Tag Archives: Amazon

News Bites for Week Ending November 9, 2018

Score One For Amazon Security!

People who have read my blog for a while know that I am a big fan of two factor authentication.  That little bit of extra security usually gets thrown out the window if you call in to customer service instead of logging in to the company’s web site.  Two factor is not a silver bullet, but it does help security, dramatically.

Apparently, at Amazon, two factor means two factor, even on the phone.

I was having a problem with a delivery and had to call in to get it handled.  They refused to do anything at all unless I confirmed the one time password (second factor). They said that even if I escalated the call to a supervisor, the system WOULD NOT ALLOW THEM to access my account without the second factor authentication.

KUDOS TO JEFF BEZOS AND THE AMAZON SECURITY TEAM!

Usually, companies decide that being customer friendly, even at the expense of massive fraud, is more important than security.

Thank you Amazon for being a tad bit more sane!

And, if you don’t have two factor authentication turned on for your Amazon account, you should.  Amazon accounts are a massive target for thieves.  They usually don’t use it to buy products, although I have seen that too, but they use it to guy electronic gift cards which get used immediately, before the fraud is reported.

Usually People Don’t Die From Security Failures, but in this Case, Dozens Did Die

This is not a joke;  this is a serious story and people did die as a result of poor Internet security.

Word is just now coming out that the CIA had a serious security breach of their Internet based covert communications system used by field people, for years.  Apparently, the Iranians figured out how the system worked and that exposed the identities of CIA sources and maybe agents.  Dozens of sources in countries hostile to the U.S. were rounded up and disappeared (meaning, likely, tortured and/or murdered).

Apparently, when the CIA set up this covert communications system, they didn’t consider that state actors might try to hack into it.  For four years they did, successfully.

In defense of the CIA, apparently, the system was not really designed for the way it wound up being used, but, one more time, convenience won out over security and until the CIA was able to figure out what the source of why people were disappearing, they didn’t stop it.

Sometimes people don’t grasp the consequences.  A quote from one former official:

The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

In May 2011, Iran said that they had broken up a ring of 30 CIA spies.

In a statement that is not very comforting, the article says that “the Iranian compromise led to significantly fewer CIA agents being killed than in China”.

This just goes to show that real security is hard to do and we need to remember that.  In this case, it appears that it cost a lot of people their lives.  Source: Yahoo News.

Sen. Ron Wyden Introduces Bill That Punishes CEOs with Possible Jail Time for Security and Privacy Lapses

The draft Consumer Data Protection Act Would give the FTC more power to hand down harsher penalties on companies that violate users’ privacy.

The bill includes a national “do not track” registry, similar to the do not call registry, that would allow people to opt out from tracking for all websites that store their data.

Wyden is targeting companies that make more than $50 million and store data on more than 1 million users.

Those companies would have to submit an annual data protection report (similar, I suspect to the Sarbanes or NY DFS requirements).

Executives that INTENTIONALLY mislead the government could be held criminally liable, fined up to $5 million and jailed for up to 20 years.  These executives include the CEO, CPO and CISO.  Source: CNN .

Colorado Cities and Counties Ignore FCC Warning

Last week I wrote about an FCC commissioner who said that city run Internet services risked resident’s freedom of speech (I assume because he figured the town would censor speech somehow, if they ran the Internet service).  This FCC commissioner didn’t address that many people in the U.S. only have the choice of one Internet provider (like me), not counting satellite Internet (which is a joke) and that lack of choice, it seems to me,  is a much bigger risk to consumers than locally run Internet, where the users meet the councilpeops running their Internet in the local cafe or grocery store and give them a piece of their mind.  I am not sure how to effectively give Comcast a piece of my mind.

Well,  in 2005, Comcast bribed (probably not in the legal sense) the Colorado legislature to make it illegal for cities and counties to run municipal Internets.  EXCEPT.  They put a back door in the Comcast Law that said the law was null and void if a municipality put a ballot measure out that approved offering municipal Internet services.

So far, about half of Colorado counties have passed such a measure and this week there are another 18 on various ballots.

This past September, the town of Salida, West of Colorado Springs and Pueblo, voted on such a measure.  It passed with 85% of the vote.

Apparently, Colorado voters don’t agree with the FCC.  Big surprise.  Source: Motherboard.

