GoDaddy Users Beware

GoDaddy has an interesting feature.  If a hacker creates a FREE GoDaddy account, they can create (and have created) a whole bushel of mischief.

If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited amount of time.

Only problem is that GoDaddy didn’t validate that you owned the domain that you wanted to add to your free account.

Once you control DNS for that domain you can send mail as it, read its mail and act as a man-in-the-middle attacker against the domain’s web site.

Since the account was free, the hacker didn’t actually own the domains in question, and since the IP addresses associated with the attack were not in the U.S., good luck finding the culprit.

This attack method apparently also works at other registrars.
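The state this hijack depends on is a dangling (lame) delegation: the parent zone still points a domain at a managed-DNS provider’s nameservers, but no account at that provider actually hosts the zone, so anyone who can add the domain to a free account inherits it. The following Python is an added example, not code from the original post or from GoDaddy, that audits your own domain list for that state; the delegation data and SOA answers are constructed inline so it runs offline, and in practice you would replace `lookup_ns` and `query_soa` with live resolver calls (an assumption of this example).

```python
# Added example: flag domains whose delegated nameservers do not actually
# serve the zone (lame delegation), the precondition for the hijack above.
from dataclasses import dataclass, field

# Constructed sample data: what the parent (TLD) zone delegates each domain to.
PARENT_DELEGATION = {
    "active.example": ["ns1.provider.example", "ns2.provider.example"],
    "dormant.example": ["ns1.provider.example", "ns2.provider.example"],
    "selfhosted.example": ["ns.selfhosted.example"],
}

# Constructed sample data: each nameserver's RCODE for an SOA query on the zone.
# NOERROR means the server really hosts the zone; REFUSED is what an unclaimed
# domain at a managed-DNS provider typically returns.
SOA_ANSWERS = {
    ("ns1.provider.example", "active.example"): "NOERROR",
    ("ns2.provider.example", "active.example"): "NOERROR",
    ("ns1.provider.example", "dormant.example"): "REFUSED",
    ("ns2.provider.example", "dormant.example"): "REFUSED",
    ("ns.selfhosted.example", "selfhosted.example"): "NOERROR",
}


@dataclass
class Finding:
    domain: str
    severity: str                              # "ok", "partial", "lame", "missing"
    lame_servers: list = field(default_factory=list)  # delegated but not hosting


def lookup_ns(domain):
    """Stand-in for a live NS lookup at the parent zone (assumption)."""
    return PARENT_DELEGATION.get(domain, [])


def query_soa(nameserver, domain):
    """Stand-in for a live SOA query sent directly to that nameserver."""
    return SOA_ANSWERS.get((nameserver, domain), "SERVFAIL")


def audit_domain(domain):
    servers = lookup_ns(domain)
    if not servers:
        return Finding(domain, "missing")      # no delegation at all: check registrar
    lame = [ns for ns in servers if query_soa(ns, domain) != "NOERROR"]
    if len(lame) == len(servers):
        severity = "lame"                      # nobody hosts the zone: claimable
    elif lame:
        severity = "partial"                   # some servers lame: still risky
    else:
        severity = "ok"
    return Finding(domain, severity, lame)


def audit_all(domains):
    return {d: audit_domain(d) for d in domains}


if __name__ == "__main__":
    for d, f in audit_all(PARENT_DELEGATION).items():
        print(f"{d:20} {f.severity:8} lame={f.lame_servers}")
```

Any domain reported as "lame" or "missing" should be either re-added to a DNS account you control or have its delegation removed at the registrar, dormant or not.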

Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails.  Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.

Thousands of domains were compromised.  Soon after the story of the attack method was published, GoDaddy said that they put a fix in place.

They also said that they fixed 4,000 hijacked domains.

The only problem is that there are many thousands more domains that they didn’t detect or fix.

GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.

GoDaddy now says that they believe that it is not possible to hijack domains any more using this specific method.  Other methods – not so sure.  Existing domains compromised?  You’re on your own.

Some researchers think that some of GoDaddy’s DNS servers have been compromised, but GoDaddy says that it’s not the case.

One of the attacks using this scheme distributed the GandCrab ransomware.  One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with the ransomware.  The ransom was initially $2,000 but went to $4,000 while they decided what to do.

Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust.”  “We have accepted the fact, for now, that we are just locked out of our company’s information.  We know nothing about this type of issue other than we have to pay it or just start again.”

While she is absolutely correct, the crooks don’t really care.  The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.

So what do you need to be doing?

First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current.  I keep mine in a bank vault.  The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.

Second, beef up employee training.  The A.S. Price attack happened when an employee clicked on a malicious link.

Third, add robust anti-malware protections.  There are lots of them out there.  It does cost money, but so does losing access to your data.  In the A.S. Price case it is $4,000 (not including the cost/value of losing access to the data).  While it is a lot of money, what if they had asked for $100,000 instead?  It has happened.  And the hackers have been paid.

Next, have a strong, tested incident response program.  A few months before the Sony attack, the same group attacked some of Sheldon Adelson’s casinos (the Sands in Las Vegas).  Because Adelson’s IT team had a tested incident response program and even more importantly, they were empowered to act without a committee’s approval, they minimized the damage so much that you didn’t even hear about the attack.  Visualize this.  Geeks with pocket protectors running through the casino’s floor unplugging live, operational, computers so they didn’t get infected.  Unplugging the entire Sands empire from the Internet.  WITHOUT A SINGLE MEETING.  That is training, trust and empowerment.  And it worked!

Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01.

Information for this post came from Brian Krebs.


What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia, or ALoP (Thanks James!).

YOU need to consider your ALoP in a particular circumstance.

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.  If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.


Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing, telemarketing and video surveillance.  Source: Bleeping Computer.


1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work, albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a DNS service fully compliant with the 1987 and 1999 standards, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.


Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Privacy Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try.  Source: The Recorder.


Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that the Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try to create disinformation if it works in their best interest.  Source: NBC.


FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten the U.S. courts’ approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.



Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would rein in some of its worse practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan), Apple banned the product from the iWorld.

Well, Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple App Store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app called Facebook Research to users age 13 to 35, paying users up to $20 a month plus referral fees to install it.  Under the hood, it is just Onavo Protect, collecting all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate.  Not only did this shut down the Facebook Research app, but it also shut down any iPhone apps that Facebook was using internally to run its business.  This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly, and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month is okay, I guess that is their choice, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them; they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information for this post came from Apple Insider, here and here.


Do You Have Cyber-Risk Insurance? Enough?

A recent study estimates that a coordinated global cyber attack (think Wannacry, but not geographically bounded) could cause economic damages of between $85 billion and $193 billion.

The investigation was conducted by Lloyds of London and Aon Insurance as a “stress test” of the industry.

Claims would likely include everything from business interruption to incident response costs.

Total claims estimated to be paid by the insurance companies range from $10 billion to $27 billion.

That means that industry itself is on the hook for between $75 billion and $166 billion.

That is going to come out of victim companies’ checkbooks.

Are you ready to write a check for $166 billion?  How about $75 billion?

They estimate the biggest losses would be in retail, healthcare, manufacturing and banking.

Countries that are more service oriented – like the United States – would suffer more damage and have higher losses.

So there are a couple of questions –

  1. Do you have cyber insurance?
  2. Do you have enough cyber insurance?
  3. Can you make up the loss shortfall out of your checkbook?

One last thought.  Are you sure that the coverage that you do have matches the risk that you are exposed to?  Given that every policy is different, you might want to look into that too.  We can help.

Information for this post came from Reuters.


Managing Supply Chain Risk

Supply chain risk is a hot button right now and getting hotter.

It has always been an issue – it was the source of the Target breach, the Home Depot breach, the Panama Papers and thousands of others that you never heard about.  According to a Ponemon study, 56% of organizations admit that they had a breach caused by one of their vendors.

According to that study, the average number of vendors a company is sharing sensitive data with is 471 and only 35 percent of the companies had a list of all of the vendors that they were sharing data with.

The problem doesn’t stop when you terminate a supplier relationship, because they do not delete all of your data when you go away.  They keep it.

Add to that the fact that only 18 percent had a handle on fourth party risk – the risk that comes from your third parties using their own third parties.

Regulators are starting to deal with it.  New York is requiring financial service providers to actively manage it, and it is not easy.

GDPR also holds companies responsible for what their vendors do with their data, so if you do business in Europe, that is another concern.

Expect regulators to add more third party risk management to their requirements over the next few years.  Colorado just did that.

Supply chain risk not only includes vendors that provide services to your company, but also hardware vendors and software providers.  Each purchased device and each downloaded application needs to be vetted and monitored for potential security risks, and all patches have to be up to date.

The Magecart card-skimming malware injected into Magento Open Source eCommerce sites has allowed hackers to steal millions of credit cards.

Supply chain risk not only puts your clients’ data at risk, but also puts your own intellectual property at risk.  When the hackers come, they take everything.

Cloud service providers add their own risks.  Recently researchers were able to compromise at least a half dozen large web hosting providers.

And professional service providers – accountants, lawyers, analytics providers and many others add their own risk to the mix.

So what do you need to do?

Kind of like when alcohol gets out of control, the first step is admitting that you have a problem.

The biggest suppliers are likely not the biggest risk.  They often have robust security programs, but even when they do, those sometimes fail.  Think about Equifax.

We are seeing more CONTRACTS requiring supply chain risk management.  Vendors may be asked to self-assess or use third party risk vendors like CyberGRX, Vendorly or others.  And there are vendors that provide security scores, such as BitSight and SecurityScorecard.

Companies need to up their game when it comes to supply chain risk – because the bad guys have already done that.

Information for this post came from CSO Online.
