Tag Archives: China

News Bites for the Week Ending Nov 2, 2018

Follow on to Google+ Breach and Notification

I recently reported about Google getting in trouble for hiding a breach discovered in March.

The first thing to point out is that Google probably did not break any laws.  Current U.S. breach notification laws give a company wiggle room not to disclose a breach if it reasonably concludes that the risk of harm to the victims is low.  Each state words that differently, but Google obviously figured that it could wiggle its way out of this one, and it did, until it was outed by none other than that bastion of big business, the Wall Street Journal.

Whether the fox should be making decisions about henhouse security is a separate issue, but that is the state of breach laws in the U.S. today.  The stated rationale is that it keeps people from being buried in notices about trivial incidents; I don't particularly believe that.

The second point is more interesting.  Google decided that no one was harmed based on TWO WEEKS' worth of log data, because, in a very un-Google move, two weeks is all the log data it kept for this API.  So a bug that had been around for years was scoped using two weeks of logs.  If your log retention is shorter than the window during which a bug could have been exploited, you cannot honestly say what was or was not taken; you can only say what you did not see.

All of this points to the challenges that all businesses have when it comes to breach notification issues, both in the U.S. and internationally.

Mikrotik Routers susceptible to Stealing Your Data

In May MikroTik announced a bug (and a patch) that allowed an UNauthenticated user to download the router's user database, in which the passwords were stored in a recoverable form.  What kind of a problem could that cause anyway?  Of course, most users who buy a $49 plastic box at Best Buy and shove it in a corner are sure to patch it right away when MikroTik announces on its blog that a patch is available (hint: not).  But MikroTik also makes enterprise routers that are susceptible.  Hopefully at least some of those are patched.

Last month MikroTik announced another bug that lets an authenticated user take over the router and run any software they want, which means eavesdropping on all inbound and outbound traffic or running a cryptomining operation on your hardware.  Put the two together: the first bug hands an attacker valid credentials, and the second turns those credentials into code execution.  Several hundred thousand routers have still not installed the first patch, and thousands have already been compromised.

The moral of the story: patch your router, and do it especially promptly if your router has a MikroTik logo on it. (Source: The Hacker News)

Cathay Pacific Loses Info on 9.4 Million

Cathay Pacific has admitted losing control of records on 9.4 million passengers in a breach it detected roughly six months ago.  The good news, for Cathay, is that the event occurred prior to the effective date of GDPR, so any fines will be much smaller.  The bad news is that the airline is based in Hong Kong, China, so there could be other “penalties”.

The South China Morning Post says that the Chinese government is not happy about the breach (maybe they are jealous that they didn’t do it?).

Among the data stolen were names, addresses, phone numbers, email addresses, nationalities, travel histories and passport information.

Cathay Pacific has hired Experian to provide credit monitoring services.  This may be a good choice, because Experian has had so many breaches of its own that 9 million people whose information was just stolen will surely be happy to hand more of it to a company that gets hacked on a regular basis (I am guessing not).

Apparently it has been trying to figure out whose data was stolen since May (call it 100+ days).  Remember that GDPR gives you 72 hours from the time you become aware of a breach, so they are on the wrong side of that number by 97+ days.

As breach notification laws become stricter and the fines get higher (if this were a California business and CCPA were already in effect, a class action asking for $750 x 9.4 million, or about $7 billion, would already have been filed), businesses need to get much better at incident response.  You need to be able to figure out who got in, when they got in, what they took and whom you are going to engage, and you need to do it quickly.  Source: CNN.

Russian Spy Gathered Info On Non-Profit’s Cybersecurity Defenses as a Student in the US

Accused Russian agent Maria Butina, held in Virginia awaiting trial, is also accused of working on a project at American University, where her cover was as a student.  The project examined the cybersecurity defenses of organizations such as the Electronic Frontier Foundation.  There is no direct evidence that she funneled that data back to Moscow, but it is highly unlikely that she was part of the project for the fun of it.  The non-profits thought the University vetted the students; the University thought the State Department vetted them.  In the end, no one did, and she now faces trial for spying on us.  Source: The Daily Beast.

US Continues Attack on China to Stop Stealing Our Stuff

Not only are the Russians after us, as the item above points out, but so are the Chinese.  In fact, the Chinese are far more blatant about it.  In two moves to counteract that, the DoJ indicted ten people, including Chinese intelligence officers, for stealing aviation-related secrets.  The theft ran from 2010 to 2015, so the indictment comes 8 years after it began.  I would think the Chinese would consider that an acceptable return on investment.  Since these people will likely never face a trial, it is a somewhat symbolic gesture, and the 8-year lag also shows that our ability to detect and stop these folks is somewhat lame.  I say they won’t come to trial, but a Chinese intelligence officer was recently lured to Belgium, arrested and extradited to the U.S., so you never know. Source: WaPo

In a second action, the U.S. put Chinese semiconductor manufacturer Fujian Jinhua on the Commerce Department’s Entity List, which prevents it from buying parts, software and technology from U.S. suppliers.  While this hurts Jinhua, it also hurts the U.S. companies that sell to it.  The Feds are worried that Jinhua will flood the market with cheap DRAM chips, driving U.S. manufacturers out of the business and forcing DoD contractors, who already have massive supply chain security problems, to buy even more parts from China.  I am not sure there is anything to stop China from creating a new company with the stolen technology and moving on, but you have to try.  Source: Computing.



Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” about recruiting Americans with access to government and commercial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill.

Firefox Ups the Advertising War in Version 63

Many web sites that we visit carry dozens of trackers.  The Wall Street Journal, for example, has 46 of them on its homepage alone.

All of these trackers increase page load time: each tracker’s server has to be individually contacted and fed information about you, which adds both latency and data usage.  Individually the numbers may be small, but if you read, say, 100 pages a day and every one of them calls 46 trackers (many don’t), that is 4,700 requests to distinct sites just to read 100 pages.

Firefox is made by Mozilla, which is owned by the non-profit Mozilla Foundation, and unlike Chrome (Google) and Internet Explorer/Edge (Microsoft) it has no advertising business to protect, so it doesn’t care much about offending advertisers.

For years now browsers have supported a user specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us any way.

Starting with Firefox 63 the new feature is being tested, and in version 65 it is slated to become the default.

The feature blocks known trackers by default.  Users can turn it off entirely or unblock one site at a time.

uBlock Origin and similar extensions already do this (some ad blockers, though not uBlock Origin, let advertisers pay to get onto an “Acceptable Ads” whitelist).  The difference here is that the blocking is built in and TURNED ON BY DEFAULT: you do not need to install anything or even know that the problem exists.
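To make the mechanics concrete, here is an added example (not Mozilla’s code, and not from the original post) of the two pieces the item describes: counting the third-party hosts a page makes the browser contact, and a default-on block decision with per-site exceptions.  The page, the blocklist and the domain names are constructed for the example; Firefox itself uses the Disconnect tracker list and the Public Suffix List, which the two-label `base_domain()` shortcut here only approximates.

```python
"""Count a page's third-party trackers and apply default-on blocking.

Added example; the HTML page, tracker list and domain names below are
constructed for illustration and do not refer to real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one first-party site pulling sub-resources
# from several third parties, three of which belong to tracker domains.
PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="/js/app.js"></script>
<script src="https://tracker.example/t.js"></script>
</head><body>
<img src="https://news.example/logo.png">
<img src="https://pixel.example/p.gif?id=1">
<iframe src="https://ads.tracker.example/frame"></iframe>
</body></html>
"""

# Constructed blocklist standing in for a real tracker list.
TRACKER_LIST = {"tracker.example", "pixel.example"}


def base_domain(host: str) -> str:
    """Registrable domain, approximated as the last two labels.
    A real implementation consults the Public Suffix List so that
    'foo.co.uk' does not collapse to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class ResourceCollector(HTMLParser):
    """Collects the URLs of sub-resources a browser would fetch for a page."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Resolve relative URLs against the page so first-party
                # resources get the page's own host.
                self.urls.append(urljoin(self.page_url, value))


def third_party_hosts(html: str, page_url: str) -> set:
    """Hosts contacted for the page that are outside its registrable domain."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = base_domain(urlparse(page_url).hostname)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host is not None and base_domain(host) != first_party:
            hosts.add(host)
    return hosts


class TrackingProtection:
    """Default-on blocking of listed trackers, with per-site exceptions."""

    def __init__(self, blocklist, enabled: bool = True):
        self.blocklist = {d.lower() for d in blocklist}
        self.enabled = enabled
        self.exceptions = set()  # first-party sites the user unblocked

    def allow_site(self, page_url: str) -> None:
        """The 'unblock one site at a time' control."""
        self.exceptions.add(base_domain(urlparse(page_url).hostname))

    def should_block(self, request_url: str, page_url: str) -> bool:
        if not self.enabled:
            return False
        page = base_domain(urlparse(page_url).hostname)
        if page in self.exceptions:
            return False
        target = base_domain(urlparse(request_url).hostname)
        if target == page:
            return False  # first-party requests are never blocked
        return target in self.blocklist


def blocked_trackers(html: str, page_url: str, tp: TrackingProtection) -> set:
    """Third-party hosts on the page that the filter would refuse to contact."""
    return {h for h in third_party_hosts(html, page_url)
            if tp.should_block(f"https://{h}/", page_url)}


if __name__ == "__main__":
    tp = TrackingProtection(TRACKER_LIST)
    print("third parties:", sorted(third_party_hosts(SAMPLE_HTML, PAGE_URL)))
    print("blocked:", sorted(blocked_trackers(SAMPLE_HTML, PAGE_URL, tp)))
```

Note that `cdn.example` is third-party but not blocked: the filter distinguishes trackers from ordinary third-party resources by list membership, which is exactly why the quality of the list matters more than the blocking code.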

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg reports that Google signed an agreement with Mastercard (and likely other card companies) that gives it some access to offline purchase data.  Both Google and Mastercard say they don’t learn what items you bought, only where, when and how much you spent.  Google uses the data to show advertisers that their online ads work: you see an ad, then you spend money in the advertiser’s physical store.  Google also buys loyalty card data under a different program, and that could provide much more detailed data, including exactly what you bought.  Both companies are tight-lipped about how the program works, so we don’t know precisely what data Mastercard shares or how many millions Google paid for it.  Source: TechCrunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher reports that before GDPR it was dealing with around 3 breach cases a month; since GDPR it is dealing with one every day.

This is likely not due to hackers upping their game but to companies that would previously have swept a breach under the rug now reporting it, fearing the 20 million Euro (or 4% of turnover) sword hanging over their heads if they stay quiet and get outed.  That outing could come from an employee who disagrees with keeping a breach secret.

The breaches Fieldfisher is seeing range from small technical incidents to larger ones like this week’s British Airways breach, which compromised 300,000+ payment cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Huazhu (3,800 hotels) is for sale on the dark web for around $50k (8 bitcoin).  The data, 240 million records, includes everything from names, addresses, phone numbers and emails to passport numbers, identity card numbers and bank account information.  Make sure you have a good Internet connection if you buy it: the dump is about 140 gigabytes.  While China is trying to shut down all forms of cryptocurrency because it can’t control them, that doesn’t stop foreigners from buying the data.  Source: The Next Web.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with its own third-party vendor, which makes it the banks’ fourth-party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised, fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better.  Somehow it doesn’t.

The small community bank, which has the least security expertise of anyone in the chain, is the one liable for the fourth-party breach.  The Feds (the FFIEC, OCC or FDIC, plus the state regulators) will be asking lots of embarrassing questions, and those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, about 400 breaches were reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, when GDPR took effect on the 25th, 750 were reported.  In June, the first full month of GDPR, 1,750 were reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is making people report breaches they would otherwise have kept quiet.  We shall see what the trend looks like and what happens in other countries.  Source: BankInfoSecurity

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Russians or Chinese review their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of its customers, said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self: T-Mobile may be less expensive, but a customer-focused attitude like that goes a long way toward killing that value.

Luckily it seems to be happening on new phones.  If Samsung can figure out what is going on and develop a patch, that patch will likely be available to users of new phones.  If it is happening on older phones, users may just be out of luck, since most vendors don’t provide patches for phones older than about 2 years.  This also assumes that users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth such report the UK government has issued over the last 8 years, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.



Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure governments need any help hacking IoT devices, but just in case they do, Israeli startup Toka raised $12.5 million to help police hack iPhones, Alexas, Echos and Nests, along with other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder and Brigadier General Yaron Rosen, former head of the Israel Defense Forces cyber staff is the president of Toka.

Much like NSA’s Tailored Access Operations (TAO), which builds custom hacks for the NSA, Toka says it will see what customers ask for and then deliver it.

This sounds like a company to watch.  (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9/11.

Russia, China, Iran and North Korea are launching daily cyber strikes on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems &amp; Software (ES&amp;S) admitted in a letter to Senator Ron Wyden that it installed pcAnywhere remote access software on some election systems delivered between 2000 and 2006.  This is the opposite of what it told a New York Times reporter in February, so either it was lying then or is lying now; pick one.

ES&amp;S stopped installing the remote access software in December 2007, after the rules changed in a way that would have made installing it impermissible.

The remote access software was not on the voting machines in the local precincts but on the election management systems at city and county headquarters.  There are far fewer of those, and each one programs and tallies many voting machines, which makes them a far more attractive target for hackers.  (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp, shut down portions of its network over the weekend due to “suspicious activity”.  That is about as specific as the company has been.

The attack hit the company’s genetic testing unit and spread from there.  The company has data on over 250 million Americans.  LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it was a strain of the common SamSam ransomware and it infected tens of thousands of workstations.

The hackers demanded $52,000 in ransom which LabCorp says it has no intention of paying.

LabCorp is working hard to minimize brand damage as it fights for market share with Quest Diagnostics.  Unfortunately, under the HIPAA breach notification rule an incident like this is presumed to be a breach unless the company’s risk assessment can show a low probability that the data was compromised, so it will have to be reported to the government, at which point we will get more details.  Source: Wall Street Journal.


Trump Considers Executive Order Declaring National Security Emergency

President Trump is considering signing an executive order asserting a national security emergency using the International Emergency Economic Powers Act (IEEPA).

While every president since Jimmy Carter has used IEEPA to impose sanctions on governments we don’t like, no president has ever used it to tell private companies which suppliers they may buy parts from and whom they may do business with.

This is all based on concerns, from people on both sides of the aisle, that Chinese components (and Chinese products) can present national security issues.  Trump used national security as the reason to impose tariffs on imported steel and aluminum.  While that argument has drawn a lot of critics, it seems likely that IF the president decides to force businesses to stop buying Chinese parts and products and to stop Chinese investment in U.S. businesses, there will be fewer complaints.

Except, that is, for companies that have to shut down, lay off workers and go out of business because the only source for the components that they use to make their products has been banned or the money that they need to keep operating is no longer available.

That is the challenge that the president has to sort out.

Very few chips that are the guts of everything from dishwashers to computers are made in the United States.  Many are made in China, but others are made in Japan, Korea and a small number of other countries.

In general, there is very little overlap.  A chip made in China is likely not made anywhere else, so companies building products that use those chips would have to stop building and selling them and, possibly more importantly, stop repairing ones people have already bought.  They could re-engineer those products, source new and different parts, rework the assembly lines and restart production.  For large companies that is possible.  Smaller companies will just go bankrupt and lay off their employees.  Since most American companies are small businesses, that could have a significant impact on the U.S. workforce.

It is also not clear whether this is like the tariffs in the sense that products that are made outside the U.S. would be banned because they contain Chinese parts.  None of this has been sorted out yet, but it is likely that if that happens, those countries would retaliate and ban U.S. products.  That would turn the U.S. into an island.

The whole thing is a bit of a mess.

The government also considered using this same law to restrict foreign investment in the United States, but instead used a different mechanism, CFIUS review, to achieve the same goals.  In both cases, the result is that U.S. businesses that want to expand and create jobs won’t be able to do so, at least not with certain foreign investment.  This EO could restrict foreign investment in the U.S. above and beyond what CFIUS can do.

Interestingly, two companies that the EO would target are Huawei and ZTE, both of whom are the subject of major Department of Commerce sanctions right now. Trump has been trying to negotiate a deal where ZTE pays the U.S. a lot of money and would then be no longer considered a national security threat.  You can’t have it both ways.  Either they are or they are not.  To be continued.

This comes at the same time that Facebook admitted to sharing information on users with 52 companies, including the Chinese companies Huawei, Lenovo and Alibaba (and U.S. chipmaker Qualcomm).  One assumes that in Facebook’s case it was a matter of money, probably not direct cash, although it may have included some of that, but rather locking those vendors into the Facebook Kool-Aid in one way or another.

Having admitted to doing this, likely illegally since it did not get users’ permission to share the data, Facebook now says it has ended 38 of those relationships and will end the rest soon.

Facebook says that it forgot to mention these data sharing relationships because they had shifted to sharing data using a different method – the way they shared data with Cambridge Analytica.  I am not sure that is any better, but who knows.

All in all, there are some real issues here, but given the global economy it is not clear that there is an easy answer.  We have already seen some of the countries we hit with tariffs on steel and aluminum impose their own tariffs, and all of that has not played out yet.

Information for this post came from The Washington Post and The Hill.



Hidden Backdoor Found In Another Chinese Network Gateway

The headline reads: Hidden Backdoor Found in Chinese-Made Equipment.  Nothing New! Move Along!

That headline by itself should scare you.

Researchers found a hidden backdoor in a Double Technology GSM gateway used by telephone companies and VoIP providers.  DblTek is based in Hong Kong.

According to the security firm Trustwave, there is an account called dbladm that is not listed in the documentation and that is allowed to telnet into the device with root (admin) access.

Unlike the manufacturer-supplied userids listed in the documentation, this account does not use a password that the user can change.  Instead, the device issues a challenge string and the login computes the expected response from it, so anyone who knows the algorithm can log in.

So let’s see where we are:

#1 – Hidden userid, not in the documentation

#2 – User cannot change the password even if they found out the userid was there.

#3 – User cannot disable the account

#4 – the account uses a challenge rather than a password and the response to the challenge is pretty easy to figure out.

Once an attacker figures out the challenge response, they have full access to the device and can listen to traffic or use the device for other purposes, such as launching a denial of service attack on other web sites.

In the “this would be funny if it wasn’t so scary” category, when the researchers told DblTek about the hole, the company didn’t remove the account; it merely changed the algorithm to make the response a little harder to calculate.  Still easily hackable.
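Points #1 through #3 above are things you can check for yourself if you can get at a device’s firmware image.  The following is an added example (not Trustwave’s tooling and not from the original post) that audits an extracted `/etc/passwd` and `/etc/shadow` for accounts that are undocumented, root-equivalent, or able to log in without a password the owner controls.  The two files, the account names and the “documented accounts” list are all constructed for the example; the name `dbladm` is reused only to mirror the pattern described above, and nothing here claims to reproduce the real device’s files.

```python
"""Flag backdoor-shaped accounts in an extracted firmware's passwd/shadow.

Added example with constructed data; not taken from any real device.
"""
from typing import Dict, List

# Constructed sample files: one documented admin, one undocumented uid-0
# account whose password field is locked yet has an interactive shell,
# i.e. something other than the password file is letting it in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
dbladm:x:0:0::/:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$FakeHashForTheExample:17000:0:99999:7:::
admin:$1$saltsalt$FakeHashForTheExample:17000:0:99999:7:::
dbladm:*:17000:0:99999:7:::
nobody:*:::::::
"""
# Accounts the vendor manual says exist (constructed for the example).
DOCUMENTED_ACCOUNTS = {"root", "admin"}

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
# Shadow password fields that mean "no valid password hash".
LOCKED_FIELDS = {"*", "!", "!!", "x"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid, home, shell} for each passwd(5) entry."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """name -> password field for each shadow(5) entry."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw_field = line.split(":", 2)[:2]
        hashes[name] = pw_field
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str, documented) -> Dict[str, List[str]]:
    """Return {account: [issues]} for every login-capable account that looks
    like a vendor backdoor: undocumented, root-equivalent, or able to
    authenticate without a password the owner can set or disable."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = {}
    for name, entry in passwd.items():
        if entry["shell"] in NOLOGIN_SHELLS:
            continue  # system accounts that cannot log in are expected
        issues = []
        if name not in documented:
            issues.append("not in vendor documentation")
        if entry["uid"] == 0 and name != "root":
            issues.append("uid 0: root-equivalent")
        field = shadow.get(name)
        if field is None:
            issues.append("no shadow entry")
        elif field == "":
            issues.append("empty password")
        elif field in LOCKED_FIELDS:
            # Locked hash plus interactive shell: the login daemon must be
            # authenticating this account some other way (for example a
            # built-in challenge/response), which the owner can neither
            # change nor disable from the password file.
            issues.append("password locked but shell is interactive: "
                          "authenticates outside the password file")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW,
                                          DOCUMENTED_ACCOUNTS).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

A clean result is necessary, not sufficient: an account hard-coded inside the telnet or login binary itself never appears in these files, so the password-file audit has to be paired with a look at which daemons listen on the device and what those binaries do with a login name.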

So why does the headline say NOTHING NEW?

Researchers have already found similar back doors in MVPower DVRs, RaySharp DVRs, Dahua DVRs, AVer DVRs and Foxconn firmware used in some (cheap) Android phones.

And remember, just because the equipment has a name brand on the face plate does not mean that there isn’t some nosy Chinese software in it under the covers.

In 2012 a former Pentagon analyst told the media that China had backdoors in the equipment of 80% of the world’s telecoms.

Think about that for a minute.  If that analyst is even close to right, the Chinese can listen to traffic from most of the world’s telecoms.

So why would you buy Chinese equipment for your network?

One word.  Price.

Just consider that you are getting a little extra value with your purchase.

A Free (no extra charge) backdoor.

Nice.

So when you are considering buying network and computer equipment, dig a little deeper, ask more questions and do some research.  At a minimum, find out which accounts exist on the device and whether you can change or disable every one of them.  It might just help you keep the Chinese out of your stuff.

Information for this post came from Bleeping Computer.
