Tag Archives: Amazon

Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was  used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.

 

FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment  because of their close ties to the Chinese government and another rule that would force telecoms to rip  out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, is to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This disproportionately will affect less densely populated parts of the county (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast , affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS

 

Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change  my password and make sure that two factor authentication is enabled.  Source:  The Hacker News.

 

Rudy Guiliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed  – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernadino mass shooter whom the FBI needed help unlocking his iPhone.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised are 140,000 US social security numbers and 80,000 bank account numbers.  Also in the mix were one million Canadian social security numbers plus names, addresses, phone numbers, birth dates and incomes.

The data included applicants who applied between 2005 and 2019.  Yes, 15 years worth of applicant data, floating around in the cloud.  I ask WHY?

The hackers were inside between March and July and the breach was discovered in July.  In this case, a U.S. person was identified as the source of the hack and arrested.  She is still in jail.

The feds say a configuration error allowed her to access their data which was stored in the cloud.  See more information at The Register.

 

Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican controlled Senate Intelligence Committee released the first volume of it’s report of Russian hacking of the 2016 Presidential elections, Florida Senator and at the time Florida Governor Rick Scott said on national TV that he has not read the report.  The report, which is heavily redacted, talks about Russian efforts to hack “State-2” which is widely believed to be Florida.

The report is only 67 pages;  much less if you read the redacted version, but Scott has only gotten the Cliff-Notes version from his staff.  At the time, Scott was adamant that his state was not hacked.  Florida’s other Senator, Marco Rubio, has been working hard to sound the alarm bells on the report.  Perhaps the report hit a little to close to Scott’s denials for comfort.  Source: The Tampa Bay Times.

 

Honda Exposes the Family Jewels

134 million rows of sensitive data was accidentally exposed.  Wait.  Guess.  On an unprotected elastic search database.

Information on the company’s security systems, network, technical data on workstations, IP addresses, operating systems and patches were all exposed.  Basically, these are directions for even an inexperienced hackers to attack Honda.

Honda  is being pretty quiet about this, but it is one more more case of corporate governance gone wrong.  Or missing.  Source: Silicon Republic.

 

Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people’s Siri recordings, including sensitive  protected health information,  Apple announced it was suspending the program and will conduct an investigation.  Apple said they will provide an option for people to participate in the program or not, in a future software release.  Source: The Guardian.

 

On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called Jedi.  Now the Capital One breach happens exposing information on 100 million customers and it turns out the person who is accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers – and probably so does Microsoft.  $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was helped by a configuration error. Source: Bloomberg.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000.  And, they don’t seem to be getting any better.  Source: BBC .

 

Researchers Figure Out How to Attack WPA 3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The First version had no security, the next version had crappy security, the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security tests.  Anyone who wants to hack it has to do so treating it as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the other attacks are side channel attacks.  They also figured out how to create a denial of service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on Github to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try and patch the holes.  The good news is that since there are almost no WPA 3 devices in use, catching the bugs early means that most devices will be patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400 pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that  the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russian’s efforts to compromise the election and it will likely fuel more conversations in Congress.  Source: Ars Technica.

 

Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, whom President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, who told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe there are being optimistic), has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and hard place since he, earlier this year, said the FCC can’t regulate the Internet and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC) .

Yet, Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending a message to wallets in rich text.  The result is if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution, Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years  The hackers posted the cables online and when found, copies sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want it’s attention, Amazon, like the other players, keep everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of data that is storing about you.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued gave the victim a free Amazon Prime membership and, yes, if you can believe this, a free Echo Dot and Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, socials, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.

 

Facebooktwitterredditlinkedinmailby feather

News Bites for Week Ending November 9, 2018

Score One For Amazon Security!

People who have read my blog for a while know that I am a big fan of two factor authentication.  That little bit of extra security usually gets thrown out the window if you call in to customer service instead of logging in to the company’s web site.  Two factor is not a silver bullet, but it does help security, dramatically.

Apparently, at Amazon, two factor means two factor, even on the phone.

I was having a problem with a delivery and had to call in to get it handled.  They refused to do anything at all unless I confirmed the one time password (second factor). They said that even if I escalated the call to a supervisor, the system WOULD NOT ALLOW THEM to access my account without the second factor authentication.

KUDOS TO JEFF BEZOS AND THE AMAZON SECURITY TEAM!

Usually, companies decide that being customer friendly, even at the expense of massive fraud, is more important than security.

Thank you Amazon for being a tad bit more sane!

