Security News for the Week Ending October 4, 2019

Just a Wee Bit Over the Top

There is a nut job who bought an old cold war era bunker in Germany and turned it into a “bullet-proof” hosting center similar to what we see in Russia and elsewhere – where they let you host anything, legal or otherwise.

Apparently the Germans got tired of this guy, who calls himself HRH Prince Sven Olaf of CyberBunker-Kamphuis and thinks he runs his own country.

The overkill part is that they sent in 600 paramilitary troops to arrest him and a dozen of his employees who were this bunker.  I wonder how much that cost them.  Source: The Register

Hacker GnosticPlayers Steals User Info From Zynga – 218 million people

This guys seems to be on a mission.  After stealing about a BILLION (yup, that’s right) userids already, he just added 200+ million Zynga gamers to the mix.  While the information isn’t super sensitive, this points to how weak security is in many places.  Source: The Hacker News

Demant Hearing Aids Expects to Spend $95 Million Due to Ransomware Attack

In case you tend to dismiss ransomware attacks, Demant, the Danish hearing aid manufacturer, says that an unidentified cyber incident will cost them between $80 million and $95 million, due to lost sales as the outage (likely ransomware) impacting shipping, receiving and production.  Source: ZDNet

TEN More Hospitals Hit By Ransomware Attacks

Three hospitals in Alabama and seven more hospitals in Australia have been hit by ransomware.  In the Alabama attacks, ambulances are being redirected to other hospitals and if someone walks into the ER, they will stabilize the patient and transfer him or her elsewhere.

The hospitals in Australia also say that patient services are being affected.  Source: ARS Technica

 

Baltimore Did Not Have Backups For Key Files

Baltimore lost a lot of key data because it did not have effective backup policies.  Users were storing the only copy of data on their local hard drives.

While it is fun to criticize Baltimore, when is the last time that your company actually tested that you have readable backups for **ALL** of your key data, including and especially, data stored in the cloud.

Baltimore is going to spend about $10 million and lose an additional $8 million in revenue due to the attack.  Source: Dark Reading

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

Facebooktwitterredditlinkedinmailby feather

FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades old IPNet software are vulnerable to hacking,

But they are not sure what devices that  may include.  Possibly insulin pumps.  Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster.  The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third party software that is used in the system that is delivered.

At one point in time, things were made out of hardware.  Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems.  Perhaps you have heard of a small breach at Equifax?  Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched.  And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated.  You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.

In the case of medical devices, things are way simpler.  Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials.  Then that data could be entered into a database and easily searched, avoiding warnings like this one.

But, we are talking about the government, so do not hold your breath.  Source: CNBC

 

 

 

Facebooktwitterredditlinkedinmailby feather

Coworking and Shared Work Spaces Are A Security and Privacy Nightmare

Coworking and shared office spaces are the new normal.  WeWork, one of the coworking space brands, is now, apparently, the largest office space tenant in the United States.

Who are in these coworking spaces are startups and small branches (often 1 or 2 people) of larger companies, among others.

Most of these folks have a strong need for Internet access and these coworking spaces offer WiFi.  Probably good WiFi, but WiFi.  And WiFi is basically a party line, at least for now.

Look for WiFi 6 with WPA 3 over the next couple of years – assuming the place that you are getting your WiFi from upgrades all of their hardware and software.  And YOU do also.

A couple of years ago a guy moved into a WeWork office in Manhattan and was concerned about security given his business, so he did a scan.  What did he find but hundreds of unprotected devices and many sensitive documents.

When he asked WeWork if they knew about it, the answer was yes.

Four years later, nothing has changed.

Fundamentally, it is a matter of money.  And convenience.

But, if you are concerned about security, you need to think about whether you are OK with living in a bit of a glass house.

For WeWork in particular, this comes at a bad time because they are trying to do  – off and on  – an initial public offering and the bad press from publications like Fast Company on this security and privacy issue don’t exactly inspire investor confidence.

Fundamentally, using the Internet at a WeWork office or one of their competitors is about as safe as using the WiFi at a coffee shop that is owned by the mob  and is in a bad part of town.  Except that you are running your business here.

In their defense, WeWork does offer some more secure options (although you might be able to do it yourself for less).  A VLAN costs an extra $95 a month plus a setup fee and a private office network costs $195 a month.  That might double the cost of a one person shared space (a dedicated desk costs between $275 and $600 a month, depending on the location).

And clearly they do not promote the fact that you are operating in a bit of a sewer if you do not choose one of the more expensive options.  The up sell here is not part of their business model.

For users of shared office spaces, like WeWork (but likely anywhere else too, so this is not a WeWork bug), they need to consider if they are dealing with anything private or whether they care whether their computer is open to hackers.  If not, proceed as usual.

If not, then you need to consider your options, make some choices and spend some money.  Sorry.  Source: CNet.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending September 27, 2019

Did Apple ‘Play’ President Trump?

Apple says that it has received a waiver from import tariffs on Chinese parts for the Mac Pro.  Why, after President Trump said he wouldn’t do that?  Apple’s PR machine made it look like the Mac Pro was now going to be made in Texas after they floated a rumor that it was going to be made in  China.  But the Pro has always been made in Texas.  And they are not building a new plant – only using the same plant where they have always been built.  It is an example of how a very rich, connected and powerful company can game the system to get what it wants while smaller companies lose out.  Source: The Register.

Click2Gov – ITS BACK!

Click2Gov facilitates self service government web site portals and in 2017 and 2018 it was compromised in dozens of cities, compromising 300,000 credit cards and costing banks about $2 million.

Well, ITS BACK!

The new attacks started last month and have hit 8 cities so far this time. So far, 20,000 records have been offered for sale.  Cities in Florida, Idaho, California and Oklahoma have been hacked.

Coming to a city near you.  Source: Wired.

Simjacker – A Mobile Attack That is Invisible

The SIM card in your phone has the information necessary to identify your phone to your carrier, but of course, vendors could not leave well enough alone, so it does more.

The attack begins with the attacker sending the victim an infected SMS message.  Except this message has a series of SIM Toolkit (STK) instructions.  This message is captured by the SIM card and the commands in it processed.  The commands are quite powerful and could potentially send SMS messages containing data from the phone to the attacker, conduct espionage, spread malware  and other things.

Not all phones and not all carriers are susceptible.  Some US carriers say that they do not use that type of SIM chip.  Source: Adaptive Mobile.

Microsoft Bans More File extensions from Outlook Web Access

Apparently OWA is now called Outlook for the Web.  Must have missed the email.  In any case, Microsoft is now banning a total of 142 file extensions after 38 more extensions will be banned in the next release.   In addition to the existing banned extensions like .EXE, .COM, .ASP, .JAR and more, the new list includes Python files (6 extensions), Powershell (10), Digital certificates (3), Java (2) and miscellaneous applications (17).  Source: The Hacker News.

Checkm8 Exploit Could Mean Permanent Jailbreak for Many iPhones

This is still new, so there is a lot we don’t know, but a researcher nicknamed ami0mX says that he accidentally found a bug in the iPhone boot ROM that affects most iPhones.

The good news is that it requires local access.  Read only memory is only sometimes read only, so maybe Apple will be able to patch this – stay tuned.

If you can exploit this, it would allow you to jailbreak any affected iPhone or iPad.  The models affected include (but may not be limited to) the iPhone 4s through the iPhone 8 and the iPhone X.  It is not clear if the most recent iPhones are vulnerable.

A jailbreak would allow either a hacker or state actor or a vendor like Celebrite to either extract all data or compromise any affected phone, hence the name checkmate (Checkm8).  Source: Threatpost.

 

Facebooktwitterredditlinkedinmailby feather

RUFADAA – What’s That?

I never heard of it, but now both you and I have.

RUFADAA stands for REVISED UNIFORM FIDUCIARY ACCESS to DIGITAL ASSETS ACT.  It is a model law that is designed to deal with your digital exhaust after you move on to the afterlife (I am not sure, but I don’t think they have Internet access in heaven or even in the other place).

The issue is that many online service’s user agreements strictly limit what happens to your access after you die.  For example, Apple doesn’t want you to share.  The license agreement says “Unless otherwise required by law, You agree that your Account is non-transferable and that any rights to your Apple ID or Content within your Account terminate upon your death.  Upon receipt of a copy of a death certificate, your account may be terminated and all Content within your Account deleted”. Source: Apple.

So what is the solution?  RUFADAA.    The original model law (that state legislatures can use to create their own law) was created in 2014 and it gave executors and personal representatives unfettered access to your digital assets.  Examples include things like all of your personal photos that might be stored in the cloud.  But it also includes your email, which you may or may not want your executor to read.  It also would allow them to get the login information to, say, cancel online accounts that might be billed to the deceased every month.

Tech companies said this was contrary to federal privacy laws and state and federal computer fraud laws (that seems like a bit of a stretch, but maybe).  They also said that it violated their terms of service which say things like when you die, so does your content.

The revised version, called RUFADAA, greatly reduces the authority that an estate executor has regarding access to digital assets.

Under RUFADAA, an executor no longer has access to your emails, tweets, chats and other electronic communications unless the deceased specifically consented to that disclosure.

An executor can get access to other types of digital assets but only if he or she petitions the court and explains why access is needed to wrap up the estate.

If the fiduciary does not have explicit permission through a will or something similar, the online service can look to their terms of service for guidance.  I.E., if your will does not grant your executor access to your iTunes photos, Apple will look at their terms and tell you to take a long walk off a short pier.

OK, so what should you do?

#1 – Create a complete inventory of all of your online accounts where anything important is.  That includes things like your subscription to any online content for which your estate will be billed.  If your executor does not cancel your account, you will continue to be billed and are likely legally obligated to pay for that account, even if you don’t even know it exists.

The simplest but least legal thing to do (because it likely violates the terms of service that you agreed to abide by) is to write down your userids and passwords and store them in a safe place or with a trusted person (such as your personal attorney), but remember to change the document when you change your passwords.

The better thing to do is to change your will to explicitly grant your executor access to your digital exhaust to whatever degree that you want.  This can be done formally in your will or informally by writing those instructions in crayon and signing it.  Or anything in between.

Include information and instructions to your executor, along with userids, passwords, two factor authentication information (don’t pull an FBI and cancel the deceased’s phone service before you figure out that you need to be able to receive a text message on that phone in order to log in).  DO NOT INCLUDE THESE INSTRUCTIONS IN YOUR WILL BECAUSE ONCE THAT IS FILED WITH THE COURT, IT COULD BECOME PUBLIC, ALONG WITH ALL OF YOUR PASSWORDS.

41 states have enacted RUFADAA.  Here is a current list.

Bottom line is that it is up to you, but the law is really working against you, not for you, unless you take specific actions.  The good news is that if you do take specific actions, your service providers must follow your wishes.  

Source: Nolo, The Legal Encyclopedia

 

 

Facebooktwitterredditlinkedinmailby feather

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed