Category Archives: News Bites

Short news items

Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  LocalBlox builds the dataset by scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them.  (Source: ZDNet).


Friday News

Intel will NOT be patching all of its flawed chips

After saying, for months, that it would release firmware updates to all chipsets produced in the last 5 years, Intel is now backtracking, saying that it won’t produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.  There were several reasons, number one being that it was too hard (read: impossible) given the architecture of those chips.  (Source: The Verge).

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft’s empire, releasing 65 SECURITY patches a month is not unreasonable.  On the other hand, given that they have been doing this for years, that is thousands of security flaws, which is a bit mind blowing.  This month’s patches affect Internet Explorer and Edge, Office, the Microsoft Malware Protection Engine (one more time), Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released as an out-of-band patch last week because it affects all of Microsoft’s anti-malware products, such as Windows Defender and Security Essentials.  This is at least the third emergency patch to the MPE in recent months.

Corporate IT usually has patching handled, but when it comes to home users, things are a bit more spotty, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to “step up” their cybersecurity game, it must be bad.  Brian Krebs details the story of a tax preparer who allowed his system to become compromised with a not very sophisticated keystroke logger.  The result was that his clients’ data was stolen and false returns were filed.  When the clients’ real returns were rejected by the IRS, the CPA provided form letters to his clients to file with the IRS saying that they were the victims of identity theft, but not saying that it was the accountant who was responsible.  No doubt the clients were left with the bill to clean up their CPA’s mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta, Colorado spending millions after ransomware attack

Atlanta has spent over $2 million mitigating the ransomware attack which started on March 12.  The attackers asked for $50,000, which likely would have been covered by insurance.  The costs are for Secureworks, Ernst and Young and others.  If these costs are to upgrade infrastructure, the insurance would not cover that.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since their ransomware attack in February.  CDOT is still not fully operational.

Stories are that Atlanta’s IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).


Friday News

Delta Airlines Terms of Service “Concern”

Users that tag pictures with Delta Skymiles hashtags (#Skymileslife and #Deltamedalionlife) agree to some interesting terms and conditions according to the recently modified Delta Skymiles program terms.  (a) They give Delta a perpetual license to use the tagged content (photos) and (b) they warrant they are the sole owner of the content and have the authority to post the content.  Note that you are not posting this on Delta’s web site.  The next term is the one that is mind blowing.  (c) You agree, under your Skymiles program agreement, that if you post something, say on Twitter, with those hashtags, you will indemnify Delta and pay any legal fees, among other terms.  Pretty amazing.  (Source: BoardingArea.com).

Ransomware May Kill You – Literally

Researchers at Vanderbilt studied the mortality rate in hospitals and correlated that data to hacking attacks.  They found that the mortality rate increased by about one-third to one-half percent after an attack.  They also say that the size of the breach doesn’t seem to affect the mortality rate.  (Source: Dark Reading).

Alabama is the last state in the union to enact a data breach notification law

Almost 15 years after California’s landmark privacy law, SB 1386, became effective, Alabama passed a data breach notification law and the governor signed it.  Like many other states, it refers to “implement and maintain reasonable security” and “conduct a good faith and prompt investigation” in case of a breach.  What is a bit less customary is that they give some detailed specifics as to what is reasonable.  Yeah for Alabama.  (Source: Ballard Spahr)

Homeland Security Says Rogue Stingrays Operating in DC

Stingrays, one brand name for cell phone call interceptors, were found by Homeland Security to be operating in DC last year, according to a memo between DHS and Sen. Ron Wyden (D-OR).  DHS said that they did not have the equipment or funding to monitor for rogue devices.  It makes sense that foreign intelligence services would be very interested in intercepting cell phone calls made by government officials in DC and likely many other cities where there are large defense and intelligence communities.  Wyden said that leaving cell phone security to the phone companies has been disastrous, which is certainly true.  But he didn’t mention efforts by the NSA to weaken crypto over the last 20 years or efforts by the FBI to intentionally build back doors into all encrypted communications, so, maybe, what goes around, comes around.  (Source: Associated Press).

Why Vendor Cyber Risk Assessments Are So Important

Bangalore based Business Process Outsourcer [24]7.ai admitted that they suffered a breach between September 26th and October 12th 2017.  Being an outsource vendor, their breach likely affected many customers.  Among those that have fessed up, so far, are Delta Airlines, Sears and yesterday, Best Buy.