And, if you don’t have two factor authentication turned on for your Amazon account, you should.  Amazon accounts are a massive target for thieves.  They usually don’t use it to buy products, although I have seen that too, but they use it to guy electronic gift cards which get used immediately, before the fraud is reported.

Usually People Don’t Die From Security Failures, but in this Case, Dozens Did Die

This is not a joke;  this is a serious story and people did die as a result of poor Internet security.

Word is just now coming out that the CIA had a serious security breach of their Internet based covert communications system used by field people, for years.  Apparently, the Iranians figured out how the system worked and that exposed the identities of CIA sources and maybe agents.  Dozens of sources in countries hostile to the U.S. were rounded up and disappeared (meaning, likely, tortured and/or murdered).

Apparently, when the CIA set up this covert communications system, they didn’t consider that state actors might try to hack into it.  For four years they did, successfully.

In defense of the CIA, apparently, the system was not really designed for the way it wound up being used, but, one more time, convenience won out over security and until the CIA was able to figure out what the source of why people were disappearing, they didn’t stop it.

Sometimes people don’t grasp the consequences.  A quote from one former official:

The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

In May 2011, Iran said that they had broken up a ring of 30 CIA spies.

In a statement that is not very comforting, the article says that “the Iranian compromise led to significantly fewer CIA agents being killed than in China”.

This just goes to show that real security is hard to do and we need to remember that.  In this case, it appears that it cost a lot of people their lives.  Source: Yahoo News.

Sen. Ron Wyden Introduces Bill That Punishes CEOs with Possible Jail Time for Security and Privacy Lapses

The draft Consumer Data Protection Act Would give the FTC more power to hand down harsher penalties on companies that violate users’ privacy.

The bill includes a national “do not track” registry, similar to the do not call registry, that would allow people to opt out from tracking for all websites that store their data.

Wyden is targeting companies that make more than $50 million and store data on more than 1 million users.

Those companies would have to submit an annual data protection report (similar, I suspect to the Sarbanes or NY DFS requirements).

Executives that INTENTIONALLY mislead the government could be held criminally liable, fined up to $5 million and jailed for up to 20 years.  These executives include the CEO, CPO and CISO.  Source: CNN .

Colorado Cities and Counties Ignore FCC Warning

Last week I wrote about an FCC commissioner who said that city run Internet services risked resident’s freedom of speech (I assume because he figured the town would censor speech somehow, if they ran the Internet service).  This FCC commissioner didn’t address that many people in the U.S. only have the choice of one Internet provider (like me), not counting satellite Internet (which is a joke) and that lack of choice, it seems to me,  is a much bigger risk to consumers than locally run Internet, where the users meet the councilpeops running their Internet in the local cafe or grocery store and give them a piece of their mind.  I am not sure how to effectively give Comcast a piece of my mind.

Well,  in 2005, Comcast bribed (probably not in the legal sense) the Colorado legislature to make it illegal for cities and counties to run municipal Internets.  EXCEPT.  They put a back door in the Comcast Law that said the law was null and void if a municipality put a ballot measure out that approved offering municipal Internet services.

So far, about half of Colorado counties have passed such a measure and this week there are another 18 on various ballots.

This past September, the town of Salida, West of Colorado Springs and Pueblo, voted on such a measure.  It passed with 85% of the vote.

Apparently, Colorado voters don’t agree with the FCC.  Big surprise.  Source: Motherboard.

UK Hands Investigation Results Over to Ireland’s GDPR Police

It just hasn’t been a good year to be Facebook (the stock price is down to $150 from a high this year of $215).   A pro-Brexit organization was fined 135,000 Pounds for running misleading ads.  And, there is a BUT.  The British Information Commissioner’s Office (ICO) handed over the results of the investigation to Helen Dixon, the Irish Data Protection Commissioner as the Brits felt that was targeting of ads and monitoring of browsing habits (which I am sure that they are), in violation of GDPR.  So now Facebook has to deal with yet another GDPR investigation. Source: Forbes .

Facebooktwitterredditlinkedinmailby feather

Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM) and they are the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of client’s sensitive data files like insurance policy documents, health data, medical data, social security and medicare cards, blank checks for payment info and financial data.

Andrew Lech admitted to the faux-pas and quickly fixed it.

But not to worry;  their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, it doesn’t, in this case, require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  the terms of services says:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  Don’t know for sure, but, look at the evidence.  This problem happens weekly.  

Amazon has created a whole bucket of tools for you to use to help protect yourself from self inflicted mortal wounds like this. Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.

 

Facebooktwitterredditlinkedinmailby feather