Own A PC By Giving Them A Blu-Ray Movie

The Register is reporting that there are a couple of ways a hacker can take over a PC just by having you insert a Blu-Ray disc.

The first method exploits a poor software design in PowerDVD, the free DVD player software that is loaded on many PCs.  It allows the hacker to exploit a bug in Java to run an arbitrary executable.

This “feature” will allow a hacker to place an executable on a Blu-Ray disc and have it run on start-up, even if Windows is set to block that.

The other takes advantage of Blu-Ray debug code to do some fancy footwork and it will let a hacker again run an arbitrary executable.

You can stop the first exploit by uninstalling PowerDVD (which I don’t really like much as a DVD player anyway), but I don’t have a way to stop the second exploit.

We have seen that a hacker can own your car with a DVD, so why not your computer?

Maybe you should watch your movies on a DVD player instead.  Sorry! 🙂

Mitch

Facebooktwitterredditlinkedinmailby feather

Fingerprint Instead Of Password – You May Want To Reconsider

I came across an item today that stunned me.  The Wall Street Journal and Findlaw reported on a case from late last year where a Virginia State judge ruled that an arrestee may have to offer up his fingerprint to unlock his phone – the Fifth Amendment does not apply.

Now before everyone goes crazy on me, this is a Virginia state judge and this has not been appealed as far as I know, so it has no implications outside the Commonwealth of Virginia.

As Marcia Hoffman, the well known privacy attorney, formerly with the EFF and now in private practice in San Francisco said in wired, the Fifth Amendment protects testimony.  Fortunately or unfortunately, the founding fathers did not understand about the Internet or DNA or a lot of modern things.  Marcia explained that evidence is only testimonial when it reveals the contents of your mind.  Courts have said for a long time that defendants have to give DNA samples, voice samples, fingerprints, etc. even though any of those might be used to convict someone.

The Supremes, those wonderful old folks in black robes, decided in the 1980s that there is a difference between being forced to give up the key to a safe vs. revealing the combination to a safe.  Strange, but true.  I do believe that the courts have also ruled that if you won’t give up the combination to the safe, they can call a locksmith.  If the safe is locksmith proof, you are golden, otherwise, not so much so.

That doesn’t mean that the cops don’t need a search warrant, but in this case, I am sure that the judge in Virginia would be more than willing to sign one.

Other judges, like one in Colorado, have said that passwords are not protected by the Fifth Amendment either.  In that case, the order was not appealed because the defendant’s ex-husband provided the cops with a list of possible passwords, one of which apparently workd.

So this is a dicey business – encrypt or decrypt at your own peril.

It is only a matter of time before one of these cases gets appealed and we will have a somewhat more consistent interpretation of the Constitution.  For the moment, you just have to toss a coin for your answer.

Of course, with the Apple fingerprint sensor, they should be able to take the fingerprints that they collected when they booked the guy and use them to unlock the phone. 🙂

Mitch

Facebooktwitterredditlinkedinmailby feather

Mandarin Oriental Hotel Group Credit Card Breach

The Mandarin Oriental Hotel Group admitted that their credit card system at an unknown number of their hotels was hacked and credit cards compromised AFTER they were outed by Krebs On Security.  The upscale hotel chain, where rooms at the New York property start at $850 a night, would be a great target for hackers since credit cards are likely to have very high limits.

Krebs is reporting that sources say that the attack started before Christmas 2014, so the time to detect is about 75 days.  That is going to become a metric to determine the effectiveness of a company’s cyber security program – how quickly you detected the hacker, boxed the hacker in and determined what the hacker got.  What the hacker got in this case has not been publicly announced.

What is interesting to me is the wording of their press release below.

Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law.

Of course the hackers broke the law.  Is that supposed to make me feel better that the people who stole my credit card broke the law?  Are they next going to stomp their feet and hold their breath?  We expect hotels to know that hackers are out there and protect us anyway.

We take the protection of customer information very seriously. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.

This whole paragraph is fluff;  do they think that their competitors are not aware that hotels everywhere are suffering credit card breaches?  Does the fact that breaches are becoming more common mean they have less responsibility?  Or are helpless to do anything to stop them?

Mandarin Oriental moved swiftly to address this issue by working with forensic experts and has removed offending malware. While the Group has leading data security systems in place, this malware is undetectable by all anti-viral systems. Guests can be confident that security protocols are being thoroughly tested at all hotels to protect guest information and prevent a recurrence of such an attack.

This is probably the most honest statement in the press release;  I hope that they are testing their security protocols now – given that they failed.  The better question to ask is when they last tested their security protocols chain wide.  That would be very telling.

While it is fun to beat up on the hotels, in one sense, they are victims.  But in another sense, they are likely accomplices since they most likely did not spend a whole lot of effort in making life hard for the hackers.  The hospitality industry (hotels and restaurants) are hot targets for hackers for many reasons and they must know that.  Still, their controls are inadequate.

From a PR standpoint, they need to try and calm their high end guests.  Those are the people that have the resources to sue them and the staff around them to cancel all future reservations and move to a different hotel chain.

I can whine about their press release, but if it was me that was hacked, I would probably do something very similar. In fact, many of the words are identical from other company’s press releases after a breach.  It will be interesting to see how many cards were compromised.  From the hotel and credit card company’s perspective, getting this under control quickly is important.  While they might be able to steal $400 from my credit card before it is maxed out, they may be able to steal $4,000 or $40,000 from some of these credit cards.  Ouch!

Mitch

Facebooktwitterredditlinkedinmailby feather

Anthem Refused Audit Required As Part Of Contract

The Register is reporting that Anthem refused to allow U.S. government auditors to audit their systems as required as part of a contract that Anthem has with the U.S. government.  This news is coming out after Anthem was hacked of some 88 million customer records.

The Office Of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.

OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary and Anthem told them no, they could not do that.

I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis.  If we told them to go away, they would have told us to go away as well.

It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances.  It is the difference between private industry and government.

OPM wrote a report on Wellpoint (now Anthem) that said, in part:

Wellpoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Given this report, it is totally unimaginable that, in private industry,  they would have been allowed to continue as a supplier.

After the breach, OPM again tried to audit Anthem and they again said no.

And, they continue to collect checks from the government.

This should be interesting fodder for the lawsuit machine.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Uber Is Uber Bad

Ars technica is reporting that Uber is scrambling to try to recover from an itty bitty problem.  Apparently, someone posted Uber source code (probably an Uber employee) to the public source code repository GitHub.  GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one tinsy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons and certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted.  Let’s say this was the code to a library that you licensed and it contained sensitive information in it and it was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, ip addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value and other servers were not accessible from the public Internet (however, a hacker who hacks into the company using other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords.  For obvious legal reasons, ars did not try to log in to any of those servers.

Let’s assume that 30% of the entries are valid – either internally or externally and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.

Mitch

Facebooktwitterredditlinkedinmailby feather

A Different Perspective On Lenovo – It Is A Supply Chain Problem

While everyone is off beating up Lenovo and Lenovo, in turn, is beating up Komodia, I suggest everyone is missing the real problem.

First of all, to make sure that no one is confused, this problem is not limited to Lenovo consumer laptops.  Komodia has over a hundred customers developing software, all of which put your network at the exact same risk.  Lenovo just happened to get caught.

It is also not limited to Komodio.  Privdog, made by AdTrustMedia and sold by Comodo (no relation to Komodia), behaves in a very similar way.  And there are probably many more.

The problem is a supply chain problem.  Lenovo did not check out Superfish’s software very well and Superfish did not check out the library that they licensed from Komodio very well.

I assert that there are millions of developers who use software libraries that have no clue regarding the security practices of the libraries that they use.  Most of the time, the developers check to see that the libraries do what they want them to do – and that is all they check for.

It is a very unusual developer who will do a full scale cyber risk assessment on each and every third party software component that they license.

The result is Lenovo.  We happen to actually be very lucky that we caught this one after only a couple of months.  While we have seen some indications that this might have been exploited, there is only smoke and no fire.

What about the hundreds of thousands or millions of software libraries that other developers, big and small, incorporate into their software – blindly assuming that there are no security holes?

Even good developers typically only audit THEIR code and not the libraries they license.  In part, this is because they usually don’t get the source code to these libraries which makes auditing them very difficult.

As part of a cyber risk assessment, these potential vulnerabilities will be identified so that the organization can make a decision regarding how to mitigate these risks – and there is more than one way.

The alternative is like driving a car with a blindfold on – a scary thought.

And, it is important to understand that while the Lenovo’s of the world are being sued, they can only hope to collect something from Komodio.  Komodio is not even a U.S. company, so if Lenovo wants to go after them, they may have to do it in Israeli courts according to their laws.  And, I have no clue how big they are.  It could be that Komodio is two guys in a garage – I have no idea.

The reputation that gets clobbered is yours, so you need to protect it.  It is very difficult to repair after the fact.

The supply chain problem is not limited to tech or to software.  For example, the U.S. Department Of Defense has discovered many counterfeit parts for weapons and vehicles that were not made to spec and so may put soldiers at risk.  This is a huge problem that will not be easy to solve.

Mitch

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed