Weekly Security News for the Week Ending March 20, 2020

Senate Kicks the Can Down The Road Again With FISA Renewal

Last week it looked like Congress was going to renew the parts of the Foreign Intelligence Surveillance Act that DID EXPIRE last weekend.  But Congress being Congress, they didn’t.  On Monday the Senate agreed to kick the can down the road for 77 days.  Now the House has to agree.  In the meantime, I am not sure what the NSA is doing about those expired provisions, and the Senate only plans to kick the can down the road on two of the three expired provisions.  In fairness, Trump wants to rein in the Intelligence Community since he doesn’t trust them and never has.  This could work to the advantage of the privacy advocates.  Source: Reuters

Covid-19 Web Site President Said Google Would Bring Online Monday is Online But Not Like He Said

Google/Alphabet subsidiary Verily launched its Project Baseline Coronavirus website, but it is not national; it only covers two counties in the San Francisco Bay Area.  It was supposed to allow people to make appointments to get tested, but the few slots that were available filled up instantly.  Only people living in those two counties are even allowed to use the site.

Google says that they are working on a nationwide INFORMATION ONLY site and it will be released sometime in the future.  Source: Bleeping Computer

Open Source Vulnerabilities Surge in 2019

Some people say that open source software is more secure.

Reality is a little different than that.

In 2019 the number of DISCLOSED open source vulnerabilities surged from 4,000 to 6,000.  The good news is that the open source community is good about fixing the vulnerabilities once they are found: 85% of the vulnerabilities have a fix once they are responsibly disclosed.

Bottom line, make sure that you have an effective open source software patching program to keep your company safe. Source: Help Net Security

U.S. Census Figures Coronavirus Will Be Over in Two Weeks

The Census, that every-10-year event, was supposed to start this week.  But there is kind of an issue.  I think there is some kind of virus going around.  Part of how the Census works is that Census workers go around collecting information from people.  Given the current situation, (a) Census workers are probably not going to be willing to risk their health for a few bucks, (b) the people they visit are likely not going to let them in the door, or (c) some other less than nice thing might happen.

So what did the geniuses at the Census Bureau decide to do?  They decided that they are going to send out Census workers in 13 days, on April 1st.  WHAT, EXACTLY, DO THEY EXPECT TO BE DIFFERENT IN 13 DAYS?

Ya gotta wonder about those folks in Washington.  Source: Reuters

OCR Lifts Penalties For Telehealth Use During Covid-19

It’s all hands on deck.  HIPAA has a number of provisions that allow a healthcare provider to bypass certain HIPAA rules.  A pandemic is not one of those options.  Of course, since the Feds make the rules, they can change them.  In light of the current situation, HHS says that it will not penalize Covered Entities for using telehealth providers who are not fully HIPAA compliant.  They are not saying using those providers is legal; they are just saying that, given the circumstances, they are not going to go after providers who do so.  This will allow providers to use apps like Facetime or Google Chat to diagnose patients instead of making them come into the office and potentially infect dozens of other people.  It seems like a reasonable trade-off.  Source: HealthIT Security


Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different from a lot of other companies’.  Their website was hacked and one of the Magecart family of credit card skimmers was installed.  It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website.  The security firm RiskIQ worked with AbuseCH and Shadowserver to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a jQuery JavaScript library.  This particular compromise has been detected on over 200 websites.

The second attack compromised a different jQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally, on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach.  Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay.  Let’s see if we can learn some lessons here.  What went wrong?

I often ask: how can security researchers contact a company and simply be ignored?  Let’s talk about your company.  How would an employee deal with that?  Is there a process?  Is it documented?

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password.  It is not that hard to phish an employee’s credentials.  What about your websites?  Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch.  Are you confident that every single library on your web server is current with every single available patch?  Equifax missed one and it didn’t turn out so good for them.

And of course, being able to detect malware in real time, as I wrote in the client alert last night – that is pretty important.
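One concrete control for the detection point above, as an added example that is not part of the original post or of RiskIQ’s tooling: a Python audit that compares the scripts a checkout page loads against a known-good baseline of Subresource Integrity hashes, flagging changed content, missing integrity attributes and scripts from hosts not on an allowlist. The page, script bytes, hostnames and allowlist are constructed for the example.

```python
"""Detect drift in the third-party scripts a page serves (Magecart-style tampering).

Added example, not the original post's or any vendor's code. The HTML, the bytes a
crawler would have fetched for each script, and the baseline hashes are all constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser

ALLOWED_HOSTS = {"www.example-store.test", "code.jquery.com"}  # constructed allowlist

class ScriptTags(HTMLParser):
    """Collect (src, integrity) for every external <script> on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def sri(content: bytes) -> str:
    """Subresource Integrity value for the content: 'sha384-' + base64 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def host_of(url: str) -> str:
    return url.split("//", 1)[1].split("/", 1)[0] if "//" in url else ""

def audit(html: str, fetched: dict, baseline: dict) -> list:
    """Return (src, finding) pairs; an empty list means no drift was detected."""
    parser = ScriptTags()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if host_of(src) not in ALLOWED_HOSTS:
            findings.append((src, "script from host not on allowlist"))
        if src not in baseline:
            findings.append((src, "script not in clean baseline"))
            continue
        if sri(fetched.get(src, b"")) != baseline[src]:
            findings.append((src, "content changed since baseline"))
        if integrity is None:
            findings.append((src, "no integrity attribute: browser cannot pin it"))
        elif integrity != baseline[src]:
            findings.append((src, "integrity attribute does not match baseline"))
    return findings

# Constructed sample data: a stand-in library, a modified copy of it, and a page
# that also pulls a script from a host that was never in the baseline.
JQ = "https://code.jquery.com/jquery-3.4.1.min.js"
UNKNOWN = "https://cdn.unknown-host.test/lib.js"
JQUERY_CLEAN = b"/* constructed stand-in for jquery.min.js */ var jQuery = {};"
JQUERY_TAMPERED = JQUERY_CLEAN + b"/* constructed extra bytes appended after the baseline */"
BASELINE = {JQ: sri(JQUERY_CLEAN)}
FETCHED = {JQ: JQUERY_TAMPERED, UNKNOWN: b"/* constructed unknown script */"}
PAGE_HTML = ('<html><head><script src="%s"></script><script src="%s"></script>'
             '</head><body>checkout</body></html>' % (JQ, UNKNOWN))
```

Run `audit(PAGE_HTML, FETCHED, BASELINE)` on a schedule against the live page and you get the alert the post says was missing: a changed library and an unexpected host surface before the card data does.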

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?


Working from Home Security Challenges / Coronavirus

The bad guys did not waste any time using the Coronavirus pandemic to attack folks who are suddenly Working From Home (WFH) or Studying From Home (SFH).  Here is some information to help those of you who are WFH to navigate the perilous path.

Given that many WFH programs were created out of nothing in almost zero time or scaled up from zero to 60, it is no surprise that there might be a security hole or two.

This applies not only to employees working from home but also to students attending school from home.

First of all, hackers are pumping out tons of malicious emails themed around Coronavirus.  The malicious emails are compromising systems with password stealing malware and remote access back door software, among other goodies.  And don’t forget that old favorite – ransomware.  More on that later in this post.

Given how stressed people are, they are likely to forget their security training.

Another challenge for WFH/SFH – making sure that all devices are fully patched.  That is going to fall more on the end user now.  Companies who have fully automated that are in better shape, but lots of organizations are not set up for that.  THIS INCLUDES PHONES AND TABLETS!

Another problem is home and public WiFi.  At work, the company can control the setup of company WiFi, but at home it is a bit of the wild west.

For example, when was the last time you patched your WiFi server and your Internet router, modem or firewall?

When did you last have a security expert check the security configuration of those devices?

If your company uses older, in-the-office systems, they likely do not work very well for remote workers.  There is no quick fix for this.  It is fixable, but the fix requires new hardware and employee training.

Companies who are in regulated industries such as healthcare, finance or defense have additional problems.  How do you continue to comply with the security laws and regulations that these industries have to comply with?  In fact, in many of these industries employees are not allowed to work remotely by regulation or law.

To make matters worse, in many cases, IT doesn’t have the right tools to securely assist workers who are no longer at the office.  If an employee uses a virtual private network (VPN) to connect to their work network, it usually makes it even more difficult for IT to securely connect back to them in order to provide tech support.  Even in cases where it does work technically, many times the company has not bought the right support tools to make this possible.

Of course, employees who are using their mobile devices more open up yet another attack vector.  Many phones and tablets are horribly out of date when it comes to security patches.  Many phone manufacturers do a crappy job of releasing patches, and for older phones – say more than 2 years old – many times the manufacturer says they are no longer supported, which leaves the user wide open to a whole raft of attacks.

Companies need to conduct a risk assessment of the remote work environment to make sure that they understand what new risks the company is accepting.

Companies need to consider whether they even have enough security software licenses such as VPN connections.  Employees will create unsafe workarounds if the company can’t provide them tools that are secure.

Here is a screenshot of a malicious email.  It pretends to be from the CDC, but the email address in the red box shows that this is not the real CDC.  The URL in the second red box looks like it is from the CDC, but if you hover over it, it turns out that it is not.

Cybercriminals sent this coronavirus phishing email, which was designed to look like it came from the U.S. Centers for Disease Control and Prevention.  Courtesy of Kaspersky.

The spam emails might claim to provide information on the Coronavirus or perhaps provide a way for people to contribute to those who need help.  Unfortunately, the only one these people are helping are themselves.

KnowBe4 published a picture of an email containing a QR bar code asking for donations (see below).  If you want to make the folks in China or North Korea rich, you should donate.

[Image: coronavirus_donation-1, the donation email with the QR code]

This piece of spam, also from KnowBe4, asks you to watch a Coronavirus video.

[Image: covid19_spam-scam-1a, the Coronavirus video spam]

It promises secret information that the government isn’t telling you, if you buy their book for $37.00.

That one is actually relatively benign, because some of the others tell you that you need to update your software in order to view the secret video.  In fact the “update” is software that infects your computer, steals your passwords, empties your bank account, encrypts all of your data, or some combination of the above.

In the following email, if you just click on the link, some dude will tell you everything you need to know about the Coronavirus and how to stay alive.  NOT!

[Image: coronavirus_info-1a, the Coronavirus information email]

Suffice it to say, this is a bit of a mess and it is not likely to get any better soon.

Companies will, unfortunately in this time of uncertainty, need to up their security spending.  The alternative might be a bit of a train wreck.

If you do need help or have security questions, please reach out to us.  After all, we are staying home to stay safe :).

Information for this post came from Threatpost, GCN, the US Secret Service and KnowBe4.


Cyberspace Solarium Commission Warns of “Catastrophic Cyberattack”

The U.S. Federal Cyberspace Solarium Commission issued its long awaited report last week and warned of a “catastrophic attack that leaves the nation in tatters”.  While right now everyone is worried about Covid-19, this represents a longer term problem that won’t be fixed in a few months.

The report creates a vivid hypothetical attack and is written from the point of view of an unnamed U.S. legislator.

Kind of like with Covid-19, in this hypothetical attack “everything went so wrong, so fast”.

In the narrative, the Potomac River is polluted by toxic chemicals from treatment plants that were hacked, an attack on the city’s floodwater management system leaves an oily sludge in front of the Lincoln Memorial, the debris of drones litters the city after they were hijacked and crashed into crowds like torpedoes, and finally there is a toxic rail accident in Baltimore after the control system was compromised.

The report also provides a slew of recommendations – many of which will be hard to swallow.

For example, to better secure Internet of Things devices, the report suggests moving away from a “first to market” philosophy to one with better security.  I predict that will only happen if laws hold companies financially liable for their insecurity – something that has already started in California.

In fact, the report recommends that final goods assemblers be held responsible for damages as a result of cybersecurity incidents.

It makes suggestions around changing Sarbanes-Oxley to include more cybersecurity requirements.

Another recommendation is for the government to clean up its own act.  Currently there are a lot of cooks in the federal government’s cybersecurity kitchen and that is creating a lot of confusion.

It also suggests that Congress reorganize its committees that really don’t deal well with cybersecurity.  I think we need to reorganize the Congress people and find some who understand the problem, but that is a separate issue.

The report goes on and makes a lot more recommendations, but now it is up to the federal government to actually act.  The alternative is the response we currently have to Covid-19, which is, in my opinion, a bit of a train wreck in slow motion.

One way or other, these cyberattacks will continue and increase, as we are already seeing during the Covid-19 pandemic.  During this pandemic, hospital and government systems are being hit by cyberattacks, slowing response and distracting first responders from their mission.  Source: Verdict


Security News for the Week Ending March 13, 2020

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks

AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new, different side-channel attacks, according to freshly published research.

Known as “Take A Way,” the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD’s Bulldozer micro-architecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption. Source: The Hacker News

And… AMD is Not Alone This Week – Intel has Unpatchable Flaw

And the “chip wars” continue.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield users’ sensitive data even when a system gets compromised.

The flaw, if exploited (only theoretical this week), would allow hackers to extract the root encryption key in the Intel Management Engine – which is the same for all chips in a particular processor family.  That potentially would nullify all DRM and all whole disk encryption, among other things.  Source: The Hacker News

President Signs Bill To Help Rural Telecom Carriers Replace Chinese Equipment

The President signed the Secure and Trusted Communications Networks Act this week.  The bill mandates that US telecom carriers rip and replace any “suspect foreign network equipment”.  It requires the FCC to set up a compensation fund to help rural telecom carriers do this;  the bigger carriers are on their own – which will likely be reflected in your bill as a fee or surcharge.

Carriers have to provide a list of equipment and estimated costs to replace it by April 22.  Sometime after that, we will have a better estimate of the cost.

For some reason which is not clear to me, the bill will not cover the cost of replacing equipment purchased after August 14, 2018.  It appears that telcos do not need to replace new Chinese equipment.

The requests and status of replacement activities will be posted on the FCC’s website.

The law authorizes the FCC to spend $1 billion in this year’s budget to do this.

The bill also allows companies that won spectrum bids in the last auction to abandon their builds and get their money back for the spectrum if they determine that they can’t build out what they promised without using suspect gear.

It would also appear that if the telco buys or has bought Chinese gear without a government subsidy, they can continue to use it.  Source: Engadget

Microsoft Says: 99.9% of Compromised Accounts did NOT use Multi-Factor Authentication

Microsoft tracks 30 billion login events every day.

They say that roughly 0.5% of all accounts get compromised every month.  That translates to around 1.2 million accounts compromised in January.

THEY ALSO SAY THAT AROUND 99% OF ALL ATTACKS TARGET LEGACY PROTOCOLS, SO, IF THOSE PROTOCOLS CAN BE DISABLED AND MULTI-FACTOR AUTHENTICATION IS TURNED ON, SUCCESSFUL ATTACKS GO TO NEARLY ZERO.

THEY ALSO SAY THAT MULTI-FACTOR AUTHENTICATION BLOCKS 99.9% OF ALL ATTACKS.  Source: ZDNet


Microsoft Working to Reduce Spam Emails

DMARC is a technology that is designed to reduce the amount of spam that makes it into your mailbox.  It provides an email’s recipient with instructions on how to validate a sender’s email.

Unfortunately, it is a voluntary standard for both the sender and the receiver, and if the sender doesn’t have DMARC set up then there is nothing for the receiver to test.

In addition, if the policy tag is set to none, then the recipient is supposed to do nothing, even if the DMARC tests fail.

Microsoft is working on adding a feature to Office 365’s Advanced Threat Protection that will automatically block sender domains that fail the DMARC test.

Currently, the antispam rule allows administrators to allow domains regardless of the domain’s reputation.

This new feature will override the allow and block all domains that fail DMARC.

THE RULE IS PLANNED TO BE ADDED AROUND THIS APRIL.

Initially, email that fails will be marked as spam and handled according to the spam rules.

This will be coupled with another feature to block malicious content regardless of custom configurations, unless manually overridden.

Here is the problem.

Even if you are not an Advanced Threat Protection (ATP) customer.

Even if you are not an Office 365 customer.

Even if you don’t use Microsoft tools.

This WILL affect you.

If the company you are sending an email TO is using Office 365 ATP and they follow the recommended default configuration, and your domain fails the DMARC check, your email will go into the junk box.

Your mission, should you decide to accept it – actually whether you decide to accept or not – is to make sure that your DMARC configuration is set up correctly.
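As an added example (not code from the original post or from Microsoft), the following Python models how a receiver turns a sender’s DMARC record plus the SPF/DKIM alignment results into a delivery decision, and how an ATP-style override of the kind described above changes the outcome for a domain publishing p=none. The DMARC records, domains and messages are constructed; the override is a hypothetical model of the feature, not Microsoft’s implementation.

```python
"""DMARC policy evaluation, including a modelled receiver override.

Added example, not from the original post or Microsoft. A standards-following
receiver honours p=none; atp_override is a hypothetical model of the Office 365
feature described (junk any message that fails DMARC, whatever p= says).
"""
from dataclasses import dataclass

@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # domain checked by SPF (MAIL FROM / Return-Path)
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified
    header_from: str   # domain in the visible From: header

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=...'."""
    tags = {"adkim": "r", "aspf": "r"}          # RFC 7489 defaults: relaxed alignment
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_passes(tags: dict, r: AuthResult) -> bool:
    """DMARC passes if SPF or DKIM passes AND its domain aligns with From:."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from, tags["adkim"])
    return spf_ok or dkim_ok

def disposition(tags: dict, r: AuthResult, atp_override: bool = False) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    if dmarc_passes(tags, r):
        return "deliver"
    if atp_override:
        return "quarantine"    # modelled override: failure goes to junk even for p=none
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

RECORD_P_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # constructed record
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"             # constructed record
# Constructed message: From: claims example.com but SPF passed for an unrelated host.
SPOOFED = AuthResult(True, "bulk-sender.test", False, "", "example.com")
# Constructed message: DKIM-signed by a subdomain, so it aligns only in relaxed mode.
LEGIT = AuthResult(False, "", True, "mail.example.com", "example.com")
```

The p=none record lets the spoofed message through at a standards-following receiver but not at one applying the override, which is exactly why a sender with a sloppy record gets junked.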

Source: Bleeping Computer
