Cybersecurity is for the C-suite, ‘not just the IT crowd’

At least according to Peter Singer, Director of the Center for 21st Century Security and Intelligence at the Brookings Institution.  Writing in Fortune, Singer says many things that won’t make him very popular.   A sampling:

  • 97% of the Fortune 500 companies have been hacked and likely the other 3% too, they just don’t know it.
  • Stop looking to others to solve it for you, stop looking for silver bullet solutions and stop ignoring it.
  • Third and most worrisome to me is the notion that this is for the IT crowd. This is for the nerds to handle. That’s how it’s been treated before: “I don’t understand this stuff so I’m going to hand it over to the techies.” First, that’s an abdication of leadership. Secondly, the IT crowd understands the software and hardware, but they don’t understand the wetware. They don’t understand the humans and the organizations and the ripple effects around them that are equally, and in many cases more, important.
  • We have to move beyond a situation where it’s considered completely acceptable for senior leaders to say “I don’t use email or social media, I have my assistant print out my emails.” And this describes a lot of people from a former Secretary of Defense to a former Secretary of Homeland Security.

It’s a relatively short article;  I recommend it for everyone in the C-suite and on the Board of Directors.

Facebooktwitterredditlinkedinmailby feather

Researchers Find 600,000 Servers Use Duplicate Encryption Key

PC World is reporting that researchers, looking for servers that were susceptible to the FREAK attack, found that some manufacturers have taken a shortcut when it comes to security.

First, FREAK is an attack that allows attackers to force a encryption session between a user and a server to use a very weak 512 bit encryption key.  These keys are unsecure and can be easily hacked.  I won’t go into the details here, but you can search for FREAK attack and find lots of articles.  Manufacturers have started issuing patches for FREAK.

What the attackers did find is a lot of the servers that were susceptible to this attack used the same encryption key.   Out of 2.2 million servers that they found susceptible, 664,000 used duplicated keys.  Mathematically, this could never happen since keys are supposed to be calculated on the fly.  What appears to be happening is that some manufacturers are taking a shortcut and hard coding an encryption key into a particular piece of software or hardware.

The researchers tried to crack the keys and, on a commercial PC, it took them THREE MINUTES to break 90 of the keys.

Do you think that hackers and spies already understand this?

This is another example, like the Lenovo Superfish problem and the SOHO Router problem that I reported on last week of a software supply chain run amok.

This is also why I keep saying the SSL is fatally ill and likely not fixable.  Note that while FREAK is an SSL problem, this is a process problem and not an encryption algorithm problem

It is interesting that we are seeing all of these bugs or features discovered since the Snowden leaks.  Seems to have gotten people interested.

MItch

Facebooktwitterredditlinkedinmailby feather

Ransonware Going After Small Business and Gamers

Dark Reading is reporting that due to the success of Ransomware, the sophistication of the attacks is growing.  As a reminder, ransomware infects a computer and encrypts the files on it.  If you pay the ransom, the attacker will usually give you the key to decrypt your files.  Ransonware is not very particular and can infect any files it has write access to – network shares, Dropbox files, local files.

Ransonware, researchers think, has cost system owners millions of dollars, although I can’t imagine how anyone could put an exact number on that.

Dark Reading talks about two new strains of ransonware. One, called Virlock, infects the files on the machine.  This is so that if the files are shared, the ransonware can infect other machines.  In addition to this new feature, it does the normal encryption of files and locking of the screen.  Virlock also morphs with each infection (called polymorphic malware) to make it harder for anti-malware software to detect it.  It also uses other techniques to hide.

The other new ransonware product, TeslaCrypt, goes after gamers and encrypts the game data files.  Most ransonware targets Office files (Word, Excel and the like) and Pictures.  By going after gamers, they have a whole new market of customers.  Just like businesses are very concerned about losing their Office files, gamers are very concerned about losing the game data.

The only effective protection is effective backups.  As Sony saw when they were attacked, their backups were insufficient.

I speculate from talking with people that most businesses would not recover well from this kind of attack,  It took Sony over two months to rebuild their systems.

For individuals, losing their data would be, at least, annoying, but often not “life threatening”.  For businesses, losing key Office files could put them out of business.

NetworkWorld reported on some typical victims.  One was the Dickinson County Tennessee Sheriff.  Their ransonware encrypted every file created as part of an investigation.  If they lost that data then likely most active cases would be dismissed for lack of evidence.  Another was a suburban Chicago police department, the Midlothian PD was faced with the same problem.  Both departments opted to pay the ransom.

Many people backup to the cloud, which is fine, but a single generation of backups, in the cloud or elsewhere, will likely be infected before the malware is detected.  And for those of you who use realtime backups (like Carbonite), the ransomware will trigger the backup, so making sure that the system is keeping several generations of backups is important.

For businesses, making sure that you can recover from this kind of attack and continue operating while you are recovering is called disaster recovery and business continuity.

Are you prepared or will you be paying the ransom and hoping you get the keys.

P.S. just because they give you the keys does not mean that the ransomware has been removed from your system.  In fact, what it really means is that the attacker has a juicy target for future attacks.  Networkworld wrote that one strain, OphionLocker, remembers it’s victims and does not attack them again.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Max Schrems

That is a name that strikes fear into the hear of Facebook.  He is an Austrian law student and privacy activist (see here and here).

He sued Facebook saying that they violated European privacy laws and that the safe harbor that the EU gave US companies for protecting EU residents information is a sham and violates EU law.

