Category Archives: Security Practices

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000.  And, they don’t seem to be getting any better.  Source: BBC .

 

Researchers Figure Out How to Attack WPA 3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The First version had no security, the next version had crappy security, the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security tests.  Anyone who wants to hack it has to do so treating it as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the other attacks are side channel attacks.  They also figured out how to create a denial of service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on Github to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try and patch the holes.  The good news is that since there are almost no WPA 3 devices in use, catching the bugs early means that most devices will be patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400 pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that  the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russian’s efforts to compromise the election and it will likely fuel more conversations in Congress.  Source: Ars Technica.

 

Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, whom President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.

Facebooktwitterredditlinkedinmailby feather

Financial Institutions are Risking Customer’s Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report of 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers revealing account information, server information and other non-securely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps,  Many that were there when you bought the phone and a lot that you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know they want you to use it), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.

 

 

Facebooktwitterredditlinkedinmailby feather

Well THAT Didn’t Take Long

Last Week Microsoft Announced Microsoft Azure Sentinel, a cloud based Security Information and Event Management System (SIEM) and a Threat Hunting and Analysis Service called Microsoft Threat Experts.

As Ray and I discussed on a recent video, available on Youtube, the best outcome of that announcement is if Google and Amazon make a similar announcement.

Well guess what?

One of those two made an announcement this week at RSA.

Google’s Chronicle Backstory is a direct competitor to Azure Sentinel.  Chronicle is Google’s security arm.

Chronicle says that they have tested Backstory on organizations up to 500,000 users.  For a year,  THAT is big data.

Based on work that Google’s Threat Analysis Group used internally, this system is designed to allow a company to store petabytes of data in the Google cloud,analyze it and detect threat patterns.

The tools leverage Google’s Virus Total, which analyzes millions of malware samples, probably every day,  and includes a dashboard called Nirvana.

Google says that you can upload your data –  DNS traffic, Netflow data from your firewalls, endpoint logs, proxy data, etc. and it will be indexed and analyzed.  Google SAYS that your data will remain private, but Google doesn’t have a great track record in that department.  Of course, this is a different Alphabet company, Chronicle, and they will not be ad supported.

One thing that Google did at launch that Microsoft has not done, except vaguely, is announce what they call an Index Partner program – companies that have agreed to integrate with Backstory.  They are demonstrating Carbon Black (an endpoint security product) and their integration with Backstory.  They will be demoing Backstory at booth 2251 at RSA this week.

CAVEAT:  Both of these technologies are young;  neither has announced pricing.

Still this is nothing short of wonderful for the user community.

Maybe Amazon will be next.  Surely, even with Mr. Bezos’ current personal distractions, he didn’t miss this one-two punch.

Stay tuned – closely tuned.  This is good for you and me.

Source: Medium

Facebooktwitterredditlinkedinmailby feather

Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers that had compromised a law firm and its customer Hiscox insurance – or said differently Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since  the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox’s story was “it wasn’t us” meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox;  if they gave it to someone else, that is Hiscox’ problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about a vendor cyber risk management (VCRM).  Between Hiscox’s clients and Hiscox and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn’t really solve the problem.  

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language. 

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for BK and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
    And they are drunk

BE PREPARED!

Information for this post came from Motherboard.

 

 

Facebooktwitterredditlinkedinmailby feather

What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia of ALoP (Thanks James!)

YOU need to consider your ALoP in a particular circumstance. 

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But, that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.   If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.

Facebooktwitterredditlinkedinmailby feather

eCommerce Sites Hacked by Their Ads

The Magecart malware has stolen credit card information from such high profile web sites as British Airways,  Ticketmaster and Newegg.

The malware works by inserting a little bit of code – usually Javascript – into the page(s) of a web site that collects credit card information.  When a customer visits that page the  malware collects the credit card data, usually encrypts it and then sends it on to the attacker.

Sometimes the hackers break into the target website and insert the code but other times they compromise software libraries that web site developers use.

Now there is a new version of the Magecart malware.

Instead of infecting the website, this version infects the advertisements that run on those websites.

The ads get inserted when the web page is delivered and the malware is unleashed.  The credit cards are stolen in the same manner as the other attacks.

The reason that this is attractive to hackers is that if you can infect the advertising software you will be able to attack hundreds, thousands or even more web sites at once.  To a hacker, that is nirvana.

What is depressing to the merchant is that the attack is not under their control because they don’t have any visibility into the ads that are shown  on their websites.  For more details on how the attack works, visit the link at the end of this post.

So what is a merchant to do?

There are some things that you can do.

If you run a web server, most data transfers should be as a result of responding to an inbound request from a potential customer.  

When the hacker sends the credit card data to its collection machine, it is initiating an outbound session that isn’t based on a customer request.  Those should be blocked or at least scrutinized.

Also you can look at the metrics of how much data you send in response to a customer request.  If the hacker is moving data in large blocks, that might be a tip off.

The hackers could send the data to a server in the US or at Amazon, but they also might send the data to a server offshore.  Unless your business is international, you should block those off shore connections and if your off shore business is limited – say to Europe – then block connections to Africa and Asia.

Finally, check your code and query the ad networks that you use.  Everyone should be sensitive to the issue and if you don’t get an answer that you like, there are other ad networks.

Information for this post came from Bleeping Computer.

 

Facebooktwitterredditlinkedinmailby feather