[24]7.ai said that they thought that only a million of their customers’ credit cards were affected by the breach.

You can outsource the work, but you can’t outsource the liability.  Even though Sears, Delta and Best Buy are trying to throw [24]7.ai under the cyber liability bus, their customers will blame them, not the vendor (Source: Economic Times of India).


Friday News

ATLANTA HIT BY RANSOMWARE ATTACK

Atlanta, GA is the most recent city to get hit by a ransomware attack – on Thursday, March 22.  Cities seem to be a hot target, likely because they are big, public and behind the private sector when it comes to IT and cyber security.  One of Atlanta’s council members said, “As daunting as the city of Atlanta’s apparatus may seem, we’re still limited by the amount of resources we have to defend our systems.”  Atlanta’s mayor “compared the city’s network to a decade-old pickup she drove until it was wrecked” and said to expect a “massive inconvenience”.  The attacker is asking for $50,000 and the city is considering it.  One piece of good news:  the city does have cyber insurance, so the taxpayers won’t be footing the entire bill to put Humpty-Dumpty back together again.

The local CBS affiliate said that the city was warned months ago that IT was in critical condition on life support, but doesn’t have the resources to recover.  (Source: Atlanta Journal Constitution).

TLS 1.3 APPROVED BY IETF

After FOUR YEARS and TWENTY EIGHT drafts, the Internet Engineering Task Force, the group of geeks that controls the Internet’s protocols, has approved TLS 1.3.  While to the average user that doesn’t mean anything, to the geeks in the room it means that HTTPS will be a little bit more secure – a lot more secure than some HTTPS traffic – and a little bit faster.  While it will take some time for traffic to move to this new version, it will, and it will likely do so faster than the move to 1.2 did.  An effort to build a back door into the protocol for the convenience of network managers – and also spies and hackers – was beaten down and not added to the spec.  Score one for you and me.  (Source: The Register).

The New York Times is reporting that the FBI is working with a team of security experts to attempt to craft a back door to encryption on mobile devices – the so called going dark problem.  The team, headed up by a professor at MIT, is testing out different possibilities, although the FBI says that it is not ready to ask Congress for legislation.  Yet.  At least, this time, they are working with security experts, which likely would yield a better solution than anything that politicians invent.  Still, there are problems.  First, is it really possible to keep a back door secret?  Can they get Congress, over the massive distrust on all sides of the conversation, to agree to such a law?  How do they get application developers, based in foreign countries and maybe even hosted in foreign countries, to agree to such an intrusion?  Lots of questions, not very many answers.  (Source: New York Times).

MICROSOFT MELTDOWN PATCH WORSE THAN THE DISEASE

Microsoft’s Meltdown patch for Windows 7 64-bit and Windows Server 2008 R2 left critical kernel page tables readable by any process, which means that malware could read any memory, make itself an administrator and modify the operating system’s memory map.  The good news is that it does not affect Windows 8 or 10 and has been fixed in the March Windows update release.  (Source: The Register).

NOT MUCH HAS CHANGED IN VOTING SECURITY SINCE 2016

I have written before that DHS won’t finish with all of the audit requests from states regarding voting process security until this summer, leaving no time to actually fix any problems.   Now, the Brennan Center for Justice at NYU has released an updated version of their 2015 report on voting machine security.  Only 41 states now use voting systems at least a decade out of date.  That is kind of like if you were still using an iPhone 3G – one that likely has not been patched in 5 or more years.  That is down from 44 states being in that position in 2015.  They also talk about all the other phases of the voting process, from registering voters to election night tallies, that are likely easier to compromise.  It all boils down to money and time, something the states and cities do not have available and which the feds do not think is important enough to fund.  (Source: GovCyberInsider).


Friday News

It was only a matter of time.  Researchers say that they have discovered “things” on the blockchain.  Not so nice things.  Like child porn.  If true, and I have no reason to doubt the researchers, that would make possession of a copy of the blockchain illegal in 112 countries.  And, since we know that you can’t change the blockchain, now what?  Normally, when the cops find child porn on a web site, they get it removed or shut it down.  Do you have any idea how to shut down a distributed database with tens of millions of copies on every continent of the globe, except, maybe, Antarctica?  Me neither.   And think about it.  You could use this technology to distribute any kind of illegal information that you want to.  Hidden in plain sight and unstoppable.  (Source: PC Magazine).

