Category Archives: Security Practices

What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia, or ALoP (Thanks James!).

YOU need to consider your ALoP in a particular circumstance. 

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But, that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.   If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.


eCommerce Sites Hacked by Their Ads

The Magecart malware has stolen credit card information from such high profile web sites as British Airways,  Ticketmaster and Newegg.

The malware works by inserting a little bit of code – usually Javascript – into the page(s) of a web site that collects credit card information.  When a customer visits that page the  malware collects the credit card data, usually encrypts it and then sends it on to the attacker.

Sometimes the hackers break into the target website and insert the code but other times they compromise software libraries that web site developers use.

Now there is a new version of the Magecart malware.

Instead of infecting the website, this version infects the advertisements that run on those websites.

The ads get inserted when the web page is delivered and the malware is unleashed.  The credit cards are stolen in the same manner as the other attacks.

The reason that this is attractive to hackers is that if you can infect the advertising software you will be able to attack hundreds, thousands or even more web sites at once.  To a hacker, that is nirvana.

What is depressing to the merchant is that the attack is not under their control because they don’t have any visibility into the ads that are shown  on their websites.  For more details on how the attack works, visit the link at the end of this post.

So what is a merchant to do?

There are some things that you can do.

If you run a web server, most data transfers should be as a result of responding to an inbound request from a potential customer.  

When the hacker sends the credit card data to its collection machine, it is initiating an outbound session that isn’t based on a customer request.  Those should be blocked or at least scrutinized.

Also you can look at the metrics of how much data you send in response to a customer request.  If the hacker is moving data in large blocks, that might be a tip off.

The hackers could send the data to a server in the US or at Amazon, but they also might send the data to a server offshore.  Unless your business is international, you should block those offshore connections, and if your offshore business is limited – say to Europe – then block connections to Africa and Asia.

Finally, check your code and query the ad networks that you use.  Everyone should be sensitive to the issue and if you don’t get an answer that you like, there are other ad networks.
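As an added example (not code from the original post or from any of the vendors it names), here is the egress review the three points above describe, run over constructed flow records: it flags sessions the web server opened on its own rather than in reply to a customer, unusually large outbound transfers, and destinations outside the countries the merchant actually serves. The flow-record fields, the allowlists and the GeoIP country codes are assumptions.

```python
# Added example, not from the original post. Scans constructed outbound flow
# records from a web server and reports the patterns the post describes.
from ipaddress import ip_network, ip_address

# Assumptions: each flow is a dict from a hypothetical flow log; 'initiator'
# says which side opened the TCP session; 'country' comes from a GeoIP lookup.
ALLOWED_COUNTRIES = {"US", "DE", "FR"}           # markets this merchant serves
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]    # e.g. the payment processor (TEST-NET)
LARGE_BYTES = 512 * 1024                         # larger than any normal checkout reply

def flag_flow(flow):
    """Return the reasons this flow deserves scrutiny (empty list if none)."""
    reasons = []
    dst = ip_address(flow["dst"])
    # The server itself opened the session and the peer is not a known dependency.
    if flow["initiator"] == "server" and not any(dst in net for net in KNOWN_EGRESS):
        reasons.append("server-initiated session to unknown destination")
    # Skimmed card data tends to leave in blocks far bigger than a page reply.
    if flow["bytes_out"] > LARGE_BYTES:
        reasons.append("large outbound transfer")
    # Offshore destination the business has no reason to talk to.
    if flow["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"destination country {flow['country']} not in allowlist")
    return reasons

def review(flows):
    """Map each suspicious destination to its reasons; clean flows are omitted."""
    return {f["dst"]: r for f in flows if (r := flag_flow(f))}

# Constructed sample flows (TEST-NET addresses, not real infrastructure).
SAMPLE_FLOWS = [
    # normal: a customer opened the session, small reply, allowed country
    {"dst": "198.51.100.10", "initiator": "client", "bytes_out": 40_000, "country": "US"},
    # normal: the server calls the payment processor it is known to use
    {"dst": "203.0.113.5", "initiator": "server", "bytes_out": 2_000, "country": "US"},
    # suspicious: the server opens a session to an unknown host offshore and sends a lot
    {"dst": "192.0.2.77", "initiator": "server", "bytes_out": 900_000, "country": "ZZ"},
]

if __name__ == "__main__":
    for dst, reasons in review(SAMPLE_FLOWS).items():
        print(dst, "->", "; ".join(reasons))
```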

Information for this post came from Bleeping Computer.


Georgia Patches Election Web Site Two Days Before Elections – Calls it Normal

I am not sure who we should be more concerned about – us or them.

The Georgia Secretary of State, who is also running for Governor, has accused the Democrats of unsuccessfully trying to hack the state’s election system and referred it to the FBI.

Propublica is reporting that Kemp, the Secretary of State, quietly patched the web site on Sunday (it is reported that they rewrote the code; how extensive that might be is unclear) after saying the site was secure and had no vulnerabilities.

Kemp said that State Democrats had committed possible cyber crimes after the Dems were notified by someone that he had found gaping security holes in the state’s voter information web site.

A Kemp spokesman denied vulnerabilities existed in the state’s voter lookup site and said that they could not reproduce the problem.

Propublica validated part of the tipster’s claim but other parts did not work after the state made fixes to the web site less than 48 hours before the midterm elections.

On top of all that, on Monday, Kemp’s spokesman claimed that they made changes to the site to support volume, but experts claim that the changes she said were made were, in fact,  not made.

From an operational stability viewpoint you would NEVER make a change that close to a major event for fear of breaking something.  Georgia likely has been testing and retesting their web site and other IT systems for months to make sure that nothing breaks today and to make major changes a day or two before the election likely meant that they did, in fact, find serious problems and felt that they had to fix them.  Minor problems would have been ignored because the very last thing that Kemp would want would be for the site to be down or go down on election day.

The Democrats, for their part, claim they forwarded the information to the FBI, Homeland Security and the State of Georgia by mid-day Saturday.

A more likely explanation for Kemp’s actions is that he is not happy that they reported the problem to the FBI and Homeland Security rather than quietly telling him so he could fix it without telling anyone.  Now he is both embarrassed and has a reputation problem after saying the site is secure.

Welcome to politics in America.  By the way, who knows if the Chinese and Russians were aware of or abused these security holes.  No one is saying.

Information for this post came from Propublica.


Cell Phone Providers Want to Protect You. Really!

I don’t know about you, but I am not inclined to believe that my cell phone provider is the best company to protect my security, but they disagree.  And who knows – maybe it could work.

The basis of Project Verify is that each cell phone has a unique fingerprint that allows the carrier to identify your phone and use that verification to log you in to your favorite (cooperating) web site.

They say that it verifies your identity using information from your SIM card, IP address and account tenure.  They have not released the details yet of how it will work.

One thing that is concerning is that they say that consumers will be able to control the information that they share and consent to how it is used.  It is unclear if that means that the cellular providers want to be the keeper of your data, doling it out as they see fit.   Maybe that is not the case – they have not said yet.

What is clear is that what we are doing today is not working.  People pick easy to guess passwords (like Password or 12345678).  They refuse to use two factor authentication because it involves a teeny, tiny bit more work.

So, if this really works it could be a big improvement.

But we do need to remember that hackers are already targeting – pretty successfully – cellular carriers and all this will do is make the cell provider an even bigger target.

Right now cell phone NUMBER theft is big business because if you steal someone’s number you will be able to get their text messages which is what you need to reset passwords.

But as I understand this system, the security is tied to the bits on the SIM card itself, so stealing the number won’t help anymore.

Stay tuned.

Information for this post came from The Verge.


Fiserv Security Flaw Exposes Your Banking Data – Even if You Don’t Bank Online

Sometimes even if you try to be safe, it doesn’t work the way you want.

Fiserv provides banking software to over a third of all banks.  They have 24,000 employees and almost $6 billion in revenue.  Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.

Apparently, if you signed up for alerts, they sent you an email with a link to the alert, but they violated one of the most basic security rules.  The link contained a pointer to the alert and those alerts were numbered serially as in 1, 2, 3, 4.  What this means is that if you change the alert number in the link the bank sends, you can look at someone else’s alert.
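As an added illustration (this is not Fiserv’s code), here is the flaw just described beside a fixed version: the alert lookup trusts the serial number from the link, so changing the number returns someone else’s alert; the fix ties the lookup to the logged-in customer and, better still, hands out a random token instead of the guessable id. The alert store, user names and function names are hypothetical.

```python
# Added example, not Fiserv's code: an alert lookup keyed by a serial id,
# before and after the ownership check the post says was missing.
import secrets

# Constructed data: three alerts belonging to two customers (hypothetical).
ALERTS = {
    1: {"owner": "alice", "text": "Low balance on checking"},
    2: {"owner": "bob",   "text": "Large withdrawal posted"},
    3: {"owner": "alice", "text": "New payee added"},
}

def get_alert_vulnerable(alert_id, current_user):
    """Before: the id from the emailed link is trusted; the logged-in user is ignored,
    so alert 2 is readable by alice simply by editing 1 to 2 in the URL."""
    return ALERTS[alert_id]["text"]

def get_alert_fixed(alert_id, current_user):
    """After: the row must belong to the caller, or it does not exist for them."""
    alert = ALERTS.get(alert_id)
    if alert is None or alert["owner"] != current_user:
        return None          # same answer for 'missing' and 'not yours'
    return alert["text"]

# Stronger still: put an unguessable token in the link instead of the serial id,
# so the link carries nothing an attacker can simply increment.
TOKEN_TO_ID = {}

def issue_link_token(alert_id):
    """Create a random token for the emailed link that maps back to one alert."""
    token = secrets.token_urlsafe(32)
    TOKEN_TO_ID[token] = alert_id
    return token

def get_alert_by_token(token, current_user):
    """Resolve the token, then still enforce ownership (defense in depth)."""
    alert_id = TOKEN_TO_ID.get(token)
    return None if alert_id is None else get_alert_fixed(alert_id, current_user)
```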

The guy who found it tried to get Fiserv’s attention (one more time a company’s incident response process failed).  He reached out to Brian Krebs.  Brian, whose web site attracts almost a million unique visitors a month, tested the flaw by opening bank accounts at a couple of small banks and trying it out.

While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.

After Krebs reached out to Fiserv (it is amazing what happens when you tell a company’s PR department that you are going to tell a million people that their security sucks), Fiserv developed a patch within 24 hours.  They deployed the patch to their cloud customers that day and their non-cloud customers that night.

So what does that mean for you?

First, Fiserv does get some brownie points because once Brian (Krebs) contacted them, they developed a patch basically instantly.  

On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you who or how to contact in case of a security issue.

For your company, how would a security researcher or a user know how to report a security problem?

If it isn’t very simple, you need to fix that.  It could be as simple as a link on the contact us page or something else.

Next, how come when the guy who found it reported it, it did not get escalated to the right group?  Is this a training problem?  How would that work in your company?  Train people.  Report it to the incident response team.  Do not over think it.  JUST REPORT IT.  This is shades of the DNC hack.  We don’t want people to over think it.  Just give the incident response team whatever information you got and let them handle it from there.

Web sites will have bugs.  How you deal with them and how quickly is what can distinguish you from the next guy.

Source: Krebs On Security.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have let the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones which, if Samsung can figure out what is happening, they may be able to develop a patch and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.
