Category Archives: News Bites

Short news items

News Bites – Appalachian Healthcare, Business Email Compromise and NITs

ITEM 1:  As I wrote about a couple of weeks ago, Appalachian Regional Healthcare was attacked with some form of malware, forcing them to shut down every single computer in every hospital that they run.  Finally, after twenty days, the hospital chain says that things are back to normal.

Appalachian says that they do not believe data was compromised, but they have not released any details about what happened, so we do not know if data was not compromised or if that is just wishful thinking.  The hospital chain operates 11 hospitals in Kentucky and West Virginia.

During those almost three weeks, employees were forced to write down instructions on paper, ambulances were redirected, in some cases, to other hospitals and doctors told their patients to bring their medications to office visits so that the doctors would know what the patients were taking.

Is your company ready for a twenty day outage like this?

ITEM 2: A small investment fund, Tillage Commodities, was the victim of a Business Email Compromise that made a fool of the company it had hired to protect its investors’ money.

Not only did the management company that Tillage hired fail to follow its own rules, but when the wires it sent to China (supposedly at the request of Tillage, but in reality at the request of the hackers) failed, it fixed them for the hackers.

Tillage closed its doors, an unfortunately common outcome after these email scams, and is suing the management firm, SS&C Technology, to recover its investors’ money.

Tillage hired SS&C because, as a small firm, they didn’t think they had the needed controls to avoid things like this.  Instead, by trying to do the right thing, they got put out of business by a lack of employee training and policy execution.

Reading the details, SS&C appears to have completely screwed up, and if they are smart they will settle quickly to make this go away, before other customers become rattled at the thought that SS&C could do the same to them and not stand behind its mistake.  As it is, they have probably already sustained some damage.

ITEM 3: The FBI has a kinder, gentler term for hacking into your computer and it is called a Network Investigative Technique or NIT.  Different courts have held differently as to whether the FBI hacks are searches and I suspect this will go on for a while until the Supremes figure it out.

In the case in question, the FBI Hacked – oh, wait, NITted – thousands of computers to figure out who was accessing a web site that contained illegal images.

A court in Texas says that yes, causing a web server to install unauthorized software on someone’s – or many someones’ – computers is a search and does require a warrant.

One judge went so far as to say that users of the TOR network – whose only purpose is to give the user a small degree of privacy – had no expectation of privacy, and hence the FBI didn’t need a warrant.

The Supremes recently granted the FBI’s request to allow a single judge of the FBI’s choosing, anywhere in the country, to issue a warrant to allow the FBI to hack into an unlimited number of computers anywhere in the world.  Assuming Congress doesn’t pass a law in the next 60 days rolling back the Supremes’ action, which it likely will not do, this will become the law on December 1.  If the new rule 41(b) does go into effect then the FBI will likely get into the hacking business in an even bigger way than it is already.


Information for the Appalachian news came from Information Management.

Information for the Tillage news item came from CSO.

Information for the FBI news item came from Techdirt.


Newsbites: GoToMyPC, Carbonite, DHS and CISA and the FBI

Carbonite: Carbonite sent out an email to all customers to reset their passwords.  They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.

They say that based on their security review, they have no evidence that they have been hacked.

If none of these attempts to get in was successful, then why force millions of people to change their password?  Likely, at least some of these attempts were successful.

Source: Carbonite web site.
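Carbonite’s “large number of attempts to log in by third parties” is what credential stuffing looks like from the inside: one source trying many different accounts with passwords taken from other breaches. The following is an added example, not code from the post or from Carbonite, showing the triage a defender would run over an authentication log to find such sources and, more importantly, the accounts that actually logged in from them. The log format and the log lines are constructed for the example.

```python
"""Credential-stuffing triage over a constructed authentication log.

Added example (not from the original post). Flags source IPs that try many
distinct accounts inside a short window with a high failure rate, then lists
the accounts that nevertheless logged in successfully from those IPs: those
are the ones whose reused password most likely worked and deserve a reset.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip user RESULT" format.
SAMPLE_LOG = """\
2016-06-20T10:00:01Z 203.0.113.7 alice FAIL
2016-06-20T10:00:02Z 203.0.113.7 bob FAIL
2016-06-20T10:00:03Z 203.0.113.7 carol FAIL
2016-06-20T10:00:04Z 203.0.113.7 dave OK
2016-06-20T10:00:05Z 203.0.113.7 erin FAIL
2016-06-20T10:00:06Z 203.0.113.7 frank FAIL
2016-06-20T10:00:07Z 203.0.113.7 grace FAIL
2016-06-20T10:00:08Z 203.0.113.7 heidi FAIL
2016-06-20T10:00:09Z 203.0.113.7 ivan FAIL
2016-06-20T10:00:10Z 203.0.113.7 judy FAIL
2016-06-20T10:00:11Z 203.0.113.7 mallory FAIL
2016-06-20T10:00:12Z 203.0.113.7 oscar FAIL
2016-06-20T10:03:00Z 198.51.100.9 alice FAIL
2016-06-20T10:03:30Z 198.51.100.9 alice OK
2016-06-20T10:04:00Z 192.0.2.44 bob OK
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def find_stuffing(text, window=timedelta(minutes=5), min_accounts=10,
                  max_success_ratio=0.2):
    """Return {ip: summary} for IPs that look like credential-stuffing sources.

    An IP is flagged once, within any `window`, it has tried at least
    `min_accounts` distinct user names and at most `max_success_ratio` of those
    attempts succeeded. A real user retrying a typo never looks like this.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()            # sliding window of this IP's events
        for ts, user, ok in events:
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {u for _, u, _ in recent}
            successes = sum(1 for _, _, s in recent if s)
            if len(distinct) >= min_accounts and successes / len(recent) <= max_success_ratio:
                flagged[ip] = {
                    "accounts": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    # accounts that should be reset first: the stuffing worked on them
                    "successes": sorted({u for _, u, s in events if s}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed log, 203.0.113.7 is flagged (twelve accounts, one success) and “dave” is the account a defender would reset first; the single user retrying from 198.51.100.9 is not flagged. The thresholds are assumptions and should be tuned to the service’s normal login volume.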

GoToMyPC:  GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.

Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.

Citrix provided little additional information about the situation.

Source: BBC News.

Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game.  Some recommendations are:

  1. Use a password manager so that you don’t have to remember all those passwords.  Many of them, such as LastPass, will automatically log you in, making the password step easier.  While this is a security risk in itself, it is likely less of a risk than using simple passwords.
  2. DO NOT reuse passwords across important sites like online backups, banking, email and remote access.  Unique passwords combined with a password manager are not just a best practice, they are a survival tip.
  3. For any important web site, such as banking, Amazon and others, use two factor authentication.  I know it adds an extra step to the login process, but it makes stealing passwords much less useful.

DHS and CISA:  DHS released the final rules for the data sharing rules of engagement that were part of the CISA bill that was sneaked into the Defense appropriations bill last year.  The bill created a voluntary system trying to encourage businesses to share threat data with the government.  The system has two automated tools, STIX or Structured Threat Information Exchange and TAXII or Trusted Automated eXchange of Indicator Information to scrub and categorize the data.  Out of the 30 million or so businesses in the United States, so far 30 are using it.  That would be .0001 percent.  I think it is going to need some more users to be effective.  To be fair, it is, pretty much, a new thing and around 70 more companies are planning to participate.

Source: IAPP.

FBI:  The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no.  Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo, have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.

Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want.  And it’s all happening in secret.”

The FBI also keeps data that it is illegal for it to ask for, if uninformed companies hand it over anyway.  The DoJ Inspector General said that at least one company turned over email messages including images, which the statute expressly prohibits.

Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.

Source: IAPP


Kill Flash Now or Patch These 36 New Vulnerabilities

I don’t normally publish posts on individual software updates, but Flash is such a mess and such a security swamp that I feel compelled to do that.  Microsoft’s attempt to copy Flash – Silverlight – is even worse.  It is so bad that Google doesn’t support it inside Chrome.

My recommendation is that you uninstall Flash and Silverlight if you can do that and still operate your business.  Some web sites that businesses use still require Flash so you may need to keep it around.  More and more web developers are moving away from Flash due to the swamp that it is.

OK, so let’s look at this particular patch.

36 separate bugs are patched.  Microsoft releases patches once a month and usually has around 10-15 patches covering 50 software products.  Adobe seems to patch just this one product several times a month – sometimes several times a week – and is still patching 36 bugs in a single patch.   They have been doing this for as long as I can remember.  What does that mean about the security quality of the product?

One of those bugs, named CVE-2016-4171, is being exploited in the wild right now.

Adobe says the bugs were found by Cisco Talos, Google, FireEye, Microsoft, Tencent, Kaspersky, Pangu Lab and Qihoo.  That, of course, does not include every intelligence agency in the world.

To add insult to injury, this patch comes days after Adobe’s regular monthly Flash (and other product) patch release.

Apple has announced that it will be disabling Flash by default in Safari, joining Google’s Chrome.

I use two browsers.  One browser, the one I use every day, has Flash completely disabled.  The other browser, a kind of ‘break glass in case of emergency’, has Flash enabled, but I only use it if my main browser complains.

A lot of malware is delivered silently by Flash-based ads.  Major sites including The New York Times, BBC and AOL, among a number of others, were hit with malicious ads recently.  The ads delivered ransomware to users who happened to have particular unpatched vulnerabilities, and it DID NOT require users to click on anything to become infected.  Disabling Flash protects you against these attacks.

If, after all this, you really do need Flash, then make sure that you install this patch as soon as possible.

Information for this post came from The Register.


Hacks, Hacks, Everywhere A Hack

Back in 2012, LinkedIn told its users that it had been hacked – to the tune of 6.5 million users.  Well, it turns out that was a tad shy of the truth.  The real number was 117 million email and password combinations – roughly 18 times the number they had admitted to.  LinkedIn told the 6.5 million users to change their passwords, but not the other 110+ million users.  The Fortune article has links to other sources if you want more information, but my recommendation is that you change your LinkedIn password.

Tumblr says that it just discovered that hackers stole 65 million user email/password combinations in 2013.  That is a long time to figure that out.  I assume that is because hackers are now trying to sell those passwords.  Since people reuse passwords on other sites and don’t change their passwords, it is likely that many of those passwords still work.  The good news is that the passwords were hashed and salted, making it a LOT of work to decode them – but not impossible.  This is a perfect example of companies being hacked and not even knowing about it.  The only reason they found out is that someone is trying to sell the data.
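The reason a hashed-and-salted dump is “a LOT of work to decode” is that a per-user salt removes the attacker’s ability to crack every account with one precomputed table. The following is an added example, not code from the post or from Tumblr: a constructed dump of four users is stored once as unsalted SHA-1 and once as per-user salted PBKDF2-HMAC-SHA256, and the same small wordlist is run against both while the hash operations are counted. The user names, passwords, wordlist and iteration count are all constructed for the example.

```python
"""Why a salted, hashed password dump is so much more work to crack.

Added example (not from the original post). A constructed breach dump of four
users is stored two ways: unsalted SHA-1, and per-user salted PBKDF2-HMAC-SHA256.
The same small wordlist is run against both and the hash operations are counted.
"""
import hashlib
import os

# Constructed users and a constructed wordlist; "dave" uses a password that is
# not in the wordlist, so neither attack should recover it.
USERS = {"alice": "letmein", "bob": "sunshine", "carol": "letmein", "dave": "T9#vq!2LpZ"}
WORDLIST = ["password", "letmein", "123456", "qwerty", "sunshine"]
ITERATIONS = 100_000  # work factor per guess for the salted scheme (assumed value)


def unsalted_hash(password):
    """The weak scheme: the same password always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """The strong scheme: random salt plus a slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_dump(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_dump(users):
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per user
        dump[user] = (salt, salted_hash(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """One precomputed table cracks every user at once; cost = len(wordlist)."""
    table = {unsalted_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(dump, wordlist):
    """Each user needs their own guesses; cost grows with users x wordlist x iterations."""
    recovered, hash_ops = {}, 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            hash_ops += 1
            if salted_hash(w, salt) == h:
                recovered[user] = w
                break
    return recovered, hash_ops


if __name__ == "__main__":
    unsalted = build_unsalted_dump(USERS)
    print("alice and carol share a hash when unsalted:", unsalted["alice"] == unsalted["carol"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_dump(USERS)
    print("salted:", crack_salted(salted, WORDLIST))
```

Two things show up in the output. Unsalted, alice and carol have identical hashes, so the attacker sees the reuse for free and five hash computations crack three accounts; salted, the same three accounts cost fourteen guesses, each one 100,000 times slower, and the cost keeps growing with the number of users. That is also why the post’s advice to change a reused password still stands: salting buys time, it does not make a weak password safe.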

On the lighter side, Katy Perry’s Twitter account was apparently hacked – or else she was having a REALLY bad day.  Her 89 million followers were treated to a series of inappropriate tweets.  This reminds me of the recent (a couple of years ago) hack of the DoD Twitter account.  This just means that protecting your (Twitter or any other) account with just a password is likely not at all secure.

On the “Gees, that is a big hack” side, Myspace (remember them?) data is now coming up for sale.  The dataset includes 360 million records, but only 111 million had user names in them.  However, many of them had email addresses (which could also be a user name for another site if the user reused their password) and passwords.  The total number of passwords in the dataset was 427 million.  While I doubt anyone still uses Myspace, if that email/password combination is used elsewhere …..

What is the take away from this?

  • Even though it is tempting, do not reuse passwords on any account that you care about, even in the least (from Amazon to Twitter, banking to email)
  • Use two factor authentication on important accounts (such as banking or any account that stores your credit cards and allows the user to use them)
  • Change your passwords periodically.  Notice that most of the news above is about old hacks where the data is being resold now.  If people changed passwords regularly (at least annually), then that data would be useless.
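Both this list and the earlier GoToMyPC/Carbonite recommendations say to turn on two factor authentication on important accounts because it “makes stealing passwords much less useful”. The following is an added example, not code from the post or from any of the services named in it, showing the mechanism behind the codes an authenticator app produces: RFC 4226 HOTP and RFC 6238 TOTP implemented with the Python standard library, plus a verifier that tolerates one time step of clock drift. The key is the RFC 6238 reference test secret; every other value is constructed for the example.

```python
"""RFC 6238 TOTP: the second factor that makes a stolen password much less useful.

Added example (not from the original post). Implements HOTP (RFC 4226) and
TOTP (RFC 6238) with the standard library and a verifier that tolerates one
time step of clock drift. TEST_KEY is the RFC 6238 Appendix B shared secret.
"""
import base64
import hashlib
import hmac
import struct
import time

TEST_KEY = b"12345678901234567890"  # RFC 6238 Appendix B test secret (ASCII)


def hotp(key, counter, digits=6):
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 section 5.3)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """Time-based code: HOTP over the number of `step`-second intervals since the epoch."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def verify_totp(key, code, at=None, step=30, window=1, digits=6):
    """Accept the current code or one up to `window` steps either side.

    Comparison is constant-time so a verifier cannot be timed digit by digit.
    Rejecting codes outside the window is what stops a captured code from
    being replayed later: the password alone never yields a fresh code.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(key, counter + off, digits), code)
        for off in range(-window, window + 1)
    )


def key_from_base32(text):
    """Authenticator apps usually show the shared key as base32; decode it."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore any stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(TEST_KEY))
    # Someone holding only the account password cannot compute this value,
    # because it depends on the shared key that never left the device.
```

The point for the reader is in `verify_totp`: a code is tied to a 30-second window and to a key that stays on the user’s device, so a password harvested from one of the breach dumps above is not enough to log in, and a code phished today does not work tomorrow.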

There is a web site called HaveIBeenPwned.com that allows you to enter JUST an email address to see if that address comes up in their database of over half a billion breach records.  It is safe because all you enter is your email address.
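The email lookup described above does send the address itself to the site. The same site’s Pwned Passwords service goes one step further for passwords: the client sends only the first five hex characters of the password’s SHA-1 hash, receives every suffix in that bucket, and does the matching locally, so the server never learns which password was checked (a k-anonymity query). The following is an added example, not the post’s or the service’s own code, of that client-side logic run against a constructed offline stand-in for the range endpoint; the bucket contents and counts in it are made up. The live endpoint shown in `live_fetch_range` is the real one, but it is not called by the offline demo.

```python
"""Checking a password against a breach corpus without sending the password.

Added example (not from the original post). Demonstrates the hash-prefix
(k-anonymity) query used by the Pwned Passwords range endpoint, with the
network replaced by a constructed offline bucket so it runs stand-alone.
"""
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_response(response_text, suffix):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    """Number of times the password appears in the corpus.

    `fetch_range(prefix)` must return the bucket text for that prefix; only the
    prefix ever leaves this function, never the password or its full hash.
    """
    prefix, suffix = split_for_range_query(password)
    return count_in_response(fetch_range(prefix), suffix)


# Constructed offline stand-in for the range endpoint: one bucket with made-up
# suffixes and counts. SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so its suffix is placed in the "5BAA6" bucket.
FAKE_BUCKETS = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFA4E6D34B4B6E1B3E9C6C7D21E7F1E3E9A:1",
    ]),
}


def fake_fetch_range(prefix):
    """Offline lookup against the constructed buckets; unknown prefixes are empty."""
    return FAKE_BUCKETS.get(prefix.upper(), "")


def live_fetch_range(prefix):
    """Real lookup (network): GET https://api.pwnedpasswords.com/range/<prefix>."""
    from urllib.request import urlopen
    with urlopen("https://api.pwnedpasswords.com/range/" + prefix) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "seen", pwned_count(pw, fake_fetch_range), "times")
```

Swapping `fake_fetch_range` for `live_fetch_range` turns this into a real check; either way the matching happens on the client, which is the property that makes the check safe to run with a password you actually use.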

Information for the LinkedIn hack came from Fortune.

Information for the Tumblr hack came from Motherboard.

Information for the Katy Perry Twitter hack came from Techcrunch.

Information for the Myspace hack came from Fortune.


Maybe Oracle Doesn’t Like Other People To Find Security Holes

Oracle has a love-hate relationship with security researchers.  Actually, mostly hate.  Given that Oracle finds enough of its own bugs – it released 193 patches in its July patch fest – maybe it doesn’t want people to find any more.

This all started when Oracle Chief Security Officer Mary Ann Davidson wrote a rather long-winded rant on her company blog saying that people should stop reverse engineering Oracle’s code because it is a violation of the license agreement and you never find anything worthwhile – you just waste our time.

While the company has axed her blog post, the Internet never forgets, so her post is still available on the Internet Archive.

While she does make some good points, the ill will created by the tone of the post far overshadows them.

What she could have said in far fewer words is:

1. The first thing you should do is make sure that the software is configured in the most secure manner reasonable for what your business needs to do.

2. Make sure that you are running the current release and have installed all the patches (it is amazing how many Oracle customers fail this test).

3. Use the tools that Oracle provides to make sure you are not missing any secure configuration issues.

4. Don’t bother to run a static or dynamic code analyzer against our software because 99+% of what they will report are false positives and it takes way too much time to sort out the 1 potentially valid issue out of the 1,000 false ones.

And a note to Ms. Davidson: don’t worry about the reverse engineering of Oracle’s code that some analysis tools do because it is a violation of the license agreement.  Anyone who wants to steal your code will ignore the license agreement anyway, so what good do you do by beating up the customers that pay your salary?

She also said that Oracle would not give credit to researchers who find security holes.  What that statement does is cause researchers to publish exploits first.  As an example, we see a lot of that at BlackHat and Usenix Security for just that reason.  The media will give them credit.  Then Oracle has to figure out how to do damage control.  Not a great move.

There.  I think I did that in far fewer words and likely annoyed a whole lot fewer Oracle customers in the process.

Hopefully, someone took Ms. Davidson to the break room and explained corporate branding 101 to her.  If not, the media certainly has.

That being said, as you consider a vendor, covertly assessing that vendor’s posture with respect to security researchers might be useful.  The good vendors embrace the reputable researchers because they often find stuff that the vendors don’t find and you don’t have to pay them.  Even if you have a bug bounty program, you only pay them if they find something you have not found.  More, it is about attitude.

Information for this post came from Wired.


Google Search Rules Changed Last Week

For those of you who depend on Google search engine position for your business, the world changed last week.

As of April 21st, 2015, Google is using mobile friendliness as a criterion in search engine rankings.  This affects mobile search (not your desktop) in all languages, world wide.

Google has been saying that mobile friendliness is important for several years.  Now they are sort of “emphasizing” that point.

If your web site is not mobile friendly according to their criteria, your ranking will drop like a rock (see Google changes ranking criteria).

Google has even created a mobile friendliness test to see if your web site passes muster.  I just checked my site and it passes.  WHEW!

The good news is that this is all fixable, and when you fix it, if you need to, your position will return to normal.

Check things out.  See where you are.  Fix things if you have to.  Otherwise, consider that you are likely to “disappear” from Google.
