Category Archives: Safety

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of SolarWinds Attack Was Your Cloud Data

Microsoft says that the objective of the SolarWinds hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to, email. The article also provides more information on how to detect whether the hackers did compromise your cloud resources. Credit: Bleeping Computer
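As an added example (not code from the article or from Microsoft), here is a defender-side check in Python that reviews a SAML assertion against the identity provider's own issuance record. An assertion ID the IdP never logged, an issuer that is not your IdP, or a validity window far longer than your IdP normally grants are the kinds of signal worth alerting on when forged tokens are a concern. The issuer URL, the assertion IDs, the sample assertions and the one-hour threshold are all constructed assumptions.

```python
"""Review SAML assertions against the identity provider's issuance log.

Added example, not from the article. Assumes you can export the IDs of the
assertions your IdP actually issued (e.g. from its audit log) and that you
know the issuer string and the normal assertion lifetime it grants.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EXPECTED_ISSUER = "https://sts.example.test/adfs/services/trust"  # assumed value
MAX_LIFETIME = timedelta(hours=1)  # assumed: what the IdP normally grants

# Constructed sample assertions (signatures omitted; this check runs after
# signature validation, not instead of it).
LOGGED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2020-12-20T10:00:00Z">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2020-12-20T10:00:00Z" NotOnOrAfter="2020-12-20T11:00:00Z"/>
</saml:Assertion>"""

SUSPECT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_zz9" Version="2.0" IssueInstant="2020-12-20T10:05:00Z">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2020-12-20T10:05:00Z" NotOnOrAfter="2020-12-21T10:05:00Z"/>
</saml:Assertion>"""

# Constructed sample of IDs the IdP's audit log says it issued.
IDP_ISSUED_IDS = {"_a1"}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-12-20T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Extract ID, issuer and validity window from an assertion document."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore"))
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    return {
        "id": root.get("ID"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "lifetime": not_on_or_after - not_before,
    }


def review_assertion(xml_text, issued_ids=IDP_ISSUED_IDS,
                     expected_issuer=EXPECTED_ISSUER, max_lifetime=MAX_LIFETIME):
    """Return (assertion_id, list of findings). An empty list means no concern."""
    a = parse_assertion(xml_text)
    findings = []
    if a["issuer"] != expected_issuer:
        findings.append("unexpected-issuer")
    if a["id"] not in issued_ids:
        findings.append("not-in-idp-log")  # token seen at the SP, never issued by the IdP
    if a["lifetime"] > max_lifetime:
        findings.append("long-lifetime")
    return a["id"], findings


if __name__ == "__main__":
    for doc in (LOGGED_ASSERTION, SUSPECT_ASSERTION):
        print(review_assertion(doc))
```

The useful part is the correlation, not the XML parsing: a token that a service provider accepted but that never appears in the IdP's own issuance log was minted somewhere else, and that is exactly the condition the post describes.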

“Swatting” Moves to the Next Level

Swatting, the practice of calling in a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, is moving to the next level. As if having the police show up unexpectedly with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords, and are watching and listening to the police assault on the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how they mess with the data.

Credit: Bleeping Computer

SolarWinds Troubles Are Not Over

A second piece of malware called SUPERNOVA and a zero-day vulnerability that it exploited make it look like there may have been a second attack against SolarWinds. This appears to be a separate attack from the Russian one. The attack vector is different too – this is not an attack against the SolarWinds code base. This spells additional trouble for SolarWinds. Credit: Security Week

Covid. Vaccines. Privacy.

We definitely live in interesting times.

The virus is surging and at the same time morphing.

Two different vaccines have been approved for emergency use. More are on the way.

The country is discovering that actually getting vaccines in people’s arms is harder than talking about it.

AND, there is talk of you having to install an app on your phone to prove that you have been vaccinated in order to get on a plane, enter some venues or visit some countries. Which vaccine. How many doses. What dates.

The makers of these apps promise that your data is secure.

Maybe it is safe. To be honest, I don’t know.

Unlocking your phone and giving it to some stranger in a foreign country to prove you have been vaccinated doesn’t seem like a great strategy to me.

The process works by generating a QR code and displaying it. Maybe that can be done with the phone still locked.

And of course, everyone has their own smartphone. Everywhere in the world. Including your grandma.

Of course, there are going to be multiple apps. I am sure they will all be compatible. And certainly no one is going to say that they only accept app ‘X’ and not the one that you already have installed.

Finally, I am sure that there won’t be a black market for fake credentials and all of the apps will be hacker proof.

I wonder if there is going to be a service that you can pay for to fake whatever QR code you want.

Granted this qualifies as a “first world problem”, but we will watch what happens and report back over the next several months. Credit: CNN

SBoM is NOT a Four Letter Word

I have been ranting about Software Bills of Material or SBoM for a while. This week I have two examples of why this is important – even critical.

The first story is about a TCP/IP network stack and the vulnerability is called Amnesia:33. It impacts four open source libraries – uIP, FNET, picoTCP and Nut/Net. Contrary to some opinions, these open source, free TCP libraries are not only NOT bug-free, they are vulnerable to remote code execution, denial of service, information leaks and DNS cache poisoning.

The impact of these vulnerabilities depends on how the device is used, whether it is publicly visible and other factors.

The code is used, THEY THINK, by at least 150 different vendors on an unknown number of products. The researchers at Forescout think that at least a million devices are impacted, but that, along with the number of vendors impacted is mostly a guess. The vendor count is likely much higher as these were vendors they were able to identify.

Since these vendors (and most others) do not have a Software Bill of Materials process – EVEN INTERNALLY TO THE COMPANIES – most vendors are scrambling to figure out which products and which product versions use the impacted software. Credit: Forescout Research

In many cases, the IoT and IIoT devices are out of warranty and will never be patched. And since the companies and people who bought these devices do not have a Software Bill of Materials, which would at least tell them whether they have an affected device so that they could decide whether to replace it, the hackers will have a field day.

The second case is GnuTLS. GnuTLS is a free, open source TLS (HTTPS) library that has been around for 17 years and is used in a lot of software. It turns out that GnuTLS 3.6.x before 3.6.14 uses “incorrect cryptography”, which is a nice way to say that the crypto can be trivially bypassed.

So now all you have to do is figure out which of the hundreds of software products in your organization use this library. A few of the well known products that use GnuTLS are apt; cadaver, which is WebDAV, essentially; cURL; Wget; Git; GNOME; CenterIM; Exim; WeeChat; MariaDB; Mandos; Mutt; Wireshark; Rsyslog; slrn; Lynx; CUPS; gnoMint; GNU Emacs; Slapd; Samba; the Synology DiskStation Manager; OpenConnect; and a whole bunch of various VNC implementations.

So since everyone received a Software Bill of Materials (SBoM) with the very most recent version of each product you use, and that list is in a standardized form that you can import into a spreadsheet or database, it is easy to determine which products use GnuTLS 3.6.x where x is less than 14.

Obviously, I am being sarcastic here. I know of no manufacturers that provide computer readable SBoMs to their customers, but there is help in the wings.
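To show what the (sarcastically) easy step would actually look like once machine-readable SBoMs exist, here is an added Python example that is not from the post or from any vendor. It reads a set of SBoMs in a CycloneDX-style JSON shape (a "components" list with "name" and "version" entries, an assumption about the format) and reports which products carry GnuTLS 3.6.x with x below 14, the range the post names. The product names and inventories are constructed.

```python
"""Match a stack of SBoMs against one vulnerable version range.

Added example, not from the post. Assumes CycloneDX-style JSON input
(a top-level "components" list whose entries have "name" and "version").
"""
import json
import re

# Constructed sample SBoMs for four hypothetical products.
SAMPLE_SBOMS = {
    "product-a": json.dumps({"components": [
        {"name": "gnutls", "version": "3.6.13-2"},
        {"name": "zlib", "version": "1.2.11"}]}),
    "product-b": json.dumps({"components": [
        {"name": "GnuTLS", "version": "3.6.14"}]}),
    "product-c": json.dumps({"components": [
        {"name": "openssl", "version": "1.1.1g"}]}),
    "product-d": json.dumps({"components": [
        {"name": "gnutls", "version": "3.5.19"}]}),
}

# The affected range from the post: GnuTLS 3.6.x with x < 14.
AFFECTED_COMPONENT = "gnutls"
AFFECTED_MAJOR_MINOR = (3, 6)
FIXED_PATCH = 14


def parse_version(version):
    """Turn '3.6.13-2' into (3, 6, 13); stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(name, version):
    """True when the component is GnuTLS and its version is in the affected range."""
    if name.lower() != AFFECTED_COMPONENT:
        return False
    parsed = parse_version(version)
    if len(parsed) < 3:
        return False  # no patch level to compare; treat as unknown, not affected
    return parsed[:2] == AFFECTED_MAJOR_MINOR and parsed[2] < FIXED_PATCH


def affected_products(sboms):
    """Map product name -> affected GnuTLS version for every SBoM that matches."""
    hits = {}
    for product, document in sboms.items():
        for component in json.loads(document).get("components", []):
            name = component.get("name", "")
            version = component.get("version", "")
            if is_affected(name, version):
                hits[product] = version
    return hits


if __name__ == "__main__":
    for product, version in affected_products(SAMPLE_SBOMS).items():
        print(f"{product}: GnuTLS {version} is in the affected range")
```

The version comparison is deliberately numeric rather than a string compare, because "3.6.9" sorts after "3.6.14" as text; that is the kind of detail that goes wrong in a spreadsheet.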

The federal government is working on an SBoM standard. While you might say that won’t help you, consider this. NIST is required to define standards for IoT and IIoT that the government buys. It is likely that SBoM will be one of those requirements. If a company like, say, Wireshark from the list above wants to continue to be able to offer their hardware to the government, they would have to provide an SBoM, assuming NIST goes this route. If they provide an SBoM to the government then you should be able to get a copy too. Credit: Security Now

These are only two examples from this month alone of the problem. The problem is massive and most companies are not prepared to deal with it.

Companies should create an SBoM plan, understanding that this is going to be a work in progress for a while. The first place to start is with ALL internally developed and custom third party software. Getting the information for these products should be easy. Something is definitely better than nothing and even a partial SBoM for a product is better than no SBoM.

If you need assistance, please contact us.

Sharing Passwords – Everyone Does It

Do you know the password to your spouse’s computer?

What about his or her social media accounts?

His or her email accounts?

Not married, just friends, maybe with benefits – what about his or her passwords?

We will get to work passwords in a minute.

ExpressVPN asked 1,500 American adults in an exclusive but not married relationship about their password sharing habits.

Couples, they say, share a variety of passwords and, most commonly, within the first six months of dating. What could possibly go wrong?

Here is what ExpressVPN found:

The most commonly shared passwords are for video streaming (78%).

Followed by mobile devices – nothing sensitive on your phone I am sure (64%).

Then comes music streaming (58%).

47% share social media passwords and 38% share email passwords.

Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).

Given that half of Americans who marry get divorced and lots of people don’t even get married any more, the idea of sharing passwords might have some “long term” problems – as in when one of you moves on.

Now let’s move to work passwords. Everyone has their own userid and password, but in many companies, because of the way account setup is done, IT knows it too, and sometimes even your boss knows. Sometimes even your coworkers know, even if that is against company policy.

FYI, if something bad happens and you want to prosecute the employee, if you are one of the above companies, you better have some really good evidence (it is possible, but hard).

In many companies, employees, especially within a department, share passwords to some cloud services, such as those that charge by the user.

And IT often has “system” passwords – ones that “have to” be shared.

And don’t forget passwords to Internet of Things devices like, for example, your Alexa.

Let’s say that at some point the magic fades.

If you are not married you split. If you are married you get divorced. If you are employed, you leave, voluntarily or otherwise. If you are a vendor to a company, the company changes vendors.

In any of these cases, do you know what passwords are at risk? In many cases, the answer is no.

If the separation is “less than friendly” – whether work or personal – can you change the at risk passwords quickly?

Do you know if the other person has downloaded your data – business or personal – before the split?

Everyone wants to assume that people are honest and that bad things won’t happen but the percentage of employees, for example, who take data with them when they leave is high. In 2015 Biscom did a survey. 87% of employees took data with them that they created and 28% took data that others created. While these numbers are old, they are probably still in the ballpark.

Most companies don’t change passwords when employees leave because it is logistically challenging, but especially with IT folks, if they are disgruntled, they can and have done major damage. Likewise scorned lovers have done their share of damage too. All you need to do is check out the news from time to time.

Like I said, no one wants to think that relationships, business or personal, will end and even fewer think that they will end badly.

To quote Maya Angelou: “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”

Just a suggestion.

Credit: ZDnet

Security News for the Week Ending October 2, 2020

False Claims Act Means Big Fines

I had heard about the Department of Justice going after companies for misrepresenting things in federal contracts. I remember that Cisco paid a fine of less than $10 million, so I didn’t think it really meant much. But in a press release, the DoJ says that they recovered over $3 BILLION last year. That includes health care fraud, procurement fraud and other fraud. But 2019 was not an anomaly. In 2018 they recovered $2.8 billion; in 2017 they recovered $3.5 billion and in 2016, it was $4.9 billion. That is a lot of money, so if you are thinking about misrepresenting things in a government contract, you might want to reconsider. Read the details here.

911 Service in Multiple States Goes Down

Issues were reported by police departments in counties across Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington. Initially, it was thought that it was related to an outage at Microsoft at the same time. Many of the 911 dispatch centers were able to recover in less than an hour, but that turns out not to be the case; see yesterday’s blog post. Credit: ZDNet

DoJ Wins Case Against Snowden to Seize His Money

This has nothing to do with whether he is guilty of whatever. This is a simple contract dispute. If you go to work for the government and get a security clearance, you agree to let the government clear certain publications and speeches you make to make sure that you are not disclosing classified information. The Supremes have said in the past that the government can seize the proceeds from these illegal speeches and publications. In Snowden’s case, that is about $5 million. It is not clear that Snowden expected to keep the money; he knew the rules. Of course, if the money is in Russia with Edward, well, good luck. Credit: The Register

Still the Best Reason NOT to Buy Huawei Equipment

The White House has claimed that Chinese telecom provider Huawei is a national security risk – a tool of the Chinese government. That may be, I don’t know. But the Brits have been much more honest and open about things. The Brits have been evaluating Huawei’s software and they say that it is as secure against intruders as a screen door. Huawei says that these bugs prove that they are being honest. Not sure about that. Maybe they mean that they are too stupid to design backdoors for the Chinese government. Credit: The Register

Samsung has a Deal for You

Samsung has an interesting deal. They say to their advertisers that they will display an ad to an owner of one of their TVs, every time it is turned on and there is nothing the owner can do about it. They say this is about 400 times a month per TV. They use something called Automatic Content Recognition to understand whether you watch sports or movies (and what kind) or whatever and tune the ads to that. They do not tell you before you buy the TV that you are agreeing to that. Of course, if you have a dumb TV, that is not a problem, but that is not the direction the planet is going in. Perhaps buy a different brand. Credit: The Register

Universal Health Services Hit By Ransomware – 250 Hospitals Affected

UHS, which runs hundreds of hospitals and clinics, including behavioral health and addiction care, and which has concentrations of facilities in California, Texas, Nevada and Florida, has taken its systems offline. While they have not said what is going on, the scuttlebutt is that it is the Ryuk strain of ransomware. Just what a hospital needs right now. They have shifted to paper based processes, although they say their electronic medical record system was not affected (it may just be offline right now but not encrypted). Utter chaos is probably rampant. Lawsuits to follow if people die. Credit: Security Week

Is Your Computer Spying on You?

It is pretty interesting what you find when you rummage around your computer.

Most computers these days have cameras and microphones. Do you know which applications can access your camera? What about your microphone? I didn’t. In fact, I didn’t even know where to look to find the answer to that question. When I looked, I was surprised what I found.

Both of these device controls can be found in the Windows SETTINGS app.

In settings, click on CAMERA to see this:

From this screen, you can see which apps, on my computer, had access to my camera. I understand why Skype needs access to my camera (maybe – depends if you are a Skype user), but why does the 3D Viewer need it? I am not even sure what that is. Microsoft Photos? I ONLY use it to look at pictures. Disable all of those items that you do not want to give access to your camera. You can always turn it back on if you want to.

Now move onto your microphone. It is on the same screen, just further down.

Again, there are apps that I don’t even know what they are that have access to my microphone. What is the feedback hub anyway?

Note that Microsoft’s Cortana is disabled. That is because I don’t use it. If you do use it, it needs to be on.

It is unlikely that these apps are evil, but they do increase the attack surface.

Every app has the possibility of being compromised or having bugs that allow hackers to take over the app and take control of your devices.

You have probably seen people who put tape or little slides over their cameras. That pretty effectively stops people from seeing things that they should not see.

There is no equivalent way to stop apps from hearing what is going on. Tape does not solve this problem.

In some cases there is a way to handle this.

After using a laptop for many years, last year I switched to a desktop. I wanted to have a more powerful computer – multiple disk drives, an amazing amount of memory, etc.

One thing that happened as a result of that was that I no longer had a built in camera. My camera sits on top of my monitor and plugs into a USB port.

For me – and this won’t work for everyone – I unplug my camera when I am not on a video conference. That camera, an inexpensive Logitech unit, is also my computer’s microphone. When I unplug the camera, the microphone is unplugged as well.

Highly effective. I don’t know how to hack a camera or microphone that are not connected and not powered on. Consider that.

Just food for thought.