Tag Archives: Census

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security's CISA (Cybersecurity and Infrastructure Security Agency) says it is aware of a scam in which a caller pretends to be a CISA representative and claims to have knowledge of the potential victim's questionable behavior. The caller then attempts to extort the victim.

CISA says not to fall for the scam: do not pay the extortion demand, and report the call to the FBI. Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT program would provide grants for utilities to improve their security. Given that a quietly distributed government report says that the Russians (not the Chinese) have already compromised a number of US utilities, improving security is probably a smart idea. The nice part is that it is a grant. The important part is that the money would be spread out over 5 years, so in reality we are talking about spending $50 million a year. It also seems to be focused on electric utilities and doesn't appear to consider water or other utilities. There are around 3,300 electric utilities alone in the US. If we ignore everything but electric and spread the money equally (which, of course, they won't), every utility would get about $15,000 a year. That will definitely get the job done. NOT! Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the infamous Magecart card-skimming malware. They join the likes of British Airways (a proposed £183 million fine from the UK ICO) and thousands of others. Abrams had not heard back from them by publication time. Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger data center and managed service providers, was hit by a ransomware attack that affected some of its customers. As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets: one compromise yields access to many customers.

In CyrusOne's case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network). It did not affect their colocation customers, only their managed customers (in a colo, the provider does not hold credentials for its customers' servers, so a compromise of the provider's management systems has nothing to pivot through). They are still investigating.

This is just one more reminder that you can outsource the work to a service provider, but not the responsibility: the buck still stops with you when the provider is hacked. Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems, and at last check the cost has doubled to $167 million. More importantly, in a 2018 test, Russian hackers (not Chinese) were able to get past a firewall and into places where they should not have been. In addition, the test was hit with denial-of-service attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely reconnaissance by the Russians, so no surprise) and (c) the system worked as designed (i.e., the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but they cannot hide them when it goes live, so let's hope they are able to fix it. Source: Reuters


Will Hackers Compromise the Census by Attacking Library Computers?

The U.S. Census Bureau wants people to respond online because it will save them money. They don't have to transfer data from paper forms and they don't have to send census workers out. From a pure finance standpoint, it makes perfect sense. The census will cost us about $15 billion this time around.

And, from a typical user's standpoint, whether the census data is right or wrong won't change the number of dollars in their pocket, so they don't really care whether it is correct. That is, of course, a short-term perspective.

In fairness, the Census Bureau has been working with Homeland Security to try to protect the first-ever digital census, but given the government's general cybersecurity record, that doesn't give me a whole lot of hope.

From our adversaries' perspective, destroying ordinary Americans' confidence in the Census results would be a win in itself; they don't need to change the count, only make people doubt it.

The Census Bureau plans to tell the 66 million Americans who do not have Internet at home to go to a local public library (that sounds like an awful idea to me, but I understand that the Census Bureau wants to save money).

Consider, however, the track record of public libraries from a cybersecurity perspective. In 2017, hackers successfully attacked 700 public libraries, from St. Louis to Anne Arundel County, MD, to South Carolina, New York and many others.

Library budgets are being slashed across the country, so cybersecurity is probably not their top priority, even if it means that the Census results may be invalid and subject to lawsuits.

The New York Library Association said that the state's libraries were unprepared for the Census.

Alaska cancelled funding for Internet access at its public libraries, so many of those libraries may not be able to let residents complete their Census forms online at all.

If Russia and China decide that creating more chaos would be useful to them, an increase in attacks on libraries during the Census filing season is entirely plausible.

The Census Bureau, following a tradition that many businesses started years ago, has eliminated or reduced testing because its software is behind schedule. Companies have figured out that this is a bad idea; the Census Bureau apparently has not.

For me, paper seems like a much safer idea.

And don’t be surprised if we see a lot of lawsuits.  Stock up on popcorn, this could get interesting.

Source: Wired.



Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver's license databases. The FBI and DHS do not feel that they have to ask permission to do this.

The FBI conducts about 4,000 facial recognition searches a month. While the searches might be used to find serious criminals, they might also be used to find petty thieves.

All that may be required to conduct a search is an email. 21 states allow these searches absent a court order. There is no federal law allowing or prohibiting this.

ICE runs searches in a dozen states where state DMVs issue licenses to illegal aliens. Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones with crappy security. This week the Chinese got caught in that net. Jiangsu province, with a population of 80 million, left 26 gigabytes of personal data, representing 56 million personal and 33 million business records, exposed in an unprotected Elasticsearch server. The Internet is an equal-opportunity exposer. Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail. That was very difficult to hack. Unfortunately, it is also very expensive. Given that the results of the Census affect everything from the makeup of Congress to the allocation of federal road construction dollars, the outcome is very important.

What better way to make people trust the government even less than they already do than to screw up that count?

This year, for the first time, the Census is using the Internet and smartphones to collect data electronically. And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing? After all, what could possibly go wrong? Even Congress is nervous. Of course, the count directly affects their jobs. Source: The NY Times.

K12.Com Exposes Student Data on 7 Million

It's a sad situation when a breach of the personal data of 7 million students is barely a footnote. In this case, K12's software is used by 1,100 school districts (maybe yours?). They left a database publicly accessible until notified by researchers. Information exposed included name, email, birthday, gender, authentication keys for accessing the student's account and other information. Not nuclear launch codes, but still, come on guys. Source: Engadget.


If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission, capturing and recording conversations (and handing them over to the authorities). Note this is likely NOT exclusively a Google issue. They just got caught. Amazon reviewers listen to, they say, about 1,000 clips per shift and have heard conversations like a child screaming for help and sexual assaults. THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.  

Of the 1,000 recordings, over 150 did not include the wake word, so roughly 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed. They also said that the recordings given to the humans were not associated with a user's account, but the news outlet said that you could hear addresses and other identifying information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here. One is Google listening (or having its vendors listen) to what you ask Google; the other is Google listening to and recording things it should not record. The first should be reasonably expected; the second is a problem. Source: Threatpost.


Potential Cyber Attack Target: The 2020 Census

Given Russia's and China's seemingly insatiable desire to know everything possible about us, it is reasonable to expect that they would target the 2020 Census.

Congress has been asking questions about the security of the Census process for the last several years and not getting any answers that it likes. We are getting pretty close to 2020 and still don't have those comforting answers.

Kevin Smith, Chief Information Officer of the Census Bureau, said last week that they are working with Homeland Security and using tools like encryption to protect the data.

He assured the folks at the meeting that security is the Census’s highest priority.

I would hope that accuracy is important too, but maybe not.

Critics of the Census Bureau's work on the House Oversight Committee, along with former national security officials, are less than persuaded. In fact, they are not convinced that the Census Bureau has implemented even basic cybersecurity practices.

Given the government's track record when it comes to cybersecurity, that is hard to argue with.

Just think about how well Russia could target citizens in the next election after the Census if they have all of the Census data.

Smith said that he didn't want to say what they were doing because that would help the adversaries. True enough. But he also didn't say that they had hired hackers from, say, another government agency like the NSA to try to break in. Or red team hackers from industry, either.

Basically, it is "give us all of your data and trust us."

Given the F-35, Sea Dragon, Office of Personnel Management and a host of other leaks, it is hard to argue with people who are less than confident of the government's ability to keep anything secret.

Oh, yeah: while Smith is trying to convince us that all is good, they actually haven't finished writing the software yet, so it is kind of hard to test something that isn't written. Hopefully they will get it finished before they have to use it. When was the last time you saw a government project finished on time? Actually, I can't think of one.

But not to worry;  I am sure the White House has a plan.

Congress is less convinced.

And you should be less convinced as well.

Information for this post came from Cybersecurity 202.

