Category Archives: Safety

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google and others ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com

Facebooktwitterredditlinkedinmailby feather

From Unsecure to Less Unsecure

Text messages, as many people know are not very secure.  If you are asking where we are meeting for lunch, you probably don’t care.  But many banks use text messages (technically known as SMS or Short Message Service) as a second factor to enhance login security.  While it does help some, it would be  a lot better if SMS messages were secure.

Add to that the limited character length allowed in SMS (only a bit longer than the original Twitter at 162 characters, but that is sometimes masked by phone makers text messaging applications), the fact that photos sent by SMS have to be compressed down to be barely identifiable and the fact that it can be hijacked, we have been needing a replacement.

Enter RCS or Rich Communications Services.  RCS eliminates a lot of these shortcomings.  Supposedly the big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for 10 years.

But the way the carriers are implementing it is not very secure as researchers are starting to point out.

While you can pick a different text messaging app like iMessage, Whatsapp or Signal, for example, for talking to your friends and have enhanced privacy with them, you don’t have any control over which text messaging service your bank uses, leaving you more vulnerable than alternative solutions such as Google Authenticator or Authy, generically known as Time based One Time Passwords or TOTP.

So what are the carriers doing wrong?

SRSLabs researchers are going to talk about the holes that they have found at Black Hat Europe in December.  Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.

The issue SRSLabs seems to have a problem with is the way the standard for RCS is being implemented, rather than the standard itself.  This is actually good news because it means that a software patch can improve security and it doesn’t require changes to the standard.  Even with these fixes, RCS is **NOT** encrypted end to end like iMessage or Whatsapp.

One issue is security around how RCS configuration files, which contain the userid and password for your text messages are secured.  In that case, there is no security, meaning any app can request the configuration and have access to your text messages.

Another one sends a six digit code to identify you are who you say you are but lets you have unlimited guesses.  To try all the possible numbers takes about five minutes.

The carriers, of course, are completely defensive, but I suspect after Black Hat makes their sloppiness public, many of the carriers will clean up their acts.

Which is good for users.

Bottom line though, if you want more private text messages, use something like iMessage or Signal – RCS is not going to solve that problem.  Even if the carriers fix their implementation bugs in RCS, it will just be less unsecure.  Source:  Vice

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT  program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  The join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customer’s servers) and they are investigating.

This just is one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so lets hope they are able to fix it.  Source: Reuters

Facebooktwitterredditlinkedinmailby feather

Advertisers Still Want to Know Who You Are, What You Are Doing

As more users install ad blocking software and browsers such as Firefox and Safari start blocking some ad trackers by default, advertisers decided to come up with a new solution to track everything you do.

This new technique is a bit technical, but I will try to keep it high level.

Typically, the company tracking you is a separate company from the company who’s website you are visiting because not only do people want to know what you are doing on their website, but also what you are doing on every other website in the world.  This logic is what created the third party ad tracking business.

But browsers can tell, if you are visiting ABC.COM, if that web page makes a request for some data from XYZ.COM – a third party.

Those requests come in many forms.  It could directly load data from or save data to that third party.

Or it could save a “cookie” from that third party with information associated with the site you are visiting so the ad tracking company can track you everywhere.

As people have become smart to this and taken anti-tracking measures, advertisers tried Adobe Flash cookies.  That didn’t work well because many people (like me) think Flash is insecure and even Adobe is killing it in December 2020.

So the ad trackers came up with a new idea.

If ABC.COM wants to track you, the ad tracking company asks ABC to create a new subdomain, say trackyou.abc.com and point that subdomain to the tracking service.  Since the core part of trackyou.abc.com is still abc.com, it doesn’t look to the browser like there are any third parties.  But since the tracking company runs trackyou.abc.com, they can collect whatever data they want.

It turns out that it is possible, with some work, to block this if you use Firefox, but not with any other browser.  Most browser makers are in the business of selling your data, so they are a bit conflicted.

In fact, a Google search provides lots of articles on how to do this yourself.

Advertisers are just trying to make a buck, not do you in (mostly).   Source:  The Register

 

Facebooktwitterredditlinkedinmailby feather

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds.  It appears that was facilitated by the city’s choice to not spend money on IT and IT security.  Now they are planning on spending about $18 million to fix the mess.  Atlanta can afford that, smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site – what if instead, the city owned water delivery system stopped working because the control system was hacked and the water was contaminated?  Or, what if, all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a form asking about their security and then checking the box that says its secure does not cut it.  Not testing software, both before the city buys it and periodically after they buy it to test for security bugs doesn’t work either.  We are already seeing that problem with city web sites that collect credit cards being hacked costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care because cities are not requiring vendors to warranty that their systems are secure or provide service level agreements for downtime.  I promise if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million dollars to deal with it, then the vendor gets to pay for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states governments have some level of immunity, but that immunity isn’t complete and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not due appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.   Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security

Facebooktwitterredditlinkedinmailby feather

Coworking and Shared Work Spaces Are A Security and Privacy Nightmare

Coworking and shared office spaces are the new normal.  WeWork, one of the coworking space brands, is now, apparently, the largest office space tenant in the United States.

Who are in these coworking spaces are startups and small branches (often 1 or 2 people) of larger companies, among others.

Most of these folks have a strong need for Internet access and these coworking spaces offer WiFi.  Probably good WiFi, but WiFi.  And WiFi is basically a party line, at least for now.

Look for WiFi 6 with WPA 3 over the next couple of years – assuming the place that you are getting your WiFi from upgrades all of their hardware and software.  And YOU do also.

A couple of years ago a guy moved into a WeWork office in Manhattan and was concerned about security given his business, so he did a scan.  What did he find but hundreds of unprotected devices and many sensitive documents.

When he asked WeWork if they knew about it, the answer was yes.

Four years later, nothing has changed.

Fundamentally, it is a matter of money.  And convenience.

But, if you are concerned about security, you need to think about whether you are OK with living in a bit of a glass house.

For WeWork in particular, this comes at a bad time because they are trying to do  – off and on  – an initial public offering and the bad press from publications like Fast Company on this security and privacy issue don’t exactly inspire investor confidence.

Fundamentally, using the Internet at a WeWork office or one of their competitors is about as safe as using the WiFi at a coffee shop that is owned by the mob  and is in a bad part of town.  Except that you are running your business here.

In their defense, WeWork does offer some more secure options (although you might be able to do it yourself for less).  A VLAN costs an extra $95 a month plus a setup fee and a private office network costs $195 a month.  That might double the cost of a one person shared space (a dedicated desk costs between $275 and $600 a month, depending on the location).

And clearly they do not promote the fact that you are operating in a bit of a sewer if you do not choose one of the more expensive options.  The up sell here is not part of their business model.

For users of shared office spaces, like WeWork (but likely anywhere else too, so this is not a WeWork bug), they need to consider if they are dealing with anything private or whether they care whether their computer is open to hackers.  If not, proceed as usual.

If not, then you need to consider your options, make some choices and spend some money.  Sorry.  Source: CNet.

Facebooktwitterredditlinkedinmailby feather