Category Archives: News Bites

Short news items

Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always keep their documents secret.  The only way that you even get a copy of the specs is to become a member and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

 

IBM  Says Reports of Malware Attacks Up 200% in first 6 months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

 

 StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan before hand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach and the truth got out.  Source: Tech Crunch.

 

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, who’s details are likely classified, probably use techniques like we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

 

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.

 

North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver’s license databases.  The FBI and DHS have do not feel that they have ask permission to do this.

The FBI conducts 4,000  facial recognition searches a  month.  While the searches might be to find serious criminals,  it also might be used to find petty thiefs.

All that may be required to conduct the search is an email.  21 states allow the these searches  absent a court order.   There is no federal law allowing or prohibiting this.

ICE does searches in a dozen states where those states DMVs give illegal aliens licenses.  Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones that have crappy security.  This week the Chinese got caught in that net.   Jiangsu province, with a population of 80 million left 26 gigabytes of personal data data representing 56  million personal and 33 million business records exposed in an unprotected elastic search server.  The internet is equal opportunity.   Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail.  That was very difficult to hack.  Unfortunately, it is also very expensive.  Given that the results of the Census affects everything from the makeup of Congress to the receipt of Federal road construction dollars, the outcome is very important.

What way to make people trust the government even less than they already do than to screw up that count.

This year, for the first time, the Census is using the Internet and smart phones to electronically collect data.  And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing.  After all, what could possibly go wrong.  Even Congress is nervous.  Of  course, the count directly affects their job.  Source:  The NY Times.

K12.Com Exposes Student Data on 7 Million

Its a sad situation where a breach of the personal data of 7  million students is barely a footnote.  In this case, K12’s software is used by 1,100 school districts (maybe yours?)  They  left a database publicly accessible until notified by researchers. Information compromised included name, email, birthday, gender, authentication keys for accessing the student’s account and other information.  Not nuclear launch codes, but still, come on guys.  Source: Engadget.

 

If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission – capturing and recording (and handing over to the authorities).  Note this is likely NOT exclusively a Google issue.  They just got caught.  Amazon listens to, they say, about 1.000 clips per shift and has recorded conversations like a child screaming for help and sexual assaults.  THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.  

Of the 1,000 recordings, over 150 did not included the wake word, so 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed.  They also said that the recordings given to the humans were not associated with a user’s account, but the news outlet said that you could hear addresses and other information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here.  One is Google listening (or having its vendors listen) to what you ask Google and the other is Google listening and recording stuff it should not record.  The first should be reasonably expected;  the second is a problem.  Source: Threatpost.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending July 5, 2019

This is What Spies Do

It has come out that western (read one or more of the five eyes countries) inserted malware into Yandex (Russia’s equivalent of Google) in order to steal administrative credentials.  The purpose was, apparently, to read emails of interest to the western spies.  We need to understand that we do it to them and they do it to us, but the idea is to make it hard for them and easy for us.  Source: Reuters.

Firms That Claim to be Able to Reverse Ransomware Sometimes Lie

Another so called “Data Recovery” firms that claim to be able to recover from ransomware just pay the ransom and mark the cost up.  The most recent firm to be outed is Red Mosquito Data Recovery was outed when they were the target of the sting.  The researcher played the role of both the victim and the ransomer and discovered what Red Mosquito was doing.  Remember that if you do pay the ransom, you still need to rebuild your systems from the ground up because you do not know what time bombs or back doors the ransomer left behind.   Source: Propublica,

Trump Changes His Mind – Huawei Not a National Security Threat?

After Tweeting for months that Huawei is a national security threat; that their equipment needs to be banned in the US and abroad and that existing equipment needs to be removed — to it is okay if we sell Huawei parts.  This happened the day after he met with Xi at the G20 and it is reported Xi told him that the trade war would continue until the ban was removed.  While not removed, it is a hole wide enough to drive a tractor trailer through.  Source: The Register.

One Terabyte of Police Bodycam Video Available on the Dark Web

In another example of companies not requiring vendors to have adequate cybersecurity programs in place, researchers found a terabyte (that is 1,000,000,000,000 bytes) of police bodycam video from Miami and other cities available on the dark web.  It is likely this video has been copied and sold.  Miami PD is not talking.  Probably a good time for the police to plead the Fifth.  The problem is linked back to 5 IT vendors who did not protect the data.   Either police departments did not care (worst cast) or do proper due diligence (best case).  I hope they have a bunch of insurance because you know that there will be lawsuits.  At some point people will figure out that even though vendor cyber due diligence is hard, getting sued and defending yourself is even harder.  Source: The Register.

If China Can’t Buy Memory Chips From the US, it will Get into the Memory Biz and Compete Against Us

In the trade wars are hard department, the Chinese just convinced the Godfather of Japan’s DRAM business to come to China and head up a company that plans to build its own memory chips.  This is likely the result of the current trade war.

