Category Archives: News Bites

Short news items

Security News for the Week Ending August 14, 2020

China and Russia Continue to Interfere with the Elections

According the the White House, China has been targeting the US election infrastructure ahead of the election and Russia has been trying to undercut Democratic candidate Joe Biden, much like their did with Clinton in 2016. Could it be that Russia thinks that the Republican Administrations are distracted by China and are ignoring the damage that Russia is doing? After all, Its not like Russia doesn’t want to do damage. Credit: South China Morning Post

China Hacking Government Sites, Others

Just in case you thought I was saying that China is a bunch of good guys… China has been using malware called Taidoor to hack government sites, private sector and think tanks since 2008 according to Homeland Security and the Pentagon. They are using this malware to maintain a presence, undetected, on these servers. DoD’s Cyber Command has only been uploading samples of this malware to the virus engines since 2018, so it is not clear what happened during the first 10 years of the attacks. Credit: Cyberscoop

Anomaly Six Accused of Secretly Embedding Location Tracking in Hundreds of Apps

US Government contractor Anomaly Six, who has strong ties to various national security agencies, is accused of creating a software development kit that secretly tracks the user’s location and reports the data to them. Apparently hundreds of apps use this SDK as the company pays the developers for the data.

The company refuses to disclose which apps are using it and, in theory, the apps should disclose they are selling the data. Assuming the apps are not completely rogue, they would need to ask for the location permission. I suspect we will hear more now that this cat is out of the bag. Credit: Hackread

OOPS! This is Embarrassing

The SANS cybersecurity training company suffered a data breach because an employee fell victim to a phishing attack. While we can make some fun at their expense, the real point is that not falling for phishing attacks is hard and takes a strong program. If you don’t have a strong anti-phishing program, we have a great one. The attack was the result of a SINGLE phishing click. This allowed the attacker to install a malicious Office 365 add-on. The result was the hacker was able to forward over 500 emails representing the PII of 28,000 SANS members, before being detected. The good news is that they have some of the best forensics experts in the business on their staff. They are conducting an investigation. Credit: Bleeping Computer

Another NSA Advisory: Linux. Rootkit. Russia

I know China is a threat. It is. But Russia is just as big a threat – they just operate differently. The NSA released an alert that says that Russia’s intelligence arm, the GRU, has built and targeted Linux systems with Drovorub. It is a Linux rootkit that can steal files, run arbitrary commands and forward network traffic to sniff it. Other than that, not a big deal. It hooks into the Linux kernel making it hard, but not impossible, to detect. Given the nature of the GRU, they are likely to use it against high value targets like, perhaps, tech companies, defense contractors or Covid-19 researchers. Beware. Credit: The Register

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate Generals. Stay tuned; that sausage is still being made. If they do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between your financial institutions and you, are not regulated in the same way that say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

IRS is “Recommending” Tax Pros Use Multi-factor Authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two factor apps like Google Authenticator over SMS messages which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude less cell sites. Unfortunately, this also means that the speed that you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you currently have with your current phone without spending the money on the new phone and new plan. For details, read the article in USA Today.

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Security News Bites for the Week Ending July 10, 2020

Digicert to Incinerate 50,000 Certificates this Weekend

Due to a process failure, Digicert is going to invalidate about 50,000 SSL (TLS) certificates this weekend. This is happening with only 5 days notice. If Digicert is your certificate provider, make sure that your certificate is not one that is going into the bonfire. Credit: The Register

National Coin Shortage

Okay, this is not a security item, but fascinating none the less. I went into a gas station this week and there was a sign on the counter – pay with exact change or use a credit card. National Coin Shortage. News to me, but apparently true according to the Federal Reserve. Due to Covid-19 and stores closing, coins are not circulating. Combine that with the U.S. Mint reducing some production due to the virus, and the Fed says that there is a coin shortage. They say it likely won’t be fixed for months. Interesting. Credit: Vice

The Hidden Purpose of New Mac Ransomware

If you are like most people, you probably assume that the purpose of any ransomware is, well, to collect a ransom. According to researchers, that might not be the case with EvilQuest. Instead, it’s purpose, they say, is to steal information. Almost anything. Images. Documents. SSL Certificates. Crypto wallets. Spreadsheets. I.e., almost anything with bits. Probably a good idea not to get infected with it. Credit: SC Magazine

DHS’s “SSN Lock” – Nope. Not Even Close

I have written before that you need to create your online account at important vendors before a hacker creates one for you and takes over your account.

