Category Archives: Safety

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that the problem of orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where  your data is stored.  Source: UK Computing

 

Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack.  Backups are no longer sufficient. Source: Bleeping Computer

 

The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR and  the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised  in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and that Travelex was said to be negotiating with them).   When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down. Travelex is still saying that they have not seen evidence that customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet

 

Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source:  SC Magazine


Are Smart Cars Safe Cars?

Here is the punch line.

Automotive cybersecurity incidents doubled in 2018 and are up 605% since 2016.  That doesn’t seem that safe to me.

Here are some statistics from Upstream’s 2019 automotive cybersecurity report:

  • 330 million vehicles are already connected and top brands in the US say that they will only sell connected vehicles this year.  If true, one attack vector might be to design a hack to disable all smart vehicles in a specific area.
  • Smart vehicles will benefit from 5G cellular, if and when it becomes widely available in the US because 4G speeds in the US tend to be very variable and often horribly slow.
  • Since 2016, the number of annual incidents has increased by 605%
  • Incidents more than doubled in 2019 compared to 2018.
  • 57% of incidents were criminal in nature – disruption, theft and ransoms.  The rest were researchers trying to stay ahead of the bad guys.
  • The three most common attacks are keyless entry, backend systems and mobile apps.  Remember, if you choose not to install your car maker’s mobile app and register your vehicle, you are leaving your car open to attack if a bad actor registers your car instead.
  • One third of all incidents resulted in the theft of a vehicle or a break-in.
  • One third of the attacks included taking over some of the car’s function.
  • 82% of the attacks in 2019 did not require physical access to the car.

Car makers understand these security issues and are working to improve their security, but the basis of all smart cars is software and we know that software always works perfectly.

Users like the features, so they will continue to ask for them but they might also want to ask their insurance agent if their insurance covers these new types of attacks.

Also recommended is to talk to your legislator to make sure that laws take into consideration the risks of smart cars.  For example, if you are in an accident and you say that you lost the ability to control your vehicle as we saw on 60 Minutes a couple of years ago, will the police believe you?  Or hold you responsible?  What if someone else is hurt as a result of that?  In today’s level of sophistication, it is going to be hard to prove that it wasn’t your fault.

Source: HelpNet Security

 


What Do You Think About a National ID Number?

No, I am not kidding.  Currently, your Social Security Number is effectively a national identifier. Except when it is not allowed to be used.

In many healthcare situations, they use first and last name plus birth date.  Apparently, however, that is more than a bit error prone.  This has led to treatment errors and medication errors.

When HIPAA was enacted, it mandated the creation of a Universal Patient Identifier (UPI).  That has been stymied by a ban that has been put into the annual funding bills every year that bans the government from spending any money to do this.

So, instead, we use the Social Security Number as a de facto universal identifier.

Rep. Ron Paul initially and now Sen. Rand Paul have said that a national identifier is a threat to personal privacy.  In a sense that is hard to argue with.  On the other hand, using the Social Security Number as a universal identifier for healthcare not only compromises medical information when there is a breach, but also a person’s financial information.

Some people say that stricter penalties for breaches, identity theft and other related crimes would reduce the abuse, but I am skeptical.  After all, the war on drugs, which tried exactly that, is certainly stopping drug sales and use.

This year the House removed the ban from the funding bill but the Senate left it in.

Some places are using biometrics to help identify patients, but the use of biometrics represents a whole other raft of problems.

There is not a simple solution, but continuing to use your Social Security Number as a universal identifier is NOT the answer.

For more details, see the article in Health IT Security.

 


Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google’s and others’ ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com


From Unsecure to Less Unsecure

Text messages, as many people know, are not very secure.  If you are asking where we are meeting for lunch, you probably don’t care.  But many banks use text messages (technically known as SMS or Short Message Service) as a second factor to enhance login security.  While it does help some, it would be a lot better if SMS messages were secure.

Add to that the limited character length allowed in SMS (only a bit longer than the original Twitter at 162 characters, but that is sometimes masked by phone makers’ text messaging applications), the fact that photos sent by SMS have to be compressed down to be barely identifiable and the fact that it can be hijacked, we have been needing a replacement.

Enter RCS or Rich Communications Services.  RCS eliminates a lot of these shortcomings.  Supposedly the big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for 10 years.

But the way the carriers are implementing it is not very secure as researchers are starting to point out.

While you can pick a different text messaging app like iMessage, Whatsapp or Signal, for example, for talking to your friends and have enhanced privacy with them, you don’t have any control over which text messaging service your bank uses, leaving you more vulnerable than alternative solutions such as Google Authenticator or Authy, generically known as Time based One Time Passwords or TOTP.

So what are the carriers doing wrong?

SRSLabs researchers are going to talk about the holes that they have found at Black Hat Europe in December.  Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.

The issue SRSLabs seems to have a problem with is the way the standard for RCS is being implemented, rather than the standard itself.  This is actually good news because it means that a software patch can improve security and it doesn’t require changes to the standard.  Even with these fixes, RCS is **NOT** encrypted end to end like iMessage or Whatsapp.

One issue is how RCS configuration files, which contain the userid and password for your text messages, are secured.  In that case, there is no security, meaning any app can request the configuration and have access to your text messages.

Another one sends a six digit code to verify you are who you say you are but lets you have unlimited guesses.  To try all the possible numbers takes about five minutes.

The carriers, of course, are completely defensive, but I suspect after Black Hat makes their sloppiness public, many of the carriers will clean up their acts.

Which is good for users.

Bottom line though, if you want more private text messages, use something like iMessage or Signal – RCS is not going to solve that problem.  Even if the carriers fix their implementation bugs in RCS, it will just be less unsecure.  Source:  Vice
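The unlimited-guess problem described above, shown from the verifier's side as an added example that is not from the original post or from the researchers' work: a six-digit code check that caps failed attempts, expires the code and makes it single use. The attempt limit, lifetime and all names are assumptions chosen for illustration, not values from the RCS standard.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
KEYSPACE = 10 ** CODE_DIGITS   # 1,000,000 possible codes
MAX_ATTEMPTS = 5               # assumed policy value
CODE_TTL_SECONDS = 300         # assumed policy value


class OtpChallenge:
    """One issued six-digit code with an attempt budget and an expiry."""

    def __init__(self, now=None):
        # secrets (CSPRNG) rather than random, zero-padded to six digits
        self.code = f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"
        self.issued_at = time.monotonic() if now is None else now
        self.failures = 0
        self.dead = False

    def verify(self, guess, now=None):
        """Return 'ok', 'wrong' or 'rejected' (challenge no longer usable)."""
        now = time.monotonic() if now is None else now
        if self.dead or now - self.issued_at > CODE_TTL_SECONDS:
            self.dead = True
            return "rejected"
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.dead = True   # single use: a replayed code is rejected
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.dead = True   # a fresh code must be requested
        return "wrong"


def guess_success_probability(attempts_allowed):
    """Chance that blind guessing hits the code within the attempt budget."""
    return min(attempts_allowed, KEYSPACE) / KEYSPACE


def implied_guess_rate(seconds=300):
    """Guesses per second needed to cover the keyspace in `seconds`."""
    return KEYSPACE / seconds


if __name__ == "__main__":
    print("unlimited guesses:", guess_success_probability(KEYSPACE))
    print("capped guesses:   ", guess_success_probability(MAX_ATTEMPTS))
    print("rate for a 5-minute sweep:", round(implied_guess_rate()), "per second")
```

A per-code cap only helps if requests for fresh codes are rate limited per account as well; otherwise the budget simply resets with each new code.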

 

 

 

 


Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT  program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customer’s servers) and they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it.  Source: Reuters
