Patch your Linksys router – if you can

The US Department of Homeland Security, through the CERT Coordination Center (CERT/CC) at Carnegie Mellon, issued an alert telling owners of a number of Linksys routers to patch those routers ASAP.  The alert referenced two vulnerabilities: the first allowed anyone on the internet to read or modify sensitive information on the router; the second allowed anyone on the internet to read the device's password file (and thereby gain full access to the router and, as a result, to the Linksys user's internal network).

Unfortunately, according to an article on Security.org, Linksys has not yet released patches for all of the affected routers, and a proof of concept attack for the vulnerability on some models was published on a Turkish hacker site in September.

If we follow the timeline in the article, Kyle Lovett, the researcher who discovered the bugs, told Linksys about them in July (about 4 months ago), sample exploits were posted on a hacker web site in September (2 months ago), and the article claims that there are still no patches available for some models of Linksys routers.

On top of that, many small and medium size businesses do not have the knowledge, skills or staff to patch their routers, which makes them cyber sitting ducks: the exploit is public, the fix is not, and nobody is watching the device.

One part of every business's cyber security plan should be to make sure that all devices (from network routers to phones) are inventoried and patched promptly, and that someone owns the job of checking that the patches actually got applied.

Does your business have a written, adopted and audited cyber security plan?

 

Mitch Tanenbaum

There Will Be A Lot Of Battles – Unfortunately, Some Will Be Lost

An article in American Banker talks about the fight that all the banks are in right now.

JP Morgan Chase CEO Jamie Dimon says the bank plans to double its $250 million annual computer security budget within the next five years.

I think Chase understands the problem;  Dimon said “It’s about firewall protection, it’s about internal protection, it’s about vendor protection, it’s about everything that hooks up into you”.

Banks used to be fighting against kids in the basement.  Now it's about fighting nation states.  That is a big difference.

Dimon also made one other comment that we need to consider: "There will be a lot of battles.  Unfortunately, some of them will be lost."  That does not mean that we shouldn't fight the battle.  It means the battle won't be easy.

Mitch Tanenbaum

 

An Admin’s Worst Nightmare (AKA Cryptowall Gotcha)

Sometimes not using best practices gets us.  Other times it is fatal.

Check out this article about an admin who had his (or her) entire universe fall down around his/her ankles.

The article shows how, in this case, not following best practices was more than a little inconvenient.

The admin was reading email while logged in with admin privileges, on a machine that had every disk in the entire server farm mapped with write access (that sentence is wrong on so many levels it reads like a to do list of what not to do).

Then this admin got phished.  Some phishing attacks are bad.  This one was worse.  The payload was CryptoWall ransomware, and before he or she knew it, the entire production server farm was encrypted (at least it is now secure).

The entire organization was dead in the water.  This included the public facing side of this unnamed US based non-profit with hundreds of employees.

They did have backups, but not all of them had been tested.

In addition, even if the backups worked, it would take days to restore.
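The lesson of the untested backups above is that a backup you have never restored is a hope, not a backup.  The script below is an added example (mine, not from the article or the organization it describes) of the minimum test worth automating: back up a directory, restore it somewhere else, and compare a SHA-256 digest of every file against the original, so that a truncated or tampered archive is caught before you need it rather than on the day you do.  The directory contents and the deliberately truncated archive are constructed for the demonstration.

```python
"""Backup restore test: back up a directory, restore it elsewhere, and verify
every file came back byte-for-byte.  Added example; paths and data are
constructed for the demonstration, not taken from any real environment."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip tarball of source; members are stored relative to source."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> list:
    """Extract archive into target, refusing any member that would land outside it.

    A backup that was tampered with after the fact is itself an attack vector
    (a member named ../../etc/passwd), so the restore path is checked too.
    """
    restored = []
    target = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"refusing unsafe archive member: {member.name}")
            tar.extract(member, target)
            if member.isfile():
                restored.append(member.name)
    return restored


def verify_restore(source: Path, restored: Path) -> tuple:
    """Compare digests of source and restored trees; return (ok, problems)."""
    want = sha256_tree(source)
    got = sha256_tree(restored)
    problems = []
    for rel, digest in want.items():
        if rel not in got:
            problems.append(f"missing after restore: {rel}")
        elif got[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in got:
        if rel not in want:
            problems.append(f"unexpected file in restore: {rel}")
    return (not problems, problems)


def run_backup_test(corrupt: bool = False) -> tuple:
    """End to end: build sample data, back it up, optionally damage the archive
    the way an untested backup turns out to be damaged, restore, and verify."""
    with tempfile.TemporaryDirectory() as tmpname:
        tmp = Path(tmpname)
        source, archive, restore_dir = tmp / "prod", tmp / "prod.tar.gz", tmp / "restore"
        # Constructed sample data standing in for the production file shares.
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "notes.txt").write_text("quarterly review\n")
        make_backup(source, archive)
        if corrupt:
            # Simulate a media or transfer error by truncating the archive.
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        restore_dir.mkdir()
        try:
            restore_backup(archive, restore_dir)
        except (tarfile.TarError, EOFError, OSError, zlib.error, ValueError) as exc:
            return (False, [f"restore failed: {type(exc).__name__}: {exc}"])
        return verify_restore(source, restore_dir)


if __name__ == "__main__":
    for label, corrupt in (("good backup", False), ("truncated backup", True)):
        ok, problems = run_backup_test(corrupt=corrupt)
        print(f"{label}: {'PASS' if ok else 'FAIL'}", *problems, sep="\n  ")
```

Run it on a schedule against a copy of each real backup set and alert on anything other than a clean pass; the restore time you measure while doing so also answers the "it would take days" question before an incident rather than during one.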

Sooooooo, they decided to pay the ransom (which was very low, a strategy that the attackers play to their advantage: if they wanted $10,000 you might think twice, but if they ask for $500 you might say what the hell).

The good news here is that they got the decryption key from the attacker (which does NOT always happen) and were able to decrypt the files in a few hours.

This is a great lesson for people who take the opportunity to learn.  Learning from OTHER people’s mistakes, in my humble opinion, is the least painful way to learn.  As long as we don’t say that we will implement the lessons another day.

 

Mitch Tanenbaum

Feds Look To Get Firms To Close “Gaping” Cyber Holes

An article in the Times a week ago says that the Feds and States want banks and brokerage firms to close some gaping holes in their defenses.

What is that gaping hole?  OUTSIDE VENDORS!

Many people are aware that the suspected source of the Target breach was a small HVAC contractor.  They didn’t do anything on purpose;  they got phished.  It also appears that the JP Morgan Chase attack may have started with a vendor as well.

According to the article, the Securities and Exchange Commission is conducting an audit of 50 firms to assess their readiness for attacks AND their relationships with vendors. FINRA is doing the same with brokerage firms.  Other regulators are doing the same with 500 community banks and credit unions.

Benjamin Lawsky, New York’s outspoken head banking regulator, suggested that banks may be required to “obtain representations and warranties” from vendors about the adequacy of their controls to thwart hackers.

Lawsky said “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”

If I were a vendor (and that includes everyone down to janitorial firms, according to Treasury) I would be looking at my cybersecurity readiness and figuring out what the implications of reps and warranties might be.

Nothing is a done deal until it is a done deal, but there seems to be a lot of “smoke” around this issue right now.  Too much to assume there is no “fire”.

Mitch Tanenbaum

Your Flashlight May be Spying On You!

Do you think about the permissions that an app asks for?  A recent ITWorld article delves into the subject and while the article was testing Android apps, the issue is a concern, although a somewhat lesser concern, for Windows and iOS apps as well.

The issue at hand is that apps ask for certain permissions and you as the user have no idea what that app may or may not do with those permissions.  The developer may not have thought about the implications of asking for all those permissions.  OR the app may have designs that you are not aware of.

For example, the app might look at your wifi connections to figure out your location to present ads for stores that are nearby.  You might think this is ok – or you might not.

The article gives a table of permissions that some flashlight apps ask for.  For example, some ask to be able to take pictures and videos.  Why would a flashlight app ask for that permission?  Could be benign (on Android versions before 6.0 the torch LED is driven through the camera API, so a flashlight needs the CAMERA permission just to turn the light on).  Could be malicious.  The permission alone does not tell you which.
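The table in the article is the kind of comparison you can do yourself before installing an app: list the permissions the app declares, decide which ones its stated purpose actually needs, and look hard at the rest.  The script below is an added example of mine (not from the ITWorld article or any real app) that parses the `uses-permission` entries from an Android manifest and sorts them into expected, unexpectedly dangerous, and other.  The manifest is constructed for the demonstration; the "dangerous" set is a subset of the permissions Android itself classifies that way, and the expected set for a flashlight is my own baseline.

```python
"""Audit the permissions an Android app declares against what its purpose needs.
Added example; the manifest below is constructed, not taken from a real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of the permissions Android classifies as "dangerous": the ones that
# touch user data or sensors and, from Android 6.0 on, are granted at runtime.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
}

# Baseline of what a given kind of app legitimately needs (my assumption).
# CAMERA is listed for a flashlight because, before Android 6.0, the torch is
# controlled through the camera API, so its presence alone proves nothing.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Constructed sample manifest for a fictional torch app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Torch"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> under <manifest>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [e.get(name_attr) for e in root.findall("uses-permission") if e.get(name_attr)]


def audit(manifest_xml: str, category: str) -> dict:
    """Split declared permissions into expected / unexpected dangerous / other."""
    perms = declared_permissions(manifest_xml)
    expected = EXPECTED[category]
    return {
        "expected": sorted(p for p in perms if p in expected),
        "unexpected_dangerous": sorted(
            p for p in perms if p in DANGEROUS and p not in expected
        ),
        "unexpected_other": sorted(
            p for p in perms if p not in DANGEROUS and p not in expected
        ),
    }


def report(manifest_xml: str, category: str) -> str:
    """Human-readable summary, one line per finding."""
    result = audit(manifest_xml, category)
    lines = [f"{category} app: {len(declared_permissions(manifest_xml))} permissions declared"]
    for bucket, perms in result.items():
        for p in perms:
            lines.append(f"  [{bucket}] {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, "flashlight"))
```

For a real APK, the manifest is binary XML inside the package; `aapt dump permissions app.apk` (from the Android SDK build tools) prints the same list, which you can feed to `audit` after trivial reshaping.  The two unexpected dangerous permissions in the sample (location and contacts) are exactly the kind of thing a flashlight has no business asking for.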

Until users stop installing apps that ask for too many permissions (or the Android OS is modified to allow you to pick and choose which of the permissions an app asks for that you grant – which I hear is on the way), nothing will change.

In the iOS world you already have more flexibility in granting requested permissions or not.

BUT, you as a user have to consciously pay attention and either not grant permissions if you see something that concerns you or not install the app.  THAT TAKES A LITTLE BIT OF EFFORT.  AND, it might mean that you don’t use a particular app.

Remember, if an app asks for a permission – say access to your contacts – and you allow it, that app could send your entire contact list to a hacker in Eastern Europe and you would never know.  Think about that for a minute.

Or your pictures might show up on the internet.  Those private ones.

You are the only one that can lock things down.  Practice responsible apping. 🙂

Mitch Tanenbaum

Over 500 million financial records hacked in the last year

I read an interesting article in USA Today recently.  The FBI says that over 500 million financial records have been hacked in the last 12 months (given that the Chase hack accounts for over 80 million records alone, this number in itself is not surprising).

Here are a few tidbits out of the article that should get your attention:

  • The FBI says that nearly 519 million financial records were stolen in the last 12 months
  • Joseph Demarest, Assistant Director of the FBI's cyber division, says "You are going to be hacked … have a plan"
  • 35% came from website breaches, 22% from cyberespionage, 14% from point of sale systems and 9% from when you swiped your credit or debit card.
  • About 80% of the hacking victims in the business community didn't even realize they'd been hacked until they were told by the government, vendors or customers.

Probably the most telling item on this list is that most companies did not figure out that they were hacked themselves.  This is very different than having your car stolen.  When that happens, you go looking for your car and it is not where you left it.  You know you have a problem.  When a good hacker breaks into your business systems, nothing is missing, nothing is askew.  Absent you being proactive, how would you know you have been had?

It’s scary, but doing nothing is not an option any more.  It is much harder to hit a moving target – so plan on moving.  Otherwise you are a sitting duck.

 

Mitch Tanenbaum

Privacy, Security and Cyber Risk Mitigation in the Digital Age
