Tag Archives: China

Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver’s license databases. The FBI and DHS do not feel that they have to ask permission to do this.

The FBI conducts 4,000 facial recognition searches a month. While the searches might be to find serious criminals, they also might be used to find petty thieves.

All that may be required to conduct the search is an email. 21 states allow these searches absent a court order. There is no federal law allowing or prohibiting this.

ICE does searches in a dozen states where those states’ DMVs give illegal aliens licenses. Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones that have crappy security. This week the Chinese got caught in that net. Jiangsu province, with a population of 80 million, left 26 gigabytes of personal data representing 56 million personal and 33 million business records exposed on an unprotected Elasticsearch server. The internet is equal opportunity. Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail. That was very difficult to hack. Unfortunately, it is also very expensive. Given that the results of the Census affect everything from the makeup of Congress to the receipt of Federal road construction dollars, the outcome is very important.

What better way to make people trust the government even less than they already do than to screw up that count?

This year, for the first time, the Census is using the Internet and smart phones to electronically collect data. And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing? After all, what could possibly go wrong? Even Congress is nervous. Of course, the count directly affects their job. Source: The NY Times.

K12.Com Exposes Student Data on 7 Million

It’s a sad situation where a breach of the personal data of 7 million students is barely a footnote. In this case, K12’s software is used by 1,100 school districts (maybe yours?). They left a database publicly accessible until notified by researchers. Information compromised included name, email, birthday, gender, authentication keys for accessing the student’s account and other information. Not nuclear launch codes, but still, come on guys. Source: Engadget.


If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission – capturing and recording (and handing over to the authorities). Note this is likely NOT exclusively a Google issue. They just got caught. Amazon listens to, they say, about 1,000 clips per shift and has recorded conversations like a child screaming for help and sexual assaults. THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.  

Of the 1,000 recordings, over 150 did not include the wake word, so 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed.  They also said that the recordings given to the humans were not associated with a user’s account, but the news outlet said that you could hear addresses and other information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here.  One is Google listening (or having its vendors listen) to what you ask Google and the other is Google listening and recording stuff it should not record.  The first should be reasonably expected;  the second is a problem.  Source: Threatpost.


Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft  bug that the NSA decided was  too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So whose fault is it? Should the government tell vendors to fix bugs, or should they risk not telling them and having a Baltimore, or WannaCry (which destroyed the British healthcare system), or NotPetya, or many others?

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore because Microsoft patched the flaw in March 2017 and apparently the patch was not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage. For lack of a patch. To be fair, it might have happened anyway. But it would not have spread like wildfire. Source: NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumers’ credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.


Cisco Warns Thrangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – it’s not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.


New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia, a New Zealand-based cryptocurrency exchange, is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.


Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems for nine months, between June 2018 and March 2019, and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken. What they didn’t say, because they are not forced to by law, was what else was taken. According to the security firm Crowdstrike, the best hackers move laterally from the system through which they entered in 18 minutes. The average hackers take 10 hours. Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS. One reason might be that an unknown proprietary OS that only the Chinese military has the source code for would be harder for the US to hack than any other OS. Source: ZDNet.


Security News for the Week Ending May 10, 2019

Hackers Wiping Github and Other Repos

Hackers are attacking repositories of users on Github, Gitlab and Bitbucket, leaving a ransom note that says pay up if you want your software back.

The ransom isn’t much – around $500 – which may cause people to pay up rather than trying to recover the data, which I assume is their strategy.

One possibility is that users have the password embedded in other repositories in clear text and the hackers were able to find those passwords.

Key point here is to make sure that you have backups OF ALL OF YOUR CLOUD BASED DATA.  Today it is Github;  tomorrow it is something else.  If you care about your data, make sure that it is securely backed up.  Offline backups are best because it is hard to wipe something that is not connected.  Source: Bleeping Computer.


Remember Shadow Brokers – China Already Had the Tools That Were Released

Remember all the fury a few years ago when Shadow Brokers released a whole bunch of NSA hacking tools? Symantec now says that China already had those tools a year earlier and was using them against others. Was NSA hacked? Apparently not – China captured the NSA tools that were being used on them and repurposed them.

It is hard to keep these tools in check. If you use them, people will likely discover that fact and, if they are motivated, they may use them against you. In this case, China used them to hack targets in at least 5 countries, including one telecom carrier where they got access to hundreds of thousands or millions of private communications.

After Shadow Brokers released the tools, China felt even bolder to use them because now they weren’t secret any more and would soon be patched.

Keeping these secrets under wraps is basically impossible.  Source:  The NY Times.

Israel Blows Up Palestinian Hackers

In an unusual move, Israel blew up a building that it said was used by Hamas for cyber attacks – in direct response to current or future Hamas cyber attacks, according to a press release from the IDF.

Neither side is saying much beyond that Israel did blow up the building.  No one is saying if there were casualties.

Apparently this facility was known to the Israelis.  This points to the likely escalation of cyber war into kinetic war as large countries fear what small countries can do in cyberspace.  This likely causes an escalation into cyber warriors operating out of spaces which would cause collateral damage if bombed, such as schools, hospitals and shopping malls.  Source: Gizmodo.


A Few More Details On Cyber Attack Against Western US Power Utility

We are hearing a few more details about the cyber attack on a so-far unnamed western US power utility.

The attackers, it is now being anonymously reported, disabled the utility’s Cisco ASAs. This is particularly scary since Cisco is pretty much the 800 pound gorilla in that space and their Adaptive Security Appliance is used by hundreds of thousands (or more) of businesses. It is certainly possible that the ASAs were configured insecurely or were missing patches (security patches are typically not available to owners unless they have a paid-up maintenance plan, which I HOPE an electric utility would have).

Given how critical the electrical grid is in the US and how fragile it is, this is a bit of a wake up call for those utilities (water, power, gas, phone, Internet, etc.) that have not yet drunk the security Kool-Aid.  Source: EENews.


Navy May Be Getting Serious About Cybersecurity

Last year the Navy decided that having a CIO was superfluous and eliminated the position as unnecessary (See article).   They decided that the Undersecretary of the Navy could manage all those pesky IT and security details in his spare time.

In March the Navy released a SCATHING report on how bad their cybersecurity really was.  Now they are working on asking Congress to approve adding a position at the Assistant Secretary level, responsible for IT and security.

They also are looking at training (too basic) and discipline (can cyber-mistakes get you fired?).

There is a report due June 1 outlining the roles, responsibilities and staffing for an Assistant Secretary for cyber, with a plan to roll it out in July. March. June. July. This is amazingly fast for an organization as large as the Navy.

WHAT ARE THE OTHER SERVICES DOING?  Source: Defense Systems.



Security News for the Week Ending April 26, 2019

As Terrorists Blow Up Soft Targets, Sri Lanka Turns Off Social Media

As Sri Lanka is dealing with multiple bombs exploding at churches and hotels, the country’s solution to the inevitable use of social media to fan flames and release propaganda, in addition to news, is to turn off social media.

At the current time, it appears that 8 bombs went off, 200+ people were killed and 400+ people were injured.  The target seems to be minorities and foreigners, which is often the case in terrorist attacks.

Facebook and other social media, in an effort to spin the news, said that they are working to remove content that does not meet their guidelines (which of course could be very different than the government’s guidelines), but as we saw in Christchurch, New Zealand, doing that effectively is very difficult.  Facebook and its cousins would like to be thought of as an important news source and not just a purveyor of trash and hate, so they are no doubt trying to figure out how to respond.

What is not clear is whether other governments (probably not in the U.S.) see this as an effective way to control the flow of information when they choose to (which could include any number of different situations, not just terrorist attacks) and follow Sri Lanka’s example.  If this does become more common, that will not be good for the social media brands.  (Source: CNN).


Businesses Continue to Ignore Contacts About Data Which is Exposed

In this case, it was the Mexican Embassy in Guatemala.  Thousands of documents including passports and birth certificates and also documents related to the embassy itself were accidentally made publicly visible on a cloud storage provider.

But that is not my big concern.

One more time, the researcher contacted Mexican officials but got no response.

If a researcher contacted ANY person in your company saying they found a security issue, does every single employee know what to do?   It is, after all, very simple.

CONTACT SECURITY and provide them the information that you received. Don’t try to figure out if it is a scam or how to fix it. Just contact security. Let them deal with it. That is what they do for a living. Now, if security screws up, well, that is their fault. My guess is that, in this case, the information never made it to the right people. Eventually, it did get removed. Source: Engadget.


China Has a New Export

China is the model of a surveillance state.  Now China has figured out that they can make a lot of money exporting that technology to other countries.  Ecuador is the prototype.  4,300 cameras.  16 monitoring centers.  More than 3,000 people watching those cameras.

Oh,  yeah, in addition to spotting crimes, the video feed also goes to Ecuador’s domestic intelligence agency.  Some of the other countries buying the Chinese spy gear include Zimbabwe, Uzbekistan, Pakistan, Kenya, the United Arab Emirates and Germany.

36 countries received training on topics such as censorship (politely called “public opinion guidance”). Source: The NY Times.


North Carolina Unveils Changes to Privacy Law

An amendment to the North Carolina Identity Theft Protection Act was introduced earlier this month. Among the changes, it:

(1) requires businesses to implement reasonable security practices (where “reasonable” is undefined and left for the lawyers to argue over in case of a breach);
(2) reduces the time to notify victims and the AG to 30 days, like Colorado;
(3) expands the definition of protected information to include health and healthcare information (which may also be protected under HIPAA, depending on how the business received it);
(4) clarifies that other information may be included as covered PII depending on whether enough information was compromised to abuse it (for example, an email ID is not covered unless the email password is also compromised);
(5) changes the definition of a breach to unauthorized access, without regard to whether the compromised information is used;
(6) requires that if the business determines there was no potential harm from a breach, it must keep that proof for three years;
(7) requires, for breaches at a CRA or any breach involving Social Security Numbers, that the company provide 24 or 48 months of credit protection;
(8) expands the information that a business may be required to provide to the AG in case of a breach;
(9) says that compliance with GLBA or HIPAA gives a business safe harbor FOR THOSE sections of the bill that overlap; and
(10) imposes other requirements on CRAs and businesses conducting credit checks.

The bill also allows a person to file a private right of action if they have been damaged. Source: JDSupra.


Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, who told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe they are being optimistic), but has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place since he, earlier this year, said the FCC can’t regulate the Internet, and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned. (Source: NBC).

Yet Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 – from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things. After the attack started, the Electrum developers stopped servers from sending messages to wallets in rich text. The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted. Some users still picked the URL out of the mess and downloaded the bogus patch. The developers are still working on a long-term solution; Electrum users need to beware.
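The attack above works because a message from an untrusted server was rendered as rich text, so a link to a “patch” showed up as a clickable, official-looking notice. The following added example (not Electrum’s code; the message text and the update-lure keywords are constructed for illustration) shows the defensive handling: strip the markup, pull out every link the server tried to plant, and show the user plain text with the links withheld and an explicit flag when the notice reads like an update lure.

```python
"""Sanitize a server-pushed notice before showing it to a wallet user.

Added example, not part of Electrum. The messages below are constructed
samples of the kind of notice a rogue server could send.
"""
import html
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Constructed sample: rich-text lure pointing at a bogus "update".
ROGUE_MESSAGE = (
    "<b>Security update required!</b><br>"
    'Download the new version from <a href="http://updates.example/electrum">here</a>'
)
# Constructed sample: an ordinary operator notice with no markup and no links.
BENIGN_MESSAGE = "Server maintenance tonight 02:00-03:00 UTC."

# Bare URLs that survive markup stripping (e.g. "www.foo.example/x" in plain text).
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s<>"\']+')
# Constructed keyword list: a link plus any of these reads like an update lure.
UPDATE_WORDS = ("update", "upgrade", "download", "new version", "patch")


class _TextAndLinks(HTMLParser):
    """Keeps only visible text; records every href and whether any tag appeared."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self.hrefs: list[str] = []
        self.saw_tag = False

    def handle_starttag(self, tag, attrs):
        self.saw_tag = True
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

    def handle_endtag(self, tag):
        self.saw_tag = True

    def handle_data(self, data):
        self.parts.append(data)


@dataclass
class ServerNotice:
    display_text: str                      # plain text safe to put in a label widget
    urls: list = field(default_factory=list)  # links the server tried to plant
    had_markup: bool = False               # True if the server sent rich text at all

    @property
    def is_update_lure(self) -> bool:
        """A link combined with update/download wording is the pattern in this attack."""
        lowered = self.display_text.lower()
        return bool(self.urls) and any(w in lowered for w in UPDATE_WORDS)


def sanitize_server_notice(raw: str) -> ServerNotice:
    """Reduce an untrusted server message to plain text plus a list of withheld links."""
    parser = _TextAndLinks()
    parser.feed(raw)
    parser.close()
    text = " ".join(html.unescape(" ".join(parser.parts)).split())
    # href targets first, then bare URLs still visible in the text; de-duplicated, order kept.
    urls = list(dict.fromkeys(parser.hrefs + URL_RE.findall(text)))
    return ServerNotice(display_text=text, urls=urls, had_markup=parser.saw_tag)


def render_hardened(raw: str) -> str:
    """What the wallet should show: plain text, links withheld, lure called out."""
    notice = sanitize_server_notice(raw)
    shown = URL_RE.sub("[link withheld]", notice.display_text)
    if notice.urls:
        shown += f" [{len(notice.urls)} link(s) from this server not shown]"
    if notice.is_update_lure:
        shown = "WARNING: server is asking you to download software. " + shown
    return shown


if __name__ == "__main__":
    for sample in (ROGUE_MESSAGE, BENIGN_MESSAGE):
        print(render_hardened(sample))
```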

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years. The hackers posted the cables online and, when they were found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information. Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything. But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data it is storing about them.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Spot devices. As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.



U.S. Considering Nationwide Ban on Chinese Telecom Gear

As the trade war between the U.S. and China heats up, President Trump is considering issuing an executive order banning all U.S. companies from buying telecommunications gear from companies deemed to be a national security threat.

Right now this is seen as a targeted move against two Chinese vendors – ZTE and Huawei.

The executive order would invoke the International Emergency Economic Powers Act and I would expect that if  the order is issued, lawsuits will ensue.

I assume that China would reciprocate and ban, say, Cisco, which would not make John Chambers happy.

But that’s not the big issue.

It is also possible that the executive order could require telecommunications providers to remove existing banned gear at their own cost.  It is not clear if that is legal.

While big telecom carriers have, for the most part, stopped buying ZTE and Huawei gear, it is the little carriers that will be hurt the most.

The little carriers have used the Chinese gear because U.S. equipment sometimes cost them 400% of the cost of the Chinese gear.

That likely will translate to price increases for the customers of those carriers.  In many cases, like with me, those carriers are the only choice that is available so switching to a different, less expensive carrier is not an option.

Part of the executive order under consideration is a requirement to replace existing Chinese telecom gear.  The Rural Wireless Association, a trade group for these carriers estimated that it would cost those carriers up to $1 billion to replace the banned equipment, if that is required and would take several years.  Two ways that cost could be paid are price increases or delays in rolling out new higher speed networks.

Currently, the fastest Internet connection I can get is 20 megabits per second, which is not even classified as broadband by the FCC (broadband is defined as 25 megabits or higher), so I am not really worried about the gigabit gear that this ban is targeting.

I am not a big fan of Chinese networking gear so I can’t really argue with the idea of a ban.  I am not in favor of forcing private U.S. companies to replace existing equipment at their cost and I am sure that, if that happens, those companies will sue the government, which will be messy.

One thing that will likely happen out of this ban (if it happens) is a slower rollout of faster 5G network – possibly years or decades longer.

The U.S. currently ranks 44th in mobile download speed (see here), which is not very impressive.

This would continue the U.S.’s not very exciting role as a third world country when it comes to Internet access.  Due to higher costs, only some people in very high density areas will get newer, faster service and the rest of us will get Internet service comparable to, say, Syria.  That is not a very exciting prospect.

Information for this post came from Reuters.
