Category Archives: Safety

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (named Winnti or APT41) to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies. The companies compromised include some of the largest companies in North America, Europe and Asia. These attacks go back to at least 2019 and they have stolen intellectual property, R&D, diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal; she got a court order and everything. But it was them she was spying on. The other problem she had was that dozens of other government officials, including the PM and Defense Minister, were also spied on, and it is not clear by whom. Their phones were declared spyware-free, but they were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, sometimes referred to by the more polite term child sexual abuse material (CSAM), is hard. End-to-end encryption makes that even harder. One current EU proposal would require companies to scan all communications, meaning that end-to-end encryption would be banned. It won’t technically be banned; it would just be impossible to allow it and comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would just encrypt the material before it is uploaded or use other methods. If we have learned one thing over the years, it is that bad guys adapt much more quickly than the law does. Of course, that material might stand out, but if they intentionally create a lot of chaff to hide what they are doing, it might not. A botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. The proposal also requires that providers read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado and this is not really a new scam, but the CBI says it is quickly ramping up. The scam is that a supposed out-of-state seller wants to sell a property, either with a house or vacant land, that currently doesn’t have a mortgage. The fraudster impersonates the owner looking for a buyer that wants a quick close. The whole transaction is being done remotely by mail with a fraudulent deed. Do your due diligence whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the number of days that hackers are lurking inside your systems continues to decrease. The time now stands at just 21 days. This is likely because hackers are worried about being detected before they can detonate their attack as companies and governments get more serious about fighting crime. That means you don’t have as much time to detect the bad actors. Are you prepared? Credit: Data Breach Today

Is Amazon’s Marketplace Doomed?

Courts can’t quite figure out how to treat Internet companies. Amazon is an interesting mix. It sells some products itself, it offers other products that are sold and fulfilled by third parties and it does a mix (products sold by third parties but fulfilled by Amazon).

I hope Amazon is hiring a lot of lawyers because they are going to need them.

In 2020 the California Court of Appeal said that Amazon was strictly liable for items sold by a third party but fulfilled by Amazon, in this case a battery that exploded. The court reasoned that it was too hard to reach the third-party seller to sue them. Then last year, the same court said that Amazon was liable for a hoverboard that caught fire, even though all they did was match the buyer and seller.

Now a California court says that Amazon is liable to put a Prop 65 warning on products that are sold by third parties. The court said that Amazon should review the tens of millions of products that they don’t sell directly, figure out which ones need a Prop 65 warning and change the seller’s listing if the seller didn’t have a warning.

Amazon might just put a warning on everything for everyone that says DUE TO A STUPID JUDGE, WE ARE REQUIRED TO TELL YOU THAT THIS MIGHT BE HAZARDOUS TO YOUR HEALTH, EVEN THOUGH WE DON’T KNOW WHETHER THAT IS TRUE AND DON’T EVEN HAVE ACCESS TO THE PRODUCT.

The problem is that they can’t hold the seller liable since many of these sellers are not in the U.S. or are mom and pop companies, so that won’t protect them.

Alternatively, they could get out of the marketplace business, but that is a goodly chunk of their business.

But here is the real rub. Does that mean that every company that sells stuff online is at the same risk? Logic says so. Other than that the judge might not like Amazon, they are no different from any other company that sells stuff online.

eBay – sure.

Craigslist – yup.

What about someone that has an ad on their site for a product and that should contain a warning – probably?

The courts are going to need to figure all this stuff out. Which is a problem for judges that have zero understanding of technology. Even those judges who have their assistants print out their emails for them.

Of course, in Amazon’s case, they have lots of money and lots of lawyers, so they might be able to tie this up in appeals for the next decade, but at some point, we have to figure this out.

Credit: Professor Eric Goldman

Security News for the Week Ending May 6, 2022

Tomorrow is the one-year anniversary of the Colonial Pipeline attack. The government has done more to improve cybersecurity in the last year than it had done in the last 10 years. But there is still a lot more to do.

Jury Finds Norton/Lifelock Infringed on Two Columbia University Patents

Even in the world of cybersecurity, patent infringement is a problem. A jury decided that Norton’s use of emulators to detect malicious behavior violated patents owned by Columbia. Norton says they will stop using the technology and appeal the verdict. Among the Norton products affected are Norton Security and Symantec Endpoint Protection. Since the infringement was deemed to be willful, the judge could triple the $185 million judgement. The suit goes back to 2013. Credit: Data Breach Today

Data Broker Stops Selling Location Data of Planned Parenthood Visitors One Day After Being Outed

Yesterday I read a piece that one of the security trade magazines bought data on visitors to all Planned Parenthood locations, including where they went after (home) and where they came from before (work). They paid $160. I think the company, SafeGraph, decided the incredibly negative PR wasn’t worth $160, so today they decided to stop selling it. That doesn’t mean other greedy data brokers will do the same; in the U.S. there is nothing illegal about it. Credit: Motherboard by Vice

Cryptocurrency Projects Are As Secure As a Screen Door

In just four days hackers stole over $100 million in cryptocurrency. Who pays for that? Fei Protocol lost $77 million, Saddle Finance $10 million, Deus Finance $13 million and Bored Apes $6 million. There is no government insurance for cryptocurrency owners. Credit: Metacurity

Ukrainians Figure Out How to Beat Russia – Shut Off its Booze

Ukraine’s army of hackers has figured out how to hit Russia where it hurts. Russia requires the booze industry to use a government-run portal called EGAIS. Hackers have kept it out of commission, so stores can’t “receive” alcohol, factories can’t accept tanks of alcohol, and distributors can’t ship or receive products. As a result, factories are reducing or stopping production. Interesting attack. Credit: Bleeping Computer

Spain Admits It Hacked Some of its Politicians’ Phones

After a week of public reporting that some Spanish politicians’ phones had been hacked using the Pegasus spyware, a leading Catalan separatist politician said that Spain’s top intelligence official admitted that her agency did, in fact, hack some opposing politicians’ phones. But, she said, it was all legal. Reports say that the court orders covered far fewer people than Citizen Lab found infected, so who hacked the rest of the phones? If you are high profile in any way you should assume your phone is not secure. Even secure messaging apps like Signal or iMessage would not be secure, since the phone itself is compromised. This follows the disclosure, earlier in the week, that Spain’s Prime Minister and Defense Minister’s phones were both infected with Pegasus spyware by someone. Pegasus is so stealthy that even the government’s cyber sleuths did not detect it until the facts were reported in the media. Credit: ABC News

Treasury Sanctions Cryptocurrency Mixer BLENDER

Mixers are apps that are designed to obfuscate cryptocurrency transactions, to make them harder to track. I am not sure that sanctioning one of the hundreds of these mixers will really help, but I guess it can’t hurt. Credit: The Register

Can Automakers Get Ahead of Cyber Crooks?

Cars have huge attack surfaces. And getting bigger every year.

One source says the average car has 30-50 computers and luxury cars have a hundred (personally, I think that is low). Add to that 60 to 100 sensors. Some cars have a hundred million lines of code in them.

How do you make that 100 percent secure? That is a pretty daunting task.

But then you have another complexity.

I own two cars that were built in 2006. They were probably designed a few years before that.

Do you think any car maker is going to patch cars that are 15 to 20 years old?

This week a researcher revealed that Honda, in some of its “older” cars, did not use encryption in its door unlock and remote start feature, so all a hacker had to do was be close enough to record the sequence and he or she could play it back at will. And yes, they used the same sequence every time for a car.

What was Honda’s response?

Those are old cars (they date back to 2015 and newer). We’re not going to fix it.

Who knows what it would even take to fix it. Nothing says that you can just load new software into those cars. There is probably hardware that would need to be replaced and new engineering.

Who is going to pay for that?

How do you even figure out who owns those cars now? There is no requirement to tell the manufacturer that you just bought a used car from someone.

Honda is not alone. Tesla had a similar problem last year. They had to download new software and then convince owners to buy new key fobs.

There was a 60 Minutes segment a couple of years ago where some researchers took over a Jeep, controlling the steering and brakes, while it was driving down the highway at 60 miles an hour – from miles away.

In another attack, researchers were able to disable the charging function of the Combined Charging System due to security flaws by disrupting the communications between the charger and the vehicle.

This is only going to get worse before it gets better. It is very hard to build truly secure systems.

How do we pay for that, and how do we retrofit hundreds of millions of old cars on the road?

One thing working in our favor –

Manufacturers are horrible about standardizing these things so even two cars from the same brand might have completely different innards. On the other hand, sometimes, two models from different brands – say Chevy and Cadillac – are actually the same car with different finishes. It is hard to tell what is different and what is the same, so hackers have to decide whether it is really worth the effort.

What works against us is that car makers buy a lot of stuff – think about how many car makers bought Takata airbags. Remember, the ones that were defective? So if you can sabotage the supply chain, well, that makes things easier.

So can automakers get ahead of the crooks? That is not at all clear. Credit: Threatpost and CEI

Cybersecurity News for the Week Ending March 25, 2022

FCC Publishes Notice of Inquiry on Digital Redlining

The recently passed jobs act gave the FCC two years to adopt rules that will “facilitate equal access to broadband internet access service.” Congress says that these rules should prevent “digital discrimination … based on income level, race, ethnicity, color, religion, or national origin”. The FCC is asking, publicly, an awful lot of questions. Stay tuned for what happens next. Comments are due by May 16th. Credit: Wiley Law

EU and US Sign New Data Transfer Deal

The EU and US signed a deal to replace Privacy Shield today, in Brussels. We have not seen the details of the deal, and Max Schrems, who killed the last two versions of the deal in court, says his group will review it in detail for compliance with EU law, so this is not over yet. Still, it is a good sign for US businesses who are looking for some certainty when it comes to data transfers. Credit: Security Week

Hackers Unlock and Remote Start Honda Civics for $300 in Parts

Nobody told Honda that sending security information from the fob to the car unencrypted, or sending the same information each and every time to unlock or start the car, is a problem. If you are worried about your Honda being stolen, the only thing you can do is, well, not much. The article says you can put your key fob in a Faraday bag, but the reality is that doesn’t help at all. Credit: The Register
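To show why the fixed-code fob described here (and in the May 6 automaker item) is replayable, and why a rolling counter is the usual fix, here is an added Python simulation; it is not Honda’s code or code from either article, and the message layout, HMAC-SHA256 tag and 16-press resync window are my own assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed example. Fixed-code mode models the article: the fob sends the
# same bytes every press, so a recording replays. Rolling-code mode signs a
# counter with an HMAC, and the car only accepts a counter ahead of the last
# one it saw (within WINDOW), so a captured message is single-use.

WINDOW = 16  # assumed: how far ahead of the car a fob may drift before resync

class Fob:
    def __init__(self, key: bytes, rolling: bool):
        self.key, self.rolling, self.counter = key, rolling, 0

    def press_unlock(self) -> bytes:
        if not self.rolling:
            return b"UNLOCK"            # identical on every press
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, b"UNLOCK" + ctr, hashlib.sha256).digest()
        return b"UNLOCK" + ctr + tag

class Car:
    def __init__(self, key: bytes, rolling: bool):
        self.key, self.rolling, self.last_counter = key, rolling, 0

    def receive(self, msg: bytes) -> bool:
        if not self.rolling:
            return msg == b"UNLOCK"       # any recording is accepted
        if len(msg) != 6 + 4 + 32 or msg[:6] != b"UNLOCK":
            return False
        ctr = int.from_bytes(msg[6:10], "big")
        expected = hmac.new(self.key, msg[:10], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg[10:]):
            return False                  # forged or corrupted tag
        if not (self.last_counter < ctr <= self.last_counter + WINDOW):
            return False                  # replayed or out-of-sync counter
        self.last_counter = ctr
        return True

def replay_succeeds(rolling: bool) -> bool:
    """Record one legitimate unlock, then send it again; True if accepted."""
    key = secrets.token_bytes(16)
    fob, car = Fob(key, rolling), Car(key, rolling)
    captured = fob.press_unlock()
    assert car.receive(captured)         # the real press always works
    return car.receive(captured)         # the replayed recording
```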

Google Trains Employees to CC: Attorneys to Claim Privilege

In the face of the massive antitrust lawsuit between the feds, 14 attorneys general and Google, the government is asking the judge to sanction Google for arbitrarily CC:ing lawyers on sketchy emails and asking for an opinion. Google’s attorneys understand this is a scam and don’t respond. Google even trains its employees to do this. We shall see what the judge decides. Credit: Ars Technica

Cybersecurity News for the Week Ending March 18, 2022

Incident and Ransomware Reporting Requirement in Just Passed Spending Bill

President Biden signed a bill that requires critical infrastructure operators to report significant cyber incidents to CISA within 72 hours after they reasonably believe an incident has occurred and within 24 hours of making a ransomware payment. The ransomware reporting requirement applies even if it is not connected to a covered incident. Critical infrastructure and federal agencies that do not report on time may be subpoenaed. Failure to comply with the subpoena risks contempt of court. Credit: CSO Online and The Record

Germany Warns Against Using Kaspersky Products

Germany’s Office of Information Security is warning users to find alternatives as the antivirus company could be required to spy for Mother Russia. Kaspersky says, of course, that won’t happen. And I believe in the Easter Bunny too. The U.S. government banned Kaspersky’s software in government offices in 2017, but there are plenty of companies that still use it. I agree with Germany. Credit: SC Magazine

Deep Fake Videos Enter Ukraine Invasion

No doubt you have heard about deep fake videos where a video seems to be of someone, usually famous, saying something or doing something that they never did. Often these videos are pornographic in nature, but a new video is part of the Russian invasion of Ukraine. The video is of Ukraine’s President Zelenskyy saying that he was surrendering to Russia. He never said that and he did not surrender. Even so, a lot of people saw the video because the hackers hacked a Ukrainian TV channel and broadcast it. The new world of war. Credit: Metacurity

Hacking is a Business

Just like other modern businesses, the hacking business is optimizing its processes. Google’s Threat Analysis Group exposed a new Initial Access Broker, related to Russian hacking gangs, whom they are calling Exotic Lily. All these folks do is figure out how to break into your organization. They don’t steal anything or do any damage. They do, however, sell that access to the highest bidder and those folks do the crime. Credit: The Hacker News

Russia Jamming GPS and Satellites, Imperiling Airplanes, etc.

The EU Aviation Safety Agency and CISA say someone is jamming satellite navigation systems in eastern Europe, including parts of Finland, Cyprus, Turkey, Lebanon and Israel, among others. Depending on the situation, a plane that is using the satellite for navigation might go in the wrong direction or fly into a war zone. Planes trying to land could crash into the ground or be forced to land at a different airport. Aviation authorities are telling pilots to make sure that backup navigation tools are working. Credit: Threatpost