Category Archives: Safety

NSA Offers Recommendation to Reduce Cellphone Exhaust

If you didn’t know better you would think the NSA is trying to turn over a new leaf. Credit Anne Neuberger.

A couple of years ago the NSA dissolved the Information Assurance Directorate – the group that helps the good guys. To me, this was an incredibly stupid move on the part of the NSA.

Fast forward to late last year and the NSA reincarnated IAD and called it the Cybersecurity Directorate. Same mission.

But the NSA had a horrible rep that they spent most of their effort on OFFENSIVE cyber and very little on DEFENSIVE cyber.

Anne Neuberger is the new head of the Cybersecurity Directorate and she has been working hard to change that reputation.

Photo of Anne Neuberger
Anne Neuberger

Fast forward to this week. The Cybersecurity Directorate released a memo on reducing the exposure from your cellphone data. What we affectionately call your digital exhaust.

They rightfully say that you cannot eliminate your digital exhaust but you can reduce it. While this article is targeted at government employees, it is useful to anyone who is concerned about their digital footprint.

They explain that just having your phone turned on, even if location tracking and your GPS are off, gives location information to apps, who collect and sell it. Even if you phone is in airplane mode, you could be giving away your location.

The whole idea of telling people how to reduce their footprint goes against the NSA’s offensive mission. Kudos to Anne Neuberger.

The memo also talks about tracking you from your fitness device and other items like this. The feds had a virtual heart attack recently when a bunch of data appeared from, I think, Fitbits, that showed this strange activity pattern in a place where no one should be. Like, perhaps, a secret base run by special operations soldiers. Oops.

So if this is a subject that is of interest to you, check it out.

Even if it is just out of curiosity. Credit NSA via Cyberscoop

Critical Infrastructure Can be Hacked by Anyone

Well that is not a comforting thought.

Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.

Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.

This represents an onshore oil well and it looks like they could change flow from this interface.

This system seems to control five different off-shore wells.

Perhaps you would prefer to control the water supply instead.


Or perhaps you would like to drinking water undrinkable.

If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.

These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.

Only the electric grid as **BEGUN** to take these threats seriously and they are only taking baby steps.

In Europe, Facebook can be fined 125 million Euros for for not taking down a piece of terroristic content within an hour.

Have any of these companies been fined anything? I don’t think so.

Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?

What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.

Needless to say, this is a bit of a mess and these are only samples of what they were able to do.

One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground up plants. Well, not exactly, but in technology terms, pretty much exactly.

If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.

Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.

And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.

I just hope that it won’t take a Bhopal-style disaster to get their attention.

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, they knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle it self but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

Minneapolis City Web Sites Hit by Denial of Service Attacks

Last Thursday, early in the morning, a number of City of Minneapolis web sites were disabled by denial of service attacks. The attacks are short lived and the city was able to restore most of the services within a few hours. It is certainly possible that we will see more cyberattacks as a way to continue civil disobedience. Credit: The Hill

GA Gov. Kemp’s (R) Claims that Dems Hacked his SoS Web Site In 2018 Are False

Two days before the 2018 election, then GA Secretary of State Kemp opened an investigation into what he said was a failed hacking attempt of voter registration systems by the Democratic Party.

Newly released case files from the GBI says that there was no such hacking attempt. The report says that Kemp got confused by an authorized and planned security test by HOMELAND SECURITY with a hack. Kemp’s CIO approved the scan by DHS.

The GBI did say that there were significant security holes in the web site at the time, even though Kemp said that patches to the web site two days before the election were standard practice. No one in their right mind would make changes to critical election systems two days before the election unless it was an emergency. Credit: Atlanta Journal Constitution

Chinese and Iranians Hacking Biden and Trump

Google’s Threat Analysis Group (TAG) warned the campaigns that the were seeing the Chinese targeting Biden and the Iranians targeting Trump. Currently, there is no sign of compromise, but we still have months to go before the election. Not only is there lots of information to steal, but they have the possibility of impacting the election or causing a loss of trust by voters in the process. Credit: SC Magazine

FBI Says Big Business Email Compromise Attacks on the Upswing

The FBI has reports of multiple fraudulent invoice BEC attacks in April and May. In on case hackers used a trusted vendor relationship and a transportation company to steal $1.5 Million. They are reporting multiple incidents in different industries, so caution is advised. Credit: FBI Liaison Information Reports 200605-007, security level GREEN.

