Misfortune Cookie bug impacts more than 12 million home and small office routers

While this is not exactly an “Internet Of Things” issue, it points out how long it takes to get things fixed and how the tail of a bug can live on forever.  In the case of the Internet of things, people rarely patch their refrigerator, so that bug will live on until the refrigerator is in a landfill somewhere.

So here is the deal.  RomPager, from Allegro Software, is an embedded web server that many device manufacturers use to provide the web interface on the devices they sell, in this case internet routers.  The bug, which I will describe in a minute, was introduced in 2002, and the developer found it and patched it in 2005.  This is 2014, 12 years after the bug was created and 9 years after it was patched, and Check Point Software, the Israeli security firm, found 12 million vulnerable devices in 189 countries still running the buggy version.  That is likely not a complete count, and they were only looking at routers.

Why is that?  Because device manufacturers don’t bother to update their software unless they have to.  It seems to be working.  People aren’t complaining.  If they upgrade it they might break something, so they leave it alone.

Is it reasonable that the bad guys knew about this bug?  Sure.  They check out patches all the time.  And since your internet router is the “responsibility” of your internet provider, unlike your laptop, you don’t worry about patching it.  In fact, in many cases, your internet provider won’t let you into your router to see if it needs to be patched.

Is it reasonable that the spy guys knew about it?  Sure.  See the paragraph above!

The bug.  RomPager mishandles a specially crafted HTTP cookie: an attacker can send one to your router, corrupt the device’s memory and make the router treat the attacker’s session as an administrator’s, at which point they can basically do whatever they want.  The bad news is that even if you turn off web administration from the outside, the router still listens for management requests from your internet provider (the TR-069/CWMP service, normally on TCP port 7547).  That listener is the same RomPager code, so the bug will still let a hacker in.

The only way to stop this is to upgrade the router to firmware built with a fixed RomPager (4.34 or later).  If your provider manages the router, that means asking them for the update, or replacing the device.
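One practical way to find out whether a router on your network is still running the buggy code is to look at the Server header its web service returns, on port 80 and on the TR-069 port 7547. The script below is an added example (not code from the post, Check Point or Allegro): it parses a raw HTTP response, pulls the RomPager version out of the banner and compares it with 4.34, the first fixed release, which is taken here as an assumption. The responses, addresses and ports are constructed for the example.

```python
"""Classify RomPager banners from HTTP responses as fixed or not.

Added example; not from the post, Check Point or Allegro.  It parses a
raw HTTP response, pulls out the Server header and compares the
RomPager version with the first fixed release (assumed here to be 4.34,
per the public reporting).  The responses below are constructed.
"""
import re

FIXED_VERSION = (4, 34)   # assumption: first RomPager release without the bug

# Constructed responses, one per target, as a banner grab on port 80 or on
# the TR-069 port 7547 might return them.
SAMPLE_RESPONSES = {
    "192.0.2.10:80":   b"HTTP/1.1 401 Unauthorized\r\n"
                       b"Server: RomPager/4.07 UPnP/1.0\r\n"
                       b"WWW-Authenticate: Basic realm=\"Router\"\r\n\r\n",
    "192.0.2.11:7547": b"HTTP/1.0 404 Not Found\r\n"
                       b"Server: RomPager/4.34\r\nContent-Length: 0\r\n\r\n",
    "192.0.2.12:80":   b"HTTP/1.1 200 OK\r\n"
                       b"Server: Allegro-Software-RomPager/4.51\r\n\r\n",
    "192.0.2.13:80":   b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\n\r\n",
}

_ROMPAGER = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def rompager_version(banner):
    """(major, minor) if the banner names RomPager, else None."""
    m = _ROMPAGER.search(banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(raw, fixed=FIXED_VERSION):
    """'vulnerable', 'patched' or 'not-rompager' for one raw response."""
    ver = rompager_version(server_header(raw))
    if ver is None:
        return "not-rompager"
    return "patched" if ver >= fixed else "vulnerable"


def scan(responses):
    """Map each target to its verdict."""
    return {target: classify(raw) for target, raw in responses.items()}


if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_RESPONSES).items():
        print(f"{target:18} {verdict}")
```

Treat the banner check as a triage heuristic, not proof: a vendor can hide or rebrand the header, and a vendor that backported the fix into an older version string would still show up as "vulnerable". "Patched" means only that the banner claims a fixed version.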

For more details and a list of suspected affected routers, see this article from Security Week.

ARGH!

 

Mitch


CERT Alert on the Sony Malware

US-CERT, part of the Department of Homeland Security, has released an alert (TA14-353A) describing the malware that took Sony apart pretty effectively.   Without going into a lot of detail, here is the high level overview:

  • The malware takes advantage of Windows SMB (Server Message Block) file sharing, which every version of Windows supports
  • It worms its way through the target’s network by brute-force guessing Windows share passwords.  It reports back to its command servers every 5 minutes with its successes and asks for new instructions
  • It has a listening implant that waits on specific ports on the infected machine, presumably for commands
  • It has a backdoor component that handles file transfer, system survey and proxying and can execute arbitrary commands.  It can even open ports on the victim’s host firewall (one reason I don’t like software based firewalls)
  • It has a proxy tool that listens on a particular port and performs a variety of administrative functions for the malware
  • It contains a destructive module that, if the user has local admin privileges, overwrites data on up to the first four physical disk drives and replaces the master boot record so the computer will not boot
  • It has a network propagation wiper that spreads through built-in network shares, drops the malware on the new machine and starts destroying that machine
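The brute-force spreading described above is noisy from the defender’s side: one workstation fails network logons against many accounts and many hosts in a short time. As an added example (not code from the alert or the post), the script below reads Windows Security event 4625 (failed logon) records that a collector has flattened to one line each, keeps only logon type 3 (network logons, which is what SMB authentication produces), and flags any source that fails against more than a threshold of distinct accounts or distinct hosts inside a sliding five-minute window. The line format, field names, thresholds and log lines are all constructed for the example.

```python
"""Spot SMB password brute forcing that fans out across a network.

Added example; not from the US-CERT alert.  Reads flattened Windows
Security 4625 records (the one-line key=value format is made up for the
example) and flags a source that fails network logons against many
distinct accounts or hosts inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines.  logon_type=3 is a network logon (SMB among others);
# event 4624 is a successful logon and is ignored here.
SAMPLE_LOG = """\
2014-11-24T03:00:01Z event=4625 logon_type=3 src=10.0.5.23 host=FS01 user=Administrator
2014-11-24T03:00:02Z event=4625 logon_type=3 src=10.0.5.23 host=FS01 user=backup
2014-11-24T03:00:02Z event=4625 logon_type=3 src=10.0.5.23 host=FS01 user=svc_sql
2014-11-24T03:00:03Z event=4625 logon_type=3 src=10.0.5.23 host=FS02 user=Administrator
2014-11-24T03:00:04Z event=4625 logon_type=3 src=10.0.5.23 host=FS02 user=backup
2014-11-24T03:00:05Z event=4625 logon_type=3 src=10.0.5.23 host=DC01 user=Administrator
2014-11-24T03:00:06Z event=4625 logon_type=3 src=10.0.5.23 host=DC01 user=backup
2014-11-24T03:00:07Z event=4625 logon_type=3 src=10.0.5.23 host=WS17 user=Administrator
2014-11-24T03:01:10Z event=4625 logon_type=3 src=10.0.7.8 host=FS01 user=jsmith
2014-11-24T03:01:15Z event=4624 logon_type=3 src=10.0.7.8 host=FS01 user=jsmith
2014-11-24T03:20:00Z event=4625 logon_type=2 src=10.0.9.1 host=WS03 user=mlee
"""

WINDOW = timedelta(minutes=5)
MAX_ACCOUNTS = 3   # distinct accounts one source may fail against per window
MAX_HOSTS = 3      # distinct hosts one source may fail against per window


def parse_line(line):
    """Turn one flattened record into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def failed_network_logons(log_text):
    """Keep only 4625 events with logon type 3 (network), in time order."""
    recs = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return sorted(
        (r for r in recs if r["event"] == "4625" and r["logon_type"] == "3"),
        key=lambda r: r["ts"],
    )


def detect_spray(log_text, window=WINDOW,
                 max_accounts=MAX_ACCOUNTS, max_hosts=MAX_HOSTS):
    """Return {src: (distinct_accounts, distinct_hosts)} for every source
    that exceeds either threshold inside some sliding window."""
    by_src = defaultdict(list)
    for r in failed_network_logons(log_text):
        by_src[r["src"]].append(r)

    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans <= `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            accounts = {x["user"] for x in span}
            hosts = {x["host"] for x in span}
            if len(accounts) > max_accounts or len(hosts) > max_hosts:
                prev = alerts.get(src, (0, 0))
                alerts[src] = (max(prev[0], len(accounts)),
                               max(prev[1], len(hosts)))
    return alerts


if __name__ == "__main__":
    for src, (n_acc, n_hosts) in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: failed against {n_acc} accounts on {n_hosts} hosts "
              f"within {WINDOW}")
```

Run on the sample, only 10.0.5.23 is reported: it failed against three accounts on four hosts within seven seconds, while the user who mistyped a password once and then logged in (10.0.7.8) stays below both thresholds. In a real environment the thresholds need tuning against vulnerability scanners and backup jobs, which also fan out across hosts, but a worm guessing share passwords will exceed any sane setting.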

As you can tell from this very brief description, this is a pretty sophisticated piece of software that someone spent a fair amount of time constructing.

Based on what is described in the alert, this malware would do a pretty good job of laying waste to any network it was found on.

The wiper is what does the actual damage; the rest is for recon and control.  Once the disk has been overwritten, recovering the data from that machine is, for all practical purposes, impossible, and the only option left is to rebuild the system from known-good media and restore from backups.  This is why Sony told employees not to turn on their computers and not to connect to the company Wi-Fi.

There were reports in the media of security experts (like Kevin Mandia of Mandiant)  saying that there was nothing Sony could have done to protect itself.  Given this analysis and the assumption that someone did something to get it started inside the Sony network (like clicking on a malicious link), I tend to agree with him.

They probably should have seen the data going out.  50 or 100 terabytes of outbound traffic is a lot, even for Sony.  But if these guys were in there for 6 months, then even that might not be obvious, and Sony may not do outbound traffic analysis at all.
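Two of the behaviours above are visible in plain flow records even when the payload is encrypted: the "report home every 5 minutes" loop shows up as a host talking to one destination at almost perfectly regular intervals, and bulk exfiltration shows up as one host sending far more bytes than its peers. The script below is an added example (not from the post or the alert) of both checks over a constructed flow export; the column names, thresholds and addresses are assumptions, and the data volumes are compressed into a handful of records for readability.

```python
"""Outbound traffic analysis: regular beacons and bulk egress.

Added example, not from the post or the US-CERT alert.  Input is a
constructed flow export (ts, src, dst, bytes_out; column names assumed).
The beacon check flags a (src, dst) pair whose connection gaps are nearly
identical; the egress check flags hosts whose total bytes out dwarf the
population median.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flows.  10.0.5.23 connects out every ~300 s with tiny payloads,
# 10.0.7.8 browses irregularly, 10.0.3.4 pushes 3.5 TB to one destination.
SAMPLE_FLOWS = """\
ts,src,dst,bytes_out
2014-11-24T03:00:00Z,10.0.5.23,203.0.113.10,512
2014-11-24T03:05:00Z,10.0.5.23,203.0.113.10,498
2014-11-24T03:10:01Z,10.0.5.23,203.0.113.10,503
2014-11-24T03:15:00Z,10.0.5.23,203.0.113.10,511
2014-11-24T03:20:02Z,10.0.5.23,203.0.113.10,500
2014-11-24T03:25:00Z,10.0.5.23,203.0.113.10,497
2014-11-24T03:30:00Z,10.0.5.23,203.0.113.10,505
2014-11-24T03:00:17Z,10.0.7.8,198.51.100.5,20480
2014-11-24T03:09:17Z,10.0.7.8,198.51.100.5,8192
2014-11-24T03:09:20Z,10.0.7.8,198.51.100.5,4096
2014-11-24T03:29:20Z,10.0.7.8,198.51.100.5,65536
2014-11-24T03:31:00Z,10.0.7.8,198.51.100.5,1024
2014-11-24T03:40:10Z,10.0.7.8,198.51.100.5,2048
2014-11-24T03:02:00Z,10.0.3.4,203.0.113.20,3500000000000
2014-11-24T04:00:00Z,10.0.9.1,198.51.100.7,150000000
2014-11-24T05:00:00Z,10.0.9.2,198.51.100.7,120000000
2014-11-24T06:00:00Z,10.0.9.3,198.51.100.7,90000000
"""


def parse_flows(text):
    """Parse the CSV-like export into dicts with a datetime and int bytes."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(cols, line.split(",")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["bytes_out"] = int(rec["bytes_out"])
        flows.append(rec)
    return flows


def beacon_candidates(flows, min_conns=6, max_cv=0.1):
    """Return {(src, dst): (count, mean_gap_s, cv)} for pairs whose gaps
    between connections have a coefficient of variation <= max_cv."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"])].append(f["ts"])
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean       # 0 means perfectly regular
        if cv <= max_cv:
            found[pair] = (len(ts), round(mean), round(cv, 4))
    return found


def egress_outliers(flows, factor=50):
    """Return {src: total_bytes} for hosts sending more than factor x the
    median per-host total.  The median is a crude baseline; a per-host
    history over weeks is better, but the idea is the same."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
    baseline = statistics.median(totals.values())
    return {src: b for src, b in totals.items() if b > factor * baseline}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), (n, gap, cv) in beacon_candidates(flows).items():
        print(f"beacon? {src} -> {dst}: {n} connections every ~{gap}s (cv={cv})")
    for src, total in egress_outliers(flows).items():
        print(f"egress: {src} sent {total / 1e12:.1f} TB")
```

On the sample, the beacon check reports only 10.0.5.23 to 203.0.113.10 (seven connections, mean gap 300 s, cv well under 0.01) and the egress check reports only 10.0.3.4. The beacon test is the one to tune carefully: software updaters and monitoring agents also poll on fixed intervals, so in practice you whitelist known destinations and look at what is left.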

Mitch


Hackers hit Second OPM Background Investigations Contractor

According to Washington Technology, hackers have gone after KeyPoint Government Solutions, a contractor that performs background investigations for security clearances on behalf of the Office of Personnel Management.  If you have ever held a Department of Defense or other government security clearance, you know the information you provide is extremely detailed; the SF-86 form can run well over 100 pages when completed.  OPM is notifying almost 50,000 people that their information may have been taken.  “May have” because they don’t really know.  I assume they don’t know because KeyPoint did not have sufficient controls in place to tell what the hackers took.  OPM says that KeyPoint is adding more controls as a result of the breach, but beyond that, they are saying very little.

Curiously, USIS, the contractor OPM used to use, and most famous for having performed Edward Snowden’s background investigation, was also hacked this year; OPM cancelled its contracts, and USIS laid off 3,000 employees.  The fact that OPM is handling these two breaches very differently will no doubt get some attention on Capitol Hill.

It is more than a little disconcerting that two different contractors who handle security clearance investigations for the government were hacked this year.  It says something about the (lack of) security requirements in the contracts that OPM issues to its vendors.

They are the government so they can get away with a lot more than you or I can.

While it is fun to beat up the government, it is, unfortunately, like taking advantage of someone who is not very good at what they do.

The lesson to be learned here is that you should review whether or not you are effectively vetting the security of subcontractors and vendors that you use.  Do your contracts have specifics regarding security practices, policies and technology?  If what happened to Keypoint and USIS happened to you, it would likely have a large effect on your business.  USIS had to shut down an entire division.

Mitch

 


Terrorism Risk Insurance Act

After 9/11, Congress passed TRIA, the terrorism risk insurance act. They did this after insurance companies paid out more than $40 billion in claims from 9/11 and reinsurers – the companies that backstop the insurance companies – withdrew from the market.  When the reinsurance market dried up, insurers stopped covering terrorism claims.

The result was that businesses could not get insurance to cover terrorist attacks like the attack on the World Trade Center.  TRIA was renewed in 2007 and, absent Congressional action, will expire on December 31st, 10 days from now.  Given that Congress is in recess, a renewal before then is not going to happen.

Some businesses won’t lose their coverage immediately, but many policies contain a clause that voids the policy in the event of a claim if TRIA is not in effect.  So, while that group won’t technically lose their coverage, any claim they make will be denied, which in effect means they have lost it.

Industries such as real estate (large commercial buildings), transportation (airlines), utilities (power plants) and others depend on terrorism coverage as part of their business risk mitigation strategy.  Assuming they don’t have any terrorism coverage and something happens, they would have to pay all the costs out of their own pocket.  The good news is that a terrorist attack is pretty unlikely.  So was the Sony attack.

Whether insurance companies will stop offering terrorism coverage, as they did in 2002, is unknown.  Whether they will cancel existing policies is also unknown.  If TRIA is not renewed and they do offer coverage, it will come either at a much higher price or with lower coverage limits.

Events like the Super Bowl and the Soccer World Cup have terrorism coverage in the very unlikely event that some wing nut decides to make a statement.  The World Cup almost didn’t play the final game a few years ago due to challenges in getting coverage.

If builders of large commercial projects cannot get terrorism insurance, banks would likely not lend them money – you get the idea.  The potential ripple effect on the economy is significant.

One assumes that when Congress reconvenes in January they will take up the issue of TRIA.  Hopefully, they will come to some sort of agreement that the President is willing to sign.  If not, expect some changes in your commercial liability policy.

What happens between January 1 and when or if TRIA is resurrected is unknown, but those in commercial real estate and other industries are no doubt paying close attention.

Mitch

 

——————————————————————–

References:

The Connecticut Mirror – Senate’s failure to act on terrorism risk insurance roils insurance industry

Bloomberg – The unexpected threat to Super Bowl XLIX


Sony cancels release of The Interview

After the Sony hackers threatened movie theatres and movie goers if theatres showed the Sony movie “The Interview”, Sony announced today that it was cancelling the release.

USA Today put the production cost of this movie at near $44 million, which Sony stands to lose if it does not release the movie, but the risks to both theatre owners and Sony are too great if the movie were released and someone, even a copycat, were to blow up a movie theatre.

While some people complained that Sony was giving in to the attackers – and they are – those are the same people that would sue Sony if something happened, so it is a no win for Sony.

As a side note, the Terrorism Risk Insurance Act – the law that was enacted after 9/11 as a backstop for the insurance industry in case of a multi-hundred-million dollar claim as a result of a terrorist act – was not renewed by Congress and expires on December 31st.  While we do not know if Congress will renew it next year, the expiration of TRIA gives the insurance companies the right to cancel terrorism risk policies on January 1st.  Given that a claim could cause an insurance company to become insolvent, it is certainly possible that insurance companies will cancel policies after the 1st, leaving large building owners and events like the Super Bowl on their own to cover risk from a terrorist act that causes a big claim.

Mitch


Is your small business safe from cyber attacks

In light of the recent cyber incidents, small and medium sized business owners should be looking at their cyber readiness and asking “Am I safe from cyber attacks?”.

Unfortunately, for many businesses, the answer is no.  The Huffington Post wrote an article on the issue and I think that some of the points that they made are worth repeating.

According to the National Cyber Security Alliance, one in five small businesses fall victim to a cyber attack each year.  Of those, 60 percent go out of business within 6 months.

There are likely a few reasons for this.  First, small and medium businesses are likely to not have a cyber risk plan, are less likely to have good security controls, are less likely to focus on good security hygiene and are less likely to have a plan in place if a breach occurs.

Second, small and medium businesses likely don’t have cyber risk insurance and if they do, the limits are inadequate.  The costs of dealing with the breach put them out of business.

Using my poster child as an example, Sony, here is what is being said.  Scale the numbers up or down for your business size, but the results are the same.

They had a cyber and media liability policy, but because of previous claims their insurer declined to renew it.  They went to Lockton and obtained a $20 million policy with a $10 million self-insured retention (meaning Sony pays the first $10 million, the insurer covers the next $20 million, and above that Sony is on the hook).

This year, they got a new $10 million policy from AIG and then a month later they hired a different broker, Marsh, to review their options.

They selected a $60 million policy with $5 million in self insurance.

Given Sony’s size, $60 million is WAY undersized and as we are seeing from the events of this month and last, Sony is going to be writing a large check out of their checkbook.

The article reports on a business impact analysis done at Sony in 2008 (hopefully they have done one since, but maybe not) which puts the cost of an outage of various systems at anywhere from $2 million to $6 million a day.  Almost all systems were down for a week, and even excluding weekends, the four systems listed in the article cost Sony over $13 million a day while down.  Times 5 days for that first week, that is a $65 million impact.

Those numbers are from 2008 and Sony is likely more dependent on technology now, so those numbers are likely low, possibly very low.

Add to that the cost of remediation, the fact that many of those systems were down for more than a week, the P.R. impact, loss of sales, replacing employees who leave because of the incident, lost ticket revenue, lawsuits and fines and you can quickly see that $60 million is not enough.

The moral of the story is that every business should be doing a cyber risk/business impact analysis and planning exercise on an annual basis and then doing remediation as needed.  Nobody wants to be in that 60% of businesses that fail after a cyber breach.  Plan ahead.

Mitch