He is behind the group FBClaim.com which has filed a class action lawsuit against Facebook as well as filing other suits against Microsoft and Google.  He likely won’t get a Christmas card from them.  The currently have 25,000 members of the class and could be awarded 500 euros each if they win (500×25,000 = 12.5 million Euros.  That amount of money is pocket change to Zuckerberg, but it sets a precedent.

The interesting part, to me, is that after a bunch of wrangling, Facebook sent him a PDF with most of his information in it.  It contained, among other things:

  • His friends
  • His newsfeed
  • Every photo or page he EVER clicked on
  • All of the advertising he EVER viewed
  • Everyone he had EVER friended or defriended
  • Every event he had EVER been invited to and how he responded
  • Every Poke he EVER received
  • Who else EVER signed on from the same computer as him
  • Email addresses that he had NOT provided FB, but were likely culled from other user’s address books.
  • All of his past messages and chats, including ones with the notation deleted.

People has said that the Internet never forgets – this is kind of proof of that.

While this is not a big surprise for me, it doesn’t necessarily make me happy.  From Facebook’s perspective, who knows what we might need sometime – let’s save it.

The problem is that saving some of this may break European law and shipping to the U.S. where it is likely stored at the NSA (along with Facebook’s servers, I suppose), may break some EU laws.

You can watch the status of the suit at their web site under the UPDATES link

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather

Apple Pay – A Credit Card Thief’s Dream

When I wrote a couple of weeks ago about the issues with Apple Pay security problems (see post), I didn’t really understand the scope of what I was writing about.  Thanks to Brian Krebs (see his post), I now  understand the problem is bigger than I thought.

Let’s assume that you are a crook and you bought a bunch of credit card numbers on the dark web.  How do you monetize this.  One way is to go to some web site and buy some stuff with the stolen credit card numbers that you have.  Now you need someone stupid enough to be your mule to accept the delivery and give you the merchandise.  And that assumes that the merchant does not verify that the delivery address is one that is set up for that card.  That also gives the merchant and credit card company a starting point to track you down.

Alternatively, you could go into a store and use the credit card.  No one asks for ID, and you don’t have to give a name and address, so that should be safe.  Oh, wait, you don’t have a card – just numbers.  You could get the equipment – credit card printer and embosser, mag stripe writer.  The big guys do that, but it is expensive and you have to know how do that.  Also, the price for the information needed to burn a fake card is way more than just the numbers.

You think for a minute.  POOF – APPLE TO THE RESCUE.

You take the stolen credit card numbers and your handy iphone that you bought earlier with another stolen credit card.  You either create a bogus itunes account or buy a hacked one for $8 retail.  You now tie your stolen credit card data to your hot iphone and voila, you have a virtual credit card.  No fuss, no muss, no bother. You can now go into any store that accepts Apple Pay (like the Apple Store) and buy stuff just like you had the real credit card.  You then turn around and sell the stuff for cash.

All of this only works because, as I wrote about in the earlier post, banks don’t do a very good job of validating people prior to linking their account to a phone.   They are so worried about offending a customer and missing out on the Apple Pay hysteria, that they wind up with a very high level of fraud – right now about 6%, which is, as I said in my earlier post, a great way to go broke since the bank’s fees are no where near 6% (more like 2%).

And the bad news is that you don’t even need to be an Apple user to be a victim of this kind of fraud.  If your credit card bank supports Apple Pay, there currently is no way to say that I do not want my cards to be linked to an Apple Pay.

Apple and the banks will eventually figure this out, but in the mean time, the crooks are making a LOT of money.

Mitch

Facebooktwitterredditlinkedinmailby feather

IRS Scam Running Amok

CNN is reporting a tax scam which, while quite old, is apparently still way too effective.  The IRS is reporting that they are getting complaints at the rate of 10,000 to 12,000 new complaints a week.

The scam goes like this.  Someone calls you with a Washington, DC phone number and says you are under investigation;  in danger of losing your home or that the authorities have been notified and will be there in 30 minutes.

The victims report that the caller knows information that they felt only the real IRS would know (or perhaps someone who bought data from the Anthem breach or one like it).

The victims were given specific instructions.  The scammer stayed on the phone as one victim drove around Charlotte for five hours depositing $500 payments into a paypal account set up by the scammer.  The scammer would give the victim store names, street names, etc.

Victims were of all types – a radio host, a minister, old people, immigrants.  Even someone with a PhD.

On occasion, bank tellers and money wiring clerks would convince victims not to do it.

To be clear, the United States Government does not use a Paypal account.  They also will ALWAYS mail you letters – sometimes way too many letters before they would ever take court action.  In theory, IRS agents are not supposed to threaten you.

However, if new cases are showing up at the rate of 10 to 12 thousand new cases a week, this thing has legs.

People hear IRS, arrest, jail and they freak out.  Understandable.

First thing to do is to get a call back number and hang up.  Of course, the scammer is not going to want you to do that.  Do it anyway. If they won’t give you a call back number, that is your first clue.  IF the cops are really on their way, it won’t make a difference.

Next find someone you trust. Maybe a professional like a lawyer or accountant, but if you don’t have one of those or can’t afford one, at least a trusted friend who is not the target of the scam.

You can call the Treasury Department Inspector General for Tax Administration (TIGTA) at 800-366-4484.  They also have a specific web page set up to report this particular scam (link).

Some people have been conned out of as much as $16,000.  Don’t be the next victim.

Mitch

 

 

 

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed