Category Archives: Security Practices

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with its third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, the month at the end of which GDPR came into effect, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have let the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers, said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones; if Samsung can figure out what is happening, they may be able to develop a patch, and that patch would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years.  This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.


Hackers Infect 500,000 Routers and Growing

Cisco has released an advisory that half a million consumer and small business routers, and counting, have been infected with malware dubbed VPNFilter.

The malware was detected infecting routers from:

  • Linksys
  • MikroTik
  • Netgear
  • TP-Link
  • QNAP storage devices

The researchers have not figured out a test that a consumer or small business can use to detect whether a particular router is infected or not.

On top of that, there is no “patch” that will inoculate a router against the malware.

The infection is affecting routers in 54 countries and has grown so quickly in the last month that the researchers decided to make their research public early.  They are continuing to study it.

The malware is very flexible in what it can do – including stealing credentials and destroying the router so that the user has to buy a new one.

Among other things, the malware can, apparently, steal files and also run commands on your router, which could lead to a whole variety of different compromises of your systems.

The FBI says that it has seized a server used by the attackers.  Gee, that means that they will hijack a new server and download a new version of the malware onto the compromised devices.  Given that this control server was taken offline, it *MAY* mean that the hackers have to reinfect those devices, but apparently, that wasn’t too hard to do in the first place.

Information for this post came from Ars Technica.

OK, so given that, what do you do?

The article lists some of the routers affected.  Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular.  If you have one of the routers listed in the article, you should raise your alert level.

Rebooting the router WILL NOT remove the malware.  Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset.  Beware: if you do that, you will lose the router’s configuration and someone will have to reprogram it.  This may involve sending out a service technician to your house or office.  This, right now, is the only known way to disinfect infected routers.

I recommend putting a separate firewall between your ISP’s router and your internal computers.  This is another level of defense.  Two good firewalls are pfSense (which comes both as open source software and a commercial package) and the Ubiquiti EdgeRouter X.  Note that you will have to have some expertise or hire someone to configure it.  This will, however, give you an extra layer of protection.  And, since you are buying it, your ISP will not have the password to it.

Make sure that you change the default password in your existing router.  One possible way the infection is getting in is via default credentials.

Check to see if there are any patches to your router available from your router manufacturer.  If so, install them and repeat that process every month.

Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire and since it affects so many different devices, it is not likely to get fixed quickly.


Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike money, you can’t deposit it in a bank where there are government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement, like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case, since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets.  Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes.  Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old fashioned stick-em-up (although that was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.  After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.

Not A Great Month for Intel

As if it wasn’t already a bad enough month for Intel, it just got a bit worse.

This is not related to Spectre or Meltdown; this is an entirely new problem.

Intel processors have a remote management engine called Active Management Technology or AMT.  This allows corporate administrators to remotely take over those computers to manage them.

If the person “taking over” the computer is a good guy, then people don’t consider it a problem; if it is a hacker “taking over” the computer, then it is a serious problem.

There are around 100 million computers that have been built in the last decade that have Intel’s Active Management Technology installed.

Last May Intel patched some bugs in AMT; then last November they rushed out some more patches that fixed vulnerabilities that had been around since 2015.  Now there is a new vulnerability.

Except in this case, Intel is saying it is a feature.

This feature-bug was discovered last July and kept quiet until now.

The good news is that it does require physical access to the computer, but only for a minute or two.

All the attacker has to do is reboot the computer, enter the BIOS and configure the Intel Management Engine BIOS Extension (IMTBx).

The attacker will get a screen like this and can then set their own password.

Once they have done that, the hacker can bypass BitLocker, Trusted Platform Module IDs and BIOS passwords.

One more time, Intel and PC manufacturers configured the IMTBx with a single, stupid default password – ADMIN.  Technically, the password is admin – lower case.  Who would ever guess that?

This is one more example of SECURITY or CONVENIENCE, pick one.  Setting the password to admin is easier than making it unique to each machine or forcing people to change it the first time they power on the computer.

The hackers can then enable remote access and take over the computer from anywhere in the world.

Of course, if the vendor or company changed the default password then this trick won’t work.

AND, it would not have been a problem if Intel didn’t choose a stupid default password.

Intel tried to shift the blame on this one.  They said that they told OEMs in 2015 and again in 2017 to change the default password and improve security.

So if they thought this was a problem, why didn’t INTEL change that default password?  Nice try blaming others, but it won’t work.

Also, this particular attack only works one computer at a time, so it would be used for targeted attacks.  Given that Intel announced the problem THREE years ago, you have to assume that the bad guys understand how to exploit this.

There is some good news, however: you can change the default password yourself and stop any attack.

Information for this post came from Ars Technica.

Processor Security Flaw Keeps Morphing

Last week news was leaked of a problem with Intel processors built since 1995.  The problem – they could be hacked to possibly leak important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that they released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw.  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have AMD processors in them because AMD gave them bad technical specs and if you install the patch on one of those computers they turn into a really, really, expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit.  Until some hacker posts sample code on the Internet.

The industry is not used to such an all-encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released to applications like Safari and Firefox and many others.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.


White House Plans To Ban Staffers and Guests From Using Personal Cell Phones

Several months ago the White House floated a trial balloon about banning the use of personal cell phones by staffers in the West Wing due to security concerns.  You may remember that John Kelly was using his personal cell phone for government business and it was owned by hackers for six months before he figured out he had been hacked.

This week the White House said it plans to implement this ban – not only for staffers, but also for guests.  One assumes this does not include the Tweeter-in-Chief, who uses his old, non-secure personal cell phone to tweet.  Perhaps the White House has figured out how to create security patches for President Trump’s old cell phone (I believe it is running Android 4.x; the current version being 7 with 8 in testing).

This generates way too many questions.

Sarah Sanders said, basically, that the White House technology infrastructure is too fragile to handle all these wireless phones.  She did not point to trying to stop staff from using those phones to leak info to the media.  Given that places like Mile High Stadium can support 70,000 plus wireless users during a Broncos game, maybe the White House needs to talk to the Broncos to figure out how to support less than 500 users.

A White House official also said that personal cell phones are not as secure as government issued ones.  Possibly true, but no guarantee.  Remember, this is not about using personal phones for government business, but rather using personal phones for personal business.  Which brings up another issue.  If staffers are required to use government phones during the day, will there be a change in the law to accommodate them using their government phones for non government business like coordinating day care or communicating with a spouse or other family members?  Will those conversations somehow be filtered out from FOIA requests and government archive requirements?  Those sound like a challenge to me.

They said that staffers could use their government issued phones for government business.  I don’t think government business includes talking to their spouses, children or parents.  People run their lives off their cell phones.

They also said that guests cannot use their personal cell phones.  I guess they expect guests to go radio silent since they likely do not have government issued cell phones.

Apparently, this ban does NOT include the press.  Interesting.

It is an interesting problem and given that John Kelly may have been broadcasting sensitive information to hackers or the Chinese for half a year, it is a real problem.

Soldiers who work in places like the Pentagon are used to not having access to cell phones.  Now people who work in the White House will have to deal with similar issues.

The government has been challenged for a while to hire the best and the brightest.  Long hours, low pay, the uncertainty of promotions all compare unfavorably to the private sector.  Government agencies are already feeling this brain drain.  Adding tech restrictions certainly won’t help recruitment.

It is important to understand that the final rules aren’t out yet, so stay tuned for details next week.

Life does not always have neat, clean answers.

Information for this post came from Fox News.