Department of Homeland Security Secretary Kirstjen Nielsen testified before the Senate Intelligence Committee this week that they have completed the security clearance process on 20 election officials to be able to share classified intelligence about foreign government attempts to hack into their election systems.  Given there are about 10,000 election jurisdictions, at this rate it may take a while to complete.

Suffice it to say, it would seem that after 14 months, this administration is a tiny little bit behind the 8 ball when it comes to protecting our election process.  (source: Axios).

Possibly in the wake of the Cambridge Analytica “situation”, the Facebook security chief, Alex Stamos, quit.  He was followed the next day by Michael Coates, head of security for Twitter, and the day after that by Michal Zalewski, Director of Information Security Engineering at Google.  Not a great week.  Is someone sending the big guys a message?  (Source: National Herald).

Mossack Fonseca, the law firm at the eye of the storm of the Panama Papers leak of millions of documents of the rich and famous announced they are shutting down due to reputational damage, media attention to a company that would rather operate in the shadows and other fallout from their breach.  While their breach was very public, their finances were deep.  However when customers started deserting them like rats deserting a sinking ship, their ship was doomed.  While it took a couple of years, it was inevitable. (source: The Guardian).

The government has filed civil and criminal charges against a former Equifax exec for insider trading.  Jun Ying, a not very smart tech exec at the company, heard rumors about a breach and decided it would be a good time to sell all of his vested stock options, netting him almost a million bucks in profit.  And, possibly, ten years at the crossbar hotel.  Not very subtle on his part.  Hopefully only the beginning of going after folks at Equifax, but who knows.  (Source: Reuters).


Friday Quick Notes

Breaking from my usual theme of one day, one story, here are a few quick notes for you to ponder over the weekend.

In a story that no one saw coming, Adobe is going to patch a critical zero day flaw, being exploited in the wild.  Next Week.  In fairness to Adobe, they do have to develop, package and test the fixes, so it does take some time, but it doesn’t take the hackers as long to exploit the problem.

I thought I had uninstalled Flash on my machines, but after the announcement today I looked and it was back again.  I don’t remember reinstalling it, so maybe some Microsoft update reinstalled it.  Find details on the zero day here.  As of yesterday, this was being exploited in Korea, but likely, as of tomorrow, it will be worldwide.

People like to beat up Google and Android as not being as safe as iPhones and in fairness, beating them up is fun and often accurate.  Still Google is sensitive to being criticized.  They just announced that they removed 700,000 apps from the Google store in 2017.  That’s a lot.  In fact it is up 70% from the year before.  While nothing is perfect, pulling 700,000 apps is a lot of work.  Read the details here.  In an even more encouraging statistic, 99% of the apps were removed before anyone could download and install them.  They also identified 100,000 malicious developers and blocked them from the Google store. Go Google!

Researchers have found a new flaw in Oracle’s Micros point of sale or POS system that is used by 200,000 restaurants and 30,000 hotels in 180 countries.  There is a patch for it, but as we discovered with the Equifax breach, people don’t always install patches.  In the case of restaurants and hotels, when, exactly, do you want to take down your point of sale system to patch it?  The result is that many of these systems will never be patched.  Read the details here.  Note that this site may require you to create a free account.

In a move that I would label “It’s about time”, starting March 1, 2018, Microsoft’s anti-malware tool will bully the bullies.  Those software tools that claim to have detected a virus and, for only $99 or whatever, will remove it for you – Microsoft will label them malware and fix the problem for you by deleting those apps.  Yeah, Microsoft.  Read the details here.

Cybersecurity researchers at Ben Gurion University of the Negev say that medical imaging devices like CT scanners are at risk.  Risk of killing patients if a hacker wanted to, by hacking the PC that controls it and changing the radiation level. Hackers could also hold the imaging devices ransom  – taking them out of service until the ransom is paid or the hospital figures out some other solution.  Apparently, the ransom thing has already happened;  the killing part has only happened to a mannequin.  At least that people are willing to fess up to.  Read the story here.
