Category Archives: News Bites

Short news items

Security News Bites for the Week Ending February 15, 2019

Anybody Know What 5G Cellular Means?

5G is the next generation of cellular, promising blindingly fast service and web page loads in the blink of an eye.

Unfortunately, it doesn’t really exist yet.  Yes, a few carriers have set up a few cell sites in a few cities, but there are basically NO phones that are 5G capable at this time.  Apple should launch one in 2020.

5G will also require a LOT more cell sites that don’t exist and that most people don’t want in their backyard.

What this means in reality is that 5G won’t be a factor for years and in many places – low density areas – it may never come due to the expense.  And definitely not until you buy a new phone.

But that hasn’t stopped AT&T from adding a 5G “e” to some of their phones.  AT&T is doing preemptive marketing hoping that people won’t understand that they are not getting 5G service and not getting a 5G capable phone.  But, by that time, they will be locked in.

AT&T says the “E” means evolution, whatever that means.  Other people say the “E” means eventually – just not with that phone or that cell site.

Here’s what Verizon said about it:

5Ge. It’s pretend, it’s fake, it’s the kind of BS that gives marketers, communicators businesses and the wireless industry a black eye. So let’s have some fun. Some people call it “Faux Five G”. There’s “5G Eventually”. What’s your name for @ATT false marketing?

So Sprint is suing AT&T.  AT&T says that people won’t be confused.  Sprint did a survey in which 17% of the people said that they already had this non-existent 5G service.  Stay tuned.  Source: PC Mag.

 

Discarded Smart Lightbulbs May Be a Security Hole

Smart lightbulbs are smart because they are network connected and since most people are not going to plug a network cable into that bulb, they talk over WiFi.

Researchers took a LIFX smart bulb apart and took the circuit board out of it.  When they analyzed the board they found the WiFi password – not encrypted.

Next all of the security settings for the processor are disabled.

Finally, the company’s RSA private encryption key and root certificate are also accessible.

Given this takes a bit of work to reverse engineer, it is not likely a hacker is going to do it, but to get the company’s private encryption key, which would allow them to sign malicious code and download it wherever they want – that would be worthwhile.

Maybe they should call it a dumb lightbulb.  Source: Limited Results web site.

 

If You Live in the UK, be Careful Where You Click 

The UK signed into law (what they call Royal Assent) the Counter Terrorism and Border Security law this week.  This law makes it a crime to VIEW information “likely to be useful to a person committing or preparing an act of terrorism”.

One click.  Penalty is up to 15 years in prison.

Seems like a bit of over-reaction to me.  The UK’s special rapporteur on privacy said the law was “pushing a bit too much towards the thought crime”.  1984, we are here.  Source: The UK Register.

 

FTC in Negotiations with Facebook over Multi-Billion Dollar Fine

Sources have confirmed that the FTC and Facebook are negotiating over a multi-billion dollar fine over Facebook’s privacy practices.  The details have not been released and it could ultimately wind up in court if the two sides cannot agree.  If it does, get your popcorn out because it could be a humdinger.  The FTC’s investigation has been going on for about a year.  Source: Washington Post.

 

Gov Testing Smartphones as a Replacement for CAC Access Cards

The DoD is testing whether your smartphone can identify you as well as their current Common Access Card to get into DoD buildings and computer systems.

Your smartphone knows how you walk, how you talk, how you type.  You get the idea, but there is more.

With software on the phone, they are going to know exactly where you are at every moment of the day, where you spend your free time (maybe you have someone on the side), what web sites you visit, what bars you visit and how long you stay there.

It may work, but it may be a little bit too 1984 for me.

Using constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—and the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time. Source: Nextgov .

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.

 

Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.

 

Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup?  To over $140 million)?  Seems hard to swallow.

The researchers, after looking at the block chain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.

 

Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet .

 

Online Casino Leaves Data on 100+ Million Bets Unprotected

Security Researcher Justin Paine found a public Elastic Search database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount.   When ZDnet reached out to the companies involved – there seems to be multiple companies with some common ownership and based in Cyprus and operating under a Curacao gaming license, they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but not making any statement about their client’s data.  Source: ZDNet .

 

Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, Whatsapp and third party data into the user’s Facebook profile without explicit user permission and having the user check a box that says, something like, “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC .

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing,  telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a fully 1987 or 1999 compliant DNS service, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay .

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Protection Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try and create disinformation if it works to their best interest.   Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten the U.S. courts approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by anti virus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by Austrian privacy activist, lawyer and Faceboook-thorn-in-their-side has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB .

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year.  The code works on ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to WiFi.  Affected devices include the Sony Playstation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhones (and other i-devices) that include several remote code execution bugs (vulnerabilities that can be exploited remotely) including FaceTime, Bluetooth and 8 bugs in the Webkit web browser.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

The macOS had similar patches since much of the same software runs on the Mac, but there were Mac unique bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed.  it is not clear who owns the data belonging to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.

Facebooktwitterredditlinkedinmailby feather

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000,   We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion.  Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for China since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.   Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).

 

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.   It is reasonable to assume if we found these holes, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.

 

Facebooktwitterredditlinkedinmailby feather

Security news for the Week Ending January 11, 2019

Australian Emergency Notification System Hacked

The Australian Emergency Warning Network, run by a private company, was hacked.  The hacker sent out a message that said “EWN has been hacked.  Your personal data stored with us is not safe.  We are trying to fix the security issues.  Please email support at .. if you want to unsubscribe.”

This service seems similar to the CodeRED system that many Colorado cities subscribe to. In Colorado it is a voluntary sign up process.  It seems like that is the case with this one too.

The alerts went out by email, text and voice.  The company shut down the system during the attack to limit the number of messages that went out;  still tens of thousands did go out.

This happened right after the Australian government passed a law requiring companies to create backdoors to their software and make data available to the government on request.  Are these related?  Unknown.  Details here.

 

Federal Shutdown is Impacting Cyber Defenders

As a follow up to this week’s opinion piece on the Federal shutdown impacting cybersecurity, the Department of Homeland Security cancelled its 2019 Cybersecurity and Innovation Showcase due to the shutdown.  That was supposed to be their largest cybersecurity event of the year.  They said the hope to reschedule it after the government reopens.

The Department of Commerce has also cancelled events and powered down web servers that have cybersecurity standards on them.

DHS’s new cyber security agency, the Cybersecurity and Infrastructure Security Agency (CISA)has furloughed 45 percent of its workforce.  CISA is still manning its “Watch floor” and has some unpaid people who will respond to a major attack on critical infrastructure.

A former attorney at the FTC pointed out the obvious – that “the government shutdown is anxiety inducting, and drives great employees away from government service.”  If it wasn’t bad enough that people who do cybersecurity work get paid less than those doing the same work in the private sector, now they have to worry about getting paid too.  Details here.

Comcast Debuts Xfinity xFI Advanced Security

Comcast announced a new service using the buzzword of the week, AI, saying that their AI powered service is designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home.  It appears to run inside the Comcast router.  A solution like that is a smart way to do it since you do not have to install anything on a device, but it is limited in what it can do since most data is encrypted.

Cost is $5.99 a month, but you have to have the xFi Gateway, which rents for $11 to $13 a month, depending on the market.  Details here.

 

Coinbase Suspends Ethereum Classic

In the ongoing saga of cryptocurrency attacks, this one creates a new low.

One thing people have always said is that since cryptocurrency uses distributed ledgers, it is immune from people changing history and reusing coins.

W.R.O.N.G.!!!

Multiple sources said that they saw more than 100 ledger blocks “reorganized” (i.e. changed after the fact) – something that should never happen.

Coinbase suspended trading on that particular cryptocurrency.  It is only one of over 2,500 different currencies.

Coinbase said that they saw about 88,000 Ethereum coins being double spent, worth about $460,000, but I saw other reports that said the attack is ongoing and the numbers were much larger.  Source: Coindesk.

Weather Channel (App) Caught Selling User Data Without Permission

The Weather Channel collected user location data under the guise of telling you what the weather is where you are, but in fact, was selling that location data.  The City of Los Angeles is suing them over the misrepresentation.

The NY Times article said that they also sold the data for targeted marketing and to hedge funds for gathering consumer preference information.  The Weather Channel is owned by IBM.

Amazon’s Ring Video Camera Allow Employees in Ukraine Unrestricted Access to All Videos

Let me start by saying that an Amazon spokesperson says that this is not the case, but the Intercept says that multiple former employees say that Ring has given R&D employees in Ukraine unrestricted access to all videos, including those from inside your home to employees, executives and engineers.  The videos are not encrypted because, they say,  that would make the company less valuable.

A Ring spokesperson refused to answer questions about their data security practices but offered a written statement that says that they have strict policies in place for all employees.

After the article was published, Ring tried to do some damage control by still not answering questions, but issuing another email saying “Ring employees never have and never did provide employees with access to livestreams of their Ring devices,” a claim contradicted by multiple sources.

I have a Ring device and was considering buying more.  Not anymore.  Looking for a competitor.

One more time, caveat emptor.  Source:  The Intercept.

Facebooktwitterredditlinkedinmailby feather