Tag Archives: CISA

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Security News for the Week Ending Nov 13, 2020

The “S” in Coworking Stands for Security

While the WSJ says that coworking companies are closing money-losing spaces as a result of Covid, don’t forget that coworking spaces are about as secure as airport WiFi, meaning not at all. The local news just said that some coworking companies are actually expanding as people want to get out of their house. For most coworking companies, the users are on a shared WiFi connection with no security and often, no encryption. Your remote working policy and procedures need to address this subject, based on the level of risk you are willing to accept and whether you are part of a regulated industry that might frown on you sharing your trade secrets, PII or customer data with the world. Also remember that if malware gets into shared WiFi, it will certainly try to attack you. Here are a few tips for coworking company security.

Travelers are Faking Covid-19 Test Results

Apparently some travelers don’t want to go through the hassle of getting tested for Covid but still want to travel to countries that require those tests to enter the country. First there were paper documents, which, with Photoshop, were easy to forge. The cops in Paris’ Charles de Gaulle Airport just arrested some of those forgers. They were charging $180-$360 for fake documents. Apparently the French do not cotton to counterfeiters. The penalty for counterfeiting Covid documents is 5 years in a French prison and a half million dollar fine. Brazil arrested some tourists last month for presenting fake documents, so it sounds like you can get in trouble whether you are the buyer or the seller. Some locales are now only accepting electronic versions of the documents from the labs, making it harder to fake. Credit: USAToday

Google Finds At Least 7 Critical Bugs in Chrome, Android, iOS and Windows

Google says the bugs were being actively exploited in the wild, but is not saying by whom or against whom. The iOS 12 patch released patches back to iPhone 5S and 6, typically indicating that it is a big problem. The bugs were “found” by Google’s Project Zero, but apparently were being used by someone(s) prior to them being found. Does this smell like some spies were caught? Probably. We just don’t know which side they were on. Credit: Vice

Vietnam’s OceanLotus Hacking Group Joins Other Countries in Hacks

While countries like China get all the credit for hacking, Russia, North Korea and others are just as active. Add Vietnam to the list. Right now they are attacking their Asian neighbors. As is typical for these government run attacks, they are applying a great deal of effort to compromise their victims. Credit: The Record

White House May Fire Krebs for Securing the Election

Chris Krebs, the head of DHS’s Cybersecurity agency CISA, says he expects to be fired by the White House for securing the election from hackers. All reports indicate that while there is a lot more work to do to secure elections, the 2020 elections were, by far, the most secure ever. The agency also created an election rumor control web site (www.cisa.gov/rumorcontrol). This website debunked many of the myths being spread by people who are trying to discredit the election results. General Nakasone, head of NSA and Cyber Command, who also said that there was no significant election fraud, could also be in trouble. Credit: Darkreading

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT  program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customer’s servers) and they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it.  Source: Reuters

Newsbites: GoToMyPC, Carbonite, DHS and CISA and the FBI

Carbonite: Carbonite sent out an email to all customers to reset their passwords.  They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.

They say that based on their security review, they have no evidence that they have been hacked.

If none of these attempts to get in was successful, then why force millions of people to change their password?  Likely, at least some of these attempts were successful.

Source: Carbonite web site.

GoToMyPC:  GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.

Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.

Citrix provided little additional information about the situation.

Source: BBC News.

Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game.  Some recommendations are:

  1. Use a password manager so that you don’t have to remember all those passwords.  Many of them, such as LastPass, will automatically log you in, making the password step easier.  While this is a security risk in itself, it is likely less of a risk than using simple passwords.
  2. DO NOT reuse passwords across important sites like online backups, banking, email and remote access.  Unique passwords combined with a password manager is not just a best practice, it is a survival tip.
  3. For any important web site, such as banking, Amazon and others, use two factor authentication.  I know it adds an extra step to the login process, but it makes stealing passwords much less useful.

DHS and CISA:  DHS released the final rules for the data sharing rules of engagement that were part of the CISA bill that was sneaked into the Defense appropriations bill last year.  The bill created a voluntary system trying to encourage businesses to share threat data with the government.  The system has two automated tools, STIX or Structured Threat Information Exchange and TAXII or Trusted Automated eXchange of Indicator Information to scrub and categorize the data.  Out of the 30 million or so businesses in the United States, so far 30 are using it.  That would be .0001 percent.  I think it is going to need some more users to be effective.  To be fair, it is, pretty much, a new thing and around 70 more companies are planning to participate.

Source: IAPP.

FBI:  The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no.  Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo, have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.

Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want.  And it’s all happening in secret.”

The FBI also keeps any data that it is illegal for them to ask for if uninformed companies give it to them.  The DoJ Inspector General said that at least one company turned over email messages including images, which is expressly prohibited in the statute.

Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.

Source: IAPP

Office Of Personnel Management Breach and CISA

Congress has been trying to pass some sort of cyber security bill for 3 or 4 years now, but up until last December, was never able to pass one.  Part of the reason is that knowledgeable people understand that this information sharing will likely not help you or me at all.

Last December, Congress quietly placed what was the CISA bill (S.754) inside the federal budget bill that was passed quickly so as to avoid shutting down the government.  There was very little debate – there was no time – and the intelligence community was able to negotiate the weakening of language that required companies that share information with the government – in exchange for which they get immunity in case anyone sues them for doing that – to make sure that there is no personally identifiable information being shared.  While some people read the law as protecting privacy, others read it in the opposite manner.

The weakened privacy protections say that a company cannot share information that they KNOW to be personally identifiable and KNOW that is irrelevant to cyber security.  That seems like a pretty big loophole to share almost anything.  The good news is that many companies will try to avoid sharing any information with the government because of the negative business PR when they get outed as sharing data with the government. See Wikipedia for more information.

What we don’t know is how the government might use this law to “encourage” companies to share information if they want, say, government help or government contracts.

One note.  The law requires DHS and ODNI to provide procedures for sharing information within 60 days of enactment of the law.  If enactment, in this case, means when the President signed it, that means the procedures must be sent to Congress this week, so stay tuned.

So how does this relate to OPM?

Whether the data provided by private industry directly contains your PII or not, the data is likely to be sensitive to the company sharing it.  As a result, those companies are counting on the government to protect that information.

Almost a year ago the U.S. Office of Personnel Management acknowledged the fact that hackers made off with information on around 20-25 million Americans – many in positions of trust and who have access to sensitive classified information.

Based on my background, I assumed I was one of those people.

So, I waited for a letter to arrive.  By October I still had not received a letter, which I thought odd.

So I went to the OPM web site and there is a process, they say, that will tell you whether OR NOT your information was breached.  No response.

So I called the OPM call center and asked them to resubmit my request.  And, still, no letter.

Remember, in both of these cases I should have received a letter either way – whether my information was compromised or not.

So I wrote to my Senators and asked for their help.  One did not respond to my letter;  the other talked to the OPM who said, go to their web site.

So I did, again.

Finally, today, about 10 months after the breach was announced, I got a letter.  Yes, I was included.

What was taken?  Name, address, social security number, date and place of birth, where I have lived, education including dates and degrees, employment history, personal foreign travel history, immediate family members (and actually I would call that extended family – it includes brothers and sisters, their spouses and their children),  business acquaintances and personal acquaintances.

Oh yeah, also all 10 of my fingerprints. OPM says they are not sure how an attacker would misuse them, but they are pondering the question.

Based on that, here is my – and a lot of other people’s – thought on CISA.

If the government cannot keep information such as the list above out of the hands of hackers, how likely is it that they can keep safe and secure the information that I share with them regarding threats – which certainly could include enough information for another hacker to figure out how the original hacker planned to attack me, or other sensitive information, including an attack vector that might still be valid?

Especially since once I share it with Homeland Security they can share it with a whole raft of other agencies, so not only do we have to worry if DHS is keeping the information secure, but we also have to worry about the other agencies that get that information from DHS keeping it secure.

It will be interesting to see what the procedures say when they come out – maybe this week.

Addendum:  BestVPN reported that there was a private, invitation only meeting between the government and the CIOs of the largest companies where DHS tried to convince the CIOs that they were from the government and were here to help them.  As Ronald Reagan said, those are the most terrifying words in the English language (see the clip on YouTube).

Curiously, only 58% of the CIOs in attendance think that CISA will increase corporate cooperation with the government.  Because the government, they say, is useless at cyber security.  The FBI even admitted it, the article says, after the OPM breach.

As part of the roll out, DHS and/or NSA has created at least two new systems: TAXII, a messaging system to exchange information, and STIX, a threat parsing system.
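The sharing tools named here and in the Newsbites item above (STIX to describe the threat, TAXII to transmit it) leave the “no personally identifiable information” check to the company doing the sharing. As an added example that is not from the post or from DHS, this is a pre-submission scrubber for a STIX 2.1 bundle: it drops identity objects that describe individuals, redacts e-mail addresses and phone numbers from free-text fields, leaves the indicator pattern (the threat data) untouched, and returns a report for an analyst to review before anything goes to a TAXII server. The bundle, object ids and PII regexes are constructed assumptions, not data from the post.

```python
import copy
import json
import re

# Free-text STIX fields that may carry employee or customer PII.
FREE_TEXT_FIELDS = ("name", "description")
# Identity objects describing people (not the reporting org) are dropped whole.
PII_IDENTITY_CLASSES = {"individual"}

# Deliberately narrow regexes (assumption): real deployments tune these.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),
}

# Constructed sample STIX 2.1 bundle: one indicator plus one employee identity.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2016-01-18T00:00:00.000Z", "modified": "2016-01-18T00:00:00.000Z",
         "name": "Phishing sender seen by Example Corp",
         "description": "Mail to jane.doe@example.com (ext 4412, 555-0123) from attacker host.",
         "pattern": "[email-message:from_ref.value = 'billing@evil.example']",
         "pattern_type": "stix", "valid_from": "2016-01-18T00:00:00Z"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000003",
         "created": "2016-01-18T00:00:00.000Z", "modified": "2016-01-18T00:00:00.000Z",
         "name": "Jane Doe", "identity_class": "individual",
         "contact_information": "jane.doe@example.com"},
    ],
}


def redact_text(text):
    """Replace e-mail addresses and phone numbers; return (text, hit count)."""
    hits = 0
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED-{label}]", text)
        hits += n
    return text, hits


def scrub_bundle(bundle):
    """Return (scrubbed copy of bundle, report); the input is not modified."""
    out = copy.deepcopy(bundle)
    report = {"dropped_objects": [], "redactions": 0}
    kept = []
    for obj in out["objects"]:
        if obj.get("type") == "identity" and obj.get("identity_class") in PII_IDENTITY_CLASSES:
            report["dropped_objects"].append(obj["id"])   # a person, not a threat
            continue
        for field in FREE_TEXT_FIELDS:
            if field in obj:
                obj[field], n = redact_text(obj[field])
                report["redactions"] += n
        # 'pattern' holds the adversary observable being shared; left as-is.
        kept.append(obj)
    out["objects"] = kept
    return out, report


if __name__ == "__main__":
    scrubbed, report = scrub_bundle(SAMPLE_BUNDLE)
    print(json.dumps(scrubbed, indent=2))
    print(report)
```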

DHS says that they will start this program – maybe already done – with a few select companies.  Who might those be?  They have not said and I bet those companies are not going to tout that they are participating.

Information for this post came from BestVPN and other news.

E.U. Safe Harbor Deadline Nears – What Will Happen?

As the self-imposed (by the E.U.) deadline (for coming up with a replacement for Safe Harbor) of January 31st looms near, we don’t really know what is going to happen.  My guess is not much, but stay tuned.

The background is that when the European Court Of Justice struck down Safe Harbor last year, Working Party 29, the group responsible for cleaning up the mess in the aftermath of the ruling, created a deadline of January 31 of this year for a new agreement to be in place or else.  Or else what?  Not really clear.  What could happen is ALL that data transfer which was done under the old Safe Harbor agreement stops.  I don’t believe that will happen.

There are a lot of negotiations happening behind the scenes.

One critical piece, a U.S. law that gives E.U. residents the right to sue for redress in U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer – passed a vote in a Senate committee.  Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction.  Do I think this will get signed by January 31?  No.

On the other side of the coin are the data sharing provisions (what used to be called CISA) in the recent budget bill.  Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights since the law says that you can’t sue companies if they share your private data with the NSA.  Oh, wait, companies share it with Homeland Security.  Who is free to share it with NSA, FBI, DoJ and a whole raft of three letter agencies.

The E.U. has basically approved the new data protection agreement for Europe called the General Data Protection Regulation or GDPR.  It is actually much stricter in terms of provisions than the old law.

I think February could be very interesting.

Information for this post came from The Register and Dark Reading.