Category Archives: Privacy

Security News for the Week Ending September 18, 2020

Is TikTok Going to Sell to Oracle? Maybe

Well, sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. Nonetheless, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat; the same applies to TikTok, but not until November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced that the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two-factor codes sent via text message (one reason why I say that text message two-factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

A denial of service attack is a brute force attack that aims to hurt a business by stopping a company’s customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) is up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they had hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and forked over the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Privacy in the Land of California

For those of you that live in California, work in California or have customers in California, 2021 is going to be different.

Probably more complicated for businesses and possibly a little better for consumers.

Act 1: CA AB-1864 creates the Department of Financial Protection and Innovation (DFPI). California is not particularly happy that the Republican administration in Washington has defanged the Consumer Financial Protection Bureau. My personal opinion is that there are people in the legislature who are not happy that Xavier Becerra, the California AG, has been less than enthusiastic about enforcing CCPA.

The result is DFPI, aka California’s own CFPB. The governor is expected to sign the bill later this month.

Like the CFPB was supposed to do, the DFPI will have the power to bring administrative and civil actions, issue subpoenas and create rules and regulations. It also requires that all money collected by the department (AKA fines) will be used to fund the department. If the commissioner wants more staff … issue more fines.

For many of our clients, there is good news. Escrow agents, mortgage originators, broker-dealers, banks and other financial institutions are exempted from this regulation.

Fin-tech companies are not exempted. They need to watch out. The text of the bill can be found here.

Act 2: The second bill is SB-908, which will require debt collectors to be licensed. And regulated. Mortgage lenders are NOT exempted from the provisions of this bill. The governor is expected to sign this bill as well.

Given the current financial “troubles” in the country now and in the foreseeable future, there is going to be a lot of non-performing debt. For debtors in California, this bill will attempt to make the debt collection process a little more civil. Given the reputation of the industry as a whole, civil is not a term that I would generally use when describing the process. Of course, there are many exceptions. The text of this bill can be found here.

Act 3: The last bill in the collection is CA AB-376, which establishes a student loan borrower bill of rights. Among other things, this bill, which will be enforced by the new DFPI, requires loan servicers to operate like a fiduciary by managing payments to the benefit of the borrower and to reduce fees to the borrower.

The bill would allow a borrower that suffers damages as a result of a debt collector’s failure to follow this law or other relevant federal laws to sue the debt collector for actual damages, injunctive relief, restitution, attorney’s fees and other relief, including treble damages in some cases. The text of this bill, which the governor is also expected to sign, is available here.

This is not all; there is CCPA 2.0, but I will leave that for another day.

As you can see, for folks living, working or doing business in California, 2021 will be an interesting year.

Also remember, where California leads, the rest of the country follows. If you don’t believe that, check out CA SB 1386, the 2002 law that created privacy rights and the basis of state law in virtually every state in the country.

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking, White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how seriously the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoir and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

Windows 10 App Background Permissions

This is one of a series of user tips for protecting your privacy and security.

Windows 10 has a feature that allows apps to run in the background.

Is this a problem? Well, not in theory, but that is the problem. Theories are just that – our best guess at the moment.

If you allow an app to run in the background, even if you don’t explicitly start it or ever use it, the app can receive information, send notifications, download and install updates and eat your bandwidth and battery life (on laptops).

If you are running on an Internet connection that is not unlimited, it will also eat into whatever limit you have on your data transfer.

I don’t know about you, but I don’t recall saying it was okay for any applications to run in the background. You didn’t. To paraphrase a famous quote, we’re from Microsoft and we’re here to help you.

On your Windows 10 machine, start the SETTINGS app and then go to PRIVACY and then BACKGROUND APPS.

You should see a screen that looks like this:

In fact, there are multiple screens on my computer:

All of these apps are running in the background.

Whether you use the apps or not.

Many of these apps I have NEVER used.

It is possible that Microsoft MAY install updates in the background rather than through the Windows update process, but this seems dangerous since people can turn background apps off, so I am guessing they don’t do that.

Windows 10 lets you turn off background running on individual apps or all apps (at the top).

Also consider that you may break something that depends on some app – the Xbox Game Bar, for example – running in the background.

I, for one, am going to see if anything breaks.

Is Your Computer Spying on You?

It is pretty interesting what you find when you rummage around your computer.

Most computers these days have cameras and microphones. Do you know which applications can access your camera? What about your microphone? I didn’t. In fact, I didn’t even know where to look to find the answer to that question. When I looked, I was surprised what I found.

Both of these device controls can be found in the Windows SETTINGS app.

In settings, click on CAMERA to see this:

From this screen, you can see which apps, on my computer, had access to my camera. I understand why Skype needs access to my camera (maybe – depends if you are a Skype user), but why does the 3D Viewer need it? I am not even sure what that is. Microsoft Photos? I ONLY use it to look at pictures. Disable all of those items that you do not want to give access to your camera. You can always turn it back on if you want to.

Now move onto your microphone. It is on the same screen, just further down.

Again, there are apps that I don’t even know what they are that have access to my microphone. What is the feedback hub anyway?

Note that Microsoft’s Cortana is disabled. That is because I don’t use it. If you do use it, it needs to be on.
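The same review can be done from PowerShell instead of clicking through the Settings app. This is an added example, not code from the original post; it assumes the Settings app stores the camera, microphone and background-app toggles under the current user’s CapabilityAccessManager\ConsentStore and BackgroundAccessApplications registry keys, and reports what each listed app is allowed so the check can be repeated or scripted.

```powershell
# Added example (not from the original post). Assumed registry locations for
# the Windows 10 Camera, Microphone and Background apps settings pages; all are
# per user (HKCU). Apps with no entry simply keep the Windows default.
$ConsentStore  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
$BackgroundKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications'

function Get-DeviceAccess {
    # One row per app with an entry for the device ('webcam' or 'microphone').
    # Store apps are direct subkeys; classic desktop apps sit under NonPackaged.
    param([ValidateSet('webcam', 'microphone')][string]$Device)
    $root = Join-Path $ConsentStore $Device
    if (-not (Test-Path $root)) { return }
    # The root key's own Value is the page-level "Allow apps to access ..." switch.
    $master = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).Value
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $setting = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Value
        if ($null -ne $setting) {
            [pscustomobject]@{
                Device = $Device; App = $_.PSChildName
                AppSetting = $setting; MasterSwitch = $master
            }
        }
    }
}

function Set-DeviceAccess {
    # Writes the same Allow/Deny string the Settings app writes for an existing
    # entry; $App is the subkey name reported by Get-DeviceAccess.
    param([ValidateSet('webcam', 'microphone')][string]$Device,
          [string]$App,
          [ValidateSet('Allow', 'Deny')][string]$Access)
    $key = Join-Path (Join-Path $ConsentStore $Device) $App
    if (-not (Test-Path $key)) { throw "No $Device entry for $App" }
    Set-ItemProperty -Path $key -Name Value -Value $Access
}

function Get-BackgroundAppStatus {
    # Apps listed on the Background apps page. Disabled = 1 is the per-app
    # toggle; GlobalUserDisabled = 1 on the parent key is the master toggle.
    if (-not (Test-Path $BackgroundKey)) { return }
    $globalOff = (Get-ItemProperty -Path $BackgroundKey -ErrorAction SilentlyContinue).GlobalUserDisabled -eq 1
    Get-ChildItem -Path $BackgroundKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            App = $_.PSChildName
            RunsInBackground = -not ($globalOff -or $p.Disabled -eq 1)
        }
    }
}

# Report: apps currently allowed the camera or microphone, then apps still
# permitted to run in the background.
'webcam', 'microphone' | ForEach-Object { Get-DeviceAccess -Device $_ } |
    Where-Object { $_.AppSetting -eq 'Allow' } | Format-Table -AutoSize
Get-BackgroundAppStatus | Where-Object { $_.RunsInBackground } | Format-Table -AutoSize
```

To revoke access for one of the apps the report lists, call Set-DeviceAccess with that app’s subkey name and Deny; the Settings app remains the supported way to change these values, and it will show the change.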

It is unlikely that these apps are evil, but they do increase the attack surface.

Every app has the possibility of being compromised or having bugs that allow hackers to take over the app and take control of your devices.

You have probably seen people that put tape or little slides over their cameras. That pretty effectively stops people from seeing things that they should not see.

There is no equivalent way to stop apps from hearing what is going on. Tape does not solve this problem.

In some cases there is a way to handle this.

After using a laptop for many years, last year I switched to a desktop. I wanted to have a more powerful computer – multiple disk drives, an amazing amount of memory, etc.

One thing that happened as a result of that was that I no longer had a built in camera. My camera sits on top of my monitor and plugs into a USB port.

For me – and this won’t work for everyone – I unplug my camera when I am not on a video conference. That camera, an inexpensive Logitech unit, is also my computer’s microphone. When I unplug the camera, the microphone is unplugged as well.

Highly effective. I don’t know how to hack a camera or microphone that is not connected and not powered on. Consider that.

Just food for thought.

Security News for the Week Ending August 14, 2020

China and Russia Continue to Interfere with the Elections

According to the White House, China has been targeting the US election infrastructure ahead of the election and Russia has been trying to undercut Democratic candidate Joe Biden, much like they did with Clinton in 2016. Could it be that Russia thinks that the Republican Administration is distracted by China and is ignoring the damage that Russia is doing? After all, it’s not like Russia doesn’t want to do damage. Credit: South China Morning Post

China Hacking Government Sites, Others

Just in case you thought I was saying that China is a bunch of good guys… China has been using malware called Taidoor to hack government sites, private sector and think tanks since 2008 according to Homeland Security and the Pentagon. They are using this malware to maintain a presence, undetected, on these servers. DoD’s Cyber Command has only been uploading samples of this malware to the virus engines since 2018, so it is not clear what happened during the first 10 years of the attacks. Credit: Cyberscoop

Anomaly Six Accused of Secretly Embedding Location Tracking in Hundreds of Apps

US Government contractor Anomaly Six, which has strong ties to various national security agencies, is accused of creating a software development kit that secretly tracks the user’s location and reports the data to them. Apparently hundreds of apps use this SDK as the company pays the developers for the data.

The company refuses to disclose which apps are using it and, in theory, the apps should disclose they are selling the data. Assuming the apps are not completely rogue, they would need to ask for the location permission. I suspect we will hear more now that this cat is out of the bag. Credit: Hackread

OOPS! This is Embarrassing

The SANS cybersecurity training company suffered a data breach because an employee fell victim to a phishing attack. While we can have some fun at their expense, the real point is that not falling for phishing attacks is hard and takes a strong program. If you don’t have a strong anti-phishing program, we have a great one. The attack was the result of a SINGLE phishing click. This allowed the attacker to install a malicious Office 365 add-on. The result was that the hacker was able to forward over 500 emails representing the PII of 28,000 SANS members before being detected. The good news is that they have some of the best forensics experts in the business on their staff. They are conducting an investigation. Credit: Bleeping Computer

Another NSA Advisory: Linux. Rootkit. Russia

I know China is a threat. It is. But Russia is just as big a threat – they just operate differently. The NSA released an alert that says that Russia’s intelligence arm, the GRU, has built and targeted Linux systems with Drovorub. It is a Linux rootkit that can steal files, run arbitrary commands and forward network traffic to sniff it. Other than that, not a big deal. It hooks into the Linux kernel making it hard, but not impossible, to detect. Given the nature of the GRU, they are likely to use it against high value targets like, perhaps, tech companies, defense contractors or Covid-19 researchers. Beware. Credit: The Register