Tag Archives: 5G

Security News for the Week Ending February 5, 2021

Are You the Victim of Covid Fraud?

As if Covid wasn’t bad enough, there are widespread stories of people getting tax forms for their Covid unemployment benefits - benefits they never applied for and never received, but which are considered taxable income. In California alone, crooks stole at least $11 billion in unemployment benefits by stealing people’s identities and getting the benefits deposited in accounts they control. But the victims will get the tax forms and have to deal with convincing their state and the IRS that they did not get those thousands in income. Credit: Brian Krebs

Paper – Now That’s Secure

Now that the Department of Justice has admitted that (likely) Russia hacked their confidential court filings, exposing search warrants, terrorism investigations and other stuff that should have remained sealed, they have a simple solution. Last week the federal court system issued an order that says that highly sensitive documents (likely those that the court would seal) must be filed on paper and any order or rule of any federal court or judge to the contrary is null and void. Problem solved. Credit: The Register

Billions of Emails/Passwords for Free

Someone has posted a file with 3.2 billion unique emails and passwords in clear text on a popular hacking forum. This data is a combination of many breaches but is a great input for password stuffing attacks since people love to reuse passwords. For users, this is one more reason to use two-factor authentication. Credit: Cybernews

Voting Machine Vendor Smartmatic Sues Fox for $2.7 Bil

Voting machine vendor Smartmatic is suing the Fox network, its hosts individually and Trump lawyers Sidney Powell and Rudy Giuliani for $2.4 billion after these folks made unsubstantiated claims that Smartmatic’s software changed millions of votes from Trump to Biden. Smartmatic says that this is not about the money; they want vindication, so this could get more than a bit nasty. Credit: The Register

T-Mobile is Being Very Aggressive in Deploying 5G

T-Mobile plans to spend $40 billion in the next 3-4 years upgrading its network to 5G and faster 4G. Some of that will be recovered by decommissioning Sprint’s old network. But speed is the issue. Their “low band” 5G is slightly faster than 4G. Their “mid band” might give a couple hundred megabits per second which is quite respectable for cell phones and its “high band” will give you gigabit. But their president of technology says this will take decades to blanket the entire country. For the moment, they appear to be ahead of AT&T and Verizon. Credit: SDX Central

Security News for the Week Ending November 6, 2020

TikTok Ban – Remember That?

Well now that the election is over – at least the voting part – we can get back to the important stuff like whether our kids can create 30 second dance videos on TikTok. The President signed a memo a couple of months ago to add trade pressure on China by banning TikTok in the US, but a Federal judge signed a preliminary injunction putting the memo on hold. The government has asked the DC Circuit to overturn that injunction but there are other restrictions like hosting the TikTok software on US cloud servers that go into effect on November 12th, so assume this subject will heat up over the next week or so. Credit: Law360

Feds Seize $1 Billion in Bitcoin from Silk Road

The feds shut down the Silk Road online crime bazaar in 2013 and convicted its founder, Ross Ulbricht, in 2015. He was sentenced to two life terms plus 40 years. Now, this past week, the feds transferred 69,000+ Bitcoin out of a wallet that has been quiet since 2015. Is Ross trying to make a deal? Those Bitcoin are worth not quite a billion dollars. Now the feds have to convince a judge that the money is proceeds subject to forfeiture. If they do, the feds will likely auction off the cryptocurrency and put the proceeds in their piggy bank and, possibly, the piggy banks of other agencies that helped take Ulbricht down. Credit: Ars Technica

How Fast is Our 5G

I know that 5G is not a security issue – except that how we use 5G WILL make it a security issue. Right now, the 3 big carriers continue to roll out some form of 5G nationally and they are succeeding. It is important to understand what they mean by 5G. It does NOT mean that if you spend $1,000 or $1,500 on a 5G phone (although there are a couple of low price models), you should expect really fast speed on your phone. It means that the carriers are layering the 5G protocols on top of the existing 4G infrastructure.

So how fast is our 5G? PC Magazine does tests every few months and has released a new set of tests. They say that our 5G average speed is slower than Saudi Arabia, South Korea, Australia, Canada, Switzerland, United Kingdom and Germany. That is not impressive and is not likely to change for a number of years for several technical reasons. Read the details at PC Magazine.