If successful, the result will be that western memory chip makers will lose all of their sales to China, but more importantly, China might flood the market with cheap memory chips, damaging the worldwide multi-billion dollar memory business.  Source: The Register.

Microsoft to Require CSPs to Use Multi-Factor Auth

In light of the recent leak of details on Cloud Hopper, Microsoft is becoming very visible and requiring their O.365 resellers to use multi-factor authentication in order to reduce the risk that they represent to the ecosystem.  This is a proactive effort on their part – likely – as  they have not been publicly named as a cloud hopper victim, but they certainly are a target.  Source: Brian Krebs.

 

Presidential Alerts Spoofable

Okay, no jokes about our current President’s love of twitter.

Researchers at the University of Colorado (CU) have demonstrated how easy it is to spoof the Presidential alerts – assuming you even get them (you may remember they tested the system last year and lots of people, including me, didn’t get the test).

In this case, the CU researchers say that 4 low power base stations could target every person in a football stadium of say 50,000, causing mass panic.    While it might be hard to get these briefcase size devices inside a football stadium, it would be pretty easy to get it into soft targets like office buildings or shopping centers and depending on the message (Ex: Inbound nukes from China; will detonate here in 10 minutes), could cause mass panic.  Source: BBC

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.

 

Samsung warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy  new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register

 

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor – American Medical Collection Agency –  the vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats and the sinking ship.

As a result of that, the lawsuits already filed and to be filed and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc. ,has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

 

Your Tax Dollars At Work

A Florida city has taken the opposite tactic that Baltimore did and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Rivieria Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riveria Beach likely didn’t prioritize IT spending very high and crossed it’s fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  They have now agreed to implement a number of IT projects that have been ignored for years and spending $18 million.

In this case, the hacker was bolder, asking for $600,000, which if the city has typically poor IT practices, was the only way to get their data back.

The reason why we hear about all of these attacks on cities is that their budget project is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending June 14, 2019

SandboxEscaper Releases Yet Another Windows Zero-Day

SandboxEscaper has it in for Microsoft.  He or she has released over a half dozen zero-days including four of them just a couple of weeks ago.  He or she has put Microsoft behind the power curve multiple times and now he or she is doing it again.

This time SandboxEscaper has figured out how to exploit the patched version of one of the previous exploits.  This exploit can be triggered silently with no obvious warning to the user.  There is no patch available for it yet. Source: The Hacker News.

If history is any example, this is probably not the last time we will hear from SandboxEscaper.

 

License Plate Pictures Taken by CBP Cameras Available on the Dark Web

As reported last month but not confirmed by Customs and Border Protection until this week, an unnamed vendor of license plate readers to CBP and others was hacked and hundreds of gigabytes of data stolen.

Included in that data was thousands of photos of license plates captured at the US border and travelers at US Airports and they are available on the dark web.

The government (no surprise) has a poor vendor cyber risk management program.  The vendor, widely believed to be Perceptics, although the government is shielding it for some unknown reason,  copied data from the government’s computers  to their own.  After this, the vendor was hacked and hundreds of gigabytes of data stolen.  Source:  The Register.

 

A Year Later, U.S. Government Websites Are Still Redirecting to Hardcore Porn

Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domain names that redirect visitors to porn sites.

Gizmodo reported this a year ago and it is still not fixed,  Actually a few sites were fixed and a few more added to the broken list.

Users were being redirected from government sites to sites with names like” Two Hot Russians Love Animal Porn”.  One site infected was the Department of Justice’s Amber Alert site.  To be clear, the government is not running porn sites.

And these are folks that we are relying to to protect our cyber universe.  Source: Gizmodo.

 

Philly Courts Still Down After Cyber-Attack Last Month

Another day, another city.  In this case, it was the court system in Philadelphia was hit by a cyber-attack.

After the attack, e-filing, docketing and email systems were taken down and now there are still problems.

So far, the courts have released very little information – not even the name of the firm that they hired to fix their mess.  Likely, that will come out later.

Suffice it to say, with each of these attacks, it becomes more and more important to evaluate YOUR disaster recovery system.  Can you afford to be down for weeks in case you suffer an attack?  Source: Infosecurity Magazine.

Facebooktwitterredditlinkedinmailby feather

Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. Company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, what to constraint the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.

 

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day,  Malwarebytes Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while Malwarebytes stats reports what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report, but likely this includes both successful and failed ransomware attacks since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.

 

Supply Chain Risk is a Major Problem

Germany based CityComp, who has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000 which was not paid.  The hacker claims to have over 500 gig of data in 312,000 files.  Which is set to be released.  Because a vendor was hacked.  In part because their client’s vendor cyber risk management program did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.

 

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.

 

Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials 30 European Union and NATO countries as well as Japan, Australia and Germany are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.

 

Facebooktwitterredditlinkedinmailby feather