Telcos Not Doing Well at Preventing SIM Swap Attacks

A SIM is the (usually) hardware card that gives your phone its “personality”.  The SIM is tied to the carrier and holds the subscriber identity and the keys the phone uses to authenticate to your carrier’s network; whoever holds the SIM that the carrier associates with your number receives your calls and texts.

As users SLOOOOWLY migrate to using text messages as an extra layer of authentication for logging in to a variety of online accounts, hackers need to figure out how to compromise that.

One way to do that is to tell your carrier that “you” have a new SIM (typically because of a new phone) and get your number moved onto a SIM the hacker controls.  If the hacker is successful, then all of the text messages destined for you (which may include password reset codes for things like your email or your bank account) go to the hacker instead, followed shortly by all of the money in your bank account.

In theory phone carriers are not supposed to do a “SIM swap” unless they know the request is coming from you.

But they want to be customer friendly and that is sometimes a challenge when it comes to security.

Recently some Princeton researchers did a test of five major phone carriers – AT&T, T-Mobile US, Tracfone, US Mobile and Verizon – and wrote a study regarding the carriers’ authentication procedures.  The results were:

  • AT&T – 10 out of 10 fraudulent swaps successful
  • T-Mobile US – 10 out of 10 fraudulent swaps successful
  • Tracfone – 6 out of 10 fraudulent swaps successful
  • US Mobile – 3 out of 10 fraudulent swaps successful
  • Verizon – 10 out of 10 fraudulent swaps successful

The problem is that the carriers want to make the process simple for their staff, so they ask for “secret” information only you would know – like your address or email or date of birth.  Not so secret: all of it is for sale on people-search sites, and a lot of it is in past breaches.

Sometimes they will try to send a one time password to your phone but if you say that your phone isn’t working, they often give up.

You may remember that Jack Dorsey, the CEO of Twitter, got his own Twitter account hacked following a SIM swap.  Source: The Register

If that doesn’t work, they bribe some phone company employees to give them remote access into the phone company systems so that they don’t have to bother trying to trick other employees – they can do the SIM swap themselves. They just enable RDP into the bribed employee’s workstation.  Source: Motherboard

Several Congress-critters have written to the FCC’s chairman Ajit Pai suggesting that he do his job and actually regulate the carriers.  Don’t count on the FCC doing anything useful.

One thing that you can do is ask your carrier what other security measures it offers – an account password or PIN that must be given before any SIM change or port-out, a “port freeze”, and the like – and turn them on.  The other thing you can do is stop relying on text messages as your second factor wherever the service offers an authenticator app or a hardware security key; a SIM swap does nothing against those.

Of course you can lobby your Congress-critters to pass a law forcing the FCC to do what it should do.  Of course the carriers don’t want to have to do any more work than they have to, so they will probably drop bags of cash in Congress to get them not to pass such a law (I guess I am a bit pessimistic that DC will actually do anything helpful).

Ultimately, it is important that you be vigilant, because that is much less painful than trying to regain control of stolen accounts or getting your money back from your bank.

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was that the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are that there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked, and from there the hackers were able to connect to the airport’s administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say “supported” because after the airport paid the ransom (under six figures; reportedly around $99,000), it fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security – and need to ask whether the provider’s remote-management access into the customer network is itself protected by a second factor and limited to what it needs.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for-a-fee people-search sites; it is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable on a per-record basis, it could be useful for any number of foreign adversaries because of the volume and because whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese?  Or did the Chinese steal it?  Or does CheckPeople use servers in China?  If so, that is something we should stop.  Source: The Register

Travelex Woes Continues

NOTE: I am providing a bit of a blow-by-blow of the Travelex attack because it is a useful lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks as we are seeing here, even though most of the information is NOT coming from Travelex.

This has got to be one of the worst incident response examples I have seen since, say, Equifax.  Really, really bad and getting worse by the day.  They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barclays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that its cyber team was not contacted until January 2, three days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (The UK ICO announced its intent to fine British Airways $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what Travelex is thinking.)

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

Travelex is still being tight-lipped about things, but information is leaking out around the edges – something that businesses would be well advised to understand.   They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public-facing Windows servers with Remote Desktop Protocol (RDP) exposed to the Internet and Network Level Authentication (NLA) turned off.  Without NLA, anyone on the Internet gets a full session to the Windows logon screen (and to the RDP stack behind it) before presenting a single credential.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which goes out of support on January 14th – just a few days from now.  The servers also report .NET 4.0.30319, which The Register calls “rather old”.  One caveat on that last point: 4.0.30319 is the CLR build number reported by every .NET Framework 4.x release, so by itself it says the box is on 4.x, not which 4.x.
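The RDP exposure described above is something you can check for yourself from the outside, and a practitioner would want to do so for every RDP listener they own.  The Python below is an added example (not from The Register’s report and not anything Travelex ran): it sends an X.224 Connection Request whose negotiation request offers the server only legacy “standard RDP security” (MS-RDPBCGR 2.2.1.1) and classifies the Connection Confirm that comes back.  A server enforcing NLA must refuse that offer with HYBRID_REQUIRED_BY_SERVER; a server that accepts it, or that answers with a pre-negotiation Connection Confirm carrying no negotiation response at all, will give anyone the logon screen without credentials.  Target host names are whatever you pass on the command line; the byte layouts are from the protocol spec, and no sample data is hard-coded.

```python
"""Probe an RDP listener for Network Level Authentication (NLA) enforcement.

Added example: offers the server only PROTOCOL_RDP (no TLS, no CredSSP) and
reads how it answers.  Wire format per MS-RDPBCGR 2.2.1.1 / 2.2.1.2.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000       # legacy standard RDP security: no NLA
PROTOCOL_SSL = 0x00000001       # TLS only: still no NLA
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Offering PROTOCOL_RDP only is the probe: an NLA-enforcing server has to
    refuse it rather than fall back to unauthenticated legacy security.
    """
    # RDP_NEG_REQ: type, flags, length (little-endian), requestedProtocols
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, dst-ref, src-ref, class option, then payload
    tpdu = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(tpdu)) + tpdu        # LI counts bytes after itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Classify the server's X.224 Connection Confirm to a PROTOCOL_RDP-only offer.

    Returns a dict; 'nla_required' is True only when the server refused the
    legacy offer because it insists on CredSSP.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    li = data[4]
    if li < 6 + 8:
        # No RDP_NEG_RSP at all: a pre-negotiation server, legacy security only
        return {"outcome": "legacy", "selected_protocol": PROTOCOL_RDP,
                "nla_required": False}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        # Server agreed to what we offered; since we offered only RDP, NLA is off
        return {"outcome": "accepted", "selected_protocol": value,
                "nla_required": False}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"outcome": "refused",
                "failure": FAILURE_CODES.get(value, hex(value)),
                "nla_required": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError("unexpected negotiation structure type 0x%02x" % neg_type)


def probe_rdp(host, port=3389, timeout=5.0):
    """Send the PROTOCOL_RDP-only request to a live host and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(64))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe_rdp(target))
```

A refusal with SSL_REQUIRED_BY_SERVER means TLS is enforced but not NLA, which still exposes the logon screen; only HYBRID_REQUIRED_BY_SERVER is the answer you want to see from anything reachable from the Internet.  Run it only against hosts you are authorized to test.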

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.

And You Think YOU Have a Problem Finding Cybersecurity Talent

If you have tried to hire any cybersecurity talent recently, you know that experienced folks are hard to find, hard to keep and expensive.  That is why we offer the virtual Chief Information Security Officer program.

But if you are the federal government and you have hundreds of agencies and millions of employees – not to mention adversaries that are working overtime to hack you – you need “a few good people”.  Actually quite a few.

The federal government doesn’t have a great pay scale either, so in order to motivate people, they have to be aligned with the mission.

But the federal government doesn’t seem to have much of a mission when it comes to cybersecurity.  We can’t even seem to agree on whether the Russians interfered with the last presidential election.

So what does that mean for the feds?

It means that senior cybersecurity people are leaving.  Key people.

Jeanette Manfra, who is currently the Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency (how’s that for a title?) is leaving CISA to join Google.  At Google, she is going to head up the Office of the CISO to help customers improve their security.

She is not alone.

Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left and is now Director of Data Governance at Google.

Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, joined Google as an executive for Public Sector Cloud at Google.

Rob Joyce, was forced out of his role at the White House as Cybersecurity Coordinator at the National Security Council by former National Security Advisor John Bolton.  Rob, at least, went back to the NSA where he is appreciated.  Now the White House has no one in that role and some people are saying that we may be back in the same situation as we were in 2014 when the Russians hacked the White House.  Cyber is not a priority for this administration.

Joe Schatz resigned as White House CISO to join technology consulting firm TechCentrics.

In October 2019, Dimitrios Vastakis, Branch Chief of the White House Computer Network Defense and staff member of Office of the Chief Information Security Officer (OCISO) at the White House released a scathing resignation memo saying that OCISO staff are “systematically being targeted for removal from the Office of the Administration (OA) through various means.”

One of the key issues with all of these senior folks leaving is that all of the tribal knowledge is going with them.  Even if you can replace these folks – and the evidence seems to indicate that either this administration doesn’t want to or can’t – there is no way to replace their knowledge of the workings of all of these federal systems.

Back in 2016 then acting director of OPM Beth Cobert said  “…federal agencies’ lack of cybersecurity and IT talent is a major resource constraint that impacts their ability to protect information and assets.”

Another person who left, Michael Daniel, former special assistant to the president and cybersecurity coordinator at the White House, said “Hiring and retaining cybersecurity professionals is difficult for the federal government under normal circumstances, because supply remains low and demand high across our entire economy,

President Trump did sign an EO last May to try and address the cybersecurity staffing gap estimated at 300,000.

I don’t know where that number came from.  Maybe this is in the federal government alone.  I have seen estimates of a nationwide shortage of over 3 million by next year.  If the feds want 10% of that, they are going to have to work very hard and create an environment that is agile and receptive – something no government agency is good at doing in the best of times.

I hope the government is successful at turning this around, but I am a bit skeptical of their ability to do that.   I guess we shall see.  Source: MSSP Alerts

Phishing Campaign Takes Different Tactic With Similar Outcome

When phishers attack users, they typically try to steal your credentials – your userid and password.  If you are one of the small percentage of users that religiously use two factor authentication (Google says that 90% of GMail users do not use two factor authentication), these password thefts do not help a hacker unless they can figure out a way to compromise that second factor too.  Since the vast majority of people don’t use two factor, if the hackers do get your password, then they are in and can steal your data.

But what if – just sayin – that you change your password?

I know.  I know.  You are saying that you haven’t changed your email password in 37 years.  But just say that you do.  Maybe you think the password was compromised.  That means that the hacker has lost access to your information.

Hackers have come up with another technique that will actually survive you changing your password.

Here is how it works.

The hacker gets you to click on a link that takes you to the legitimate Microsoft (or Google) login page.  With one tweak.

If you look at the URL, it is an OAuth authorization request: it names an app the hacker registered with the identity provider, lists the permissions (scopes) that app wants, and carries a redirect back to the hacker’s site.

You enter your credentials on the real login page and are then shown a permissions (consent) prompt – also served by the real login page – asking you to let that app read your mail and contacts, etc.  When you accept, the login page hands the app’s authorization to the hacker’s redirect address.

If you accept this (and you might, because you just came from the real [Microsoft or Google] login screen), the hacker’s app now has its own token for your stuff.

Even if you change your password the hacker will still have access to your stuff, because the access was granted to the app rather than obtained with your password.

The only way to turn this off is to go to your account’s permissions page, look at which apps or websites you have granted access to your stuff, and revoke the ones you don’t recognize.  Changing the password alone does not do it.

This means that you have to be VERY CAREFUL when you see a permissions request screen: look at what is being asked for and at the URL that the request will send the authorization to.  Of course, you may or may not understand the URL.  In this case it was an Office 365 attack and the hacker’s domain was officemtr.com.  That is close enough that it probably seems legit.

Which the hacker is counting on.
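To make the URL check concrete, here is an added example in Python (not from Brian Krebs’ write-up and not Microsoft’s or Google’s code) that pulls apart an OAuth authorize URL and flags what the consent prompt is really granting: a login host that is not the identity provider, a redirect_uri whose host you do not trust, and scopes such as offline_access (a refresh token, which is what lets the access outlive your session) or Mail.Read.  The two sample URLs are constructed for the example; the client_id values are placeholders and the path under officemtr.com is an assumption.  The same parameters (redirect_uri, scope) appear in Google’s consent URLs, so the check covers both providers.

```python
"""Flag what an OAuth consent URL is really asking for.

Added example.  The sample URLs below are constructed; client_id values are
placeholders and the officemtr.com path is assumed.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that legitimately serve the login and consent prompt
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}

# Scopes that hand a third party your data, or keep working after you log out
HIGH_RISK_SCOPES = {
    "offline_access": "asks for a refresh token, so access outlives the session",
    "mail.read": "read all of your mail",
    "mail.readwrite": "read and modify all of your mail",
    "mail.send": "send mail as you",
    "contacts.read": "read your contacts",
    "files.read.all": "read every file you can reach",
    "user.read.all": "read every user profile in the directory",
}

# Constructed phishing-style URL: real login host, attacker-controlled redirect
SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"   # placeholder app id
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficemtr.com%2Fcallback"  # assumed path
    "&scope=openid%20offline_access"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FMail.Read"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FContacts.Read"
)

# Constructed benign URL: redirect goes back to an app you already trust
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"   # placeholder app id
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback"  # assumed host
    "&scope=openid%20profile%20User.Read"
)


def scope_name(scope):
    """Normalize 'https://graph.microsoft.com/Mail.Read' to 'mail.read'."""
    return scope.rsplit("/", 1)[-1].lower()


def inspect_consent_url(url, trusted_redirect_hosts):
    """Return a list of findings for an authorize URL; an empty list means nothing flagged."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    if parsed.hostname not in IDENTITY_HOSTS:
        findings.append("login page host %r is not the identity provider" % parsed.hostname)

    redirect = query.get("redirect_uri")
    if redirect:
        redirect_host = urlparse(redirect).hostname
        if redirect_host not in trusted_redirect_hosts:
            findings.append("authorization will be sent to %r" % redirect_host)

    # parse_qs has already turned %20 / + into spaces, so split on whitespace
    for scope in query.get("scope", "").split():
        name = scope_name(scope)
        if name in HIGH_RISK_SCOPES:
            findings.append("scope %s: %s" % (scope, HIGH_RISK_SCOPES[name]))
    return findings


if __name__ == "__main__":
    for label, url in (("phish", SAMPLE_PHISH_URL), ("benign", SAMPLE_BENIGN_URL)):
        print(label)
        for finding in inspect_consent_url(url, {"app.contoso.example"}) or ["nothing flagged"]:
            print("  -", finding)
```

The point the output makes is that the login host is the real one in both cases; what separates the two is where the authorization is sent and what it is allowed to do, which is exactly what the consent screen shows you if you read it before clicking Accept.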

Consider yourself warned.  Source: Brian Krebs

Are Smart Cars Safe Cars?

Here is the punch line.

Automotive cybersecurity incidents more than doubled in 2019 and are up 605% since 2016.  That doesn’t seem that safe to me.

Here are some statistics from Upstream’s 2019 automotive cybersecurity report:

  • 330 million vehicles are already connected, and top brands in the US say that they will only sell connected vehicles this year.  If true, one attack vector might be to design a hack to disable all smart vehicles in a specific area.
  • Smart vehicles will benefit from 5G cellular, if and when it becomes widely available in the US because 4G speeds in the US tend to be very variable and often horribly slow.
  • Since 2016, the number of annual incidents has increased by 605%
  • Incidents more than doubled in 2019 compared to 2018.
  • 57% of incidents were criminal in nature – disruption, theft and ransoms.  The rest were researchers trying to stay ahead of the bad guys.
  • The three most common attacks are keyless entry, backend systems and mobile apps.  Remember, if you choose not to install your car maker’s mobile app and register your vehicle, you are leaving your car open to attack if a bad actor registers your car instead.
  • One third of all incidents resulted in the theft of a vehicle or a break-in.
  • One third of the attacks included taking over some of the car’s function.
  • 82% of the attacks in 2019 did not require physical access to the car.

Car makers understand these security issues and are working to improve their security, but the basis of all smart cars is software and we know that software always works perfectly.

Users like the features, so they will continue to ask for them but they might also want to ask their insurance agent if their insurance covers these new types of attacks.

Also recommended is to talk to your legislator to make sure that laws take into consideration that the risks of smart cars.  For example, if you are in an accident and you say that you lost the ability to control your vehicle as we saw on 60 Minutes a couple of years ago, will the police believe you?  Or hold you responsible?  What if someone else is hurt as a result of that?  In today’s level of sophistication, it is going to be hard to prove that it wasn’t your fault.

Source: HelpNet Security