Jackson, Mississippi Integrating Your Ring Camera into their Surveillance Network

To be clear, they are doing it with the owner’s permission. They are partnering with two companies who claim to be able to suck up your Ring camera data and feed it into the police department’s surveillance network. Obviously, if the city can get the benefit of thousands of surveillance camera feeds without paying for them AND they can really digest the data, then that may help them stop crime. If the cameras point towards the street and record people that are not on your property, YOU may be committing a crime (depending on the state), but since the cops want your data, they are unlikely to complain. On the other hand, the person who is captured on your video which is fed to the police may sue you. Just sayin’. While Ring has made a big deal of trying to get you to give your video feeds to your local police, this is not one of their projects. Credit: Vice

Attention Those 220 Million Web Sites That Use Let’s Encrypt

This is probably not a big deal but still worth mentioning. When Let’s Encrypt first came out it borrowed a friend’s root signing certificate since the browsers did not trust it. Years ago it became trusted when it issued its own root certificate. Now that original signing certificate is expiring and if your computer or phone does not have their new certificate, you will get an error message when browsing to one of the 220 million web sites that use Let’s Encrypt. NOTE that this only affects old operating systems and old browsers that use those operating systems’ certificate stores (this may be the reason why Chrome is moving away from using the OS certificate store). This doesn’t become a problem until September 2021, but IT managers should make a note of it because they will likely get at least a few calls. Credit: The Register

Security News for the Week Ending October 16, 2020

5 Eyes Ask For Crypto Backdoor – Again

Law enforcement does not like it if they cannot snoop whenever they want. It has been a problem since encryption started to be used by the masses. The CIA, for example, even went so far as to BUY the Swiss encryption company Crypto AG, insert backdoors into their hardware and sell it to both our allies and our adversaries for decades before circumstances changed and made that hardware less important. They didn’t tell our allies that we were snooping on them. Part of the game.

So it is no surprise that when consumer products contain decent crypto, these same folks are not happy and they have been fighting the battle ever since.

Now they are saying that these companies should allow them to snoop on everyone – which they will do responsibly, of course – as a matter of public safety and protecting children.

And, of course, unlike the TSA, NSA, CIA and others before them who lost control of those secrets, these secret backdoors that companies should provide will not get into the wild. Trust us! Credit: SC Magazine

Apple Releases New 5G Phones That Use Non-Existent 5G Service

Okay, this is not a cybersecurity issue, but it is a hot button for me. You can now buy an iPhone 12 Max with AppleCare for $1700+ with 5G support.

I guess if you want to spend your money and help the economy, go for it, but if you think that you will be able to surf the web on your phone 10 times faster than today as they claim, you can. But you will have to wait around 10 years.

The problem is that none of the carriers have FAST 5G infrastructure. Verizon does have some fast 5G – it covers about one percent of the US population. So, if you want to have a new iPhone and be one of the cool kids, go for it. Just don’t expect to surf the web any faster than you do today. Credit: Cybernews

Microsoft Takes Down TrickBot Network

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure. There is a concern that the bot network, which has connections to Russia and has compromised at least a million computers, may be used in an attempt by Russia to impact the U.S. Presidential elections.

That takedown lasted two days. The network is back operational again, causing mischief. This just points to the challenge of permanently stopping hackers who are living in unfriendly countries like Russia. Even with the best efforts of Microsoft and Cyber Command, it only stopped them for 2 days. Credit: ZDNet and Security Week.

And You Thought TSA was the Only Non-Secure Part of Flying? Wrong!

The aviation industry uses a system called ACAS internationally or TCAS in the U.S. It is a collision avoidance system which tells a pilot that there is another plane nearby and tells each pilot how to avoid a collision (up, down, left, right, fast, slow, etc.). Except that TCAS has no security in it and it can be spoofed by a bad guy to crash the plane. There is a new version coming out soon called ACAS X and it too can be fooled. So much for the basics of security. Credit: The Register

800,000 Sonicwall Appliances Can be Hacked by a Kid

The patch, which affects 800,000 Internet-facing VPN servers, was released on Monday. The details were disclosed two days later, on Wednesday. In its simplest form, a kid can either crash the device or just make it not respond to commands. Worst case, a more skilled hacker may be able to execute arbitrary code, including bypassing login requirements. Sonicwall says that they are not AWARE OF any customers impacted YET. If I was running a Sonicwall appliance, I would treat this as an emergency and patch it as soon as possible. Credit: ZDNet

Security News for the Week Ending September 4, 2020

Centurylink Routing Issues Lead to Massive Internet Outage

Last Saturday night/Sunday morning, Centurylink had a bit of a problem, either taking down or severely impacting web sites such as Cloudflare, Amazon, Steam, Twitter and many more. Just because a system was designed to stay operating in case of a nuclear attack does not mean that it is immune to human error or software bugs. Centurylink has not explained what happened. This particular attack nullified many business continuity strategies. If staying online is important to you, this would be a good time to review your DR-BC program. Credit: Bleeping Computer

The New Normal: Dell Says 60% of Their Staff Will Not be Going Back to the Office Regularly

We are seeing more companies saying that they do not plan to return to office life ever. Dell says that the majority of its 165,000-member workforce will never return to the office again or regularly. Dell says “work is something you do, an outcome, not a place or time”.

