Does it Right

Matt Green, the well-known cryptographer and professor at Johns Hopkins, said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face.  It’s really nice.”  But even nice code isn’t perfect.  Last Friday, researchers announced a very serious bug in Signal’s desktop app for Windows and Linux, and within hours Signal had it fixed and available for download.  I wish every vendor moved at this speed.  Signal may not auto-update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).

Google Gets It Right – Probably.  Finally.

One of my big complaints about Android is the lack of consistent patching from vendor to vendor.  Some vendors were even caught lying, saying that they had patched software that was not patched.  Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement.  Details are not out yet, so stay tuned, but this, if it happens, will close a major security gap between Android and iOS (Source: The Hacker News).

Facebook isn’t the Only One Selling Your Data

The big 4 cell carriers (AT&T, Verizon, T-Mobile and Sprint) and others are selling your location data to data aggregators such as LocationSmart, who in turn sell it to companies like Securus, sometimes through distributors.  Securus is the company that put its head in a noose by giving the location data of judges and state police officers to a sheriff without a warrant and for reasons unknown.  While this data is likely only accurate to a few hundred yards, because it uses cell tower data rather than GPS, it works perfectly even if you have location tracking turned off.  And, of course, everyone makes money off the deal: the carriers, the aggregators and the distributors.  Sounds like a win for everyone but you and me.  Some say that, due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal.  While the sheriff who used it should have had a warrant, private companies that buy the data just need to pay for it, no questions asked as to what or why.  (Source: ZDNET).

Securus Attacked By Hackers

Securus (as in Secure Us), the remarkably insecure company that gave a Missouri sheriff location information on state police and judges (whom we can assume he did not like) with no judicial oversight, has been hacked.  We don’t know whether the attacker thought that the company somehow deserved it.

One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers.  Weakly hashed means that anyone holding the spreadsheet can recover most of those passwords with an ordinary dictionary attack.  Assuming this data makes it to the black market, it could be used as a hit list for cops, who already are being attacked on a daily basis.

We also don’t know what else the attacker took or what he plans to do with it.

Securus, which has a track record of poor security, says it is “investigating it” (Source: Motherboard).
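As an added example (not code from the original post or from Securus), here is what “weakly hashed” costs in practice.  A constructed password dump stored as unsalted MD5 is recovered with one precomputed table built from a tiny constructed wordlist; the same wordlist against salted PBKDF2-HMAC-SHA256 has to be rerun for every user and every salt.  The iteration count is kept low so the demo runs quickly and is not a production recommendation.

```python
"""
Added example, not code from the original post or from Securus: unsalted
MD5 falls to a single precomputed table; salted PBKDF2 forces per-user,
per-salt work. The wordlist and the dump are constructed. DEMO_ITERATIONS
is deliberately low for the demo, not a production setting.
"""
import hashlib
import hmac
import os

# Constructed wordlist; a real attacker uses hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "Summer2018", "police1", "qwerty"]


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed dump: username -> unsalted MD5, the weak storage shape.
WEAK_DUMP = {
    "jdoe@example-pd.gov": md5_hex("Summer2018"),
    "asmith@example-pd.gov": md5_hex("police1"),
    "chief@example-pd.gov": md5_hex("Tr0ub4dor&3"),   # not in the wordlist
}


def crack_unsalted(dump, wordlist):
    """One table of len(wordlist) hashes, built once, is reused for every user:
    the work does not grow with the number of accounts in the dump."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


DEMO_ITERATIONS = 50_000   # demo only; production uses several hundred thousand


def pbkdf2_record(pw, salt=None, iterations=DEMO_ITERATIONS):
    """Salted, slow storage shape: per-user random salt plus an iteration count."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(record, pw):
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(dump, wordlist):
    """No shared table is possible: each candidate is rehashed per user, per salt.
    Returns the recovered passwords and the number of PBKDF2 evaluations spent."""
    found, work = {}, 0
    for user, rec in dump.items():
        for w in wordlist:
            work += 1
            if verify_pbkdf2(rec, w):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(WEAK_DUMP, WORDLIST))
    salted = {"jdoe": pbkdf2_record("Summer2018"), "chief": pbkdf2_record("Tr0ub4dor&3")}
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

A weak password still falls either way; the difference is cost.  Against the unsalted dump the attacker pays for the wordlist once and then does dictionary lookups, so 2,500 accounts cost no more than one.  Against the salted, iterated dump every account costs a full pass over the wordlist at the configured iteration count, which is what makes the attack expensive at scale.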

For the Second Time in a Week – Another Critical Signal Bug

Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it had upgraded itself to 1.11.1.  Yup!  That means that they found another bug, a critical one, that could reveal data and even Windows passwords.

Does this mean that Signal is bad?  Actually not.  Think about the number of patches for Windows that Microsoft has released over the years.  The number is likely in the tens of thousands.  Signal has released 10.  BUT no software is perfect.  Or invincible.  So upgrade your copy of Signal and don’t assume that Signal is invincible.  It is not.  It is good, but that is different. (Source: The Hacker News).
