Category Archives: Privacy

Self Inflicted Cyber Breaches Still Huge Problem Along with Third Party Risk

And it continues to be a major issue for some reason.

This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose that) in an Elasticsearch database.

The server was discovered on May 27th and the data goes back to April 19th, so that might be the exposure window.

The server has been connected to the Pyramid Hotel Group.  Their web site says they provide superior operations, owner relations and support services to hotels and their investors.  IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.

The data was locked down after Pyramid was informed but they have not publicly admitted to the breach.

IN THE U.S., THERE MAY BE NO LEGAL REQUIREMENT TO DISCLOSE BREACHES OF THIS TYPE BECAUSE THEY MAY NOT CONTAIN ANY NON-PUBLIC PERSONAL INFORMATION.

It is unknown what the contracts between these hotel owners and Pyramid say, but for our clients who engage us to review outsourcing contracts, Pyramid would have a huge liability in this case – probably in the tens of millions or more due to the amount of emergency work that will be required to mitigate the damage – see below.

Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.

What’s in the data?

  • Information on hotel room locks and room safes
  • Physical security management equipment.
  • Server access API keys
  • Passwords
  • Device names
  • Firewall and open port data
  • Malware alerts
  • Login attempt information
  • Application errors
  • Hotel employee names and usernames
  • Local PC names and OS details
  • Server names and OS details
  • Security policy details
  • and a bunch of other information.

In other words, a veritable road map for the bad-peops.

Businesses need to create processes to manage new cloud instances and ensure they are secure as well as audit existing cloud instances.

Likely in this case, this instance was created by an employee to do a particular task, and that employee probably never even considered security.

Servers will now need to be rekeyed and automation edited to accommodate that and companies will need to figure out the security implications and mitigations of the rest of the data that was exposed.

And of course, since this is an outsource vendor, these companies’ vendor cyber risk management programs are, apparently, defective.

Information for this post came from ZDNet.

Germany (And Others) Talks About Banning End to End Encryption

Der Spiegel is reporting that the German Ministry for Internal Affairs is planning to require all Internet message service providers to be able to provide unencrypted copies of messages if requested.

This is, of course, not new.  The Crypto Wars started in the 1990s with Phil Zimmermann and PGP and continue to this day.  A few years ago the FBI got into a fight with Apple after the San Bernardino shootings and lost.

But politicians are not stopping.

Maybe what is going on in Germany is an edge case, but we should not assume that.

If end to end encryption is banned (meaning that WhatsApp, iMessage, Signal and a host of other products would be illegal), how would that be enforced?

Would ISPs be required to have access to your computers and phones to detect and remove such products?

Would countries have to implement tech like China’s great firewall (which Russia and other countries are already working on doing)?

Let’s assume such a law passes and messaging providers comply.  That means that they would have to have the crypto keys needed to decrypt any message.  Or the government would.

Given that hackers seem to be winning the war, do you really think that Russia or China would not compromise some Apple or Google employee?  Threaten to kill their entire family?  Or worse?

Of course, people could install software that was written in countries that didn’t have such a law.

Possibly, the law could say that if you are found in possession of such software they will throw you in jail.

And how do you deal with steganography – the art of hiding information in photos and other images?

I promise this will not end any time soon.

Unfortunately, we need to educate politicians worldwide about the risks and difficulties of what they are asking for and that won’t be easy because people want to feel safe and that is what politicians think they are offering them.  In fact, what they are really doing is increasing risk.  Risk to people’s privacy.  Risk to people’s healthcare.  Risk to people’s finances.  Risk to people’s lifestyle.

Just remember that proverb – may you live in interesting times.  It is definitely interesting.

Some information for this post came from Boing Boing and Bruce Schneier.

Security news for the Week Ending May 24, 2019

Salesforce Gives Users Access To All of Your Company’s Data

In what can only be called an oops, Salesforce deployed a script last Friday that gave users of certain parts of Salesforce access to all of the data that a company had on the system.  The good news is that it didn’t show you anyone else’s data, but it did give users both read and write access to all of their company’s data.

In order to fix it, Salesforce took down large parts of its environment, causing some companies that depend on Salesforce to shut their company down and send employees home.

This brings up the issue of disaster recovery and business continuity.  Just because it is in the cloud does not mean that you won’t have a disaster.  It is not clear if replicating your Salesforce app to another data center would have kept these companies working.  Source: ZDNet.

Google Tracks Your Online Purchases Through Gmail

While this will probably not come as a surprise, Google scans your emails to find receipts from online purchases and stores them in your Google purchase history at https://myaccount.google.com/purchases.  This is true whether you use Google Pay or not.  One user reported that Google tracked their Domino’s Pizza and 1-800-Flowers purchases, as well as Amazon, among other stores.

You can delete this history if you have masochistic tendencies, but I doubt anyone is going to do that because it requires you to delete the underlying email that caused it to populate the purchase, one by one.  There is also no way to turn this “Feature” off.

It appears that it keeps this data forever.

Google said they are not using this data to serve ads, but they did not respond to the question about whether they use it for other purposes.  Source: Bleeping Computer.

President Trump Building An Email List to Bypass Social Media

Welcome to the world of big data.  The Prez has created a survey for people to submit information about how they have been wronged by social media.  And get you subscribed to his email list.  Nothing illegal.  Nothing nefarious.  Just a big data grab.

If you read the user agreement, it says you “grant the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content.  [NOTE: That “content” includes your email address and phone number.]  The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media.”

This seems to be hosted on the Whitehouse.Gov servers.  It is not clear who will have access to this data or for what purpose.  Source: Vice.

Colorado Governor Declares Statewide Emergency After Ransomware Attack

Last year the Colorado Department of Transportation suffered a ransomware attack.  Initially the state thought it was getting a handle on the attack, but ten days later it came back.

It was the first time any state had issued a Statewide Emergency for a cyberattack.  Ever!  Anywhere!

It had the effect that the state was able to mobilize the National Guard, call in resources from other departments, activate the state Department of Homeland Security and Emergency Management and get help from the FBI and the US Department of Homeland Security.  It also allowed them to call for “Mutual Aid”, the process where neighboring jurisdictions – in this case neighboring states – provided assistance.

It worked and since then, other states have begun to do this.

When you have a disaster, even a cyber disaster, you need a lot of resources and an emergency declaration is one way to do it. Source: StateScoop.

 

Latest Breach – 885 Million Records

First American Financial, one of the largest title insurance companies, exposed 885 million records going back to 2003 due to a software design flaw.  The records include all kinds of sensitive records that are associated with real estate closings.  Source:  Krebs on Security.


Hidden Cameras in Your Vacation Rental or Hotel Room?!

After you are done gasping — it is not a far-fetched scenario, at least for vacation rentals.  There have been many stories of AirBnB rentals having surveillance cameras – even though their agreement requires that they be disclosed if present.

When it comes to hotels, it is much more likely that those cameras were placed there by pervs rather than by the hotel staff.  Remember the Erin Andrews nude video story?  (See story here if you don’t remember it.  Note:  this is suitable for work – there are no pictures, just the story).

On the other hand, if you are in a foreign country, hotel video cams are more common, especially if you are an American executive, work for a tech company or have a security clearance.  If you do travel internationally and need a defensive security briefing, contact us.

First thing I need to do is provide a warning.  For international travelers, even detecting surveillance cameras, never mind disabling them, can be hazardous to your safety, literally, depending on the country.

This advice comes from a guy, nicknamed Monk, who does counter-surveillance for members of the U.S. military’s Special Operations Command among many others, so I take his advice at face value.

There are three primary methods for checking for hidden surveillance devices.  Remember some of these cameras are maybe a quarter inch across, so they are not easy to see.  They can be hidden in almost anything, including light fixtures, bedside radios, smoke detectors and other places.

The three methods are scanning for transmissions, detecting the lenses and physical search.  Many devices that will help can be purchased online for less than $100, but remember this is an art, not an exact science.

Scanners only work, of course, when the device is transmitting.  This MAY not be a big problem because the smaller devices likely don’t have a lot of storage, so they have to transmit often.

Lens detection works quite well, but there is a technique to develop.  And, it requires a lot of patience. Physical detection works quite well also, but you have to have an idea of what a bug might look like and you have to be willing to disassemble stuff like your bedside radio or the smoke alarm.

I have a sample video of foreign intelligence officials “reviewing” a hotel room when the occupant was gone, so that is definitely real.

As I said, this is not an exact science, but a mixture of all three is probably going to serve you best.

First thought – where are they going to hide a camera?  Kind of depends what they want.  If they want compromising video, it needs a clear line to the bed.  If they want your userid and password, it needs a clear line to your desk.  Remember, top down is fine, so the ceiling is a good candidate.

Alarm clocks, outlets, surge protectors and lamps are all good locations because they have a built-in source of power that won’t raise any suspicions.

This is not meant to be a complete how to article.  That would require way more ink.  Mostly, it will (probably scare you) warn you of the risk.

Hiding cameras in air vents and returns provides good cover because the cameras, electronics, power and storage can be bigger but still hidden.

The article suggests that you ask for a room change, but if you are being targeted, they will just put you in another room with built in surveillance.  Instead, block the suspected camera.  Turn the lamp camera to face the wall.  If it gets turned back the next time the room is serviced, you were probably right.  Point the alarm away from the bed, etc.

While this story may scare the bejibbers out of you, remember that most of the time, the surveillance is there to record damage to the owner’s property, although Erin Andrews’ surveillor had different ideas.  This is also the case if you are a higher risk business person.  AND do not fall for the “who would want to steal stuff from me” ruse.  Higher value business person is a relative term.

Just in case you think I am paranoid (well, that is valid, I am), here is a link to an article by entertainer Kim Komando who hosts a weekly show on tech.  It is real.  What we don’t know is how prevalent it is.  No idea.

Information for this post comes from USA Today.


Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone”.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of the industry that makes money by selling your data.  Source: The Hill.

 

Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information was located by a low level person at the CIA.  See the first screen shot below.

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below.

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.

 

Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.

 

Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.


Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers that had compromised a law firm and its customer Hiscox insurance – or said differently Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox’s story was “it wasn’t us” meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox; if they gave it to someone else, that is Hiscox’s problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about vendor cyber risk management (VCRM).  Between Hiscox’s clients and Hiscox and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn’t really solve the problem.  

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language. 

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for BK and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
    And they are drunk

BE PREPARED!

Information for this post came from Motherboard.