Category Archives: Safety

Most Mobile Finance Apps Are Vulnerable to Breaches

Mobile finance apps are very popular, but are they safe?

A report by security company Intertrust says that 88% of the apps tested failed at least one of its cryptographic tests, meaning that the cryptography is weak enough, or used carelessly enough, that an attacker may be able to break it, with loss of privacy and possibly loss of your money as the result.

Some of the other findings from this report are:

  • One or more security flaws were found in every app tested
  • 84% of Android apps and 70% of iOS apps have at least one critical or high severity vulnerability
  • 81% of finance apps leak data
  • 49% of payment apps are vulnerable to encryption key extraction
  • Banking apps contain more vulnerabilities than any other type of finance app
  • Nearly three-quarters of high severity threats could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography
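The key-extraction finding above has a common root cause: key material baked into the shipped binary. The quickest check a tester runs on a downloaded app package is to pull the printable strings out of it and look for high-entropy hex or base64 blobs. The script below is an added example written for this page; it is not from the Intertrust report or from any app it tested. The sample "binary" is constructed, and the minimum length and entropy threshold are assumptions to tune per target.

```python
import math
import re

# Constructed sample "binary": printable strings such as `strings` would pull out
# of an app package. None of this comes from any real app.
SAMPLE_BINARY = (
    b"\x00\x01com.example.wallet\x00"
    b"Login failed, please try again\x00"
    b"AES/CBC/PKCS5Padding\x00"
    b"3f7a9c1e5b2d8e4f6a0c9b7d1e3f5a8c\x00"            # 32 hex chars: 128-bit key shape
    b"QmFzZTY0S2V5TWF0ZXJpYWwxMjM0NTY3ODkwYWJjZA==\x00"  # base64 blob
    b"https://api.example.com/v1/transfer\x00"
    b"\xff\xfe"
)

MIN_LEN = 20              # assumption: shorter strings are rarely key material
ENTROPY_THRESHOLD = 3.5   # assumption: bits per character; tune per target

HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")            # 128-bit keys and longer
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")    # 16+ raw bytes, base64 encoded


def shannon_entropy(s):
    """Bits per character of the string; 4.0 is the ceiling for hex, 6.0 for base64."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob, min_len=MIN_LEN):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(s):
    if HEX_RE.match(s):
        return "hex"
    if B64_RE.match(s):
        return "base64"
    return None


def find_key_candidates(blob):
    """Strings shaped like encoded key material whose entropy says they are not text."""
    hits = []
    for s in extract_strings(blob):
        kind = classify(s)
        if kind is None:
            continue
        e = shannon_entropy(s)
        if e >= ENTROPY_THRESHOLD:
            hits.append({"string": s, "kind": kind, "entropy": round(e, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_key_candidates(SAMPLE_BINARY):
        print("%-6s entropy=%.2f  %s" % (hit["kind"], hit["entropy"], hit["string"]))
```

A hit is a lead, not proof: a hex string may be a hash or a resource ID, so the next step is to find where the app reads it and whether it is fed to a cipher. Conversely, a key that is obfuscated or split across several constants will not show up here, which is exactly why the report recommends obfuscation and white-box cryptography as mitigations.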

What this means is that you use all of those apps at your own risk. Note that the law has not kept up, so it is likely that you also use them at your own financial peril.

Apps provided by your financial institution, as long as it is a federally or state chartered bank, are PROBABLY covered under conventional banking laws, but other apps, from what are called FINTECH companies, are much riskier.

This doesn’t mean that the company won’t reimburse you, but you don’t have the law on your side.

If you tell your bank you were the victim of fraud, the law requires the bank, in most cases, to give you back your money first and then, if they choose to, investigate the problem.

When it comes to non-bank finance applications, there are no such laws.

Additionally, some banks have modified their terms of service to state that if you provide your online banking credentials to a third party app, they are no longer responsible for any fraud.

I am not saying don’t use fintech apps, but rather, understand the risk you are accepting, and if that is okay with you, then use the apps.

Credit: Helpnet Security

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in the Northern District of Georgia charges Vikas Singla, 45, with 18 separate counts of aiding and abetting a 2018 cyber attack against Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta-based Securolytics. It is not clear exactly what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is no big deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries are already capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time, and in light of the almost half dozen attacks on water, oil and supporting infrastructure in the last couple of months, it is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition into the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumers’ privacy. Informed consumers could make that choice themselves. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register

X-Rated Phishing is up 974% This Year

Attackers have figured out that x-rated phishing attacks are very successful. Up 974% means the number of attacks is now more than ten times what it was.

In part, it is designed to shock people.

If you open an email or visit a web site and x-rated content pops up, most people freak out. THAT IS EXACTLY WHAT THE HACKERS WANT YOU TO DO.

Why? Because freaked out people make mistakes and mistakes tend to help the hackers. There you are, you visited what you thought was a benign web page from a search engine and up pops something totally not suitable for work. What do you do? The first thing most people will do is start clicking on stuff to make it go away. Some people will freeze in panic.

THE WHOLE GOAL IS TO GET YOU TO MAKE IRRATIONAL DECISIONS.

Typically these attacks do all of the normal things that hackers do:

  • Download malware
  • Attempt to get you to enter credit card data
  • Track users to follow up with more attacks

I would add one to that list and that is to try and get you to enter credentials.

The hackers will also be able to collect any data that a normal web site can, and browser autofill makes that easier. IF YOU ALLOW YOUR BROWSER TO SAVE INFORMATION LIKE EMAIL ADDRESSES AND PHYSICAL ADDRESSES, a phishing page can ask for it, including through form fields the page has made hard to notice. Saved passwords are tied to the site they were saved for, so the browser will not offer one to a lookalike domain, BUT A PANICKED USER WHO TYPES THE PASSWORD IN BY HAND HANDS IT OVER JUST THE SAME.

Sorry, but SECURITY **OR** CONVENIENCE, pick just one.

Agari Cyber Intelligence ran a test. They seeded 8,000 fake accounts (credentials that worked and that they controlled, attached to mailboxes holding no real data) onto phishing sites just to see what would happen.

25% of the credentials were tested using automation instantly.

For this test (which may or may not represent the greater Internet), just three families of attacks represented 85% of the attempts. This could mean shared attacks, attacks as a service, that there are just a few attackers or that the sample is not representative.

92% of the accounts were manually breached. 20% were breached in just one hour. 91% were attacked within a week.

While many accounts were only accessed once (which could be due to the attackers not finding anything interesting), many were under persistent attack.

The attackers did things like creating forwarding rules, moved to other applications, attempted to use the accounts to launch other phishing attacks and even used that infrastructure to run other BEC attacks. Credit: Threatpost and KnowBe4
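The forwarding rules and BEC follow-on described above leave a trail in mailbox audit logs, which is where a defender looks once a credential is known to have been phished. The detection below is an added example written for this page, not Agari’s or anyone else’s tooling. The audit records are constructed and only loosely follow the shape of Exchange Online inbox-rule audit entries; the parameter names, the internal domain list and the "near-invisible" rule names are assumptions.

```python
# Constructed audit records, shaped loosely like Exchange Online unified audit log
# entries for inbox-rule and mailbox cmdlets. Assumption: not a real export; the
# parameter names used below are the ones these cmdlets are known to log.
SAMPLE_AUDIT = [
    {"CreationTime": "2021-06-14T08:02:11", "Operation": "New-InboxRule",
     "UserId": "a.jones@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive.mailbox@example-mail.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2021-06-14T09:15:40", "Operation": "New-InboxRule",
     "UserId": "b.smith@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2021-06-14T11:48:03", "Operation": "Set-InboxRule",
     "UserId": "c.lee@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "Escalations"},
                    {"Name": "RedirectTo", "Value": "helpdesk@example.com"}]},
    {"CreationTime": "2021-06-14T12:01:55", "Operation": "Set-Mailbox",
     "UserId": "d.kim@example.com", "ClientIP": "192.0.2.10",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:d.kim.backup@gmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]

INTERNAL_DOMAINS = {"example.com"}            # assumption: the organisation's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead")     # keep the owner from noticing
NEAR_INVISIBLE_NAMES = {".", ",", "..", "-", " "}  # rule names attackers favour


def params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def analyze(records):
    """One finding per rule or mailbox change that forwards mail out or hides it."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        p = params(r)
        targets = [p[k] for k in FORWARD_PARAMS if k in p]
        reasons = []
        external = [t for t in targets if is_external(t)]
        if external:
            reasons.append("external forwarding to " + ", ".join(external))
        if targets and any(p.get(k) == "True" for k in HIDE_PARAMS):
            reasons.append("forwarded mail hidden from the owner")
        if p.get("Name") in NEAR_INVISIBLE_NAMES:
            reasons.append("near-invisible rule name %r" % p["Name"])
        if reasons:
            findings.append({"user": r["UserId"], "time": r["CreationTime"],
                             "ip": r.get("ClientIP"), "reasons": reasons})
    return findings


def shared_source_ips(records):
    """Client IPs that changed rules in more than one mailbox: one operator, many victims."""
    by_ip = {}
    for r in records:
        if r.get("Operation") in RULE_OPS and r.get("ClientIP"):
            by_ip.setdefault(r["ClientIP"], set()).add(r["UserId"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
    for ip, users in shared_source_ips(SAMPLE_AUDIT).items():
        print("shared source", ip, sorted(users))
```

The internal redirect in the third record is not flagged on its own, but the same client IP also created the external forwarding rule in the first record, which is the pattern the Agari test describes: a few attacker families working many stolen accounts from the same infrastructure. Correlating on source IP turns two isolated mailbox events into one incident.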

Ransomware vs. Police Departments

As more police departments are being hit by ransomware attacks, there are several issues to consider. Unfortunately, there is not a simple fix to the problem.

First, if the hackers steal data as part of the ransomware attack and then sell or publish it, it could compromise investigations or expose witnesses to physical harm if statements they made in confidence to the police are exposed publicly. After all, the reason the police investigate people is they are suspected of doing bad things.

In addition, people who have been charged with crimes could claim that evidence has been compromised as a result of the hack. It is certainly possible that they could convince a judge that the evidence against them was contaminated and must be discarded.

We have seen cases where the evidence has been completely lost as a result of a cyberattack. Bodycam video, for example, or other digital evidence. If the police don’t pay off the hackers and don’t have sufficient backups or they do pay off the hackers and the hackers are unable to recover the data, that evidence may be lost. Or they recover the data and can’t prove that it has not been changed. These are all things that a good defense attorney will try to convince a judge or jury about.

In those cases, prosecutors may choose to drop the case altogether (because prosecutors keep score and they don’t like losses, aka acquittals. It seems like a petty game, but it is reality). We saw this recently in Stuart, Florida, where drug charges against six defendants were dropped after a ransomware attack.

It is certainly possible that forensic examiners can determine whether evidence has been tampered with, but can they convince a judge or jury? Science is one thing, but human beings don’t always follow the science. And that determination likely depends on integrity records and log files that may not exist.
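Whether evidence has been changed is a question that can be settled in advance rather than argued after the fact, if the agency keeps an integrity manifest of every evidence file at intake that an intruder cannot recompute. The example below is added for this page and is not anything the sources above describe; it uses HMAC-SHA256 under a key that would be kept offline (or replaced by a signature from an HSM), over constructed sample files. A plain hash list stored beside the files does not do the job, because whoever changed the file can recompute the hash.

```python
import hashlib
import hmac

# Constructed evidence set, file name -> contents, standing in for bodycam video
# and other digital evidence. None of this is real data.
EVIDENCE = {
    "bodycam/2021-05-02/unit17_1432.mp4": b"\x00\x00\x00\x18ftypmp42" + b"frame-data" * 50,
    "interviews/case-2021-0417/witness_a.txt": b"Statement given in confidence on 2 May 2021.\n",
    "photos/scene_001.jpg": b"\xff\xd8\xff\xe0" + b"jpeg-bytes" * 20,
}

# Assumption: in practice this key lives offline (or is replaced by a signing key
# in an HSM); it is only inline here so the example runs on its own.
KEY = b"constructed-demo-key-not-for-production"


def file_tag(key, name, data):
    """HMAC-SHA256 over name and contents, so one listed file cannot stand in for another."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(name.encode("utf-8") + b"\x00")
    h.update(data)
    return h.hexdigest()


def build_manifest(evidence, key):
    """Name -> tag for every file at intake time."""
    return {name: file_tag(key, name, data) for name, data in sorted(evidence.items())}


def verify(evidence, manifest, key):
    """Compare what is on disk now with what the manifest says was there at intake."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, tag in manifest.items():
        if name not in evidence:
            report["missing"].append(name)
        elif hmac.compare_digest(tag, file_tag(key, name, evidence[name])):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unlisted"] = sorted(set(evidence) - set(manifest))
    return report


def tampered_report():
    """Simulate what an intruder might leave behind and check it against the manifest."""
    manifest = build_manifest(EVIDENCE, KEY)
    after = dict(EVIDENCE)
    after["bodycam/2021-05-02/unit17_1432.mp4"] += b"\x00"    # one byte changed
    del after["interviews/case-2021-0417/witness_a.txt"]      # statement gone
    after["photos/scene_002.jpg"] = b"planted"                # file never logged at intake
    return verify(after, manifest, KEY)


if __name__ == "__main__":
    for status, names in tampered_report().items():
        print("%-9s %s" % (status, ", ".join(names) or "-"))
```

The manifest itself should be written to write-once media or a system outside the ransomware blast radius, with the key held separately; a copy the intruder can read but not forge is what gives a prosecutor something better than "we believe it was not changed".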

Victims and witnesses could become victimized again if their driver’s license, social security number, passport information, financial or medical information was sold on the dark web and used against them.

As we saw with the DC Metropolitan Police Department, the personal and disciplinary information of hundreds of police officers may be made public. That lets disgruntled people, and people who just want to sow fear, target police officers and their families.

During the days and weeks that information systems may be down due to a ransomware attack police cannot quickly retrieve information during traffic stops or during arrests, potentially causing the police to arrest the wrong person or let someone who is wanted go free.

If systems are down when a defendant is scheduled to go to trial, the police or district attorney may not be able to proceed with the case. It is possible that a judge will grant a continuance, but then again, maybe not.

This is more than an inconvenience; it is a public safety issue. And there is no easy fix. Credit: Data Breach Today

Security News for the Week Ending May 21, 2021

Teslas can be Hacked via a DRONE Without any Owner Interaction

Researchers have shown how they can hack a Tesla from a drone without the owner being aware that he or she is being attacked and, in particular, without the owner doing anything to enable the takeover of the car. The attack, called TBONE, was reported to Tesla under its bug bounty program. The attacker can open the doors (and therefore steal anything inside) and modify configuration items like driving mode and steering and acceleration modes, but the drone can’t (yet) drive the car. The drone has to be within roughly 300 feet of the car to execute the attack. Of course, the attacker could also be sitting in a parked car nearby; doing the attack from a drone is just cooler. Tesla issued a patch that stopped using the vulnerable component, but, apparently, many other car makers still use it. Credit: Security Week

FBI’s IC3 Logs 1 Million Complaints in 14 Months

The FBI’s Internet Crime Complaint Center (IC3) took SEVEN YEARS to register its first million complaints. The most recent million took only 14 months. Obviously, the IC3 is better known now, but this only counts people who go to the effort of filing a complaint. Complaints rose 70% between 2019 and 2020. This is not a great trend. Credit: Dark Reading

Let the Lawsuits Begin – Bitcoin Speculation is, Well, Speculative

Bitcoin is worth somewhere between $1 and $50,000, depending. Depending on what? Depending on the mood of social media. Right now one coin is down about $15,000 from a week ago. That is timed to Elon Musk joking about DogeCoin on television. The drop also coincides with Musk saying that Tesla would no longer accept cryptocurrency for cars; he said they were concerned about the energy consumed by Bitcoin mining. Assume lawsuits will follow, even though they don’t seem to have any merit. In the meantime, billions of dollars have been lost in speculation. Credit: Vice

Darkside Gets Taken to Hacker’s Court

For Not Paying Other Hackers

Darkside is the hacking group behind the Colonial Pipeline attack. After the attack, they were so toxic that they shut down, taking all their Bitcoins with them. The problem with that is that they ran a ‘hack as a service’ model, so they owe other hackers lots of money. Therefore, the crooks are turning to the court system. No, not that court system. The hackers’ own court system, which is just part of their business model. The good guys have been tracking this; they even have screen shots. To the hackers, it is just business. Credit: Threatpost

Attack on Florida Water Plant Was Not Its First

The Florida water treatment plant that was hacked earlier this year, where an intruder raised the level of a treatment chemical before an operator caught it, was not the first attempt on the plant. It turns out that a vendor that builds water treatment infrastructure hosted malicious code designed to target water treatment plants in general. It is not clear that the attacks were successful. It looks like the hackers who had compromised that vendor’s web site were only in the reconnaissance stage, collecting information about visitors, but in the window in which the malware was active, 1,000 people visited that web site. Clearly, the hackers are after the infrastructure. You could threaten to kill people or even destroy the plant. That would probably get them paid off. Credit: The Hacker News

IoT Vulnerabilities Unlimited

I don’t think it is just me. The number of alerts I have been getting over the last few weeks regarding vulnerabilities in very mainstream industrial control system components seems to be out of control.

Here are just a few:

  • April 20th – CISA releases 10 Industrial control system (ICS) advisories. This includes Hitachi/ABB, Rockwell, Delta Industrial, Eaton, Siemens and Mitsubishi. The vulnerabilities are all over the board from out of bounds reads and writes to SQL injections to improper privilege management and other issues.
  • April 15th – CISA releases 2 ICS advisories. These are for Schneider and EIP Stack Group. These vulnerabilities include bad privilege management, incorrect type conversion, stack overflow and other issues.
  • April 13th – CISA releases 12 ICS advisories. This advisory includes a dozen different Siemens products with a laundry list of vulnerabilities including integer overflows, improper authentication and authentication bypass, weak cryptography and other issues.
  • April 13th – This day was a doubleheader. This time 15 advisories, covering Schneider, Advantech, Jtekt, Siemens Nucleus and other products. The bugs include hard-coded encryption keys, out-of-bounds reads, bad random number generation and other bugs.

But this is just the last week or so. Here are some more this month:

That is just this month so far.

I also have at least 10 advisories from March.

What does that tell you?

Consider what these systems are used for. Some examples –

Electric power plants

Water treatment plants

Sewage plants

Oil refineries

Chemical plants

and a lot more.

Consider the impact of one (or more) of these industries getting hacked.

We are already seeing customers asking more security questions and I predict customers will only get more concerned.

If you are a buyer of industrial control equipment, you should up your vendor due diligence, assuming you have not already done that.

If you are a vendor of industrial control systems, you should anticipate getting more questions from your prospects and existing customers, if that has not already started.

And, if you are a manufacturer, assume the bad news will continue. CISA seems to be receiving new vulnerabilities every day.

The challenge for buyers is how we make these systems secure. Many are no longer supported and many more are so critical that you are scared to patch them, not to mention the downtime that patching probably entails.

Here is the bad news. Hackers do not care about your problem. If they can cause you pain, if they can cause you downtime, they can ransom you to make the pain go away. And that is what they want. MONEY!

So everyone in the food chain needs to understand that this is not the ICS world from just a few years ago and it will likely get worse before it gets better. Sorry to be the messenger.