Category Archives: Security Practices

Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike money you can’t deposit it in a bank where there is government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets.  Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on for ever, so those robbers need to not make any mistakes.  Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old fashioned stick-em-up (although that was the first time a Bitcoim stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.   After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.

Facebooktwitterredditlinkedinmailby feather

Not A Great Month for Intel

As if it wasn’t already a bad enough month for Intel, it just got a bit worse.

This is not related to Spectre or Meltdown;  this is an entirely new problem.

Intel processors have a remote management engine called Active Management Technology or AMT.  This allows corporate administrators to remotely take over those computers to manage them.

If the person “taking over” the computer is a good guy, then people don’t consider it a problem;  if it is a hacker “taking over” the computer, then it is a serious problem.

There are around 100 million computers that have been built in the last decade that have Intel’s Active Management Technology installed.

Last May Intel patched some bugs in AMT;  then last November they rushed out some more patches that fixed vulnerabilities that had been around since 2015.  Now there is a new vulnerability.

Except in this case, Intel is saying it is a feature.

This feature-bug was discovered last July and kept quiet until now.

The good news is that it does require physical access to the computer, but only for a minute or two.

All the attacker has to do is reboot the computer, enter the bios and configure the Intel Management Engine BIOS Extension (IMTBx).

The attacker will get a screen like this and can then set their own password.

Once they have done that, the hacker can bypass Bitlocker, Trusted Platform Module IDs and BIOS passwords.

One more time, Intel and PC Manufacturers configured the IMTBx with a single, default stupid password – ADMIN .  Technically, the password is admin – lower case.  Who would ever guess that?

This is one more example of SECURITY or CONVENIENCE, pick one.  Setting the password to admin is easier than making it unique to each machine or forcing people to change it the first time they power on the computer.

The hackers  can then enable remote access and take over the computer from anywhere in the world.

Of course, if the vendor or company changed the default password then this trick won’t work.

AND,  it would not have been a problem if Intel didn’t choose a stupid default password.

Intel tried to shift the blame on this one.  They said that they told OEMs in 2015 and again in 2017 to change the default password and improve security.

So if they thought this was a problem, why didn’t INTEL change that default password ?   Nice try blaming others, but it won’t work.

Also, this particular attack only works one computer at a time, so it would be used for targeted attacks.  Given that Intel announced the problem THREE years ago, you have to assume that the bad guys understand how to exploit this.

There is some good news, however, you can change the default password yourself and stop any attack.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Processor Security Flaw Keeps Morphing

Last week news was leaked of a problem with Intel processors built since 1995.  The problem – they could be hacked to possibly leak important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that they released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw.  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have AMD processors in them because AMD gave them bad technical specs and if you install the patch on one of those computers they turn into a really, really, expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit .  Until some hacker posts sample code on the Internet.

The industry is not used to such an all encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released to applications like Safari and Firefox and many others.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.

 

Facebooktwitterredditlinkedinmailby feather

White House Plans To Ban Staffers and Guests From Using Personal Cell Phones

Several months ago the White House floated a trial balloon about banning the use of personal cell phones by staffers in the West Wing due to security concerns.  You may remember that John Kelly was using his personal cell phone for government business and it was owned by hackers for six months before he figured out he had been hacked.

This week the White House said it plans to implement this ban – not only for staffers, but also for guests.  One assumes this does not include the Tweeter-in-Chief, who uses his old, non-secure personal cell phone to tweet.  Perhaps the White House has figured out how to create security patches for President Trump’s old cell phone (I believe it is running Android 4.x; the current version being 7 with 8 in testing).

This generates way too many questions.

Sarah Sanders said, basically, that the White House technology infrastructure is too fragile to handle all these wireless phones.  She did not point to trying to stop staff from using those phones to leak info to the media.  Given that places like Mile High Stadium can support 70,000 plus wireless users during a Broncos game, maybe the White House needs to talk to the Broncos to figure out how to support less than 500 users.

A White House official also said that personal cell phones are not as secure as government issued ones.  Possibly true, but no guarantee. Remember, this is not about using personal phones for government business, but rather using personal phones for personal business.  Which brings up another issue.  If staffers are required to use government phones during the day, will there be a change in the law to accommodate them using their government phones for non government business like coordinating day care or communicating with a spouse or other family members?  Will those conversations somehow be filtered out from FOIA requests and government archive requirements.  Those sound like a challenge to me.

They said that staffers could use their government issued phones for government business.  I don’t think government business includes talking to their spouses, children or parents.  People run  their lives off their cell phones.

They also said that guests cannot use their personal cell phones.  I guess they expect guests to go radio silent since they likely do not have government issued cell phones.

Apparently, this ban does NOT include the press.  Interesting.

It is an interesting problem and given that John Kelly may have been broadcasting sensitive information to hackers or the Chinese for half a year, it is a real problem.

Soldiers who work in places like the Pentagon are used to not having access to cell phones.  Now people who work in the White House will have to deal with similar issues.