UK Hands Investigation Results Over to Ireland’s GDPR Police

It just hasn’t been a good year to be Facebook (the stock price is down to $150 from a high this year of $215).   A pro-Brexit organization was fined 135,000 Pounds for running misleading ads.  And, there is a BUT.  The British Information Commissioner’s Office (ICO) handed over the results of the investigation to Helen Dixon, the Irish Data Protection Commissioner as the Brits felt that was targeting of ads and monitoring of browsing habits (which I am sure that they are), in violation of GDPR.  So now Facebook has to deal with yet another GDPR investigation. Source: Forbes .

Facebooktwitterredditlinkedinmailby feather

Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM) and they are the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of client’s sensitive data files like insurance policy documents, health data, medical data, social security and medicare cards, blank checks for payment info and financial data.

Andrew Lech admitted to the faux-pas and quickly fixed it.

But not to worry;  their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, it doesn’t, in this case, require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  the terms of services says:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  Don’t know for sure, but, look at the evidence.  This problem happens weekly.  

Amazon has created a whole bucket of tools for you to use to help protect yourself from self inflicted mortal wounds like this. Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.

 

Facebooktwitterredditlinkedinmailby feather

Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently.  Orlando has a series of surveillance cameras throughout the city to watch people who are out in public.  They call them public safety cameras since that likely sounds better than the 1984-esque alternative.  Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”.  Of course, most of us won’t complain if the city we live in is safer, but it also means that likely your every move in Orlando (and maybe other cities, we do not know) could be being monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone who’s check will clear.  Is there any reason that cash-strapped cities won’t do the same?  Maybe with the pictures showing what you were doing and with whom?  Don’t know.  There are no clear universal laws covering this other than you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.

Facebooktwitterredditlinkedinmailby feather

Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and via WiFi to the Internet.  Neither of those channels are terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack.  The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet.  That is not as cheap, easy or pretty as doing it via WiFi.  If you send that command, the camera will keep getting kicked off or really will never get back online.  The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather it just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving and since kicking the camera off WiFi would also disable the lock since it piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk and Amazon plans to issue a patch, although a deauth is a valid thing to do. Maybe they will generate an alert.

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information.  This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, a month after being notified, Tigerswan the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in order words, the data was effectively abandoned and unprotected.  No one “Owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people who’s information was exposed and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain the data maps to document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against tigerswan.

Information for this post came from Upguard and ZDNet.

 

 

Facebooktwitterredditlinkedinmailby feather

Why An Incident Response Program Is Critical

Do you have a written incident response program?

Do the people who are part of it – the outside legal team, crisis communications team, forensics team, for example – know they are part of it?

Are contracts signed with outside service providers – or at least providers periodically reviewed and selected vendor already approved?

Has the team – both internal and external – conducted a mock disaster drill within the last 12 months?

Are the people answering the phones, email, chat and social media – from reception to help desk – trained in what to do when there is an inbound communication regarding a potential breach (you may remember the FBI called the Democratic National Committee several times last year to warn them but the person who answered the phone thought it was a prank)?

All of this needs to be in place and ready to go so that when (not if) an event occurs you are ready to spring into action.

Case in point.

One of our favorite white hat security researchers, Chris Vickery of Upguard, discovered a cache of voter information of Chicago residents unprotected on Amazon (does this ring a familiar bell – come on folks, lets get it together).  1.8 million voters.  Names, addresses, birth dates, partial socials, drivers license, etc.

He was able to associate it to a service provider to the City of Chicago, ES&S and Chris notified them.

Without regard to the fact that for some reason, someone at ES&S changed the default Amazon permissions from private to public – and I would certainly like to understand that, other than that, they handled the incident well.

Unlike the DNC who blew off the FBI, the email got to the right person.  As a side note, if someone wanted to notify your company, how would they know who to contact?  Is there information on your web site about what to do about security issues, for example?

While the details are still private, based on the results, they had a security incident response program.  They quickly – even though they were notified after business hours – investigated the report and within a few hours, the data was gone from Amazon.

Their crisis communications team released information that the data that was breached was limited and that no vote data was compromised.  They explained that it was a backup of a database that was unprotected, so the vote process integrity was intact.

They notified their customer, the Chicago Election Board.

Bottom line, they responded to a crisis quickly and worked to limit the damage.

I am sure that the City of Chicago will have more questions, but at least from the public side, they did what needed to be done and they did it quickly.

Can you say the same for your company?

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather