Tag Archives: Centurylink

Security News for the Week Ending September 4, 2020

Centurylink Routing Issues Lead to Massive Internet Outage

Last Saturday night/Sunday morning, Centurylink had a bit of a problem, either taking down or severely impacting web site such as Cloudflare, Amazon, Steam, Twitter and many more. Just because a system was designed to stay operating in case of a nuclear attack does not mean that it is immune to human error or software bugs. Centurylink has not explained what happened. This particular attack nullified many business continuity strategies. If staying online is important to you, this would be a good time to review your DR-BC program. Credit: Bleeping Computer

The New Normal: Dell Says 60% of Their Staff Will Not be Going Back to the Office Regularly

We are seeing more companies saying that they do not plan to return to office life ever. Dell says that the majority of it’s 165,000 member workforce will never return to the office again or regularly. Dell says “work is something you do, an outcome, not a place or time”.

Ignore for the moment what this means for the commercial real estate market if this becomes the new normal.

That means a significant leap for your cybersecurity practices going forward. When the majority of your work is being done on a network, via unencrypted wireless through a router that was last patched in 2013, what does that mean for security? If that thought keeps you up at night, call us. Credit: The Register

Users’ Browsing Can Be De-Anonymized With Little Work, Researchers Say

Mozilla (Firefox) collected two 1-week browsing history datasets from 50,000 volunteers and were able to re-identify anonymous browsing data to the individual successfully. With users who only visited 50 web sites during that period, they were able to re-identify up to 80% of them. The odds improve when the researchers have more data. After all, who visits only 50 web sites in a two week period. Therefore, assume claims of data being anonymized with great skepticism. Credit: Help Net Security

US Federal Appeals Court Rules NSA’s Mass Surveillance Disclosed by Edward Snowden is Illegal

Seven years after Edward Snowden disclosed the existence of NSA’s mass surveillance program a federal appeals court said the program is illegal. In defending the program, the NSA pointed to one case where NSA surveillance data was used, but the judge overseeing that case says that the NSA’s information was not material. However, the same court said that the folks convicted in that case are still guilty so no getting off the hook based on that. Given the hundreds of millions of dollars spent on this program, the fact that the NSA can only point to one court case where the program had any effect should kill the program on effectiveness grounds anyway, but that it not the job of the court. I am sure the Republican administration will appeal this up to the Supremes, but they may or may not take the case, so stay tuned. Credit: Threatpost

Republican Plan to Ban Huawei Will Cost Americans $2 Billion

Now that the Republicans have decided (it is an election year) that Huawei is a national security threat (but wasn’t for the last three years), they have created a requirement to rip out and replace all of the existing Huawei (and ZTE) equipment that carriers are already using. The first step in this process was to ask the carriers well, how much will it cost to replace all that stuff. The carriers have come back with that initial estimate and it is $1.8 billion and change. Carriers are notoriously bad at estimating costs like this, so make it $2.5 billion or so.

BTW, I am not saying that the FCC is wrong, I just don’t understand why this wasn’t considered a problem in 2017 vs. two months before the elections.

Where is that money going to come from? There are really only two options – higher prices to customers and a taxpayer subsidy.

Curiously, the Republicans are complaining about a Chinese law that requires Chinese companies to comply with requests from the intelligence services and not tell anyone. If I was wearing a blindfold, that would sound exactly like the U.S. Foreign Intelligence Surveillance Act or FISA.

I have said for a long time that when it comes to telecom, the U.S. is basically a third world country (according to Wikipedia, we rank 30th in the world for mobile Internet connection speed). What the carriers will do in the short term is, except for really densely populated downtown cities, slow down the rollout of 5G Internet (Verizon, for example, only covers 5% of the population with high speed 5G – high speed means that a user can tell the difference when connecting over a 5G connection vs. connecting over a 4G connection). Other carriers cover more of the US, but with virtually no speed difference over 4G, but now, even that rollout will likely slow down.

Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, who told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe there are being optimistic), has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and hard place since he, earlier this year, said the FCC can’t regulate the Internet and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC) .

Yet, Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending a message to wallets in rich text.  The result is if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution, Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years  The hackers posted the cables online and when found, copies sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want it’s attention, Amazon, like the other players, keep everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of data that is storing about you.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued gave the victim a free Amazon Prime membership and, yes, if you can believe this, a free Echo Dot and Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, socials, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.