Tag Archives: China

What is the Back Story on China’s Hack of Microsoft Exchange Servers?

One possible answer is that they wanted to steal your email, impersonate you and use your email accounts to send spam and malware. This is certainly possible, but there is another, more sinister possibility.

What if China was looking for mountains of data to train its AI systems?

The attacks gave them tens of billions of messages, calendar information and other files.

That translates to trillions of bits of information.

This is what some government officials and security experts are saying.

And, of course, this is in addition to all the data that they have already stolen.

This includes, for example, entire security clearance files from the OPM breach, medical records from the Anthem breach, travel information from the Marriott breach and financial information from the Equifax breach.

William Evanina, former director of the National Counterintelligence and Security Center says that the Chinese have more data on the average citizen than we do.

Sounds a bit scary to me. Credit: The Register

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in a Northern District of Georgia court charges Vikas Singla, 45, with 18 separate counts of aiding and abetting a 2018 cyber attack against the Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta-based Securolytics. It is not clear what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is no big deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries are already capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time, and in light of the almost half dozen attacks on water, oil and support infrastructure in the last couple of months, this is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition in the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumers’ privacy. Informed consumers could make a choice under those circumstances. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register

Security News for the Week Ending June 11, 2021

Feds Recover Some of the Colonial Pipeline Ransom

The feds say that they recovered most of the Bitcoin paid as ransom, but because the price of Bitcoin is in a slump, it is only worth about $2 million. The feds say that they acquired the private key to the Bitcoin wallet and transferred 63 Bitcoin out of it. The feds didn’t say how they did that, but the gang that claims to have carried out the attack, DarkSide, said that they lost control of their server (i.e. the hackers were hacked). If that was done by the feds **AND** the private key for the wallet was stored on that server (**STUPID**), that would explain it. The good news is that most crooks’ operational security is horrible. Credit: Bleeping Computer

Colonial Breach Due to Compromised Password, Lack of 2FA

Hackers are not Superman; they tend to use simple attack vectors first. According to Bloomberg, a consultant says that the whole thing went down due to a compromised VPN password that allowed the attacker free rein of the network. On top of that, the account was no longer in use at the time, but was still enabled. Finally, the VPN account did not use MFA. So, basic hygiene – MFA and disabling unused accounts – either of which would likely have avoided the shutdown of the fuel supply to the East Coast. If I were a lawyer, I would be rubbing my hands in glee. If I were Colonial’s insurance company, I might be sending out a notice that I don’t plan to renew the policy. Credit: Bloomberg
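The two hygiene failures described above (an account nobody uses that is still enabled, and an enabled account with no MFA) are exactly the kind of thing a periodic access review should catch before an attacker does. The following is an added example, not code from the original post or from any vendor it mentions: a small audit routine that flags enabled accounts that are stale or lack MFA. The `Account` record and the `stale_after_days` threshold are assumptions for illustration; the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed shape of one directory/VPN account as exported from an identity system.
@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None means the account has never logged in


def audit_accounts(accounts: List[Account], now: datetime,
                   stale_after_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Return (account name, list of issues) for every enabled account that
    is missing MFA and/or has not been used within stale_after_days.
    Disabled accounts are skipped: they cannot be used for remote access."""
    findings = []
    stale_cutoff = now - timedelta(days=stale_after_days)
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if not acct.mfa_enrolled:
            issues.append("no MFA")
        if acct.last_login is None or acct.last_login < stale_cutoff:
            issues.append("stale but still enabled")
        if issues:
            findings.append((acct.name, issues))
    return findings


# Constructed sample data: a snapshot as of an assumed review date.
REVIEW_DATE = datetime(2021, 6, 11)
SAMPLE_ACCOUNTS = [
    # Looks like the Colonial description: unused for months, still enabled, no MFA.
    Account("vpn-contractor-old", enabled=True, mfa_enrolled=False,
            last_login=datetime(2020, 11, 2)),
    # Healthy: active and enrolled in MFA.
    Account("alice", enabled=True, mfa_enrolled=True,
            last_login=datetime(2021, 6, 10)),
    # Active but no MFA: one finding.
    Account("bob", enabled=True, mfa_enrolled=False,
            last_login=datetime(2021, 6, 9)),
    # Properly disabled leaver: nothing to report.
    Account("carol-left-2020", enabled=False, mfa_enrolled=False,
            last_login=datetime(2020, 3, 1)),
    # Enabled account that has never been used at all.
    Account("svc-never-used", enabled=True, mfa_enrolled=True, last_login=None),
]


def run_sample_audit() -> List[Tuple[str, List[str]]]:
    return audit_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, issues in run_sample_audit():
        print(f"{name}: {', '.join(issues)}")
```

In practice the account list would come from the directory or VPN appliance export, and the stale threshold would be whatever the access policy says; the point is that the check is mechanical and cheap compared to what it prevents.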

Walmart to Give 700,000 Employees a Free Phone and Walmart App

Walmart plans to provide all of their employees a free Samsung phone so that they can keep tabs on them. Walmart has been sued enough times that they understand that the preloaded Walmart employee app will only work when the employee is clocked in. They don’t want hourly employees doing work things when they are off the clock. This is a good thing. Buying 700,000 phones at $500 retail, maybe $300 in that kind of volume, is not cheap. However, it appears that they are not providing a voice or data plan, meaning that even though they say that you can use that phone for personal use, unless you buy your own voice/data plan, it is really only going to work while you are in a Walmart store logged into the Walmart WiFi. Walmart says that they won’t spy on you, but that may be easier said than done. For example, they might say that they want to access your contacts so that they can connect you with other employees, but once you give them access to your contacts, they have them. Many employees are saying they would like Walmart to raise their salary instead. Credit: Vice

Biden Revokes Trump EOs Banning AliPay, TikTok, WeChat

A year ago former President Trump issued a series of EOs that were designed to hurt China, but for a variety of reasons, his administration never actually completed the EOs. This week President Biden revoked those failed EOs. The replacement EO does try to address the real problem – protecting the data of Americans. That is a very difficult problem because we really are not addressing the real problem, securing users’ phones and computers. Credit: ZDNet

Another Pipeline Hit By Ransomware – Lost 70 Gig of Data

LineStar Integrity Services was attacked at about the same time as Colonial Pipeline, but they tried to keep the attack quiet. That didn’t work, because the hackers posted the gigabytes of stolen data online. LineStar does not actually move petroleum; rather it helps those companies remain legally compliant. The data stolen and posted could enable future attacks. Given the rather crappy cybersecurity of the industry, that is likely to happen. Credit: Wired

Cybersecurity News for the Week Ending May 14, 2021

If You Thought the FTC Was Toothless Before, Just Wait

I always complained that the FTC’s penalties were way too meek. Now I understand why, but it has just gotten MUCH worse. 99.99% of the blame goes to Congress. Initially, the FTC could not bring lawsuits against businesses at all. All they could do was to hold an administrative hearing. Then they could issue an order telling a business to stop doing bad things. In 1973 Congress added Section 13(b) to the FTC Act, allowing the FTC to go to court and get an injunction – again, no penalty for past bad deeds. In 1975 Congress added Section 19, which allows the FTC to seek monetary damages – but only after obtaining a cease and desist order, and then only for future bad deeds which were obviously malicious, so still no relief. Last month the Supreme Court agreed that Congress, in its stupidity, did not grant the FTC any ability to make consumers whole for companies that break the law. Individually, a person can still sue the company – spending a lot of money and years. Maybe they can convince some State AG to take up their case – maybe. If you can convince the Justice Department to go after some company, that is possible too, but all of those take years, maybe a decade with appeals. Congress intentionally neutered the FTC. This is the result. Will Congress act now? Your guess is as good as mine. Credit: ADCG

Apple is Privacy Focused – Except if it Hurts their Rep

Epic Games and Apple are fighting in court, and lawsuits tend to get dirty. To counter Apple’s argument that they didn’t want Epic to bypass their store because they want to protect their customers, Epic trotted out emails showing that Apple chose not to notify 128 million customers after a supply chain attack called XcodeGhost. This is the largest known attack against Apple products ever. They said notifying all those people would be hard and it would damage their reputation. They never did notify anyone. So much for being a privacy focused company.

The True Cost of Ransomware

Insurance giant CNA announced in March that it had suffered a “sophisticated cyberattack” (what you and I call ransomware). This week, two months later, they announced that all of the systems were back up and that yes, surprise, it was a ransomware attack. They said it took them two months to get back online because they had to restore each system, then scan and clean it and finally, harden it. This is the cost of ransomware. A lot of hard work and, more importantly, months of time. If you do not have good backups, add to that the loss of data. And, as Colonial Pipeline learned this week, just because the hackers give you the decryption key, it doesn’t mean that the decryption process will be fast (they said that they were restoring from backups, even though they paid the $5 million ransom) or that it will even work. Credit: Security Week

Global Chip Shortage Much Worse than Communicated

OUT OF STOCK! Expect to see more of that message.

In addition to phones, computers and laptops, expect to see those signs elsewhere, such as appliances and kids’ toys. Already car makers are replacing cool tech like high tech entertainment consoles with radios. Probably with knobs and dials. That fancy auto-parking feature? Not available. Manufacturers are looking at which products are more popular or offer them higher margins and just not shipping some other models. Samsung is considering completely skipping the next generation of the super popular NOTE phones altogether. Expect the problem to continue into and through 2022. Credit: ZDNet

China has Collected Health Data of 80% of US Adults

China wants our data. Our health data is particularly useful because our population is very diverse. That makes us useful for them to test their software and systems on. Besides stealing that data, they are doing things like setting up Covid testing labs. What do you get with every sample? Our DNA. China wants to beat the US out of the biotech industry and stealing our data is helping them. Credit: The Hill

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations and videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then we saw another 500 million LinkedIn profiles for sale. This week it is Clubhouse, but since it is new, there are only a million+ users in the free database. These social media sites on one hand sue people for taking their data but on the other hand say that actions like this are not a breach because they offer APIs that allow people to do it. What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the ENTITY LIST, the list of companies that US businesses cannot work with unless they get a get out of jail card from the Commerce Department. These seven companies are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control server(s). Most malware that uses a command and control server hard-codes the C&C address or addresses, or puts them in a DNS record. If law enforcement takes down those servers or reroutes their traffic to a black hole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information they need on the Blockchain. Or many blockchains. Since the Blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a Blockchain, the entire usefulness of the Blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is about $160 billion. If the cops have to break all blockchains worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking $160 billion (and growing) of capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier

Domain Name Service Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use domain registry locks, which help stop domains from being hijacked. More than 66% use consumer grade registrars, likely because they are a little bit cheaper, but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSEC (mine does not). Only 17% use DNS hosting redundancy. While 73% have some sort of DMARC policy in place, many are set to NONE, meaning that the setting is useless. This is pretty much in line with the results found as part of a global test last year.

As I said, no surprise, but a lot of disappointment. Credit: Security Week
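The DMARC point above is easy to check for yourself: the record is a single TXT entry at `_dmarc.<domain>` and a `p=none` policy only asks receivers to report, not to quarantine or reject spoofed mail. Below is an added example, not code from the original post or from the report it cites, that parses a DMARC record and states whether it actually enforces anything. The tag meanings (`p`, `sp`, `pct`, `rua`) follow the published DMARC specification; the sample records are constructed, and the `evaluate_dmarc` name and its output format are assumptions of this example.

```python
from typing import Dict, List

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict.
    Tag names are case-insensitive; values are kept as written."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def evaluate_dmarc(txt: str) -> Dict[str, object]:
    """Return the effective policy, whether it enforces, and a list of
    findings a defender would want to fix."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = int(tags.get("pct", "100"))  # pct defaults to 100

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ENFORCING_POLICIES:
        findings.append("missing or invalid p= tag")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy in ENFORCING_POLICIES:
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")

    return {
        "policy": policy,
        "enforcing": policy in ENFORCING_POLICIES and pct == 100,
        "findings": findings,
    }


# Constructed sample records, roughly the spread the article describes.
SAMPLE_RECORDS = {
    "utility-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@utility-a.example",
    "utility-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@utility-b.example",
    "utility-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = evaluate_dmarc(record)
        status = "enforcing" if result["enforcing"] else "NOT enforcing"
        print(f"{domain}: p={result['policy']} ({status})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

To run this against a live domain you would fetch the TXT record for `_dmarc.<domain>` with your resolver of choice and pass the string in; the evaluation itself needs no network access, which is why the sample records are embedded.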

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data? I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem, and in this case I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might come back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win) to stand, that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year, and allowing the case to proceed does not mean anyone will win or say what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that has never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer apparently offered $10 million, but Acer is not confirming anything. The documents leaked so far are less sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official said earlier this month that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and let the private sector provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week