Security News for the Week Ending October 16, 2020

5 Eyes Ask For Crypto Backdoor – Again

Law enforcement does not like it if they cannot snoop whenever they want. It has been a problem since encryption started to be used by the masses. The CIA, for example, even went so far as to BUY the Swiss encryption company Crypto AG, insert backdoors into their hardware and sell it to both our allies and our adversaries for decades before circumstances changed and made that hardware less important. They didn’t tell our allies that we were snooping on them. Part of the game.

So it is no surprise that when consumer products contain decent crypto, these same folks are not happy and they have been fighting the battle ever since.

Now they are saying that letting them snoop on everyone – which they will do responsibly, of course – is a matter of public safety and protecting children.

And, of course, unlike the TSA, NSA, CIA and others before them who lost control of those secrets, these secret backdoors that companies should provide will not get into the wild. Trust us! Credit: SCMagazine

Apple Releases New 5G Phones That Use Non-Existent 5G Service

Okay, this is not a cybersecurity issue, but it is a hot button for me. You can now buy an iPhone 12 Max with Apple care for $1700+ with 5G support.

I guess if you want to spend your money and help the economy, go for it, but if you think that you will be able to surf the web on your phone 10 times faster than today as they claim, you can. But you will have to wait around 10 years.

The problem is that none of the carriers have FAST 5G infrastructure. Verizon does have some fast 5G – it covers about one percent of the US population. So, if you want to have a new iPhone and be one of the cool kids, go for it. Just don’t expect to surf the web any faster than you do today. Credit: Cybernews

Microsoft Takes Down TrickBot Network

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure. There is a concern that the bot network, which has connections to Russia and has compromised at least a million computers, may be used in an attempt by Russia to impact the U.S. Presidential elections.

That takedown lasted two days. The network is back operational again, causing mischief. This just points to the challenge of permanently stopping hackers who are living in unfriendly countries like Russia. Even with the best efforts of Microsoft and Cyber Command, it only stopped them for 2 days. Credit: ZDNet and Security Week.

And You Thought TSA was the Only Non-Secure Part of Flying? Wrong!

The aviation industry uses a system called ACAS internationally or TCAS in the U.S. It is a collision avoidance system which tells a pilot that there is another plane nearby and tells each pilot how to avoid a collision (up, down, left, right, fast, slow, etc.). Except that TCAS has no security in it and it can be spoofed by a bad guy to crash the plane. There is a new version coming out soon called ACAS X and it too can be fooled. So much for the basics of security. Credit: The Register

800,000 Sonicwall Appliances Can be Hacked by a Kid

The patch, which affects 800,000 Internet facing VPN servers, was released on Monday. The details were disclosed two days later, on Wednesday. In its simplest form, a kid can either crash the device or just make it not respond to commands. Worst case, a more skilled hacker may be able to execute arbitrary code, including bypassing login requirements. Sonicwall says that they are not AWARE OF any customers impacted YET. If I was running a Sonicwall appliance, I would treat this as an emergency and patch it as soon as possible. Credit: ZDNet

FCC Says Maybe We Should Regulate Social Media

The President signed an executive order a few months ago asking the FCC to look at whether social media companies like Twitter should lose their “section 230 immunity” if they are biased in their editing. It also asks the FCC to propose regulations regarding this. That was about six months ago.

I suspect that the FCC staff attorneys looked pretty hard to find anything in section 230 that gave them the authority to implement regulations like this. Note that the FCC does not regulate social media companies. There is nothing in the law that gives them that authority.

In fact, when Ajit Pai, the current chairman of the FCC came into office, he decided that the FCC didn’t even have authority to regulate Internet providers at all and so he decided to rescind the net neutrality regulations that were approved before he got there but had not yet gone into effect.

Photo: Ajit Pai, Chairman of the FCC, testifying with FTC Chairman Joseph Simons before the Senate Appropriations Committee on their departments’ budgets

To me, it seems like a pretty big leap to go from saying that we don’t have the authority to regulate Internet providers at all to saying that, in spite of that, we need to regulate social media companies.

Not terribly surprisingly, this announcement comes one day before Twitter and Facebook are set to testify before a House committee.

Pai does say a lot of things that I think are completely valid.

He says that these companies make a whole bunch of “algorithmic decisions” that the public customers of those companies have almost no visibility into. I think that is correct.

He also says that consumers have no insight into privacy issues on how their data is used. Also true.

He says that the public deserves to know more and these companies need to provide more transparency. Hard to argue with.

On the other hand, Pai, with the stroke of a pen, removed these exact same controls that were set to go into effect on Internet providers. Can he have it both ways?

These social media companies are between a rock and a hard place. If they remove content they are said to be biased. If they leave content up, they are said to be pandering to extremists (and also to their advertising click counts).

All of this could be useful, however, if the House and Senate could, for once, do the job for which they are being paid, and pass legislation that addresses some of these issues. Removing section 230 immunity is one of those things that fall into the category of “be careful what you wish for”.

It certainly seems odd that Pai decided to make this announcement a couple of weeks before the election and on the eve of Twitter and Facebook testifying. It does not seem to have been done terribly “expeditiously”, as the President asked Pai to do 5 months ago in his EO. Part of that is because an EO does not have the force of law. It is more like your boss sending you a memo to do something. Your boss might get mad or he might even fire you, but that is about, for the most part, where it ends.

Also remember that Pai writing about the subject in his blog after 5 months is a whole lot different than him and the commission actually doing anything or even proposing anything or even saying they are going to start looking at anything. In fact, it is not clear what it means at all. Credit: The Verge

Guess What Vendors are NOT Doing – Leaving it to You

Orca Security scanned more than 2,200 virtual appliance images – the same ones that your company probably uses every day. The images represented over 500 vendors. They were found on the marketplaces at Amazon, Microsoft, Google and others. They included both open source and commercial (licensed) software.

Orca created a scoring system that ran from 0 to 100. Companies (or images, actually) lost points for:

* Unsupported or no longer supported operating systems

* Contained 1 or more high profile vulnerabilities (from a list of 17 that they created)

* Contained 1 or more vulnerabilities with a CVSS score of 9 or higher (critical)

* Contained 1 or more vulnerabilities with a CVSS score between 7 and 9

Grades ran from A+ (really cool) to F (not so cool). Just like school.

They got an instant F if they:

– Used an unsupported operating system

– Had 4 of the 16 high-profile vulnerabilities

– Had 20 or more flaws with a CVSS score of 9 or higher

– Had 100 or more flaws with a CVSS score between 7 and 9

– or had more than 400 unique vulnerabilities

That seems pretty freaking generous to me. I’d cut those thresholds way down. 19 flaws with a CVSS score of 9 or higher is okay? I don’t think so.

Still, that was the threshold.
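As an added illustration (my own code, not Orca’s), here is the instant-F rubric from the list above applied to a constructed scan result, with a second, stricter set of cutoffs as a stand-in for the thresholds I would want; the CVE ids, scores and the stricter numbers are all made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str            # constructed placeholder id, e.g. "CVE-XXXX-0001"
    cvss: float         # CVSS base score
    high_profile: bool  # on the scanner's short list of headline bugs


@dataclass
class Thresholds:
    high_profile: int = 4  # 4 of the high-profile list -> F
    critical: int = 20     # 20 or more with CVSS >= 9 -> F
    high: int = 100        # 100 or more with CVSS in [7, 9) -> F
    unique: int = 400      # more than 400 unique CVEs -> F


ORCA_F = Thresholds()  # the instant-F cutoffs the post quotes
# Much stricter cutoffs; my own assumption of what "cut way down" might mean.
STRICT_F = Thresholds(high_profile=1, critical=1, high=10, unique=50)


def instant_f_reasons(findings, os_supported, t=ORCA_F):
    """Return the instant-F rules the image trips; an empty list means it passes."""
    unique = {f.cve: f for f in findings}.values()  # count each CVE once
    hp = sum(1 for f in unique if f.high_profile)
    crit = sum(1 for f in unique if f.cvss >= 9)
    # "between 7 and 9" taken as 7 <= score < 9 so no finding is counted twice
    high = sum(1 for f in unique if 7 <= f.cvss < 9)
    reasons = []
    if not os_supported:
        reasons.append("unsupported OS")
    if hp >= t.high_profile:
        reasons.append(f"{hp} high-profile vulns")
    if crit >= t.critical:
        reasons.append(f"{crit} CVSS>=9")
    if high >= t.high:
        reasons.append(f"{high} CVSS 7-9")
    if len(unique) > t.unique:
        reasons.append(f"{len(unique)} unique vulns")
    return reasons


# Constructed sample: supported OS, 19 critical and 5 high findings. Under the
# quoted thresholds this is NOT an instant F, which is the post's complaint.
SAMPLE = [Finding(f"CVE-XXXX-{i:04d}", 9.8, False) for i in range(19)] + [
    Finding(f"CVE-XXXX-{i:04d}", 7.5, False) for i in range(19, 24)
]

if __name__ == "__main__":
    print("Orca cutoffs:", instant_f_reasons(SAMPLE, True) or "no instant F")
    print("Strict cutoffs:", instant_f_reasons(SAMPLE, True, STRICT_F))
```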

So what was the result?

15% graded an F

16% graded a D

25% graded a C

12% received a B

and 24% got an A; 8% got an A+

That means that less than half got above a C and 30% got a D or F. Less than 10% got a gold star.

In total, Orca’s scanning identified 401,571 vulnerabilities across 2,218 appliances.

Almost half had not been updated by the vendor in the last year and only 2.8% had been updated in the last month.

This test includes both security and non-security product vendors, but security vendors only scored a low B, on average.

There are more details in the article, but the bottom line is that you really can’t trust vendors when it comes to security. That is not great news. Some hardened security appliances did score well, but again, how do you know when you install an image that you got from the vendor’s store?

First thought is to ask the vendor. Second thought is that you have to scan the virtual appliance before you connect it to the Internet.

Great. Something else for my to-do list. Credit: CSO Online

Sharing Passwords – Everyone Does It

Do you know the password to your spouse’s computer?

What about his or her social media accounts?

His or her email accounts?

Not married, just friends, maybe with benefits – what about his or her passwords?

We will get to work passwords in a minute.

ExpressVPN asked 1,500 American adults in an exclusive but not married relationship about their password sharing habits.

Couples, they say, share a variety of passwords and, most commonly, within the first six months of dating. What could possibly go wrong?

Here is what ExpressVPN found:

The most commonly shared passwords are for video streaming (78%).

Followed by mobile devices – nothing sensitive on your phone I am sure (64%).

Then comes music streaming (58%).

47% share social media passwords and 38% share email passwords.

Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).

Given that half of Americans who marry get divorced and lots of people don’t even get married any more, the idea of sharing passwords might have some “long term” problems – as in when one of you moves on.

Now let’s move to work passwords. Everyone has their own userid and password, but in many companies, because of the way account setup is done, IT knows it too and sometimes even your boss does. Sometimes even your coworkers know it, even if that is against company policy.

FYI, if something bad happens and you want to prosecute the employee, if you are one of the above companies, you better have some really good evidence (it is possible, but hard).

In many companies, employees, especially within a department, share passwords to some cloud services, such as those that charge by the user.

And IT often has “system” passwords – ones that “have to” be shared.

And don’t forget passwords to Internet of Things devices like, for example, your Alexa.

Let’s say that at some point the magic fades.

If you are not married you split. If you are married you get divorced. If you are employed, you leave, voluntarily or otherwise. If you are a vendor to a company, the company changes vendors.

In any of these cases, do you know what passwords are at risk? In many cases, the answer is no.

If the separation is “less than friendly” – whether work or personal – can you change the at risk passwords quickly?

Do you know if the other person has downloaded your data – business or personal – before the split?

Everyone wants to assume that people are honest and that bad things won’t happen but the percentage of employees, for example, who take data with them when they leave is high. In 2015 Biscom did a survey. 87% of employees took data with them that they created and 28% took data that others created. While these numbers are old, they are probably still in the ballpark.

Most companies don’t change passwords when employees leave because it is logistically challenging, but especially with IT folks, if they are disgruntled, they can and have done major damage. Likewise scorned lovers have done their share of damage too. All you need to do is check out the news from time to time.

Like I said, no one wants to think that relationships, business or personal, will end and even fewer think that they will end badly.

To quote Maya Angelou: “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”

Just a suggestion.

Credit: ZDnet

Is It Okay to Pay a Ransomware Demand?

The FBI has said for years that paying a ransomware ransom was a bad idea. It encourages the bad guys and funds their bad guy activities.

But last week the decision became harder when the Treasury department said that they were going to add ransomware organizations that are connected to terrorist organizations to the list of companies that Americans are not allowed to do business with, called the Specially Designated Nationals or SDN. This list is managed by OFAC, the Office of Foreign Assets Control.

By doing this, it makes paying ransom to these organizations a federal crime, punishable by up to 20 years in jail and/or a $1 million fine or civil penalties of up to $55,000.

The penalties can be levied against companies trying to get their systems back, law firms, insurance companies, banks, security service providers or anyone else who is in the food chain between the hackers and the victims.

While most people understand that paying ransom is not a good idea, if the choice is between paying the ransom or watching your firm close, many companies hold their noses and pay the ransom. A recent survey of 5,000 IT pros found that 26% did pay a ransom; virtually all of them got their data back. Company execs have to keep their customers, employees, investors and the general public. Not an easy call to make.

One of the challenges if you do plan to pay the ransom and do not want to spend the next 20 years as a guest of Uncle Sam (which is unlikely, but possible), is how do you figure out whether the particular hacker that you are paying is on the Specially Designated Nationals list. After all, they don’t exactly give you their Social Security Number to look up.

Another challenge that executives face is ransomware 2.0 – the version of ransomware where the hackers steal your data and threaten to publish or sell your information if you don’t pay the ransom. There is no good defense against this form of ransomware.

Most insurance policies have a clause that says that they will not facilitate a crime, so if it is determined that paying the ransom may be a crime, most insurance companies will decline to do that.

However, that doesn’t get the insurance company off the hook – they still need to make you whole, even if doing so is more expensive for them.

Now would be a good time to talk to your insurance provider and ask them how they plan to handle this situation. In the case of OFAC, even if you break the law unintentionally, you are still guilty. The burden of proof is on you.

The feds would like you to share the information about ransoms that you paid, but for many companies, the main purpose of paying the ransom is to keep things quiet, even if doing so is illegal, which most of the time it is. Telling the FBI that you paid a ransom and didn’t notify either the authorities or the victims does not seem like a plan that would be viewed favorably by law enforcement.

We are seeing a lot of attacks against healthcare. Forcing hospitals, for example, to shut down or divert ambulances can cause patients to die. In addition, even if the hospital can continue to operate, its operations will almost always cause patient care to be degraded, even though the hospitals will say everything is fine – because they do not want to be sued. All of this in the time of the worst pandemic in 100 years.

Unfortunately, other than keeping the hackers out, there are no good answers. I recommend working hard to keep the hackers out. Credit: The Record

Apple Joins Intel and Others in the Buggy Silicon Club

Intel and, to a lesser extent, AMD and ARM have been collecting a lot of attention in the last year or so for bugs in their silicon. As everyone tries to tweak every last drop of performance out of their systems or do new and creative things, the risk of a problem increases.

But Apple has been a member of the club before and now it is being reintroduced as a club member.

Apple’s T2 security chip, a repurposed Apple A10 processor, is used in all Macs between 2018 and now. The chip controls the Touch ID and also provides the basis for encrypted storage and secure boot. Not something that you want to be buggy.

The good news is that the attacker needs physical access (think evil maid attack) to the Mac for the attack to work. Given that access, the attacker could gain root and wreak havoc: brute force the Mac’s encrypted file system, FileVault 2, and load arbitrary code.

The researcher contacted Apple multiple times with no response. He also reached out to some Apple pubs, but again no one bit.

I assume that if the claim was bogus, Apple would have stomped all over him quickly.

Alternatively, if there is no fix to this, like there is no fix to the earlier Apple silicon issue called Checkm8, then they might hope it goes away.

JTAG, the industry standard debug port that most hardware has, appears to be the problem here. Many times vendors leave it enabled when they ship devices, hoping no one notices but making it easier to troubleshoot problems. Security says it should be functionally destroyed prior to ship so that there is no way to re-enable it.

This bug is very unlikely to be exploited except in targeted attacks because in addition to requiring physical access to exploit the JTAG “feature” and using the Checkm8 bug, it also loops in another bug called Blackbird.

My guess is that like Checkm8, this bug is unpatchable.

Unlike my PC. I just got shiny new microcode this week for mine. Apple’s design does not allow for that.

Right now, until someone figures out how to exploit this remotely, the risk is low, but keep your eye on your devices. Credit: Threatpost
