Warning For Symantec Customers

As I have reported before, Symantec has had problems with its server SSL certificate business for years and was on double-super probation.  Symantec bought its certificate business mostly from Verisign in 2010 for about 1.2 billion dollars.  It also bought the certificate businesses of Thawte, Equifax and others.

Last month it sold that business to Digicert, a move that was designed to preserve its equity.  It sold that business for $950 million plus a minority stake in Digicert.

But now the other shoe is dropping.

The reason Symantec was in trouble was that the browser vendors didn’t trust the security of the certificates that were issued before June 2016.

OK, so what is there to do?

First, each browser maker does its own thing.  Except, Chrome has the largest share of the browser market, so what Chrome does is more important than what anyone else does and, for the most part, everyone will follow what Chrome does in this case.

As of December 1 of this year, Chrome will no longer trust any NEW certificates issued by Symantec after this date.  That means that if your web server uses a Symantec certificate issued on December 2, when a user visits that site, Chrome will pop up a warning saying that the site is not to be trusted.

Starting with Chrome version 66 which should be released around April 1, 2018, no Symantec certificate issued before June 1, 2016 will be trusted.

Finally, when Chrome 70 is released in October 2018, NO Symantec certificates will be trusted at all.

So, for those of you webmasters that bought Symantec certificates: for certificates bought before June 2016, you have until early next year to replace those server certificates, and for those of you who bought Symantec certificates after June 2016, you have until late 2018 to replace your certificates.

Since most people buy certificates that last one, two or three years, some of this will be solved by attrition, but we were examining one certificate today that expires TEN years in the future.
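One way to turn the timeline above into an actionable check, as an added example rather than anything from the original post: feed an inventory of your certificates (host, issuer organization, issuance and expiry dates) to a function that applies Chrome's three cutoffs and reports which certificates must be replaced and by when, skipping those that expire on their own first. The inventory below is constructed, the Chrome 66 and 70 dates are the approximate release dates the post gives, and the issuer brand list covers only the names the post mentions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Chrome's Symantec distrust timeline as stated in the post. The Chrome 66 and 70
# dates are approximate release dates ("around April 1, 2018", "October 2018").
NEW_ISSUANCE_CUTOFF = date(2017, 12, 1)  # anything issued after this is never trusted
OLD_CERT_CUTOFF = date(2016, 6, 1)       # anything issued before this dies with Chrome 66
CHROME_66_DATE = date(2018, 4, 1)
CHROME_70_DATE = date(2018, 10, 1)

# Issuer brands the post names as part of the Symantec business (extend as needed).
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "equifax")


@dataclass
class CertRecord:
    host: str
    issuer_org: str   # the O= field of the certificate's issuer
    not_before: date  # issuance date
    not_after: date   # expiry date


@dataclass
class Verdict:
    host: str
    distrusted_from: Optional[date]  # None means the certificate is unaffected
    reason: str
    expires_first: bool              # True if natural expiry beats the distrust date


def is_symantec_family(issuer_org: str) -> bool:
    """Match the issuer organization against the Symantec-owned brand names."""
    org = issuer_org.lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def assess(cert: CertRecord) -> Verdict:
    """Apply the three Chrome cutoffs to one certificate."""
    if not is_symantec_family(cert.issuer_org):
        return Verdict(cert.host, None, "issuer is not part of the Symantec family", False)
    if cert.not_before > NEW_ISSUANCE_CUTOFF:
        when, why = NEW_ISSUANCE_CUTOFF, "issued after the December 1, 2017 cutoff"
    elif cert.not_before < OLD_CERT_CUTOFF:
        when, why = CHROME_66_DATE, "issued before June 1, 2016 (Chrome 66)"
    else:
        when, why = CHROME_70_DATE, "all remaining Symantec certificates (Chrome 70)"
    return Verdict(cert.host, when, why, cert.not_after <= when)


def replacement_plan(certs: List[CertRecord]) -> List[Verdict]:
    """Affected certificates that will NOT expire on their own first, soonest deadline first."""
    verdicts = [assess(c) for c in certs]
    todo = [v for v in verdicts if v.distrusted_from is not None and not v.expires_first]
    return sorted(todo, key=lambda v: v.distrusted_from)


# Constructed inventory for illustration, not real certificates.
INVENTORY = [
    CertRecord("shop.example", "Symantec Corporation", date(2015, 3, 1), date(2025, 3, 1)),
    CertRecord("mail.example", "thawte, Inc.", date(2016, 9, 1), date(2017, 9, 1)),
    CertRecord("api.example", "VeriSign, Inc.", date(2017, 12, 2), date(2019, 12, 2)),
    CertRecord("www.example", "Let's Encrypt", date(2017, 8, 1), date(2017, 11, 1)),
]

if __name__ == "__main__":
    for v in replacement_plan(INVENTORY):
        print(f"{v.host}: replace before {v.distrusted_from} ({v.reason})")
```

The ten-year certificate in the constructed inventory is the case the post warns about: it was issued before June 2016, so it is on the Chrome 66 deadline regardless of how far off its expiry is, while the one-year Thawte certificate drops out of the plan because it expires before Chrome 70 ships.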

If you don’t know what vendor your certificates came from please reach out to us and we will be happy to assist you.

Information for this post came from ZDNet.


Equifax – The Gift That Keeps On Giving

Update: Sep 15, 2017 – Equifax’s Chief Information Officer (CIO) and Chief Security Officer (CSO) “retired” (AKA were fired) today, effective immediately, according to USA Today.  Hopefully, the Board will ask the CEO to “retire” soon as well.

CIO Susan Mauldin and CSO David Webb are taking the heat for not installing one patch, out of the thousands that they likely install every month, that allowed the hackers to .  Webb received $2.6 million in compensation last year.

The company has appointed an interim CIO and interim CSO at the same time.  Given the dozens of investigations and dozens of lawsuits, the company is going to need to have as many resources available to testify as possible.

One complication firing them presents is that the company no longer has anywhere near the control over what they might say in court or to investigators.  In fact, to cover their own behinds, they might throw the CEO under the bus, saying that they told the CEO that they didn’t have enough staff or money to do the job right and were not given more resources.  It is possible that their retirement package might have conditions on it, but if it says that they must lie to Congress, that probably would not be enforceable.

It’s gonna be interesting before it is all over.

Last week the news was about the 143 million people whose data was compromised.

This week it is how Equifax is handling the breach.

First it was terms of service that seemed to require consumers to enter data for credit monitoring on a domain that wasn’t even owned by Equifax and give up their right to sue Equifax in exchange for a few bucks worth of free credit monitoring.  They changed their mind after the New York Attorney General said that he would go after them if they tried that.

Then it was the fact that the site that users were flocking to in the aftermath of the breach was vulnerable to a cross site scripting vulnerability that would allow hackers to extract all of the data the consumers were providing.

Next it came out that Equifax Argentina’s employee web site that was used by Equifax employees to manage credit complaints had an admin account with a userid of admin and a password of admin.  That site has subsequently been taken offline after that bit of news was made public.

Then, of course, there are the 50 or so lawsuits that have been filed against them.  So far.  Including one multi-BILLION dollar suit.

Next Senators Wyden and Hatch are asking a lot of embarrassing questions of Equifax like do you have a Chief Information Security Officer (apparently not) and exactly how many full time security professionals do you have on staff.  The Senators seem to understand the potential long term impact on healthcare fraud, tax return fraud and entitlement fraud, all of which the Federal government – and by association you – will get to foot the bill for.

Then it was reported that Equifax spent at least $500,000 in the months leading up to announcing the breach, lobbying Congress to change the regulations so that they wouldn’t have to notify consumers in case of a breach and limiting the legal liability of credit reporting companies.

Of course there was that slight “optics” problem of Equifax execs selling over a million dollars worth of stock between the date the breach was discovered and the date the breach was announced.

And finally, White House Spokesperson Sarah Huckabee Sanders said that the President, who was elected on a platform of removing regulations, would be looking extensively into whether additional regulation is needed to protect user data.  Of course, no one knows if Congress will actually do anything, but still that is a BIGLY about face for the prez.

All in all, not a great week for Equifax.

Information for this post came from ZDNet, CNet, USA Today, Vanity Fair and CNN.

The Unpatchable Bug In All Modern Cars

We have seen a number of hacks of cars including the hack of a Jeep driving down the highway at 60 miles an hour – from miles away – on 60 Minutes, but now researchers have come up with a new attack – one that cannot be patched.

The CAN bus, or Controller Area Network bus, is the main communications highway in all cars built, at least, in the last 25 years.  The standard, designed in 1983 and in use since 1989, has not really changed very much since then.

In 1983 no one really worried about hackers so the bus has no security, no authentication and no encryption.

Today, almost every single car and light truck is controlled by the CAN buses in it.

Researchers from Trend Micro, Politecnico di Milano and Linklayer Labs discovered that you can overwhelm the bus with error messages.

Right now, today, the attack requires local access to your car.  That was the case with the Jeep attack – until attackers figured out how to do it remotely.

The attack injects error messages onto the bus which can, eventually, cause devices like the anti-lock brake controller or the airbag system to go offline and deactivate.  Since almost all car functions from the brakes to the engine control are computerized and attached to one of the CAN buses, if you can cause those devices to go offline, you will disable those functions.

Worse yet, without redesigning the CAN bus protocol, there is very limited remediation that car manufacturers can make.  On top of that, it is UNLIKELY that any cars currently on the road will ever be fixed because this is not a bug – it is, basically,  a feature.
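Why the error-message attack knocks devices offline, and what a defender can still watch for, as an added example that is not from the post or the researchers: every CAN controller keeps transmit and receive error counters under the ISO 11898-1 fault-confinement rules (+8 on a transmit error, -1 on success; error-passive above 127, bus-off above 255), and a node in bus-off state disconnects itself from the bus. The first half of the block models those counters; the second half is a simple detector that flags a burst of error frames in a SocketCAN-style log. The log lines are constructed, and the assumption that error frames appear with the CAN_ERR_FLAG bit (0x20000000) set in the ID is mine, not the post's.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ISO 11898-1 fault-confinement thresholds (standard values, not taken from the post).
ERROR_PASSIVE_LIMIT = 127
BUS_OFF_LIMIT = 255
CAN_ERR_FLAG = 0x20000000  # assumption: SocketCAN marks error frames with this bit in the ID


@dataclass
class CanNode:
    """One controller's error counters under the CAN fault-confinement rules."""
    name: str
    tec: int = 0  # transmit error counter
    rec: int = 0  # receive error counter

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"          # controller disconnects itself from the bus
        if self.tec > ERROR_PASSIVE_LIMIT or self.rec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"

    def transmit(self, errored: bool) -> str:
        """Account for one transmission attempt: +8 on an error, -1 on success."""
        if self.state == "bus-off":
            return self.state
        self.tec = self.tec + 8 if errored else max(0, self.tec - 1)
        return self.state


def frames_until_bus_off(node: CanNode) -> int:
    """How many consecutive errored transmissions push a fresh node into bus-off."""
    attempts = 0
    while node.state != "bus-off":
        node.transmit(errored=True)
        attempts += 1
    return attempts


def parse_candump_line(line: str) -> Tuple[float, int]:
    """Parse '(ts) iface ID#DATA' (candump -l style) into (timestamp, can_id)."""
    ts, _iface, frame = line.split()
    return float(ts.strip("()")), int(frame.split("#", 1)[0], 16)


def error_storm_alerts(lines: Iterable[str], window_s: float = 1.0, threshold: int = 20) -> List[float]:
    """Timestamps at which more than `threshold` error frames were seen within `window_s`."""
    recent: deque = deque()
    alerts: List[float] = []
    for line in lines:
        ts, can_id = parse_candump_line(line)
        if not can_id & CAN_ERR_FLAG:
            continue                      # normal data frame, ignore
        recent.append(ts)
        while ts - recent[0] > window_s:  # drop error frames older than the window
            recent.popleft()
        if len(recent) > threshold:
            alerts.append(ts)
            recent.clear()                # one alert per storm
    return alerts


def constructed_log() -> List[str]:
    """Constructed trace: normal traffic, then 30 error frames in half a second, then quiet."""
    lines = [f"({10.0 + i * 0.1:.3f}) can0 0C1#0000000000000000" for i in range(10)]
    lines += [f"({12.0 + i * 0.0166:.4f}) can0 20000004#0000000000000000" for i in range(30)]
    lines += [f"({14.0 + i * 0.1:.3f}) can0 0C1#0000000000000000" for i in range(5)]
    return lines


if __name__ == "__main__":
    print("consecutive errors to bus-off:", frames_until_bus_off(CanNode("ABS")))
    print("error storm alerts at:", error_storm_alerts(constructed_log()))
```

The counter model is the part that cannot be patched: taking a node off the bus after repeated errors is the protocol's intended fault isolation, which is exactly why the post calls this a feature rather than a bug. The detector does not stop the attack, but a gateway or aftermarket monitor that watches error-frame rates can at least tell you that it is happening.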

SO, next time you get into your car… Well, I am not sure what you can do.

Information for this post came from The Hacker News.


How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted“.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, let's look at what they suggested:

  1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And, if you do this without your employer’s permission you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different than being convicted, other than both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2. Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want to you to delete ANY emails.  They are going to want to back everything up first, then probably they are going to want to go through them.

5.  Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it, but if it is yours, you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7.  Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it is a company account, they will have the means to log back in.

Bottom line, if the device is owned by the company, coordinate with your manager, HR and/or IT.   If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also don’t commingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if you log out from social media or email accounts or delete your social media and email passwords, your company may have them anyway in a variety of different ways.

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.


Making Sense of the Equifax Breach

Earlier this week Equifax, the credit reporting giant, announced that hackers wandered inside their systems between May and July of this year.  143 million records were compromised.  In addition to that, credit card numbers on 200,000 people were compromised and personal identifying information on 182,000 people were also released.

Information compromised includes names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license information.

Equifax said that the hackers got in by compromising a web application.

They did say that they are going to notify certain people who are affected and also are offering their own credit monitoring service to anyone who wants it, whether they were affected by the breach or not.

Beyond that, Equifax has not said much.

Ultimately, there are going to be a lot of investigations – the states, the feds, Congress, the CFPB and out of them we may find some answers, but if we do, it will be a long time coming.

143 million represents pretty much anyone in the United States that has any credit in their name.

Equifax is offering people a year’s free credit monitoring, but your Social Security number doesn’t expire in twelve months.  All that means is that the hackers will wait a year before they start exploiting your data.

There are some things that you can do.

  1. First, Federal law allows you to get a free credit report from each of the three national credit bureaus once a year.  If you spread that out, you can get a copy of one of your credit reports every four months for the rest of your life for free.  You should do that.   You can do this by going to a web site set up for this purpose.  WARNING:  There are lots of sites that are designed to look like the free government coordinated web site.  The site to go to is AnnualCreditReport.com.   You can also call 877-322-8228 to obtain one.  In addition to the free annual report there are several other situations in which you can get a free report, such as if you are turned down for credit due to the contents of your credit report.  Some states also allow you a free annual credit report (like Colorado) in addition to the free Federal report, so if you live in one of those states, you could get a free credit report every other month.
  2. Check your bank statements regularly.
  3. Sign up for your bank’s free text messaging service.  The features vary but most of them will text you if there is a deposit or withdrawal to your account.
  4. Sign up for the free text messaging service for each of your credit cards.  You will get a message every time the card is used.
  5. Monitor your medical bills and insurance information to make sure that someone is not obtaining health care pretending to be you.
  6. If you get a notice from the IRS, do not ignore it.  It is possible that someone used your information to file a fraudulent tax return or something like that.
  7. Consider signing up for Equifax’s free credit monitoring service.  You can do that by visiting www.EquifaxSecurity2017.com.  Note that there is a clause in their terms of service that forces you to arbitrate disputes.  After a “visit” from the New York Attorney General, Equifax issued an announcement that those terms did not apply to the breach, but only to people who bought the paid version of their service.  If you do go to that site, you will be put in a queue to sign up (they could not handle 143 million people signing up in one day).  One source reported that you have to provide them with a credit card which they will bill after the free period is up if you don’t cancel.  If this is true, I WOULD NOT sign up.  You can pretty much do most of what they do with more effort by yourself and the principle of having to give them a credit card after they screwed up – well it kinda, sorta upsets me.
  8. Issue a credit freeze.  This is free and asking one bureau to do it will affect all three bureaus automatically, but there is a downside.  If you want to open an account like when you buy cell phone service, they do a credit check and if you have a freeze in place, that will fail.  In that case, you have to remove the freeze, for which they charge you and then put it back in place.

One thing that makes this breach more interesting is that three Equifax  executives sold stock in recent days.  These sales were outside normal scheduled sales that are reported to the SEC in advance.  The three are:

  • CFO John Gamble – $946,000
  • Rodolfo Ploder – $250,000
  • Joseph Loughran – $584,000

These sales were not scheduled and occurred within 2-3 days after the breach was discovered but before it was announced.  I am sure that this will be part of at least some of the investigations.

Normally, when there is a breach, you know that you have given a business your credit information.  For example, after the Target breach, you could rest easy if you didn’t have a Target credit or loyalty card and you never used your credit card at a Target store.  In this case, you are not the customer.  The banks and stores that issue credit are Equifax’s customer.  You never gave Equifax your information.  This means that you have no business relationship with Equifax.  It is an unusual deal.

It also means that, unlike the Target breach, you cannot close your account in a show of disapproval.  You can’t take your business to another company because you are not their customer.

Since there are only three major national credit bureaus, businesses will likely continue to do business with them.

What is likely is major lawsuits and regulatory fines.  That is probable.  In fact, the first lawsuit has already been filed.

But this is not the first time a breach at a credit bureau has happened.  You may remember the T-Mobile breach from 2015.  That was at Experian.  And there have been others.  Not many, but some.

It is just a mess.  Stay tuned for details.

Information for this post came from CNN, The Chicago Tribune, The Washington Post, The LA Times and Bloomberg.

Who Turned Off The Lights?

The security firm Symantec is reporting that hackers have compromised energy companies in the U.S.  and Europe.

Well that sounds bad enough, but we have to ask the question “what do you mean when you say compromised?”

The answer is a little bit complicated.  Most energy companies, in a bid to make it tougher for hackers, isolate their operations network – the one that controls power generation and distribution – from the administrative network – the one where users get email and browse the web and such.

Except that life is never that clean.  The power companies, as part of their business, need to get data out of their operational network to manage the business, upgrade software and many other things, so the two networks are not really completely separate – but they do try hard.

Well, according to Symantec, in this case, when they say compromised, they mean that the hackers were into the network far enough that they could turn off your lights.

Symantec says that the group that they are calling Dragonfly is attacking energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry equipment providers.  Companies who were compromised were located in the United States, France, Spain, Italy, Germany, Turkey and Poland.

Assuming these hackers could really “flip the switches”, it would seem like they could do a LOT of damage.  And, depending on what they actually did, it could take a little time or a long time to fix.

Symantec says that this group is likely state sponsored.  Which state they aren’t saying, but I’m betting on Russia.

Symantec provides a lot of details on how the attack works, so if you are interested, go to the Symantec link below for more information.

You may remember that hackers – likely Russians – actually did turn off the lights in Ukraine in the dead of winter in 2015 and 2016.  It is not that far a stretch to think that hackers could do that to the U.S. energy industry.

Homeland Security has been working with the energy industry for the last several years to try and mitigate this threat and they probably have made some headway, but making headway and saying hackers can’t turn off the lights are two very different things.

Of course Homeland Security does not want the American public to panic, so they are going to try very hard to spin things into “this is not a problem;  we have it covered”.  If you believe that line, I have some land I want to sell you in the Florida Keys.

Unfortunately, there really isn’t a lot for the average bear to do.  You can’t fuss at the power company.  Well, you can, but they will likely call you a nut case.

Being knowledgeable on the situation and providing input when possible is a reasonable course of action.  Panicking is not.

I wish I had a better answer, but I don’t.

Information for this post came from Symantec and Wired.
