Category Archives: Safety

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds.  It appears the attack was made easier by the city’s decision not to spend money on IT and IT security.  Now they are planning on spending about $18 million to fix the mess.  Atlanta can afford that; smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site – what if instead, the city owned water delivery system stopped working because the control system was hacked and the water was contaminated?  Or, what if, all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a questionnaire about their security and then checking the box that says it’s secure does not cut it.  Neither does skipping security testing of the software, both before the city buys it and periodically afterwards.  We are already seeing that problem with city web sites that collect credit cards being hacked, costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care, because cities are not requiring vendors to warrant that their systems are secure or to provide service level agreements for downtime.  I promise that if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million to deal with it, then the vendor pays for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states governments have some level of immunity, but that immunity isn’t complete and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not do appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.   Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security


Coworking and Shared Work Spaces Are A Security and Privacy Nightmare

Coworking and shared office spaces are the new normal.  WeWork, one of the coworking space brands, is now, apparently, the largest office space tenant in the United States.

Who is in these coworking spaces?  Startups and small branches (often one or two people) of larger companies, among others.

Most of these folks have a strong need for Internet access and these coworking spaces offer WiFi.  Probably good WiFi, but WiFi.  And WiFi, at least for now, is basically a party line: on a network where every tenant shares the same password, anyone who has that password and captures the handshake when you connect can read your traffic, and everyone is on the same local network as you.

Look for WiFi 6 with WPA3 over the next couple of years – assuming the place that you are getting your WiFi from upgrades all of their hardware and software.  And YOU do also.  Even then, WPA3 only stops other tenants from passively reading your traffic; it does nothing about the fact that you are on the same local network as every other tenant, which is exactly how the exposed devices described below were found.

A few years ago a guy moved into a WeWork office in Manhattan and, concerned about security given his business, scanned the network.  What did he find but hundreds of unprotected devices and many sensitive documents.

When he asked WeWork if they knew about it, the answer was yes.

Four years later, nothing has changed.

Fundamentally, it is a matter of money.  And convenience.

But, if you are concerned about security, you need to think about whether you are OK with living in a bit of a glass house.

For WeWork in particular, this comes at a bad time because they are trying to do  – off and on  – an initial public offering and the bad press from publications like Fast Company on this security and privacy issue don’t exactly inspire investor confidence.

Fundamentally, using the Internet at a WeWork office or one of their competitors is about as safe as using the WiFi at a coffee shop that is owned by the mob and is in a bad part of town.  Except that you are running your business here.

In their defense, WeWork does offer some more secure options (although you might be able to do it yourself for less).  A VLAN costs an extra $95 a month plus a setup fee and a private office network costs $195 a month.  That might double the cost of a one person shared space (a dedicated desk costs between $275 and $600 a month, depending on the location).

And clearly they do not promote the fact that you are operating in a bit of a sewer if you do not choose one of the more expensive options.  The upsell here is not part of their business model.

For users of shared office spaces, like WeWork (but likely anywhere else too, so this is not a WeWork bug), they need to consider whether they are dealing with anything private and whether they care whether their computer is open to hackers.  If not, proceed as usual.

If so, then you need to consider your options, make some choices and spend some money.  Sorry.

Source: CNet.
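One of the do-it-yourself options, as an added example that is not from the original post or from WeWork: before a Windows laptop joins a shared coworking network, list what it exposes to the other tenants and tell Windows to treat the network as untrusted. The interface alias “Wi-Fi” and the list of “usual suspect” ports are assumptions for the example; use Get-NetAdapter to find your own alias.

```powershell
# Added example (not from the original post or from WeWork): audit what a
# Windows laptop exposes on a shared LAN, then lock the network profile down.
# Run from an elevated PowerShell prompt. 'Wi-Fi' is an assumed interface
# alias; check yours with Get-NetAdapter.

# Ports that commonly turn up open on laptops and are worth a second look.
# (Assumed list for the example, not an exhaustive one.)
$risky = @{
    22   = 'SSH'
    139  = 'NetBIOS session'
    445  = 'SMB file sharing'
    3389 = 'Remote Desktop'
    5900 = 'VNC'
    5985 = 'WinRM'
    8080 = 'development web server'
}

# 1. A listener bound to a wildcard address (0.0.0.0 or ::) is reachable by
#    anyone on the same LAN unless the firewall blocks it. Map each one to
#    the owning process so you know what to shut off.
function Get-ExposedListener {
    param([object[]]$Connections = (Get-NetTCPConnection -State Listen))
    $Connections |
        Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
        ForEach-Object {
            $port = [int]$_.LocalPort
            [pscustomobject]@{
                Port    = $port
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                Note    = if ($risky.ContainsKey($port)) { $risky[$port] } else { '' }
            }
        }
}
Get-ExposedListener | Sort-Object Port | Format-Table -AutoSize

# 2. Mark the coworking network as Public. Windows then applies the Public
#    firewall profile, which blocks inbound file/printer sharing and network
#    discovery by default.
Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public

# 3. Make sure the Public profile is on and drops unsolicited inbound traffic.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 4. Belt and braces: disable the sharing and discovery rule groups while you
#    are on the shared network (re-enable them with -Enabled True at home).
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled False

# Confirm the profile change took.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

The first half is the part people skip: the firewall only helps with services you did not mean to expose, and a development server or a file share you deliberately started is just as reachable by the tenant two desks over as it is by you.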


Windows 10 Offers New Anti-Ransomware Feature

Back in May Microsoft released Windows 10 version 1903 (build 18362), AKA the May 2019 Update.  Suffice it to say, Microsoft has had more than its share of problems with 1903, so if you are not there yet, I would not install it.  It is quite embarrassing for Microsoft that more than 90 days after the release, it is still not ready for prime time.

However, once they get things figured out, there is a feature in 1903 that seems very cool, and that is an anti-ransomware feature.  (Strictly speaking, the Controlled Folder Access piece described below first shipped in version 1709 and is present on any supported Windows 10 today, so you do not have to take the 1903 plunge to use it.)

Given how pervasive ransomware has become, anything that you can do to reduce the attack surface seems like a good idea.

One feature that I am not going to talk about today is Windows Sandbox, a lightweight virtual machine that you can use to run untrusted software.  More on that another day.  (FYI, none of my machines have updated themselves to 1903.  I threw caution to the wind and forced an update on one machine.  Fingers crossed.)

In the meantime, I am going to talk about Ransomware Protection.

This feature comes in two parts and, FYI, as is usually the case with new features, this feature comes DISABLED by default.

Part one is called CONTROLLED FOLDER ACCESS.  If Controlled Folder Access is turned on, programs that Windows does not already trust are blocked from changing files in the protected folders (your Documents, Pictures, Videos, Music, Desktop and Favorites folders by default, plus any folders you add) unless you specifically allow the program.  This means that if some ransomware tries to encrypt, say, your Documents folder, it will be stopped cold.  The caveat is that it protects folders, not the machine: a program you have allowed through can still be abused, and files outside the protected folders are fair game.

Part two is called RANSOMWARE DATA RECOVERY.  This backs up your files to OneDrive so that you can recover an older version from Microsoft’s cloud.  It only covers files that are actually synced to OneDrive, so it is a convenience, not a substitute for a backup that ransomware cannot reach.

To turn on Ransomware Protection, click on START and then type WINDOWS SECURITY in the search box.

[Screenshot: Windows Security app]

Then click on VIRUS & THREAT PROTECTION.

[Screenshot: Virus & threat protection page]

Scroll down to RANSOMWARE PROTECTION.

[Screenshot: Ransomware protection section]

And click on MANAGE RANSOMWARE PROTECTION.

[Screenshot: Ransomware protection settings]

Turn on Controlled Folder Access and also sign in to OneDrive.

[Screenshot: Ransomware protection enabled]

You can now configure Controlled Folder Access.  PROTECTED FOLDERS is where you add folders beyond the defaults, and ALLOW AN APP THROUGH CONTROLLED FOLDER ACCESS is where you add legitimate programs that get blocked.  Expect a few false positives at first: when a program you trust is blocked you will get a notification, and BLOCK HISTORY shows what was stopped so you can allow it.

Given this is somewhat complicated, you may want to ask your IT person to help you with this.
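For the IT person, or anyone comfortable with PowerShell, here is the same setup scripted with the Defender cmdlets that ship with Windows 10, plus the two checks you want afterwards. This is an added example, not code from the original post or from Microsoft’s documentation; the folder and program paths are placeholders to substitute with your own, and the OneDrive half still needs an interactive sign-in.

```powershell
# Added example (not from the original post or from Microsoft): configure
# Controlled Folder Access from an elevated PowerShell prompt and check that
# it is working. All paths below are placeholders; replace them with yours.

# 1. Turn Controlled Folder Access on in AuditMode first. Audit mode logs
#    what WOULD have been blocked without blocking it, which is the safe way
#    to start on a machine with unusual software. Switch to 'Enabled' once
#    the allow list is right.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Documents, Pictures, Videos, Music, Desktop and Favorites are protected
#    by default. Add anything else you cannot afford to lose.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects', 'C:\Users\Public\Scans'

# 3. Programs Microsoft already trusts are allowed automatically. Anything
#    else that legitimately writes to a protected folder (a niche backup tool,
#    a build script's interpreter) must be allowed explicitly, by full path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# 4. Confirm the configuration took. EnableControlledFolderAccess reports
#    0 = Disabled, 1 = Enabled, 2 = AuditMode.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. See what was blocked (event 1123) or would have been (event 1124) in the
#    last 7 days. A pile of 1124 entries from one program means it belongs on
#    the allow list before you switch from AuditMode to Enabled.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Flip to blocking mode when you are satisfied with the allow list:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Starting in AuditMode is the part the GUI does not offer: the switch in Windows Security is on or off, and turning it on cold tends to break a backup agent or a developer’s tooling on the first day, which is how these features end up switched back off.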

In the end, however, this seems like a great feature.

Source: Bleeping Computer.


Wireless Home Security – Good Theater, Bad Security

Alarm companies like wireless alarm sensors because they cost less to install and are prettier since there are no wires.  They are also markedly less secure.

It is useful to understand that your neighborhood junkie might not be able to pull off the attack, but any serious burglar would not have a problem.

In this particular case, a lawyer who has an interest in security was able to buy a signal jammer for $2 that disabled the SimpliSafe alarm system in his house.

While the alarm company disputed his claim with statements like “this is not practical in real life”, the lawyer stands by his claim.

To me, the attack is obvious.  If you can jam the signal, the alarm will not go through.

SimpliSafe says that they will detect what they call interference and the lawyer agreed that it did, but only sometimes.  He also said that the interference never actually triggered an alarm.  That is the general weakness of wireless sensors: the panel only expects to hear from each sensor every so often, so a short burst of jamming while someone walks through the door does not look the same to the panel as a sensor that has gone silent.

People often purchase an alarm for peace of mind, but if the alarm is jammable, is the peace of mind justified?

If you really care about your personal security, demand that all of the sensors are hardwired to the control panel.  If the alarm company can’t or won’t do that, find a different company.

Of course, if the alarm is just for appearances, a wireless system will be just fine.

The second half of the problem is the communication between the alarm and the monitoring station.  Some alarms use your internet; others use a cell modem.

The Internet based alarm is easy to defeat because the wire for your internet connection typically enters the house through a plastic box on the outside wall, placed there for the convenience of your internet provider.  All it takes is a pair of wire cutters.  For cell based alarms, a cell jammer does the trick.

In general, you want two different communications paths back to the monitoring station.  Note that a jammer defeats the wireless sensors before the panel ever gets to decide how to call out, so the two paths only help once the sensors are hardwired.

All of this depends on how serious you are about your alarm system protecting you.  Most consumer alarms are really designed to lull you into thinking you are secure and it works because most people don’t have the security knowledge to understand what the weaknesses are.

To watch a video of the hack, additional recommendations on being safer and more details of the attack, go to the article on the Verge.


Is The Encryption Debate Over?

Attorney General Barr said that he wants an encryption back door and if it compromises your privacy, well, we are not talking about protecting nuclear launch codes.  So we  know where he stands.

What came as a bit of a surprise is that Facebook says that they are going to build a back door into WhatsApp.  Not sure why.  Where is the pressure?  Who has the compromising pictures? Likely it is just greed.  They want to be able to operate in every country and since there are a number – a small number right now – that won’t let them operate without allowing those governments to spy on their users, the simple answer is to cave.

Here is what Facebook says they are going to do.  They are not going to, technically, insert a back door.  They might even claim this is a service to their users.

Think about this for a moment.  Right now WhatsApp cannot read your messages so they can’t target ads at you.  If they did know what you are saying, they could use or sell that data to advertisers.  That is just one possible use.

They are going to modify their app to do “content moderation”.  Content moderation is a polite word for censorship.  If China, for example, doesn’t want anyone to say anything bad about Xi, the moderation software will look for people saying bad things about him and stop it.

Since this happens on the user’s device, the encryption is not an issue because the user can decrypt stuff on their device.

Then, to make sure that the government will allow them to operate, they will send any banned content to a central moderation facility (AKA the government censors) to figure out who the local goon squad should come visit.

Obviously, the country can tell Facebook what they want them to look for.

Now say that you decide that you don’t like that and you switch to Signal.

The government could go to Signal and say “if you don’t want to be blocked you have to do content moderation.  It has nothing to do with your encryption.  Don’t say you can’t do it, because Facebook is doing it.”  At that point, privacy is pretty much done with.

It is *possible* that Signal, since it is not a commercial profit making company, might say go for it, block us.  That is not great for Signal, but, it might be better than compromising their principles.  Who knows.

Any government, no matter how repressive, now has a way to demand that software vendors give them their back door.

Facebook won’t say when this will be deployed – assuming it is not already deployed.  Why?  Because it might cause their customers to leave and that would, kind of, defeat the purpose.  I can already see the handwriting on the wall, so I am working to migrate away from WhatsApp and delete the application.

The total end game here could be to force Apple and Google to add “content moderation” to the operating system.  That is really what China and other repressive regimes (including, apparently, the US) would like to happen.

Stay tuned.  It is not clear how this is going to come down, but we certainly have a roadmap.

Source: Forbes.


Security News for the Week Ending July 26, 2019

Equifax Agrees to Pay UP TO $700 Million to Settle Breach Lawsuits

First – the settlement hasn’t been agreed to by the court yet, so this is all speculation.

Of the $700 million pot, at least $300 million is set aside to pay damages to consumers.  Another $100 million plus is to pay for credit monitoring.

There are lots of details.  For the most part, unless you can prove damages and prove that those damages were caused by the Equifax breach and not some other breach, you probably will not get paid much.  You can get paid up to $250 if you file a claim and without proof.  Everything past that requires proof.   With 150 million victims and a $300 million pot, that averages to $2 a person.

BUT there is one thing you should do and that is get the free credit monitoring.    Go to EQUIFAXBREACHSETTLEMENT.COM and wait until it says that the court has approved it.  Note this is not a site owned by Equifax and given what a mess they are, this is good.  Read more details here.

The Next NSA Hacker Gets 9 Years

Harold Martin, the NSA contractor (employed by Booz Allen, like Edward Snowden), was sentenced to 9 years for stealing 50 terabytes of data over the course of his 22 year NSA career.  The leak is something like 5 times the size of the Snowden leak.  He didn’t sell it; he just liked data.  He had so much he had to store it in sheds in his back yard.  Many of the documents were clearly marked SECRET and TOP SECRET.

The fact that he was able to steal hundreds of thousands of documents doesn’t say much for NSA security, which is sad.  Source: Nextgov.

Huawei – Bad – Not Bad – Bad?!

President Trump said that Huawei is a national security threat and needs to be banned and then he said that maybe we can trade that threat for a better deal with China on trade.

Now it is coming out that Huawei helped North Korea build out their current wireless network.  The equipment was shipped into North Korea by Chinese state owned Panda International.  This has been going on since 2006 at least.  Huawei is likely continuing to provide technical support to North Korea.

This seems like a national security threat and not a bargaining chip for the President to toss in to get a trade deal that he wants, but what do I know.  Source: Fox News.


AG Barr Says He Wants Encryption Back Door And Why do You Need Privacy – Just Suck it Up.

Attorney General William Barr said this week that if tech companies don’t provide a back door into consumer encryption,  they will pass a law forcing it.  And while this will allow hackers and Chinese spies to compromise US systems, it is worthwhile.

He said that they might wait for some terrorist event that kills lots of people and blame it on encryption (whether that is true or not).

He did seem to exclude “custom” encryption used by large business enterprises, whoever that might include.

Barr said that bad guys are using crypto to commit crimes that the police can’t investigate.  If that were true we would expect that crime would be going up.  If it is a really bad problem, it would be going way up.

Only problem is that the statistics say crime is going down.

You may remember that Juniper shipped such a back door in its firewalls, likely at the request of the NSA, and it worked great until word got out about it and hackers had a field day.

This conversation is not over.  Source: The Register.