Great concept. For **MOST** companies, that actually works. Not so for your Social Security Number at the Department of Homeland Security.

After a reader alerted him, Brian Krebs created an account on DHS’s web site and locked his social security number. Brian then created another account on the site using a different email address but with his social and the system allowed him create that second account and to unlock his social. We call that pretend security. Most companies do better than that. Credit: Brian Krebs

Russian Hacker Who Hacked Linked In and Dropbox is Guilty

Russian National Yevgeniy Nikulin was found guilty of hacking LinkedIn and Dropbox, among other sites. He was arrested in the Czech Republic in 2016 and extradited to the US in 2018 over objections of Russia who wanted to, they said, bring him to trial in Russia (sure, we believe them). The case has been a bit of a circus with him not cooperating with his lawyers, meeting with Russian officials without his lawyer present and being placed in solitary after vandalizing his cell. He will be sentenced in September. Credit: Cyberscoop

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users and since Apple doesn’t make it’s livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. 14 companies worth of breached databases from 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called stuffing) attacks where hackers try those passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Security News for the Week Ending June 26, 2020

Anonymous Gonna Rise Again. Question Mark?

A hacker or hackers claiming to be affiliated the non-group Anonymous has posted a million documents coming from over 200 police departments and other law enforcement agencies. While the documents do no purport to show illegal activities, they are likely both embarrassing and also confidential. The fact that the police could not protect their own information is probably not great for their reputations either. Credit: Wired

Republican Senators Create Bill to End Use of Warrant-proof Encryption

Senators Lindsey Graham, Tom Cotton and Marsha Blackburn say that they plan to introduce a bill that will require service providers and device manufacturers to insert backdoors into their software and devices so that cops can decrypt the devices when they want to.

They have not published the bill yet and we have no idea whether it will get any traction, so who knows, but the main issue is that there is nothing to stop bad actors from installing software from web sites in countries that don’t really case about what Mrs Graham and Cotton or Ms. Blackburn want. Sure you will catch stupid crooks, but we catch them anyway. Credit: ZDNet

Pentagon Creates List of Companies Controlled by Chinese PLA

There is a 1999 law that requires the Pentagon to produce a list of companies controlled by the Chinese military. Always prompt, 21 years later the Pentagon has produced that list. Huawei is one of those companies, of course. At this point it is not clear what the White House will do with that list, but we assume that it will be used to add pressure to China. Credit: Time

Feds Ask FCC to Deny China Access to New Fiber Optic Cable from US

Team Telecom, that federation of executive branch agencies that has been completely toothless in stopping China from compromising our telecom has finally decided that to feels its Wheaties. Renamed CAFPUSTSS, they say we should not drop an undersea fiber cable in Hong Kong for China to tap. The proposed cable would have a speed of 144 terabits per second, otherwise known as way fast. If the White House has its way, the cable will go from the U.S. to the Philippines and Taiwan and bypass Hong Kong. Google owns the Taiwan segment and Facebook owns the Philippines segment, but China owns the proposed Hong Kong segment. Credit: CSO Online

Hackers Use Captcha to Thwart Detection

Captcha, those annoying puzzles/questions/pictures that websites use to try and distinguish bots from humans, is now being used by the baddies. The hackers are putting their malware, like infected spreadsheets, on websites behind a captcha, likely to try and avoid detection by the good guys. If the good guys automated testing cannot complete the captcha, it won’t test the content behind it, leaving it available for victims to download and get infected. Credit: ARS Technica