Beware Lenovo Users

Marc Rogers (white hat hacker and principal security researcher for Cloudflare) wrote about an interesting problem Lenovo users have (see article).

What is not clear is how long Lenovo has been doing this.  The good news is that a friend of Marc’s has created a test to see if your Lenovo laptop is affected.

The short version is this.  Lenovo has partnered with a company named Superfish to serve up ads to your laptop and harvest data from it.  They do this by running a man-in-the-middle proxy inside your laptop: it intercepts your connection to your bank (or any other site), presents your browser a forged certificate for that site, and relays the decrypted traffic back and forth.  If you look at the certificate, which no one does, it is signed by Superfish’s own certificate authority, not by the CA that really vouches for your bank.

They did this by installing a Superfish root certificate in the Windows trusted root store, which gives it God power: anything signed by it is trusted, so the software can generate a certificate on the fly for any web site you visit.  That only works if the root’s private key ships on the laptop too, and it does, protected by nothing more than a password hard coded into the software.  That password is “komodia”, and it is the same key and the same password on every laptop they sell, so anyone who extracts it once can impersonate any site to any affected laptop, on any network.  Komodia is the name of the company that makes the SSL interception software Superfish is built on.  Not so secure.
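To make the mechanism concrete, here is an added example (not code from the original post, and not Lenovo’s or Superfish’s software) that does with the openssl command-line tool what the interception software does on the laptop: it creates a throwaway root CA, mints a certificate for an arbitrary hostname on demand, and shows that a verifier trusting that root accepts the forgery while one trusting a different root rejects it.  It assumes openssl is installed; the hostname bank.example and the CA names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lenovo/Superfish.
# Builds a throwaway root CA the way an interception product does, mints a
# certificate for an arbitrary hostname, and checks who will accept it.
# Assumes the openssl command-line tool; bank.example and the CA names are
# constructed for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create a self-signed root certificate plus its private key. On an affected
# laptop the equivalent of $WORK/rogue.key was shipped inside the software.
make_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name interception root (constructed)" 2>/dev/null
}

# Mint a leaf certificate for any hostname, signed by the named CA. No contact
# with the real site is needed: this is the "on the fly" step of the proxy.
mint_cert() {
  ca="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -days 7 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Print the issuer of a host's certificate: the check almost nobody makes.
issuer_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# Exit 0 if the named CA vouches for the host's certificate, non-zero otherwise.
verify_with() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Demonstration: the rogue root accepts the forged bank certificate; a root
# the certificate did not come from rejects it.
make_ca rogue
make_ca honest
mint_cert rogue bank.example
issuer_of bank.example
verify_with rogue  bank.example && echo "trusting the rogue root: ACCEPTED"
verify_with honest bank.example || echo "trusting another root:   rejected"
```

The only thing separating the “honest” and “rogue” roots is which one the client has been told to trust, which is exactly what installing a root certificate on the laptop decides.  On an affected machine the hands-on check is whether a root certificate whose subject names Superfish is present in the machine’s trusted root store (on Windows, the Local Machine Trusted Root Certification Authorities store that certmgr shows).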

The site that Marc’s friend created to test for the Superfish malware is:

https://filippo.io/Badfish

If you are affected, Lenovo has created instructions for removing the Superfish software; the link is in Marc’s blog post above.  However, that removal does not remove the root certificate from the certificate store, and Marc has additional instructions to do that.

A smarter move, given we have no idea what other ‘bugs’ are hidden in the software, would be to wipe the disk and reinstall Windows from known-good media (NOT the recovery image that came with the laptop), then reinstall all the applications and finally restore your data.

China has been getting rid of Cisco network gear because they say that they can’t trust it.

It is time for the U.S. to get rid of Lenovo computers for the same reason.  If you want to understand how really dangerous what Lenovo did is, you will need to read Marc’s blog, but for those of you who are not techies, trust me (and Marc) – it is pretty serious.

But here is the real question – they got caught doing this.  What else are the Chinese doing?  I took Lenovo off my buy list as soon as IBM sold it to the Chinese.  I get to be vindicated now – we have real evidence.

If you need help, feel free to contact me.

Mitch


Russian Hacker Caught

Alleged Russian hacker Vladimir Drinkman, 34, was arraigned yesterday on charges of hacking into 16 companies, including the NASDAQ stock exchange, 7-Eleven, J.C. Penney, Dow Jones, Heartland Payment Systems and others, and stealing 160 million credit card numbers (see article).  The attacks go as far back as 2005.   Brian Krebs provides an inventory of some of the companies he is charged with attacking (see article).

The attacks occurred several years ago, and some of these companies were attacked again afterwards, but what is interesting is that Drinkman is sitting in a cell in New Jersey.

He, along with four conspirators, was indicted in the U.S. in 2009.  The indictment was unsealed in 2013.  He and one of his co-conspirators were arrested in the Netherlands; Drinkman was just extradited last week, and the other conspirator arrested with him is already in federal custody.

So how did they catch him and how did they get him to New Jersey?  Forbes had a piece that said he used encryption.  If you ask the police, encryption makes their job impossible.  Apparently not always: prosecutors have chat logs of him bragging to his friends.

Bragging usually gets you in trouble.

His bigger mistake was setting foot on Dutch soil.  None of the articles I found explained why he was there, but the U.S. and The Netherlands are mostly friendly, so getting him charged, arrested and extradited from there was bureaucratic, but relatively simple.  If he had stayed in Moscow, he would still be a free person.

While capturing these guys is still the exception, there have been a few high profile wins for the feds lately, which indicates to me that they are applying more resources to going after them.  Similar to the early 20th century, when the U.S. Marshals Service and later the FBI started going after bank robbers and more of them were apprehended, the feds are finally going after hackers.  Hopefully this is the start of a good trend.

He is scheduled to go on trial this spring assuming there are no delays.  He says he is innocent and wants to go home to Moscow.  I wouldn’t bet on that happening any time soon.  If convicted, he faces up to 70 years in the pokey.  Stay tuned.

Mitch


Why Cybersecurity Is An Imperative

I often quote the statistic that Experian promotes that 60 percent of small and medium businesses that suffer a cyber security breach go out of business within 6 months.  That is a pretty sobering number.

However, First Data reports two amazing statistics:

First, that 90 percent of data breaches hit small merchants, and second, that 70 percent of small businesses that are breached go out of business within six months (see article).   The article, reporting from a convention for independent grocery stores, goes on to say that these businesses need to take action now.

Whether either number is exact or not, the failure rate is very high, and so is the risk to the business owner and investors.

The first step to addressing the problem is a risk assessment to see where the biggest exposure is.  And it is likely you will need to hire a professional to deal with what it finds.


Mitch


10 States Going After Anthem After Data Breach

Reuters is reporting that 10 states, led by Connecticut, have sent a letter to Anthem complaining that the company is moving too slowly in notifying consumers of the data breach that affected up to 80 million customers and employees (see article).  The states are assuming that Anthem knows precisely whose data was taken, and it may not know that yet.

I hadn’t really thought about it, but this breach is really quite different from having your credit card number stolen in the Target breach.

In the Target case, under federal law, your maximum liability for fraudulent charges is $50 and many credit cards waive even that.

It is a bit of a pain: you call the credit card company, maybe sign a form, they close the card, issue you a new one, remove the charge, and you are done.

One advantage of using credit cards over debit cards, if you can, is that with a credit card you are arguing over a bill.  With a debit card the money is already gone from your bank account, and your legal protection depends on how fast you report it: under the federal rules for debit cards, your liability grows the longer the fraud goes unreported.

However, in the case of Anthem, you may have a right to sue Anthem if that data is used to, say, open a fake account in your name, but you would have to prove that you were damaged and that it was Anthem’s fault.  Even if you are successful, it could take years to go through the courts.

The states are saying that Anthem must commit to reimbursing people for any losses associated with the breach between the time of the breach and the time that the company provides access to credit monitoring services.

Ignoring that those services are far from bulletproof, and ignoring the delay between when the service is offered to you and when you actually sign up and it becomes active, the states are not asking Anthem to assume responsibility for what happens to you after you sign up for credit monitoring.

And, as I said before, the effects of this kind of fraud can last for years, unlike credit card fraud, which can be shut off by issuing a new card, so people will be dealing with this for years.

And, apparently, legally, Anthem may have to pay a fine, but if you are damaged, you are going to have to sue them to try to be made whole.

That means, if you are a current or former Anthem customer or employee, that you should be checking your credit report frequently for any bogus accounts that might be set up in your name, and consider placing a freeze on your credit files, which stops new accounts from being opened without your consent.

Mitch


Verizon Customers Hit With Bogus Phone Orders

A Denver TV station is reporting that they have received over 70 reports of Verizon customers who have been targeted by hackers who have masqueraded as them and ordered new iPhones shipped to out of state addresses.

Verizon claims that it has not been breached, and that could be true.  It could be as simple as attackers guessing these customers’ passwords, or resetting the passwords through account recovery, and then ordering phones.

For the customers, undoing the damage is very time consuming, and some reported that their phone plans were changed and they are having trouble getting the old plans restored because those plans were grandfathered in.

If you are a Verizon customer, I recommend you watch your account for unauthorized changes and make sure the password and recovery details on it are not shared with any other account.

Mitch


NSA Hacking Of Disk Drives Revealed

It’s not been a great year for the NSA.  First Snowden, and all the press they have gotten as a result of the leaked documents that seem to come out every month.

Now Kaspersky Lab, the company of Russian security researcher Eugene Kaspersky, whom I wrote about recently (see post), has revealed that it detected malware living in the firmware of disk drives from Seagate, Western Digital, Toshiba and other top manufacturers (see article).

Kaspersky found the malware on PCs in 30 countries, including Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets, they say, include banks, energy companies, nuclear research, media and activists.

Whether other hackers are aware of this malware and taking advantage of it is also unknown.

While Kaspersky did not name the U.S. as the source, it said the malware was closely related to Stuxnet, and a former NSA employee confirmed to Reuters that Kaspersky’s attribution was correct.

Because this runs in the firmware of the disk drive itself, below the operating system, it is difficult to see and difficult to remove.  Reformatting the disk or reinstalling Windows does not touch it, it is back every time the computer boots, and the only sure way to defeat it is to replace the drive; reflashing the firmware is not reliable, since a compromised controller can lie about which firmware it is actually running.  Its impact on disk encryption depends on where the encryption is done: if the operating system encrypts the data before it reaches the drive, the firmware only ever sees ciphertext, but it can still tamper with the unencrypted boot code the drive hands to the PC at startup, and so undermine the system that does the encrypting.

Like some other spying programs, the NSA, assuming it actually was the NSA, used it judiciously – only activating it on high value targets.

Kaspersky said that it would have been almost impossible to engineer this malware without access to the source code, which all of the manufacturers claim they did not provide to the NSA.

All of the manufacturers said that they have really good security. Since the malware is there and has been there since around 2000, either the manufacturers are fooling themselves or ……, you decide.

Sometimes the government asks to review source code for products it plans to buy, to look for security bugs.  If that happened, it is a very small step for that code to reach the NSA.  Alternatively, they could get someone hired as a developer and steal the code.  Kaspersky’s claim notwithstanding, drive firmware can also be reverse engineered from the update images the vendors ship, so source code is the easiest route, not the only one.

These risks would be identified in an enterprise risk assessment engagement, and then the company would need to make some decisions regarding mitigation.

Assuming this is all accurate, I am sure that the NSA is not very happy tonight, although the Russians, Chinese and others are likely very happy.

Here is likely another problem for U.S. tech vendors.  China is rapidly discarding all Cisco networking gear in the country because they fear U.S. spying.  Now countries will work to remove all U.S. computers and disk drives for the same reason.  Between cloud services, network equipment and now PCs, this could potentially cost U.S. tech companies tens of billions of dollars a year.  Of course it would be foolish to think that other countries are not doing the same thing, which is why China, for example, is manufacturing its own network equipment to replace the Cisco gear it is throwing away.

Mitch