The government has been challenged for a while to hire the best and the brightest.  Long hours, low pay, the uncertainty of promotions all compare unfavorably to the private sector.  Government agencies are already feeling this brain drain.  Adding tech restrictions certainly won’t help recruitment.

It is important to understand that the final rules aren’t out yet, so stay tuned for details next week.

Life does not always have neat, clean answers.

Information for this post came from Fox News.

 

Facebooktwitterredditlinkedinmailby feather

White House Considering Banning Personal Cell Phones

In a move that the White House says is for security, John Kelly is considering banning personal cell phones.

On one hand, you can’t blame them.  After all, Kelly’s own personal cell phone was hacked for six months before they figured it out.

On a self serving theme, it is possible that it might cut down on leaks, but I doubt that would really make much of a difference.  If they are going to talk to the press, they will do it off the White House grounds.

From the staff’s perspective, they work somewhat insane hours and being cut off from their families for that long would be, at least for me, a reason to find a different job.  Given the pressures of the job, it is probably hard to find good people anyway and if you add another barrier, it just makes finding people harder.

If a staffer uses a government issued phone to talk to their family and friends, the question comes up about open records and how much would be exposed.  Also, government issued phones can’t do text messages and most families live on those.  I assume you could not install snap chat or telegram or signal on a government phone.  It just seems like a mess.

Government phones can’t access GMail;  I am sure no White House staffers use that.

In addition,  government officials for years have gotten into trouble for using personal phones and personal emails for government business (think Hillary Clinton or Collin Powell, for example), so banning personal phones helps fix that problem, MAYBE.  On the other hand, they also get in trouble for using government phones and emails for personal business.

Now, if this rule goes through, you just made things even harder.  If someone told you that you couldn’t access your personal phone, text messages, social media or personal email for say, 12-18 hours a day, would you take the job?  I suspect a lot of people would not.

It is fair to assume that foreign powers would love to tap into govies’ phones, so there is no easy answer.

Stay tuned for more details.

Information for this post came from Bloomberg.

Facebooktwitterredditlinkedinmailby feather

A Warning About Two Factor Authentication

I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.

The situation that I encountered was a user that was using text messages for two factor authentication and those text messages were going to his cell phone.  Without understanding the implications, the user cancelled that cell phone and lost control of the phone number.  When that happened, the user lost the ability to sign into the account protected by that phone number.

This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it.  I have to admit, I have used it.  Typically they send an email to the registered email address and you can reset your password.  If a hacker gets into your email they too can reset any password, which is why I say that it too easy.

The problem/question is if you lose access to your phone number (and notice I didn’t say your phone, but rather your phone number because if you lose your phone but still control the number, you can move that number to any new phone and still get those text messages), does the vendor have a mechanism to recover access to the account.

Lets say you protect your bank account with two factor.  Likely, you can go into the bank in person, show a banker your government issued picture ID and they can remove the two factor requirement or change the phone number.  MAYBE.  Worst case, you can go into that same bank and close your account, take your money and open a new account.

But what if the account is Facebook.  There is no Facebook store to go into to do the same thing and closing your Facebook account will cause you to be disconnected from everyone.  Of course, possibly, losing access to Facebook might give you a lot of time back in your day.

OK, so now I scared you out of using two factor authentication.  Let me see if I can make you OK with two factor.

First, if the web site allows it, you should create a backup authentication option.  For example, many companies will allow you to get your second factor via text message OR phone call. Or possibly via text message OR email.  If they allow that, then make sure that you set that up.  That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email.  DO NOT make the phone number the same phone number that you get your text messages from.  Remember that the issue is that you lost control of that phone number.  Use a home phone or work phone or spouse’s phone or just something different.

Next, make sure that you keep track of what those second methods are.  Sometimes a web site will display an option showing you how you can receive the second factor.  If it does, pay attention and make sure that you still have access to it.

Do not release your phone number unless you are sure that anything that you are using it for has been accounted for.  If you have to change your phone number for some reason, look at all the accounts that use it to protect and disable two factor before you get rid of that number and then turn it back on with the new number.

Talk to your phone carrier and add a password to your mobile phone account.  While hackers can sometimes social engineer their way around that, it makes it more difficult.  That will reduce the odds that you will lose access to that phone number.

Finally, ask the vendor what their policy is for resetting two factor authentication.  Even Google has a method to do this.  It is a bit of a pain and it can take a couple of days, but it is possible.

As two factor becomes more popular, vendors are going to have to deal with this  new reality, but it will take some time.

Finally, if you use two factor authentication apps like Facebook Authenticator, those are more portable.  As long as you don’t lose access to your Facebook account, you can still access authenticator – from any phone – as long as your access to Facebook is not protected solely by a two factor authentication to that lost phone NUMBER.

I know, something else to worry about.  I think as long as you set up two different methods to receive that second factor, you are pretty safe.  Just keep it in mind.

 

Facebooktwitterredditlinkedinmailby feather