Tag Archives: Amazon

Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”, Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers, wants to investigate why Internet provider CenturyLink had an outage today that affected 911 call centers across the country.

CenturyLink, which told people earlier today that if they had an emergency they should drive to a nearby fire station, now says it is all working (my Internet is not, so maybe they are being optimistic) but has not said what caused the outage.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place since he said earlier this year that the FCC can’t regulate the Internet, and this is an Internet problem, so maybe he doesn’t even have the authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  Source: NBC.

Yet Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin, around $750,000, from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added servers of their own to the Electrum network, the servers that do the Bitcoin math for the wallet.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious: it steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending messages to wallets in rich text.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution; until then, Electrum users need to beware.
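The defensive side of this story is worth spelling out in code.  The block below is an added example written for this post, not Electrum’s own code: it shows how a wallet client can treat a message from a peer as untrusted, strip any markup, refuse to show links, and flag the message so the interface shows a generic warning instead of rendering whatever the server sent.  The `sanitize_server_message` and `display_text` functions, the `example.invalid` URL and the two sample messages are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Anything that looks like a link: a peer that only reports protocol errors has
# no legitimate reason to send one, so the UI should never render it as clickable.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


class _TagStripper(HTMLParser):
    """Keeps only the text nodes of an HTML fragment and drops every tag."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        return "".join(self.parts)


def sanitize_server_message(raw, max_len=200):
    """Reduce an untrusted server message to plain text that is safe to display.

    Returns (text, flagged). `flagged` is True when the message carried markup
    or a link, which is the signal to show a generic warning rather than the
    message itself.
    """
    stripper = _TagStripper()
    stripper.feed(raw)
    stripper.close()
    text = stripper.text()
    had_markup = text != raw            # tags were removed or entities decoded
    had_link = bool(URL_RE.search(text))
    # Replace links with a marker so a user cannot copy one out of the dialog.
    text = URL_RE.sub("[link removed]", text)
    # Collapse whitespace and cap the length so a rogue server cannot fill the
    # screen with instructions.
    text = re.sub(r"\s+", " ", text).strip()[:max_len]
    return text, (had_markup or had_link)


def display_text(raw):
    """What the wallet should actually put in the dialog."""
    text, flagged = sanitize_server_message(raw)
    if flagged:
        return "The server returned a message containing links or formatting; it was not shown."
    return text


# Constructed samples: a benign error and the kind of message a rogue server sends.
BENIGN = "transaction rejected: insufficient fee"
ROGUE = ('<b>Your wallet is outdated.</b> Download the update at '
         '<a href="http://example.invalid/update">http://example.invalid/update</a>')

if __name__ == "__main__":
    for raw in (BENIGN, ROGUE):
        print(repr(raw), "->", display_text(raw))
```

The point of flagging rather than merely cleaning is that the user never sees a half-readable remnant to pick a URL out of; the wallet tells them the server misbehaved and leaves it at that.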

But here is my complaint about digital currency.

People are out at least $750,000, and that is coming out of their own pockets.  Can you afford to lose three quarters of a million dollars?  I can’t, and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers posted the cables online and, when they were found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of how inadequate security controls can come back to bite you years later, as they did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, the lack of appropriate tools makes the theft unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data it is storing about them.

Amazon complied with such a request recently.  The only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (which could be both intimate and embarrassing), were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Echo Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that it had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information, along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers had been in there since January; the district discovered it in October and told people about it last week.  Source: Newsweek.


News Bites for Week Ending November 9, 2018

Score One For Amazon Security!

People who have read my blog for a while know that I am a big fan of two factor authentication.  That little bit of extra security usually gets thrown out the window if you call in to customer service instead of logging in to the company’s web site.  Two factor is not a silver bullet, but it does help security, dramatically.

Apparently, at Amazon, two factor means two factor, even on the phone.

I was having a problem with a delivery and had to call in to get it handled.  They refused to do anything at all unless I confirmed the one time password (second factor). They said that even if I escalated the call to a supervisor, the system WOULD NOT ALLOW THEM to access my account without the second factor authentication.

KUDOS TO JEFF BEZOS AND THE AMAZON SECURITY TEAM!

Usually, companies decide that being customer friendly, even at the expense of massive fraud, is more important than security.

Thank you Amazon for being a tad bit more sane!

And, if you don’t have two factor authentication turned on for your Amazon account, you should.  Amazon accounts are a massive target for thieves.  They usually don’t use them to buy products, although I have seen that too, but to buy electronic gift cards, which get used immediately, before the fraud is reported.

Usually People Don’t Die From Security Failures, but in this Case, Dozens Did Die

This is not a joke;  this is a serious story and people did die as a result of poor Internet security.

Word is just now coming out that, for years, the CIA had a serious security breach of the Internet based covert communications system used by field people.  Apparently, the Iranians figured out how the system worked, and that exposed the identities of CIA sources and maybe agents.  Dozens of sources in countries hostile to the U.S. were rounded up and disappeared (meaning, likely, tortured and/or murdered).

Apparently, when the CIA set up this covert communications system, they didn’t consider that state actors might try to hack into it.  For four years they did, successfully.

In defense of the CIA, apparently the system was not really designed for the way it wound up being used, but, one more time, convenience won out over security, and until the CIA was able to figure out why people were disappearing, they didn’t stop using it.

Sometimes people don’t grasp the consequences.  A quote from one former official:

The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

In May 2011, Iran said that they had broken up a ring of 30 CIA spies.

In a statement that is not very comforting, the article says that “the Iranian compromise led to significantly fewer CIA agents being killed than in China”.

This just goes to show that real security is hard to do and we need to remember that.  In this case, it appears that it cost a lot of people their lives.  Source: Yahoo News.

Sen. Ron Wyden Introduces Bill That Punishes CEOs with Possible Jail Time for Security and Privacy Lapses

The draft Consumer Data Protection Act would give the FTC more power to hand down harsher penalties on companies that violate users’ privacy.

The bill includes a national “do not track” registry, similar to the do not call registry, that would allow people to opt out from tracking for all websites that store their data.

Wyden is targeting companies that make more than $50 million and store data on more than 1 million users.

Those companies would have to submit an annual data protection report (similar, I suspect, to the Sarbanes-Oxley or NY DFS requirements).

Executives that INTENTIONALLY mislead the government could be held criminally liable, fined up to $5 million and jailed for up to 20 years.  These executives include the CEO, CPO and CISO.  Source: CNN.

Colorado Cities and Counties Ignore FCC Warning

Last week I wrote about an FCC commissioner who said that city run Internet services risked residents’ freedom of speech (I assume because he figured the town would censor speech somehow if it ran the Internet service).  This FCC commissioner didn’t address that many people in the U.S. only have the choice of one Internet provider (like me), not counting satellite Internet (which is a joke), and that lack of choice, it seems to me, is a much bigger risk to consumers than locally run Internet, where the users meet the council people running their Internet in the local cafe or grocery store and give them a piece of their mind.  I am not sure how to effectively give Comcast a piece of my mind.

Well, in 2005, Comcast bribed (probably not in the legal sense) the Colorado legislature to make it illegal for cities and counties to run municipal Internet services.  EXCEPT.  They put a back door in the Comcast Law that said the law was null and void if a municipality put a ballot measure out that approved offering municipal Internet services.

So far, about half of Colorado counties have passed such a measure and this week there are another 18 on various ballots.

This past September, the town of Salida, west of Colorado Springs and Pueblo, voted on such a measure.  It passed with 85% of the vote.

Apparently, Colorado voters don’t agree with the FCC.  Big surprise.  Source: Motherboard.

UK Hands Investigation Results Over to Ireland’s GDPR Police

It just hasn’t been a good year to be Facebook (the stock price is down to $150 from a high this year of $215).  A pro-Brexit organization was fined 135,000 pounds for running misleading ads.  And there is a BUT.  The British Information Commissioner’s Office (ICO) handed the results of the investigation over to Helen Dixon, the Irish Data Protection Commissioner, as the Brits felt that Facebook’s targeting of ads and monitoring of browsing habits (which I am sure they are doing) was in violation of GDPR.  So now Facebook has to deal with yet another GDPR investigation.  Source: Forbes.


Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM), and it is the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of clients’ sensitive data files: insurance policy documents, health data, medical data, Social Security and Medicare cards, blank checks with payment information and financial data.

Andrew Lech admitted to the faux pas and quickly fixed it.

But not to worry; their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, in this case, it didn’t require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  The terms of service say:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  I don’t know for sure, but look at the evidence.  This problem happens weekly.

Amazon has created a whole bucket of tools for you to use to help protect yourself from self inflicted mortal wounds like this. Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.
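Here is the kind of check an executive could ask the IT staff to run against every bucket.  It is an added example written for this post, not AWS’s or AgentRun’s code: it takes the bucket policy, the ACL, the Block Public Access configuration and the default-encryption configuration that the S3 API returns for a bucket and reports the ways the bucket can be open to the world.  It assumes those four responses were already fetched (for instance with the AWS CLI or boto3) and runs offline; the sample responses, the account id and the bucket names below are constructed for the example.

```python
import json

# The two grantee groups whose presence in an ACL makes a bucket or object readable
# by the whole Internet (AllUsers) or by anyone with an AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_everyone(principal):
    """True for the wildcard principal forms a bucket policy can use."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Allow statements in a bucket policy whose principal is everyone.

    Conditions are not evaluated here, so a hit means 'review this', not
    'certainly open'; a Condition can narrow a wildcard principal.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed as an object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))]


def public_acl_grants(acl):
    """ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]


def assess_bucket(policy=None, acl=None, public_access_block=None, encryption=None):
    """Return a list of findings for one bucket.

    `policy` is the parsed policy document, `acl` the GetBucketAcl body,
    `public_access_block` the PublicAccessBlockConfiguration object and
    `encryption` the ServerSideEncryptionConfiguration object; None means the
    setting is absent. Block Public Access is checked first because, with all
    four flags on, it overrides public ACLs and public policies.
    """
    findings = []
    pab = public_access_block or {}
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append("Block Public Access is not fully enabled")
        if policy and public_policy_statements(policy):
            findings.append("bucket policy allows a wildcard principal")
        if acl and public_acl_grants(acl):
            findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if not encryption or not encryption.get("Rules"):
        findings.append("no default encryption configured")
    return findings


# Constructed sample responses (made-up account id, bucket and owner ids).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
EXPOSED = {
    "acl": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": None, "public_access_block": None, "encryption": None,
}
HARDENED = {
    "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "policy": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                         '"Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-app"}, '
                         '"Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-client-docs/*"}]}'),
    "public_access_block": {k: True for k in PAB_KEYS},
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}

if __name__ == "__main__":
    for name, settings in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, "->", assess_bucket(**settings) or ["no findings"])
```

The ordering matters: Block Public Access is the single switch that makes the other two mistakes harmless, which is why the function only bothers listing the ACL and policy problems when that switch is not fully on, while missing default encryption is reported regardless.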

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.


Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently.  Orlando has a series of surveillance cameras throughout the city to watch people who are out in public.  They call them public safety cameras since that likely sounds better than the 1984-esque alternative.  Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”.  Of course, most of us won’t complain if the city we live in is safer, but it also means that likely your every move in Orlando (and maybe other cities, we do not know) could be monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone whose check will clear.  Is there any reason that cash-strapped cities won’t do the same?  Maybe with the pictures showing what you were doing and with whom?  Don’t know.  There are no clear universal laws covering this other than that you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.


Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and to the Internet via WiFi.  Neither of those channels is terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack.  The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet; that is not as cheap, easy or pretty as doing it via WiFi).  If the crook keeps sending that command, the camera keeps getting kicked off and never really gets back online.  The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving, and since kicking the camera off WiFi also disables the lock, which piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk, and Amazon plans to issue a patch, although a deauth is a legitimate protocol message that an access point is allowed to send.  Maybe they will generate an alert.
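The alert that the camera and its server do not raise is something a small wireless monitor on the home network can provide.  The block below is an added example written for this post, not Amazon’s or the researchers’ code: it decodes the 802.11 MAC header of frames taken from a monitor-mode capture, picks out deauthentication and disassociation frames, and raises one alert when the same transmitter/receiver pair sees more of them inside a short window than a healthy network produces.  The MAC addresses, the threshold, the window and the capture itself are constructed for the example.

```python
import struct
from collections import defaultdict, deque

# Management-frame subtypes that tear a station off the network.
DEAUTH, DISASSOC = 12, 10


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Decode the 24-byte 802.11 MAC header (no radiotap header expected).

    Returns None for anything too short to carry one. For deauth/disassoc
    frames the 2-byte reason code that follows the header is included.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]                       # frame control, low byte
    ftype = (fc >> 2) & 0x03            # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0x0F
    info = {
        "type": ftype,
        "subtype": subtype,
        "receiver": _mac(frame[4:10]),       # addr1: the station being kicked
        "transmitter": _mac(frame[10:16]),   # addr2: whoever claims to be the AP
        "bssid": _mac(frame[16:22]),
        "disconnect": ftype == 0 and subtype in (DEAUTH, DISASSOC),
        "reason": None,
    }
    if info["disconnect"] and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_disconnect_floods(observations, threshold=5, window=2.0):
    """Scan (timestamp_seconds, raw_frame) pairs and return alerts.

    An alert is raised the first time a (transmitter, receiver) pair accumulates
    `threshold` deauth/disassoc frames within `window` seconds. A real access
    point sends such frames rarely, so a burst aimed at one client is the signal.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, frame in observations:
        hdr = parse_mac_header(frame)
        if not hdr or not hdr["disconnect"]:
            continue
        key = (hdr["transmitter"], hdr["receiver"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:     # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"transmitter": key[0], "receiver": key[1],
                           "count": len(q), "first_seen": q[0], "last_seen": ts,
                           "reason": hdr["reason"]})
    return alerts


# ---- Constructed test capture (made-up, locally administered MAC addresses) ----
AP = bytes.fromhex("02ab00000001")        # the home router
CAMERA = bytes.fromhex("02ab00000002")    # the delivery camera
BROADCAST = bytes.fromhex("ffffffffffff")


def _mgmt_frame(subtype, receiver, transmitter, bssid, reason=None):
    """Pack a minimal management frame header for the fixture below."""
    fc_low = (subtype << 4) | (0 << 2) | 0  # type 0 (management), protocol version 0
    header = struct.pack("<BBH6s6s6sH", fc_low, 0, 0, receiver, transmitter, bssid, 0)
    return header + (struct.pack("<H", reason) if reason is not None else b"")


def sample_capture():
    """Two beacons, then a burst of six spoofed deauths aimed at the camera."""
    beacon = _mgmt_frame(8, BROADCAST, AP, AP)
    frames = [(0.0, beacon), (0.5, beacon)]
    frames += [(1.0 + i * 0.1, _mgmt_frame(DEAUTH, CAMERA, AP, AP, reason=7))
               for i in range(6)]
    frames.append((1.7, beacon))
    return frames


if __name__ == "__main__":
    for alert in detect_disconnect_floods(sample_capture()):
        print(f"ALERT: {alert['count']} disconnect frames from {alert['transmitter']} "
              f"to {alert['receiver']} in {alert['last_seen'] - alert['first_seen']:.1f}s "
              f"(reason {alert['reason']})")
```

In practice the frames would come from a pcap read by any capture library, with the radiotap header stripped first.  The reason code is carried into the alert only for triage; the decision to alert rests on the burst, because a single deauth from the real access point is normal and must not page anyone.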

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.


Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery, and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information.  This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st, Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, a month after Tigerswan was first notified, the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in other words, the data was effectively abandoned and unprotected.  No one “owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people whose information was exposed, and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff’s deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain the data maps that document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high, and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against Tigerswan.

Information for this post came from Upguard and ZDNet.
