Category Archives: Security Practices

Georgia Patches Election Web Site Two Days Before Elections – Calls it Normal

I am not sure who we should be more concerned about – us or them.

The Georgia Secretary of State, who is also running for Governor, has accused the Democrats of unsuccessfully trying to hack the state’s election system and referred it to the FBI.

Propublica is reporting that Kemp, the Secretary of State, quietly patched the web site on Sunday (it is reported that they rewrote the code; how extensive that rewrite might be is unclear) after saying the site was secure and had no vulnerabilities.

Kemp said that State Democrats had committed possible cyber crimes after the Dems were notified by someone that he had found gaping security holes in the state’s voter information web site.

A Kemp spokesman denied vulnerabilities existed in the state’s voter lookup site and said that they could not reproduce the problem.

Propublica validated part of the tipster’s claim but other parts did not work after the state made fixes to the web site less than 48 hours before the midterm elections.

On top of all that, on Monday, Kemp’s spokesman claimed that they made changes to the site to support volume, but experts claim that the changes she said were made were, in fact, not made.

From an operational stability viewpoint you would NEVER make a change that close to a major event for fear of breaking something.  Georgia has likely been testing and retesting its web site and other IT systems for months to make sure that nothing breaks today, so making major changes a day or two before the election likely means that they did, in fact, find serious problems and felt that they had to fix them.  Minor problems would have been ignored, because the very last thing Kemp would want is for the site to be down, or go down, on election day.

The Democrats, for their part, claim they forwarded the information to the FBI, Homeland Security and the State of Georgia by mid-day Saturday.

A more likely explanation for Kemp’s actions is that he is not happy that they reported the problem to the FBI and Homeland Security rather than quietly telling him so he could fix it without telling anyone.  Now he is both embarrassed and has a reputation problem after saying the site is secure.

Welcome to politics in America.  By the way, who knows if the Chinese and Russians were aware of or abused these security holes.  No one is saying.

Information for this post came from Propublica.


Cell Phone Providers Want to Protect You. Really!

I don’t know about you, but I am not inclined to believe that my cell phone provider is the best company to protect my security, but they disagree.  And who knows – maybe it could work.

The basis of Project Verify is that each cell phone has a unique fingerprint that allows the carrier to identify your phone and use that verification to log you in to your favorite (cooperating) web site.

They say that it verifies your identity using information from your SIM card, IP address and account tenure.  They have not released the details yet of how it will work.

One thing that is concerning is that they say that consumers will be able to control the information that they share and consent to how it is used.  It is unclear if that means that the cellular providers want to be the keeper of your data and doling it out appropriately.  Maybe that is not the case – they have not said yet.

What is clear is that what we are doing today is not working.  People pick easy to guess passwords (like Password or 12345678).  They refuse to use two factor authentication because it involves a teeny, tiny bit more work.

So, if this really works it could be a big improvement.

But we do need to remember that hackers are already targeting – pretty successfully – cellular carriers and all this will do is make the cell provider an even bigger target.

Right now cell phone NUMBER theft is big business because if you steal someone’s number you will be able to get their text messages which is what you need to reset passwords.

But as I understand this system, the security is tied to the bits on the SIM card itself, so stealing the number won’t help anymore.

Stay tuned.

Information for this post came from The Verge.


Fiserv Security Flaw Exposes Your Banking Data – Even if You Don’t Bank Online

Sometimes even if you try to be safe, it doesn’t work the way you want.

Fiserv provides banking software to over a third of all banks.  They have 24,000 employees and almost $6 billion in revenue.  Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.

Apparently, if you signed up for alerts, they sent you an email with a link to the alert, but they violated one of the most basic security rules.  The link contained a pointer to the alert and those alerts were numbered serially as in 1, 2, 3, 4.  What this means is that if you change the alert number in the link the bank sends, you can look at someone else’s alert.
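As an added illustration (this is not Fiserv’s code and is not from the Krebs article), here is a minimal Python sketch of the flaw described above, where the emailed link carries nothing but a serial alert number, beside a hardened lookup that ties each link to an unguessable token and checks that the logged-in customer actually owns the alert.  The customer names, alert texts and ids are constructed sample data.

```python
# Added example, not Fiserv's code: the serial-number lookup described in the
# post beside a hardened version.  All data below is constructed sample data.
import secrets
from typing import Dict, Optional

# Alerts numbered serially (1, 2, 3, ...), as the post describes.
ALERTS: Dict[int, dict] = {
    1: {"customer": "alice", "text": "Balance below $100"},
    2: {"customer": "bob",   "text": "Large withdrawal: $2,500"},
    3: {"customer": "alice", "text": "Login from new device"},
}


def vulnerable_lookup(alert_id: int) -> dict:
    """Flawed handler: the only 'key' is the serial number from the emailed
    link, so a customer who edits the number sees someone else's alert."""
    return ALERTS[alert_id]


# Hardened version: the emailed link carries a random token bound to one
# alert, and the handler additionally verifies ownership against the
# authenticated session.  The token store is a hypothetical in-memory map.
TOKENS: Dict[str, int] = {}  # token -> alert_id


def issue_link_token(alert_id: int) -> str:
    """Create the value that goes into the emailed link for one alert."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not enumerable
    TOKENS[token] = alert_id
    return token


def hardened_lookup(token: str, logged_in_customer: str) -> Optional[dict]:
    """Return the alert only if the token is valid AND the session owns it."""
    alert_id = TOKENS.get(token)
    if alert_id is None:
        return None  # unknown or forged token: nothing to reveal
    alert = ALERTS[alert_id]
    if alert["customer"] != logged_in_customer:
        # Even a genuine token is useless in another customer's session;
        # this is the check the post says was missing.
        return None
    return alert
```

A failed ownership check is also a good thing to log, since a burst of them from one session is exactly what an enumeration attempt looks like.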

The guy who found it tried to get Fiserv’s attention (one more time a company’s incident response process failed).  He reached out to Brian Krebs.  Brian, whose web site attracts almost a million unique visitors a month, tested the flaw by opening bank accounts at a couple of small banks and trying it out.

While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.

After Krebs reached out to Fiserv – it is amazing what happens when you tell a company’s PR department that you are going to tell a million people that their security sucks – Fiserv developed a patch within 24 hours.  They deployed the patch to their cloud customers that day and to their non-cloud customers that night.

So what does that mean for you?

First, Fiserv does get some brownie points because once Brian (Krebs) contacted them, they developed a patch basically instantly.  

On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you who or how to contact in case of a security issue.

For your company, how would a security researcher or a user know how to report a security problem?

If it isn’t very simple, you need to fix that.  It could be as simple as a link on the contact us page or something else.

Next, how come when the guy who found it reported it, it did not get escalated to the right group?  Is this a training problem?  How would that work in your company?  Train people.  Report it to the incident response team.  Do not over think it.  JUST REPORT IT.  This is shades of the DNC hack.  We don’t want people to over think it.  Just give the incident response team whatever information you got and let them handle it from there.

Web sites will have bugs.  How you deal with them and how quickly is what can distinguish you from the next guy.

Source: Krebs On Security.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Russians or Chinese look at their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones; if Samsung can figure out what is happening, they may be able to develop a patch, and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years.  This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.


Hackers Infect 500,000 Routers and Growing

Cisco has released an advisory that a half million consumer and small business routers, a number that is still growing, have been infected with malware dubbed VPNFilter.

The malware was detected infecting routers from:

  • Linksys
  • MikroTik
  • Netgear
  • TP-Link
  • and QNAP storage devices

The researchers have not figured out a test that a consumer or small business can use to detect whether a particular router is infected or not.

On top of that, there is no “patch” that will inoculate a router against the malware.

The infection is affecting routers in 54 countries and has grown so quickly in the last month that the researchers decided to make their research public early.  They are continuing to study it.

The malware is very flexible in what it can do – including stealing credentials and destroying the router so that the user has to buy a new one.

Among other things, the malware can, apparently, steal files and also run commands on your router, which could lead to a whole variety of different compromises of your systems.

The FBI says that it has seized a server used by the attackers.  Gee, that means that they will hijack a new server and download a new version of the malware onto the compromised devices.  Given this control server was taken offline, it *MAY* mean that the hackers have to reinfect those devices, but apparently, that wasn’t too hard to do in the first place.

Information for this post came from Ars Technica.

OK, so given that, what do you do?

The article lists some of the routers affected.  Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular.  If you have one of the routers listed in the article, you should raise your alert level.

Rebooting the router WILL NOT remove the malware.  Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset.  Beware if you do that you will lose the router’s configuration and someone will have to reprogram it.  This may involve sending out a service technician to your house or office.  This, right now, is the only known way to disinfect infected routers.

I recommend putting a separate firewall between your ISP’s router and your internal computers.  This is another level of defense.  Two good firewalls are pfSense (which comes both as open source software and a commercial package) and the Ubiquiti EdgeRouter X.  Note that you will have to have some expertise or hire someone to configure it.  This will, however, give you an extra layer of protection.  And, since you are buying it, your ISP will not have the password to it.

Make sure that you change the default password in your existing router.  One possible way the infection is getting in is via default credentials.

Check to see if there are any patches to your router available from your router manufacturer.  If so, install them and repeat that process every month.

Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire and since it affects so many different devices, it is not likely to get fixed quickly.


Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike cash, you can’t deposit it in a bank where there are government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement, like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case, since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets, especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes.  Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old fashioned stick-em-up (although that was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.  After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.
