Security News for the Week Ending September 10, 2021

Signal Provides Customer IP Address to Swiss Police

While police all over the world complain about the universe going dark on them, that is only true to an extent. Proton maintains no logs, but they can capture data in real time. In this case they received an order from the Swiss Federal Department of Justice, which they complied with. I don’t have a lot of heartburn over this. If people break the law they should assume that cloud providers will not ignore that fact and pretend everything is okay. Note that they cannot provide any content in this case, so really it is a person’s IP address that was exposed. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that the suspects were required to be notified of the data being turned over, unlike in most countries. Credit: Proton Reddit

McDonalds in El Salvador (and Everyone Else) Now Accepts Bitcoin

El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course everyone needs to figure out how to do that. For large companies that can afford to spend millions, that can be done, even if it is clunky. For small business, that is a different story. That doesn’t protect any company from the huge swings in Bitcoin price. In one direction, the company is okay; in the other, not so much. We shall see if this is a trend, but I doubt it. Tesla was accepting Bitcoin for cars, but stopped after realizing that they might sell a car for $30,000 but only recover $20,000 when they cashed in the Bitcoin. Credit: Vice

Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report

As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over “any other” data breach or ransomware attack information since the start of the SolarWinds attack in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they don’t have anything, but if a whistleblower informs the SEC of the truth, or the SEC figures out the truth by itself, now companies have really big problems. A consultant working with some of these companies says that “most” companies have had unreported breaches and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but they didn’t say they would give companies amnesty for other breaches that they should have reported. Credit: Reuters

WhatsApp Promises End to End Encrypted Backups on iCloud

Apple’s backups on iCloud are readable by Apple and that fact has allowed Apple to turn over data to police and was the core of the Apple spying service that they recently postponed. Facebook (WhatsApp) says that they are about to roll out end to end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users. Assuming they are correct, this is the first time that someone offered fully encrypted backups for two billion users. Credit: The Register

US Wired Broadband Ranks Right Behind Moldova

I often say that the US Internet access ranks right up there with many third world countries. Now I have the data to prove it.

Ookla, the company that makes and runs the SPEEDTEST software, reports every month on Internet speed around the world.

This year, in the wired category (the kind you likely have at home and in the office) we rank 14th, right behind Moldova. And behind Hungary. And behind Romania.

By the way, I had to look up Moldova. It is between Romania and Ukraine.

In the mobile wireless category (like you get on your phone), we are curiously also ranked 14th. That puts us behind countries like Bulgaria and Cyprus.

Contrary to those commercials that you see on TV, our average wireless speed was 91 megabits. That is a little different from those gigabit speeds that they claim on TV ads.

On the wired side, our average speed was 195 megabits, or about double the wireless speed.

For the US, we haven’t invested much in fixed broadband infrastructure which is why we rank behind Moldova. It also is because we have very little competition for Internet service, which means providers don’t have to invest in improving service. After decades of being asleep at the wheel, the FCC is starting to wake up about regulating telecom, but you have to remember that the last FCC chairman used to be a lobbyist for one of the large telecoms (the one that starts with a V).

Likely, these numbers are going to get worse.

Overall, the global mobile download speed jumped 60% since last year and the fixed download speed jumped 32%. Did your Internet speed increase by 1/3 or 2/3 last year? Mine did not jump by anything.

We say that we want to compete with countries like China, but China ranked #4 in wireless speed. Their push is all wireless; their wired speed was #17.

I am fine if the US wants to push wireless but that is going to take a huge investment. It probably makes sense for the US to have a hybrid approach where we mix wired and wireless.

Millions of Americans have no access to broadband Internet. I live just outside of Denver and the fastest Internet that is available to me just barely qualifies as broadband Internet under the FCC definition and if they raise the standard then I will have no access to broadband.

83 million Americans have only a single option such as Comcast.

Still millions more only have access to slow DSL-based Internet.

Carriers such as AT&T are abandoning their DSL based Internet service and not replacing it with anything, leaving those users, usually in poor neighborhoods, without Internet.

How does that work in a world of remote learning and work from home?

It is possible that people are not buying the fastest service the carriers offer and that is affecting the result, but that brings us to price where the US is really expensive compared to the rest of the world.

If you really want to get depressed, the US ranked 21st out of 26 countries tracked BY THE FCC in both standalone fixed broadband price and in mobile broadband price. That is, apparently, normal for us. Credit: Vice

Increased Liability of Work From Home

Why care?

Hackers often lurk inside networks for weeks or months. During this time they gather a lot of information about how the network works, what it looks like and even how it is secured. With people working from home, often on poorly maintained — scratch that — unmaintained networks, that job just became a lot easier. For the hackers. This is especially true if companies allow personally owned devices (including phones).

What is happening?

With work from home becoming the norm, hackers are using the poorly secured – or more accurately – not secured home networks as a launching pad. Compromise one computer on the home network (not picking on anyone), say a student who is doing hybrid learning, and that device can now try and infect the parents’ devices. Or start with one parent’s device and pivot to another device. You get the idea. Once the hacker finds a beachhead on any device in the home, the hacker can use that to attack other devices.

Why is this possible?

Think about the typical hardware in an employee’s home –

  • Consumer grade
  • Often never patched
  • Lacking encryption
  • Lacking high end security features of corporate devices
  • No logging (think about your compliance requirement to figure out how you got hacked after a breach – good luck with that)
  • No security operations center at home

You get the idea.

But we use company owned devices!

Okay, let’s say you do.

Does that mean there are zero personally owned devices on the network? Not likely. No Siri. Or Google Assistant. Or Alexa.

Let’s assume those personal devices are like most and are poorly patched. Now they are infected. Smart hackers lie in wait.

Microsoft (or anyone else) releases patches. Hackers reverse engineer them. You deploy patches. Whew!

Well, maybe. The hackers can reverse engineer the patches in 12 hours to at most 3 days. How quickly do you patch? GAME OVER, HACKERS WIN!

What about unrelated Housemates or shared Internet connections?

That makes the problem worse. Now you have even more endpoints and even ways to cross-infect systems.

But I use a VPN!

Okay, that MIGHT BE good. Do you force **ALL** Internet traffic across the VPN all the time? Do you allow the employee to use his or her computer to access the Internet without being connected to the VPN?

If the answer to the first question is no or the answer to the second question is yes, then the VPN gives you some limited protection. But that’s all.
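As an added illustration of those two questions (this is my example, not something from the original post), here is what the difference looks like in a WireGuard client configuration. WireGuard is my assumption, since the post names no VPN product; the keys, the endpoint vpn.example.com, the tunnel address and the 10.0.0.0/8 corporate range are all placeholders. The first profile is split-tunnel: only corporate traffic goes through the VPN and everything else rides the home network directly. The second forces all traffic through the tunnel and adds the kill-switch rules from the wg-quick(8) man page, which reject any outbound packet that is not leaving through the tunnel, so the laptop cannot reach the Internet if the tunnel drops. Each profile is its own .conf file; they are shown together only for comparison.

```ini
# Constructed example, not from the original post. Keys, endpoint and subnets are placeholders.

# ---------------------------------------------------------------------------
# Profile 1 (file: wg0-split.conf): split tunnel, the weak setting.
# Only 10.0.0.0/8 (assumed corporate range) is routed through wg0. Web browsing,
# personal mail and everything else leave over the home network, and the laptop
# keeps working normally with the VPN down, so the answers to the two questions
# above are "no" and "yes".
# ---------------------------------------------------------------------------
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.200.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25

# ---------------------------------------------------------------------------
# Profile 2 (file: wg0-full.conf): full tunnel with kill switch, the corrected setting.
# AllowedIPs covers all of IPv4 and IPv6, so wg-quick installs a default route
# through wg0. The PostUp/PreDown rules (the pattern from the wg-quick(8) man page)
# reject any outbound packet that is not leaving via the tunnel interface (%i) and
# is not WireGuard's own marked traffic, except packets to local addresses. If the
# tunnel drops, nothing reaches the Internet instead of silently falling back to
# the home network.
# ---------------------------------------------------------------------------
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.200.0.2/32
DNS = 10.0.0.53
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

A quick check after bringing the second profile up with `wg-quick up wg0-full` is `ip route get 1.1.1.1`, which should name wg0 as the device. Two caveats: the kill-switch rule is removed by PreDown, so it protects against the tunnel dropping, not against the employee deliberately running `wg-quick down`, and stopping that is an endpoint-management question rather than a VPN setting; and with DNS pointed at the corporate resolver, a tunnel outage also breaks name resolution, which is the intended failure mode here.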

There are some things you can do, but they are likely politically difficult.

If you DO NOT ALLOW employees to use personally owned devices or you only allow an employee to use a local device to connect to a virtual desktop that you control then that probably, maybe, improves security.

If you force ROBUST two factor authentication ALL OF THE TIME AND EVERYWHERE and you TRAIN your employees on what a two factor attack looks like, REPEATEDLY, that likely improves security.

But, it is not easy and you will expend some political capital getting your employees to do what you want them to do.

It is just not easy. Credit: The Hacker News

New Bluetooth Bug Affects Billions of Devices

Researchers from the Singapore University of Technology and Design have published details about BrakTooth, a new family of security vulnerabilities in Bluetooth software implementations.

They assessed 13 Bluetooth devices from about a dozen vendors including Intel, Qualcomm, Texas Instruments and Cypress and found 16 vulnerabilities. On the good side, they can cause a denial of service attack (crashing the device and requiring the owner to power cycle it); on the bad side it can allow remote code execution.

The researchers discovered 1,400 products affected by the vulnerabilities including phones, car radios (now called infotainment systems), computers, speakers, headphones, home entertainment systems, toys and industrial automation. Likely there are way more products vulnerable.

Estimates are that there are billions of vulnerable devices, many of which will never be fixed and remain vulnerable until they are in a landfill a decade from now.

The risk varies of course. If your home microwave fails, you may have to find a different way to heat your food. However, if factory automation software fails, it could shut down a factory or worse.

More detailed information is available at this Bleeping Computer article.

None of the vulnerabilities require the hacker to pair with the device, just be in range. The Hacker News says that proof of concept code is available online.

While the end user may think he or she is buying a device from a reputable company, that same owner has no clue where that company is buying their Bluetooth software from and whether it has been patched.

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot. When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that they could also bother Tesla’s cameras. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Is Selling Your Data Legal?

Well, we assume that it is. After all, we think our data is sold all the time.

But mega-data-company Thomson Reuters ran across a judge that disagrees. We shall see where the appeals go.

The case hinges on a product that TR sells called CLEAR.

If you sign up as a CLEAR customer then you can log in and get a dossier on hundreds of millions of people. This is not anonymous data like Facebook or Google claims, but fully identified data. If it was my file, they would claim to have collected all kinds of data about me, both public and not so public and provide that in a simple to use package.

That is where they got sideways with the court.

First the court said that they didn’t get the user’s permission. TR said it was all public data. The court said that the only reason that people bought the service is that TR had collected all that data, even including pictures and they were trampling on people’s rights.

Then TR said they could sell your data unless you opted out. But the court said, among other reasons, that TR made it hard to opt out. After all, who even knew there was such a thing as Thomson’s CLEAR before reading this post? How can you possibly opt out of something you don’t know exists?

The court even used TR’s marketing material against them.

We shall see where this goes on appeal, but this could be an interesting attack on data brokers. Whether or not it succeeds this time, count on the approach coming back again. Credit: Professor Eric Goldman
