Security News Bites for the Week Ending Oct. 5, 2018

Web Page Load Times Double Due to Trackers

Trackers, those microscopic bits of pixie dust that web pages and advertisers insert into web pages to track our activities, make a significant negative contribution to user experience.

Full disclosure – this study was done by Ghostery, who makes software – free software – that blocks these trackers.

Ghostery looked at the page load time of the top 500 US web sites as defined by Alexa and discovered that it took, on average, 10 seconds longer to load with trackers enabled than when blocked by Ghostery.

The 10 slowest of the top 500 sites loaded 10x faster without trackers, saving users 84 seconds on average.

Obviously you could run their free software to reduce your page load times and I have run it for years.  It is amazing how many trackers can exist on one web page.  Source: Ghostery

Feds Issue Alert Regarding Remote Desktop Protocol

Sometimes it takes the feds a little while to realize what we have known for years.  Remote Desktop Protocol or RDP is a Microsoft mechanism for remotely logging in to another computer.  Sometimes people (not very wisely) enable this capability over the Internet.

RDP was designed for LAN administrators to remotely access a user’s computer or a server on the same network, so security considerations were never a top priority.  Over the years Microsoft has improved the security of RDP but still – my opinion – it is foolish to enable this so that a hacker in Timbuktu can try to hack into your network.

Finally, after several years of these widespread attacks, the FBI has issued an alert telling people this is not a good practice.  There are ways to secure that RDP connection, the easiest of which is to require remote users to establish a VPN connection first.  Source: Homeland Security.

Adobe Patches 85 Vulnerabilities in Acrobat and Reader

Adobe has released patches for 85 vulnerabilities in Acrobat and Acrobat Reader for both Windows and Mac.  85 is a pretty big number.  Some of the vulnerabilities allow for remote code execution while others allow for information disclosure or privilege elevation.  In other words, an entire buffet of problems.

This points to why it is so critical to understand what apps you have installed and make sure that they are patched quickly.  Every single time patches are released.  On every device in the network.  Desktops.  Laptops.  Servers.  Phones.  Tablets.  Everywhere.  As of today, Adobe says they are not being exploited in the wild – that they know of.  Tomorrow, at a minimum, every foreign intelligence agency in the world will have reverse engineered them and figured out how to use them as a weapon.  That doesn’t count the hackers.  Source:  The Register.

FBI Forces Child Abuse Suspect To Look at His Phone

In August, for the first time ever that we know of, the FBI obtained a warrant to force a person to look at his iPhone X to unlock it using Apple’s face recognition.  A month later he was charged with receiving and possessing child porn.

While no sane person is going to suggest that the judge should not have issued the warrant in this case, it undercuts the assumption people have that whatever is on their mobile devices is private.  A bad guy could put a gun to your head and that would likely have the same effect as the warrant.

Privacy is a relative term and as long as everyone understands that, we are all good.  Source: Forbes.

DoJ Indicts 7 Russian Hackers;  Odds of Them Standing Trial Are Almost Zero

The Department of Justice announced criminal charges against 7 Russian intelligence operatives this week, charging them with wire fraud, money laundering, identity theft and hacking.

Russia is unlikely to hand them over to the United States to stand trial and, unless the intelligence agents are not very intelligent, they will never visit any country that has an extradition treaty with the U.S.

That being said, a couple of Russian criminal hackers (who are likely not as intelligent as GRU officers) have been known to visit countries friendly to us, so it is technically possible that they could wind up on trial in the U.S.  Just not very likely.

These indictments add more fuel to the fire that Russia is hacking us, although this is not specifically tied to the elections.  Source: CNN

Given that the President has

Visit New Zealand – Fork Over Your Passwords or Risk Being Prosecuted

In what is thought to be the first country to do this, travelers entering New Zealand who do not turn over their phone passwords during searches could be arrested, prosecuted and fined more than $3,000.  This includes citizens and foreigners.

A New Zealand customs spokesperson said that the new fine is an appropriate remedy to balance individuals’ privacy and national security.  I am not sure what the balance is here.

In many countries law enforcement can examine your digital devices, but it is up to them to figure out how to hack into them if you don’t unlock them.

I suspect that this will become a bit of a trend.

Once law enforcement has the phone, unlocked, you have to assume that whatever is on the phone – from nude selfies to business trade secrets – has been compromised.  There is no way to know whether that data is secure or not.  Given most governments’ security track records, this is probably a sad reality.

In the case of New Zealand, the customs agent has to have some undefined suspicion of wrongdoing in order to invoke the new law.

Things that you can do to minimize the pain –

Large companies that are concerned about security are giving their employees burner phones and burner laptops when they travel abroad.

These same companies require employees to get approval for any data files that they load onto these devices.

For private citizens, this applies as well.  Don’t take your laptop; buy a burner phone at Walmart or Best Buy and only load what you need.

Alternatively, store the data that you will need while abroad in the cloud, encrypted, download it while abroad, upload changes before you cross any borders and overwrite the deleted files with software like the free program CCleaner.

If you believe Snowden, intelligence analysts liked sexy photographs and swapped them internally like baseball cards.  I would suspect that practice applies to customs agents as well.  If it isn’t there, they cannot do that.

It is likely that you will pass through customs unmolested – in the U.S. last year, customs only searched several tens of thousands of devices compared to the hundreds of millions of travelers –  but if you are concerned, there are some easy and inexpensive steps that you can take.

Source: NY Times.

Home Internet Router Hack Steals Banking Credentials

An attack that was originally spotted in August affecting D-Link routers has spread to over 100,000 routers including 70 different models.

The attack originally targeted Brazilian banking customers by compromising their internet router, changing the DNS server and pointing them to a bogus, look-alike banking site.  From there, they steal your credentials.

Not satisfied with the catch, the attackers are ramping up their attack.  It now looks for default and easy-to-guess router admin passwords and other router vulnerabilities.

This attack is going to be difficult to stop if people do not deal with it.

What to do?

Make sure that your router’s admin interface is not accessible from the Internet.  It is difficult to secure it, so just make it invisible.

For banking, make sure that you use two factor authentication.  While not impossible, it makes the hacker’s job much harder.

Change default router passwords to ones that are hard to guess.

Finally, make sure that you patch your router regularly or configure it to automatically patch itself.

Make your local hacker work to get into your network.

Source: The Register.

Voice Phishing Scams Are Getting Better

Brian Krebs, former WaPo columnist turned security sleuth (after the Washington Post eliminated his position because cyber security was not important), reported on several recent vishing (voice phishing) scams, two of which involved large sums of money.

These are a word to the wise, both personally and for businesses.

In the first case, Matt Haughey, creator of the community blog MetaFilter and a writer at Slack received 3 calls in a row from his credit union.  After ignoring two of them, he answered the third and it was a phishing attack.

The scammer claimed that they had blocked two phony looking charges made in Ohio on his debit card.  She knew and was able to tell him the last four digits on his credit card.

He asked for a replacement card because he was about to travel and the caller said he could keep using his card until he got back, but they would block suspect charges.  The scammer read him his entire home address and then asked for his PIN (so that the caller could empty his bank account).  Also she asked for the CVV2 code on the back of his card (so that she could make phony cards and phony charges).

This information was all she needed to clone the card at an ATM.

When he visited his Credit Union in person, he discovered that he had been had and that his bank account was $2,900 lighter from a charge in Atlanta and another $500 lighter from an ATM withdrawal.  The very nice scammer left him with $300 in the bank.

The second attack was on Cabel Sasser, founder of a Mac and iOS software company called Panic.

Again he received a call, this time claiming to be from the Wells fraud department.  His corporate card had a $10,000 charge on it for metal air ducts (how, exactly, do you convert that to cash?).

After he disputed the charge the bank sent him a new card.  That card was hit for a $20,000 bogus charge for custom bathtubs.

He was trying to figure out how this was happening (I have an idea, but if you are curious, you will have to contact me) when he got the bogus fraud department call.

Do you have the card?  What is the CVV2 number?  Key in a new PIN.  Key in your current PIN.  The caller told him the last four of his social to calm his fears.

After $30,000 in fraud, his antennae were up so he told the fraudster he would call the bank back using the number on the card.  Surprise – no new fraud and they didn’t call.

The article goes on to give two more examples.  I regularly get these calls and love to have fun with the scamsters, but I am a little strange.

So what should you do?

#1 – Be aware that these scams are rampant.  The reason they are rampant is that they work very well.

#2 – DO NOT TRUST caller ID.  There is no security whatsoever in the caller ID system.  I could call you and have it appear that the call was from President Trump.

#3 – Understand that with all of the breaches, there is virtually no information that is not in the wild.  One thing that I do is lie on security questions.  That definitely makes things harder, but you have to (a) not repeat the lies from company to company and (b) remember what your lie was.  I use my password manager for that.  If it asks what my favorite color is (I don’t have one), I might answer orange one time, blue the next and green the third time.  As long as I record my answers, I am good.  I do understand that this involves a lot of work, so most people are not up for that.

#4 – last, but most important, if you RECEIVE a call from <your bank>, DO NOT ASSUME that it is your bank.  I know that is a stretch, but $30,000 later, Cabel learned that lesson.

Call back.  Visit your bank in person.  Call the local branch.  If you have a person at the bank that you have a relationship with (a personal banker), call that person.

This whole scam model works because people are too quick to trust.

I know that is a terrible thing to say, but it is also terrible to get your bank account cleaned out.

All I can say is beware.  It’s out there on a massive scale.  BECAUSE IT WORKS!

Information for this post came from Brian Krebs.

Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers compromised the security “tokens” that Facebook uses to authenticate users and not the passwords themselves.  Facebook revoked those users’ “tokens” to stop them from continuing to be used.

Later in the day Facebook said that they revoked another 40 million users’ tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack after the effective date of GDPR.  Sure, British Airways lost 380,000 credit cards, but this is 50-90 million users just on Facebook alone.  We DO NOT KNOW if other sites were affected that share logins, but if they were, this could affect dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course Facebook’s software license agreement with other sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer.  If such a disclaimer exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW, my token was apparently hacked, as my login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia.

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two factor authentication.  Facebook’s two factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.

Information for this post came from Business Insider.

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password.  I have lost track of how many of them they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow?  NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents associated with them that are infected.  When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti-virus software will catch it, but if the files are crafted just slightly differently for each attack, the AV software will be blind to it.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source: The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Let’s compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850,000 records.

Private right of action up to $750 per user without showing damage.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for malicious non-compliance.  $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOS 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked.

To be fair, Pangu team, the group that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie.