Category Archives: Safety

5G Security Is a Mess and Banning Huawei WILL NOT Help

The President is right that cellular security is a problem, but not for the reason that he thinks – although that is a problem too.

Researchers at Ruhr-Universität Bochum have discovered a way to compromise 4G cellular security – the cell service that almost all of us use now.

It allows them to impersonate the phone’s owner and book fee based services that get charged to the owner’s phone bill.

It also could impact law enforcement investigations because it would also allow a hacker to access websites using the victim’s identity. In fact do anything the real owner can do.

If the attacker wanted to blackmail someone, they could upload sensitive or compromising information and then lead the cops to that info. The cops would believe the owner did it. Hackers could threaten to do that in order to blackmail someone.

The vulnerability affects all LTE devices – Apple, Android, Windows – even Cellular IoT devices.

And the only way to fix it is by changing the hardware – at both the user end and the cell company end. Any bets on that getting fixed? I didn’t think so.

The team is trying to figure a fix for the next generation (5G). They say that it is possible.

But it is going to cost the cell carriers money.

The additional security requires the phones to transmit more bits, costing the carriers overhead.

And all 5G phones would have to be replaced (DO NOT buy one if you have not already done so).

And the base stations would have to be expanded.

Other than that, it is a piece of cake.

The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping. However, it is possible to modify the exchanged data packets.

For more info see Help Net Security and CSO Magazine.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines), CISA says that there was a loss of revenue to the company. The article provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customer’s Ring video cameras where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other competitors turned on two factor authentication years ago, Amazon didn’t, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions and now, the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up n the 20th anniversary of 9-11 and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID compliant IDs in the last 19 years, is this really a critical problem? Better off to have a Real ID compliant ID card and not have to argue the point. Source: MSN

Sex Works

One more time Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women such as this one.

View image on Twitter

Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last Week, IBM cancelled their attendance and booth at RSA in San Francisco. This week their cancellations were joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

Facebooktwitterredditlinkedinmailby feather

Swatting is on the Rise

Swatting, the very illegal and sometimes deadly practice of making a prank call to 911 in attempt to get SWAT police to storm a building is apparently on the rise.  The premise is often that someone is holding a hostage or threatening to murder someone which puts the cops in a no win situation.  If they don’t treat it seriously and someone is being threatened they get in trouble.  If they do treat it seriously and it is a fake, the police can do a lot of damage and, in some cases, kill people.  That happened recently when the victim, who it turns out was not even the person who was supposed to be SWATted came out of his house when the police arrived and the police shot and killed him.  The guy who did it was caught and prosecuted and is serving 20 years at least.

One of the challenges is that the police in almost every city in the country are NOT trained to figure out which 911 calls are real and which ones are hoaxes.  In the case of the Kansas man above who was killed, the caller was smart enough to evade the 911 call recording and tracking mechanisms by calling the non-emergency police number.

According to the NY Times, this is a problem on both coasts with police being called to multiple executives homes over the last few months.

Corporate security at some tech companies are working on dealing with the threat, but we should remember that the police in Kansas went to the “wrong” house (it was the house they were told to go to, but it was not the house the SWATter wanted them to go to).

Seattle is the only city in the country where the police have created a high risk register where executives can register their family members so the cops can attempt to reach someone to try and figure out if it is a hoax or not.

We don’t really know how frequent this is happening because unless things go horribly wrong, the police try and keep things quiet.  In addition, the victims also don’t talk about it because that would only bring attention to them.

Information for this post came from CNet.

Recent SWATting events include one in Victorville that ended well when the cops figured out it was a fake and another one in Washington that targeted the author of a book.

SWATting has been around for years;  the FBI even put out an alert in 2013, but the frequency has been increasing enough that it is a threat to public safety.

 

 Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that the problem of orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where  your data is stored.  Source: UK Computing

 

Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack.  Backups are no longer sufficient. Source: Bleeping Computer

 

The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR and  the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised  in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and that Travelex was said to be negotiating with them).   When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down. Trtavelex is still saying that they have not seen evidence that customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet

 

Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source:  SC MagazineFacebooktwitterredditlinkedinmailby feather

Are Smart Cars Safe Cars?

Here is the punch line.

Automotive cybersecurity incidents doubled in 2018 and are up 605% since 2016.  That doesn’t seem that safe to me.

Here are some statistics from Upstreams 2019 automotive cybersecurity report:

  • 330 million vehicles are already connection and top brands in the US say that they will only sell connected vehicles this year.  If true, one attack vector might be to design a hack to disable all smart vehicles in a specific area.
  • Smart vehicles will benefit from 5G cellular, if and when it becomes widely available in the US because 4G speeds in the US tend to be very variable and often horribly slow.
  • Since 2016, the number of annual incidents has increased by 605%
  • Incidents more than doubled in 2019 compared to 2018.
  • 57% of incidents were criminal in nature – disruption, theft and ransoms.  The rest were researchers trying to stay ahead of the bad guys.
  • The three most common attacks are keyless entry, backend systems and mobile apps.  Remember, if you choose not to install your car maker’s mobile app and register your vehicle, you are leaving your car open to attack if a bad actor registers your car instead.
  • One third of all incidents resulted in the theft of a vehicle or a break-in.
  • One third of the attacks included taking over some of the car’s function.
  • 82% of the attacks in 2019 did not require physical access to the car.

Car makers understand these security issues and are working to improve their security, but the basis of all smart cars is software and we know that software always works perfectly.

Users like the features, so they will continue to ask for them but they might also want to ask their insurance agent if their insurance covers these new types of attacks.

Also recommended is to talk to your legislator to make sure that laws take into consideration that the risks of smart cars.  For example, if you are in an accident and you say that you lost the ability to control your vehicle as we saw on 60 Minutes a couple of years ago, will the police believe you?  Or hold you responsible?  What if someone else is hurt as a result of that?  In today’s level of sophistication, it is going to be hard to prove that it wasn’t your fault.

Source: HelpNet Security

 Facebooktwitterredditlinkedinmailby feather

What Do You Think About a National ID Number?

No, I am not kidding.  Currently, your Social Security Number is effectively a national identifier. Except when it is not allowed to be used.

In many healthcare situations, they use first and last name plus birth date.  Apparently, however, that is more than a bit error prone.  This has led to treatment errors and medication errors.

When HIPAA was enacted, it mandated the creation of a Universal Patient Identifier (UPI).  That has been stymied by a ban that has been put into the annual funding bills every year that bans the government from spending any money to do this.

So, instead, we use the Social Security Number as a de facto universal identifier.

Rep. Ron Paul initially and now Sen. Rand Paul have said that a national identifier is a threat to personal privacy.  In a sense that is hard to argue with.  On the other hand, Using the Social Security Number as a universal identifier for healthcare not only compromises medical information when there is a breach, but also a person’s financial information.

Some people say that stricter penalties for breaches, identity theft and other related crimes would reduce the abuse, but I am skeptical.  After all, the war on drugs, which tried exactly that, is certainly stopping drug sales and use.

This year the House removed the ban from the funding bill but the Senate left it in.

Some places are using biometrics to help identify patients, but the use of biometrics represents a whole other raft of problems.

There is not a simple solution, but continuing to use your Social Security Number as a universal identifier is NOT the answer.

For more details, see the article in Health IT Security.

 Facebooktwitterredditlinkedinmailby feather