Security Risks of Firmware

As software makers start to take security more seriously, hackers are becoming more creative.

When Apple and Microsoft started doing a better job of finding and patching bugs in their operating systems more quickly, hackers started looking at other applications installed on users’ computers.

As the makers of the other software installed on computers started taking security seriously, hackers again moved on.

What is the new target? FIRMWARE!

What is firmware you say?

Is it the layer that silently runs virtually everything today.

Your car? A typical modern car has 100 or more computers, each one running firmware and many of which have been used to attack your car. Unless you drive something like a Tesla, you probably have not patched your car lately.

What about your refrigerator?

Dishwasher?

Smart speaker?

Internet modem or router?

TV?

It is amazing what has firmware in it these days.

So what are the worries?

  1. Firmware updates

Device makers are constantly on the lookout for bugs and often patch their devices frequently.

Some vendors, who are not security focused, DO NOT offer patches. That doesn’t mean that their devices don’t have bugs or are not vulnerable to being attacked. It just means that the vendors don’t see the revenue stream in offering patches.

Sometimes vendors are very good about patching their devices. Apple is one example of a vendor that does a good job in patching, including Apple smart speakers.

But when was the last time you received a patch for your smart TV or refrigerator? My dishwasher had to be patched last year. Apparently, ones that were not patched, on occasion, caught on fire. That is where the virtual universe meets the physical universe.

Most devices that you own (a) contain firmware, (b) have bugs and (c) are never patched from when they leave the factory to when they reach the landfill.

Worse yet, some of these bugs are security problems, like the recent Intel secure enclave bug, and are NOT POSSIBLE to patch. Apple has a similar problem with their boot ROM that can’t be patched either.

#2 Configuring firmware

Most so-called smart devices are connected to the Internet, including most cars built in the last 5 years.

On the other hand, most purchasers are not trained well enough to securely configure these devices. They don’t understand the security implications of the configuration decisions they make. Lets face it – the most popular passwords are password and 123456. That ought to tell you something.

Vendors typically configure their security features to reduce use frustration and eliminate the need for customers to call their help lines which costs the manufacturers a lot of money. One or two calls eliminates the entire profit the vendor made from selling you that thing.

How many times have we heard about misconfigured web services like Amazon or Google which led to a breach. These are services that are usually managed by professionals. If they can’t do it right, imagine what consumers do.

#3 Firmware security awareness

The firmware on all of these devices control what is called the CIA triad —

CONFIDENTIALITY

INTEGRITY

AVAILABILITY

We’ve got to figure out a way to make sure that people understand that this is a risk that they alone are responsible for, even though the company that they bought the device from never said so.

Oh yeah. THE MANUFACTURER DOES NOT HAVE ANY LIABILITY WHEN YOU DO IT WRONG. YOU ARE ON YOUR OWN.

This article is a start in that process. Credit: Help Net Security

Phone Scams Gone Wild

It used to be that when the phone rang, it was someone with an African accent telling you that he was from Windows technical support calling you because your computer was infected. You hung up.

Scammers have gotten much smarter. Unfortunately. Here are two recent examples.

This guy got taken for $10,000. Mitch (him, not me, thank goodness) got a call a couple of Fridays ago from someone claiming to be from his bank saying there was fraud detected on his bank card. The callerid had the same number as was printed on the back of his card. He logged into his account and did, in fact, see several fraudulent charges going back several weeks (NOTE 1 – see tips below). They were relatively small – under $100 each. But there were also two withdrawals from cash machines in Florida for $800 each (NOTE 2).

He figured that if this was a scam, the caller would have asked him for information, which she did not (NOTE 3). She said they would reverse the charges and send him a new card (NOTE 4). He thanked her and hung up.

This was part of the hook in the scam.

The next day he got another call about suspected fraud on his bank account. He thought this is weird, so he called his bank on another phone and asked if they were talking to him. They said yes. This is known as a man in the middle attack (or woman in the middle. These scams often use women because, after all, women aren’t crooks, right?). The hacker calls the bank pretending to be you, then they call you pretending to be the bank and magic, they have everything they need to do the fraud.

Mitch said that the bank, in the past, might send him a one time code via not-very-secure text message, so when the attacker asked him to give him the text message code (which the bank had asked the attacker for, he gave it to her. Again they said they would fix it.

Over the weekend he looked at his account and saw no more activity and figured it was handled. Not so.

On Monday Mitch saw a $9,800 outgoing wire posted to his account (NOTE 5). He was now out over $10,000.

To add some intrigue, the destination of the wire was an online-only bank in Mitch’s name. The bank figured it was a Mitch to Mitch transfer, so they figured it was okay. Banks are required by law to “know your customer” or KYC. For online banks, “know” is a relative term and until the feds start fining those banks millions of dollars, this fraud will continue.

Obviously, at some time his debit card and maybe PIN (NOTE 6) was compromised and the rest was an elaborate social engineering scheme.

The bank did give him back his money (under federal law CONSUMERS but **NOT** BUSINESSES are giving the benefit of the doubt and will usually, but not always and sometimes are a fair bit of screaming, will get their money back). Businesses are assumed to know what they are doing and don’t get a free pass.

So what about all the notes. Okay, here goes.

NOTE 1 – All decent banks can send you a text message (better than an email because you are more likely to look at it quickly) every time your card or bank account is used. If your bank can’t do this simple anti-fraud measure, find a new bank. BTW, this includes credit cards too. Usually there are a lot of options in terms of what/when/how much, but in my opinion, opt for being over notified. That way, the first fraudulent transaction that cleared, Mitch would have said “hey wait, I didn’t use my card” and he would have called the bank, they would have killed the card and maybe this would not have happened. If, after Mitch did all of this, a second fraudulent transaction happened, Mitch would have known that not only was his card compromised, but so was his account.

NOTE 2 – $800 withdrawal from a cash machine. Banks will let you specify how much cash you want to be allowed to withdraw per day from the ATM. I do not EVER withdraw $800 in one day from an ATM. That limit is too high. Set your limit at $50 above the max you want to risk losing. You can always go into the branch and withdraw more in some weird circumstance. Also, your spouse’s card has a separate and likely equal (could be different) limit, so if you set the limit low, you can get your spouse to get more cash. Again, if you had followed NOTE 1 above, you would have known about the $800 cash withdrawal as soon as it happened.

Side note. I got a text alert a while back and immediately called my wife. Wasn’t her. I called the bank, in this case it was Wells and they did a great job. WHILE I WAS ON THE PHONE WITH FRAUD and he was working diligently to kill the card, he saw three more transactions attempting to be authorized. He was able to “decline” those charges, kill the card and issue a new one via overnight mail. Problem solved.

Your choice is convenience in not having to deal with those text messages or a pain in the ^%$# trying to get your money back. YOUR CHOICE.

NOTE 3: Banks also often choose convenience over security. Since the hacker spoofed Mitch’s callerid, the bank’s security mechanism got scammed. They would rather eat a few billion dollars in losses which you pay for in fees than annoy you. They figured the call was coming from Mitch, so why bother using the security protocol. I’m not fond of that strategy.

NOTE 4: The bank said they would send him a new card. Since there was fraud on the card – as well as fraud on the phone – they should have said they were going to kill the card. Apparently they didn’t say that. That should have been a flag to Mitch. When there was a supposed additional fraudulent charge the next day, that really should have been a red flag to Mitch again. If they say the card was disabled, you can easily test it by trying to make an online transaction. If it is a hacker saying the card is disabled, you will be able to complete the transaction. Big red flag. It should be declined. If it is not, call your bank yourself.

NOTE 5: That $9,800 outgoing wire. You should be able to tell your bank that you do not want to allow outgoing wires ONLINE or you want to set the limit to $500 or whatever. Sometimes you will have to make a stink, but banks can do almost anything. Also, that wire should have generated an alert (see Note 1).

NOTE 6: Some people insist on using their PIN when they buy gas or go to the grocery store. I am not sure why. Maybe they like dealing with the nice people in the fraud department. The only place you should ever use your PIN is at the ATM. Period. End of conversation. There is NO reason to use your PIN anywhere else. If you don’t use your PIN then your PIN can’t be compromised and your bank account emptied out.

In this case, Mitch got his money back. That doesn’t always happen and it doesn’t always happen quickly. The quicker you notify your bank about fraud, the more likely it is that you will get your money back. In the case of businesses, this is super critical because with wire fraud, money usually only stays in the first bank account for a few minutes. Literally.

Credit: Brian Krebs

I said at the beginning that I had two examples, but this post is already too long. Here is the link to the other example.

All I can say is be proactive or deal with the results.

If you have questions, please reach out to me. I am happy to help you protect yourself. AND, share this post with your family.