Ignore for the moment what this means for the commercial real estate market if this becomes the new normal.

That means a significant leap for your cybersecurity practices going forward. When the majority of your work is being done on a network, via unencrypted wireless through a router that was last patched in 2013, what does that mean for security? If that thought keeps you up at night, call us. Credit: The Register

Users’ Browsing Can Be De-Anonymized With Little Work, Researchers Say

Mozilla (Firefox) collected two 1-week browsing history datasets from 50,000 volunteers and were able to re-identify anonymous browsing data to the individual successfully. With users who only visited 50 web sites during that period, they were able to re-identify up to 80% of them. The odds improve when the researchers have more data. After all, who visits only 50 web sites in a two-week period? Therefore, treat claims of data being anonymized with great skepticism. Credit: Help Net Security

US Federal Appeals Court Rules NSA’s Mass Surveillance Disclosed by Edward Snowden is Illegal

Seven years after Edward Snowden disclosed the existence of NSA’s mass surveillance program, a federal appeals court said the program is illegal. In defending the program, the NSA pointed to one case where NSA surveillance data was used, but the judge overseeing that case says that the NSA’s information was not material. However, the same court said that the folks convicted in that case are still guilty so no getting off the hook based on that. Given the hundreds of millions of dollars spent on this program, the fact that the NSA can only point to one court case where the program had any effect should kill the program on effectiveness grounds anyway, but that is not the job of the court. I am sure the Republican administration will appeal this up to the Supremes, but they may or may not take the case, so stay tuned. Credit: Threatpost

Republican Plan to Ban Huawei Will Cost Americans $2 Billion

Now that the Republicans have decided (it is an election year) that Huawei is a national security threat (but wasn’t for the last three years), they have created a requirement to rip out and replace all of the existing Huawei (and ZTE) equipment that carriers are already using. The first step in this process was to ask the carriers well, how much will it cost to replace all that stuff. The carriers have come back with that initial estimate and it is $1.8 billion and change. Carriers are notoriously bad at estimating costs like this, so make it $2.5 billion or so.

BTW, I am not saying that the FCC is wrong, I just don’t understand why this wasn’t considered a problem in 2017 vs. two months before the elections.

Where is that money going to come from? There are really only two options – higher prices to customers and a taxpayer subsidy.

Curiously, the Republicans are complaining about a Chinese law that requires Chinese companies to comply with requests from the intelligence services and not tell anyone. If I was wearing a blindfold, that would sound exactly like the U.S. Foreign Intelligence Surveillance Act or FISA.

I have said for a long time that when it comes to telecom, the U.S. is basically a third world country (according to Wikipedia, we rank 30th in the world for mobile Internet connection speed). What the carriers will do in the short term is, except for really densely populated downtown cities, slow down the rollout of 5G Internet (Verizon, for example, only covers 5% of the population with high speed 5G – high speed means that a user can tell the difference when connecting over a 5G connection vs. connecting over a 4G connection). Other carriers cover more of the US, but with virtually no speed difference over 4G, but now, even that rollout will likely slow down.

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever increasing ransomware attacks, larger ransom demands and ransom and extortion wrapped up together, we are not alone. Not that the fact that we are not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered this, the hackers aren’t apparently quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time in two attacks after hackers attacked with a volumetric attack (I think that is a fancy word for big). Basically, they crushed the exchange’s servers with a lot of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that they went down three times and then halted trading says that (a) they made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered to pay an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for the plan, the Russian upped the offer to a million dollars. The Russian told him that the company would pay millions to not have their data posted on the web. The employee, instead, went to the FBI and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the migration of the country to 5G. While those trying to sell 5G gear are pretending that the country is ready for 5G, the reality is that 5G that lives up to the 5G hype is years away except for small pockets.

The strategy document calls for 5G policy and standards emphasizing security and resilience, expanding awareness of 5G supply chain risk (code for beware of HUAWEI and China), encouraging other companies to get into the 5G game and identifying risk based on potential 5G uses.

All of this is good, but unless this is more than a press release, it will not make any difference. Credit: SC Magazine

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate Generals. Stay tuned; that sausage is still being made. If they do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between your financial institutions and you, are not regulated in the same way that say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

IRS is “Recommending” Tax Pros Use Multi-factor Authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two-factor apps like Google Authenticator over SMS messages, which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed that you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you currently have with your current phone without spending the money on the new phone and new plan. For details, read the article in USA Today.