Category Archives: Safety

Security Risks of Firmware

As software makers start to take security more seriously, hackers are becoming more creative.

When Apple and Microsoft started doing a better job of finding and patching bugs in their operating systems more quickly, hackers started looking at other applications installed on users’ computers.

As the makers of the other software installed on computers started taking security seriously, hackers again moved on.

What is the new target? FIRMWARE!

What is firmware you say?

It is the layer that silently runs virtually everything today.

Your car? A typical modern car has 100 or more computers, each one running firmware and many of which have been used to attack your car. Unless you drive something like a Tesla, you probably have not patched your car lately.

What about your refrigerator?

Dishwasher?

Smart speaker?

Internet modem or router?

TV?

It is amazing what has firmware in it these days.

So what are the worries?

#1 Firmware updates

Device makers are constantly on the lookout for bugs and often patch their devices frequently.

Some vendors, who are not security focused, DO NOT offer patches. That doesn’t mean that their devices don’t have bugs or are not vulnerable to being attacked. It just means that the vendors don’t see the revenue stream in offering patches.

Sometimes vendors are very good about patching their devices. Apple is one example of a vendor that does a good job in patching, including Apple smart speakers.

But when was the last time you received a patch for your smart TV or refrigerator? My dishwasher had to be patched last year. Apparently, ones that were not patched, on occasion, caught on fire. That is where the virtual universe meets the physical universe.

Most devices that you own (a) contain firmware, (b) have bugs and (c) are never patched from when they leave the factory to when they reach the landfill.

Worse yet, some of these bugs are security problems, like the recent Intel secure enclave bug, and are NOT POSSIBLE to patch. Apple has a similar problem with their boot ROM that can’t be patched either.

#2 Configuring firmware

Most so-called smart devices are connected to the Internet, including most cars built in the last 5 years.

On the other hand, most purchasers are not trained well enough to securely configure these devices. They don’t understand the security implications of the configuration decisions they make. Let’s face it – the most popular passwords are password and 123456. That ought to tell you something.

Vendors typically configure their security features to reduce user frustration and eliminate the need for customers to call their help lines, which costs the manufacturers a lot of money. One or two calls eliminate the entire profit the vendor made from selling you that thing.

How many times have we heard about misconfigured web services on Amazon or Google that led to a breach? These are services that are usually managed by professionals. If they can’t do it right, imagine what consumers do.

#3 Firmware security awareness

The firmware on all of these devices controls what is called the CIA triad:

  • CONFIDENTIALITY
  • INTEGRITY
  • AVAILABILITY

We’ve got to figure out a way to make sure that people understand that this is a risk that they alone are responsible for, even though the company that they bought the device from never said so.

Oh yeah. THE MANUFACTURER DOES NOT HAVE ANY LIABILITY WHEN YOU DO IT WRONG. YOU ARE ON YOUR OWN.

This article is a start in that process. Credit: Help Net Security


Phone Scams Gone Wild

It used to be that when the phone rang, it was someone with an African accent telling you that he was from Windows technical support calling you because your computer was infected. You hung up.

Scammers have gotten much smarter. Unfortunately. Here are two recent examples.

This guy got taken for $10,000. Mitch (him, not me, thank goodness) got a call a couple of Fridays ago from someone claiming to be from his bank saying there was fraud detected on his bank card. The caller ID showed the same number as was printed on the back of his card. He logged into his account and did, in fact, see several fraudulent charges going back several weeks (NOTE 1 – see tips below). They were relatively small – under $100 each. But there were also two withdrawals from cash machines in Florida for $800 each (NOTE 2).

He figured that if this was a scam, the caller would have asked him for information, which she did not (NOTE 3). She said they would reverse the charges and send him a new card (NOTE 4). He thanked her and hung up.

This was part of the hook in the scam.

The next day he got another call about suspected fraud on his bank account. He thought this was weird, so he called his bank on another phone and asked if they were talking to him. They said yes. This is known as a man-in-the-middle attack (or woman-in-the-middle; these scams often use women because, after all, women aren’t crooks, right?). The hacker calls the bank pretending to be you, then they call you pretending to be the bank and, magic, they have everything they need to do the fraud.

Mitch said that the bank, in the past, might send him a one-time code via not-very-secure text message, so when the attacker asked him for the text message code (which the bank had asked the attacker for), he gave it to her. Again they said they would fix it.

Over the weekend he looked at his account and saw no more activity and figured it was handled. Not so.

On Monday Mitch saw a $9,800 outgoing wire posted to his account (NOTE 5). He was now out over $10,000.

To add some intrigue, the destination of the wire was an online-only bank in Mitch’s name. The bank figured it was a Mitch to Mitch transfer, so they figured it was okay. Banks are required by law to “know your customer” or KYC. For online banks, “know” is a relative term and until the feds start fining those banks millions of dollars, this fraud will continue.

Obviously, at some point his debit card and maybe his PIN (NOTE 6) were compromised, and the rest was an elaborate social engineering scheme.

The bank did give him back his money (under federal law CONSUMERS, but **NOT** BUSINESSES, are given the benefit of the doubt and will usually, but not always, and sometimes only after a fair bit of screaming, get their money back). Businesses are assumed to know what they are doing and don’t get a free pass.

So what about all the notes. Okay, here goes.

NOTE 1 – All decent banks can send you a text message (better than an email because you are more likely to look at it quickly) every time your card or bank account is used. If your bank can’t do this simple anti-fraud measure, find a new bank. BTW, this includes credit cards too. Usually there are a lot of options in terms of what/when/how much, but in my opinion, opt for being over-notified. That way, when the first fraudulent transaction cleared, Mitch would have said “hey wait, I didn’t use my card” and he would have called the bank, they would have killed the card and maybe this would not have happened. If, after Mitch did all of this, a second fraudulent transaction happened, Mitch would have known that not only was his card compromised, but so was his account.

NOTE 2 – $800 withdrawal from a cash machine. Banks will let you specify how much cash you want to be allowed to withdraw per day from the ATM. I do not EVER withdraw $800 in one day from an ATM. That limit is too high. Set your limit at $50 above the max you want to risk losing. You can always go into the branch and withdraw more in some weird circumstance. Also, your spouse’s card has a separate and likely equal (could be different) limit, so if you set the limit low, you can get your spouse to get more cash. Again, if you had followed NOTE 1 above, you would have known about the $800 cash withdrawal as soon as it happened.

Side note. I got a text alert a while back and immediately called my wife. Wasn’t her. I called the bank, in this case it was Wells and they did a great job. WHILE I WAS ON THE PHONE WITH FRAUD and he was working diligently to kill the card, he saw three more transactions attempting to be authorized. He was able to “decline” those charges, kill the card and issue a new one via overnight mail. Problem solved.

Your choice is convenience in not having to deal with those text messages or a pain in the ^%$# trying to get your money back. YOUR CHOICE.

NOTE 3: Banks also often choose convenience over security. Since the hacker spoofed Mitch’s caller ID, the bank’s security mechanism got scammed. They would rather eat a few billion dollars in losses, which you pay for in fees, than annoy you. They figured the call was coming from Mitch, so why bother using the security protocol. I’m not fond of that strategy.

NOTE 4: The bank said they would send him a new card. Since there was fraud on the card – as well as fraud on the phone – they should have said they were going to kill the card. Apparently they didn’t say that. That should have been a flag to Mitch. When there was a supposed additional fraudulent charge the next day, that really should have been a red flag to Mitch again. If they say the card was disabled, you can easily test it by trying to make an online transaction. If it is a hacker saying the card is disabled, you will be able to complete the transaction. Big red flag. It should be declined. If it is not, call your bank yourself.

NOTE 5: That $9,800 outgoing wire. You should be able to tell your bank that you do not want to allow outgoing wires ONLINE or you want to set the limit to $500 or whatever. Sometimes you will have to make a stink, but banks can do almost anything. Also, that wire should have generated an alert (see Note 1).

NOTE 6: Some people insist on using their PIN when they buy gas or go to the grocery store. I am not sure why. Maybe they like dealing with the nice people in the fraud department. The only place you should ever use your PIN is at the ATM. Period. End of conversation. There is NO reason to use your PIN anywhere else. If you don’t use your PIN then your PIN can’t be compromised and your bank account emptied out.

In this case, Mitch got his money back. That doesn’t always happen and it doesn’t always happen quickly. The quicker you notify your bank about fraud, the more likely it is that you will get your money back. In the case of businesses, this is super critical because with wire fraud, money usually only stays in the first bank account for a few minutes. Literally.

Credit: Brian Krebs

I said at the beginning that I had two examples, but this post is already too long. Here is the link to the other example.

All I can say is be proactive or deal with the results.

If you have questions, please reach out to me. I am happy to help you protect yourself. AND, share this post with your family.


EARN-IT Act – Only Outlaws Will Have Strong Encryption

O P I N I O N

Full disclosure:  it will be obvious which side of the conversation I am on pretty quickly.

The FBI has been trying to ban end-to-end encryption – any encryption that they can’t break at will – for decades now.  They charged Phil Zimmermann with crimes and almost convicted him back in the 90s.  The battle is still going on.

For years the FBI has been using the flag of national security to try to ban encryption, but it hasn’t worked.  Part of the Patriot Act, which was implemented after 9-11, required telephone providers to provide metadata of all phone calls to the NSA so that they could search for terrorists.  After a while it was required that the phone companies themselves store the data.  Currently that provision has expired, in part because it was revealed that the government spent $100 million on the program and it only generated two leads, one of which didn’t pan out and the other of which they already knew about.

So now the FBI and their friends are trying a different tactic.  If terrorism didn’t work, how about waving the banner of kiddie porn?  After all, EVERYONE is against kiddie porn.  Of course, I am not aware of anyone who is pro-terrorism either.

On the foundation of kiddie porn was built a bill, sponsored by Senator Lindsey Graham (R-SC) and supported by a few other Senators who want to appear to be strong against kiddie porn (it looks good on campaign posters, of course).

The bill, called EARN-IT, basically says that online service providers will lose protections that they currently have against being sued for content that their customers create (yes, really) if they do not implement some security standards that have not been defined.  And won’t be until years after the bill would become law.  That’s right: the bill would impose requirements that won’t be defined until years after it becomes law.

The plan is that the bill would create a commission that would make recommendations to the Attorney General and some others, and the AG could accept those recommendations or change them any way he wants.  Of course, AG Barr is strongly against encryption, so we understand what will happen here.  Then, if service providers don’t implement these undefined rules, they will lose their immunity from being sued for content that they didn’t create.

BUT WE HAVE TO PROTECT THE KIDS.

Of course we don’t know if this bill will pass – given today’s politics it is a crap shoot.

But people need to understand the goal of the bill.  It is to ban any communications that the government can’t read.  TO PROTECT THE KIDS.

Surely you want to protect the kids.  Oh you don’t?  You probably shouldn’t be in office.  There is no way any politician could possibly win that battle because the public doesn’t have the patience to understand a deeply technical conversation.

Large companies like Google and Facebook **MIGHT** possibly be willing to fight the government and they have deep enough pockets to do that, but almost no one else does.  As a result, everyone else will have to create a back door so the feds can read everything that you do online.

But think about this for a minute.

Crooks don’t generally follow the law.  That’s why we call them criminals.  So they will use software that comes from some other country that doesn’t have a backdoor.  Of course that will stop the feds from reading the communications of the people that they are trying to stop.  BUT IT IS ABOUT THE KIDS.  EVERYONE WANTS TO PROTECT THE KIDS.

Of course, as soon as you put a backdoor in the communications, China will demand that providers give them the keys.  So will Russia and a whole bunch of other unsavory characters.

Does anyone really think that Facebook (or whoever) is going to stand up to China and say “OK, if you want our encryption keys, we won’t do business in your country”?  Fat chance.  They will say that they had to because they follow the laws in the countries that they are in, and since a quarter of the world’s population is in China, guess who will get the encryption keys?  I seem to recall something in the news that people are unhappy that Zoom encryption keys wound up in China last week.  Well, if this law passes, those keys will be in China and a bunch of other places forever.

Signal, the encrypted messaging app that is used by tens of millions of people including politicians, said that they will stop doing business in the United States if this bill becomes law.  They can’t afford the risk.  Everyone else is in it to make a buck so if they have to compromise everyone’s privacy and it gets some people killed in unsavory parts of the world, then it is okay.  They didn’t have a choice.

Of course the bad guys in countries like Russia and China and 50 others will use software without encryption backdoors, so we won’t be able to read their stuff anyway.

Note:  AG Barr doesn’t like calling backdoors BACKDOORS.  That term is so unsavory.  He prefers a much more sanitized term – lawful access.  Because if it is lawful, then it is okay.  BECAUSE IT IS ABOUT THE KIDS.

Of course, the people who are into kiddie porn will just use other encryption methods that don’t have backdoors, but the stupid ones will not and they might get caught.  Then the feds can say look how wonderful we are.  Of course the pros won’t get caught.

And even if they don’t catch anyone significant, they will make U.S. software companies less competitive in the world marketplace.  After all, will companies in other countries want to secure their sensitive information with encryption that the U.S. can read?  Entire countries have already banned Zoom for just that reason.  The good news is that this will create an opportunity for companies in other countries to take business and jobs away from the U.S.  That is a sub-objective, right?

On the other hand, other countries like this idea, so some of them could follow in the U.S.’s footsteps.

Probably the most infuriating part of the bill to me (my opinion of course) is that the Congress is abdicating its responsibility by creating this commission instead of specifying the standards.  THAT WAY WHEN THE COMMISSION BANS ENCRYPTION THEY CAN SAY “IT WASN’T ME;  IT WAS THEM”.  Plausible deniability.

If this is such a good idea, define the rules now.  Debate them.  And put them into the law.

Of course if they did that, they couldn’t hide behind that smokescreen.

The bill as it is written now even has some poison pill provisions in it.  If the commission doesn’t approve some rules within a specified time period, the online service providers lose their immunity automatically and if that happens, there is nothing that they can do to get it back because there are no approved rules to follow to “earn” their protections back.

Don’t get me wrong.  I am not a fan of kiddie porn, but the reality here is that this has nothing at all to do with protecting the children and everything about getting back at the Silicon Valley companies that the current administration does not like.

For more information on the bill, check out Bruce Schneier’s column, Bitcoin magazine, The Register and the EFF.


Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  Many times, ISP-provided devices have a back door, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, likely they can see most of your traffic, both local and on the Internet.  Even if it is encrypted, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If  in general, they are pushing out regular updates, likely they will do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 
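For the readers who do not have a geeky friend handy, here is one way to do that check. This is an added example, not code from the original post; it assumes that if the address your operating system assigned to a network interface is a public IPv4 address, no NAT router is translating for you and the machine is directly on the Internet. A public IPv6 address is normal even behind a home router, so the script reports it but does not treat it as exposure.

```python
"""Check whether this computer sits directly on the Internet (no NAT in front).

Added example. Assumption: a public (globally routable) IPv4 address on a
local interface means there is no NAT device between you and the Internet.
Private (RFC 1918), carrier-grade NAT (RFC 6598), link-local and loopback
addresses mean something else is translating for you.
"""
import ipaddress
import socket

# Carrier-grade NAT range (RFC 6598). ipaddress.is_global already excludes it,
# but checking it explicitly lets us tell the user which case applies and keeps
# the answer the same across Python versions.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return a human-readable class for an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id such as %eth0
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (no working connection?)"
    if ip.version == 4 and ip in CGNAT:
        return "carrier-grade NAT (your ISP translates for you)"
    if ip.is_private:
        return "private (behind a NAT router)"
    if ip.is_global:
        if ip.version == 6:
            return "public IPv6 (normal behind a home router; its firewall still applies)"
        return "PUBLIC IPv4 (directly on the Internet, no NAT in front)"
    return "reserved/other"


def directly_exposed(addrs) -> bool:
    """True if any local interface address is a public IPv4 address."""
    return any(classify(a).startswith("PUBLIC IPv4") for a in addrs)


def local_addresses():
    """Best-effort list of the addresses the OS would use to reach the Internet.

    Connecting a UDP socket sends no packets; it only asks the kernel which
    source address it would pick for a route toward a documentation address
    (198.51.100.1 / 2001:db8::1, RFC 5737 / RFC 3849, never actually contacted).
    """
    found = []
    for family, target in ((socket.AF_INET, "198.51.100.1"),
                           (socket.AF_INET6, "2001:db8::1")):
        try:
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.connect((target, 53))
                found.append(s.getsockname()[0])
        except OSError:
            pass  # that address family has no route; skip it
    return found


if __name__ == "__main__":
    addrs = local_addresses()
    for a in addrs:
        print(f"{a}: {classify(a)}")
    print("Directly on the Internet:", directly_exposed(addrs))
```

Run it on the computer you are worried about; a "PUBLIC IPv4" line means your ISP handed the public address straight to your PC and there is no router doing NAT in front of it.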

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall  – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


FBI: Building Digital Defense with Browsers

As more of our computing world lives inside a browser, the risk goes up.

As we move to Work From Home, the risk goes up again because we no longer have corporate infrastructure to chop off the top few layers of attacks.  Also many of us have kids that either share our computer or share our network.

The FBI has launched an initiative to protect political campaigns and voters from foreign influence campaigns and cyber attacks called Protected Voices.

The Portland office of the FBI adapted some of the recommendations from that program into recommendations for everyone.

Before I give you the list, let me warn you that it is going to expose that perennial issue – security or convenience – PICK JUST ONE!

Here are the FBI’s recommendations:

Note: How you implement these will be browser and system specific

  • Disable AUTOFILL
  • Disable remember passwords
  • Disable browsing history

Disabling these features makes it more difficult for malware on your system to steal sensitive data.

  • Do not accept cookies from third parties

Note that some browsers do this by default.  Doing this reduces the ability of third parties to track you and aggregate your browsing habits.  And sell them.

  • Clear browsing history when you close your browser or use incognito mode

Note that this means that you actually have to close your browser.  Again, this reduces your fingerprint and makes it more difficult for advertisers (and hackers) to track you.

  • Block ad tracking
  • Enable do not track (there has to be at least one site on the web that honors this)

There are a number of good ad blockers.  Apple and Firefox have built-in ad blocking.  Not only does this make it harder to track you, but it stops malware-laden ads from running on your system.

  • Disable browser data collection

All browsers like your digital exhaust;  that is why they collect it, but it is none of their business.

  • Make sure that if a web site wants your digital certificate, you have to approve each request

Your digital certificate *IS* your signature.   Protect it.

  • Disable caching

Caching makes browsing faster, but apps and web pages can find out what is in the cache and figure out what you are doing and where you have been.

  • Enable browser features to block malicious, deceptive and dangerous content.  Different browsers do this in different ways; some more privacy friendly than others.

What is true about all of these features is that they will have some impact on your browsing experience.  You don’t have to implement all of them, but each one makes things a little more difficult for the bad guys.

It is your call.

Source: FBI


Weekly Security News for the Week Ending March 20, 2020

Senate Kicks the Can Down The Road Again With FISA Renewal

Last week it looked like Congress was going to renew the parts of the Foreign Intelligence Surveillance Act that DID EXPIRE last weekend.  But Congress being Congress, they didn’t.  On Monday the Senate agreed to kick the can down the road for 77 days.  Now the House has to agree.  In the meantime, I am not sure what the NSA is doing about those expired provisions, and they only plan to kick the can down the road on two of the three expired provisions.  In fairness, Trump wants to rein in the Intelligence Community since he doesn’t trust them and never has.  This could work to the advantage of the privacy advocates.  Source: Reuters

Covid-19 Web Site President Said Google Would Bring Online Monday is Online But Not Like He Said

Google/Alphabet subsidiary Verily launched its Project Baseline Coronavirus website, but it is not national, it only covers two counties in the San Francisco Bay area.  It was supposed to allow people to make appointments to get tested, but the few slots that were available filled up instantly.  Only people living in those two counties are even allowed to use the site.

Google says that they are working on a nationwide INFORMATION ONLY site and it will be released sometime in the future.  Source: Bleeping Computer

Open Source Vulnerabilities Surge in 2019

Some people say that open source software is more secure.

Reality is a little different than that.

In 2019, DISCLOSED open source vulnerabilities surged from 4,000 to 6,000.  The good news is that the open source community is good about fixing the vulnerabilities once they are found.  85% of the vulnerabilities have a fix once they are responsibly disclosed.

Bottom line, make sure that you have an effective open source software patching program to keep your company safe. Source: Help Net Security

U.S. Census Figures Coronavirus Will Be Over in Two Weeks

The Census, that every 10 year event, was supposed to start this week.  But there is kind of an issue.  I think there is some kind of virus going around.  Part of how the Census works is that Census workers go around collecting information from people.  Given the current situation, (a) Census workers are probably not going to be willing to risk their health for a few bucks, (b) people that they visit are likely not going to let them in the door or (c) some other less than nice thing might happen.

So what did the geniuses at the Census Bureau decide to do?  They decided that they are going to send out Census workers in 13 days, on April 1st.  WHAT, EXACTLY, DO THEY EXPECT TO BE DIFFERENT IN 13 DAYS?

Ya gotta wonder about those folks in Washington.  Source: Reuters

OCR Lifts Penalties For Telehealth Use During Covid-19

It’s all hands on deck.  HIPAA has a number of provisions that allow a healthcare provider to bypass certain HIPAA rules.  A pandemic is not one of those options.  Of course, since the Feds make the rules, they can change them.  In light of the current situation, HHS says that they will not penalize Covered Entities for using telehealth providers who are not fully HIPAA compliant.  They are not saying using those providers is legal;  they are just saying, given the circumstances, they are not going to go after providers who do so.  This will allow providers to use apps like Facetime or Google Chat to diagnose patients instead of making them come into the office and potentially infect dozens of other people.  It seems like a reasonable trade off.  Source: HealthIT Security
