Tag Archives: Covid-19

Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK is now saying that all of the contact data that they are collecting from the app people install on their smart phones – that data may be kept by the government forever and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone checkins including people’s national identity number at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made contract tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smart phone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another by telling two planes that are close to one another to move in opposite directions from each other, is, apparently, susceptible to hacking.

The hack works by presenting phantom data to a plane that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Maxs. Pilot tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers targeting WordPress sites that are not current on their patches. Wordfence security saw 20 million attack attempts on over a half million servers on May 3rd alone. The attack redirects visitors to malvertising and administrators get to deploy a free backdoor for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • Al employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, who represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert de Niro and many others was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and has published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is not an object and their ability to sue this law firm out of existence is also probably a good guess.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking our hospitals and research facilities who are looking for cures and vaccines for Covid-19. That should not be much of a surprise since China has always opted for stealing solutions vs. figuring them out themselves. At least that this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also steal information on their neighbor’s lies about their death toll. Credit: Reuters

Finally, South Korea’s Dark Hotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in one attack. 5 is a massive arsenal to use in one attack, since zero-days are hard to find (or at least we think they are. Since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says that they have reports on coordinated attacks on their wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do but disconnecting from the Internet likely makes companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath when the least people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the office of the customer and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what employees do. Even the NSA seems to have trouble with reports of their analysts sharing salacious images that they come across.

in fact, the “insider threat” problem as it is referred to is a really difficult problem to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10K, 10Q and other SEC filings. Companies only have to list items that have the potential to be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already mentioned ransomware is on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. 1 in 6 (16%) Americans don’t even have a smartphone. For the high risk group, these over 65, only 50% have smartphones and for those over 75, it is even less.

Resistance is higher among Republicans and those that think they are at lower risk. Only 17% of all smartphone owners said they would Definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post

Security News for the Week Ending April 24, 2020

Corona Virus Puts Brakes on 5G Deployment

A research reports says that global cloud revenue from the operation of core 5G networks will fall 25% to 30% shy of the $9 billion forecasted for this year.

They predict that this will only be a short term problem and that 5G deployment will pick up next year.

*I* think a bigger problem is going to be network congestion, but what do I know; I am not trying to sell consumers and businesses a dream.

Samsung just demonstrated a 5G phone on a commercial cell site (TEST) was able to transmit at 4.2 gigabits a second. Two phones doing that fully consumes one 10 gigabit fiber. 100 of those at one cell site would consume 50 fiber strands from that site. One hundred cell sites with each filling up 50 fiber strands would, in the aggregate fill up 50×100= 5,000 strands of fiber and that is for just 100 cell sites. The forecast is for hundreds of thousands of cell sites in the U.S. Where do we get all of that network capacity? The answer of course, is to throttle down your speed to something they can digest, unless you pay a lot of money (which they would like). Most people will say that it is not worth it. That spells a problem, I predict. Credit: Computer Weekly.

Space Crime – Astronaut Accused of Hacking Spouse’s Bank Account from Space

In possibly the first space crime ever, the spouse of an astronaut on the U.S. space station, who was separated and filing for divorce, accused the astronaut of hacking into her bank account from outer space. I used to say that you could hack from half way around the globe, but I guess now I have to amend that to include outer space. It turns out that the spouse is now being charged with lying to the cops – she had given her spouse access to that bank account years earlier and never changed the password, even though she said that she had. Credit: CNN

Ticketmaster Changes Refund Policy After the Fact

While this is not really a security issue, I find the numbers staggering. And a warning.

Ticketmaster has postponed or cancelled 30,000 events and still has another 25,000 events scheduled for the rest of this year. Just the cancelled events represents $2 billion in ticket sales and, I am sure, hundreds of millions of dollars of profit. As a result, Ticketmaster decided to change their refund policy, AFTER PEOPLE PURCHASED THEIR TICKETS to say that you won’t get a refund unless the event is cancelled and not “indefinitely postponed”. Since the performer, venue and Ticketmaster all have a vested interest in keeping people’s money, many events will be “indefinitely postponed”. Not surprisingly, Ticketmaster is being sued.

Ticketmaster is working on offering refunds for 18,000 postponed events, likely due to a combination of the shaky legal strategy of changing contract terms after the fact and the bad publicity, but that still leaves maybe 30,000 to 40,000 events, representing maybe 100-500 million tickets (depending on average venue size), in limbo.

For consumers, this is a bit of a security warning in the sense that you should consider that any money that you spent on tickets for concerts and travel should be treated as a total loss for now. Plan for the worst and be happy if you wind up better than that. I assume that no one is buying tickets right now, but consider this when that option resumes.

For example, a high school class trip got cancelled here in the Denver area and the travel agency refunded 25% of the cost of the trip. The other 75% is, apparently, unknown.

Credit: Blabbermouth. For more information on the behind the scenes challenges that Ticketmaster is dealing with, see this article in Billboard.

Remote Worker’s Lack of Corporate Firewalls Blamed for Rise in Malicious Activity

SC Magazine says that the number of devices that have been commandeered to work for the bad guys has more than doubled since the pandemic.

The researchers believe that many of these devices were infected before the pandemic but the devices were blocked from the Internet by corporate firewalls.

Now that people are home and have a range of protection from NO firewalls to crappy firewalls that have never been patched to OK firewalls – but probably very few great firewalls, the malware can do it’s damage.

As a side note, reports from some corporate IT departments say that the availability of corporate grade firewalls suitable for home deployment is non-existent, so even companies that want to fix the problem by providing firewalls to employees can’t. The study says that the number of OBSERVED compromised companies increased by 400% between January and March in some countries. Credit: SC Magazine

Half a Billion iPhones at Risk Due to Email App Bug

While Apple is claiming that they don’t have any concrete evidence that hackers abused a bug in Apple’s default email application, they are not denying that the bug exposes email users to to having their phones compromised and data stolen just by receiving a blank email.

Apple is also saying that while they are developing a patch, the three bugs in mail that were reported were not enough to compromise phones.

Security firm Zecops says that at least 6 firms were targeted as far back as 2018. The bug dates back to iOS 6 — 2012!

For now, high risk users should not read their emails on their phones.

Credit: Tech Crunch and Engadget

News Bites for the Week Ending March 27, 2020

Hacker Sells 538 Million Weibo Accounts

Karma is a B**tch.

With all of the Chinese hacking efforts, someone is hacking back.  Is it us?  Not clear.  In any case, the data includes information like real names, site names, location, etc. and 172 million of the 538 million records include users’ phone numbers, but not passwords.  The data is available for $250.  Given China’s iron grip on the Internet, they should be able to catch this guy.  Unless he is not in China.  Source: ZDNet

Pentagon Increases Progress Payments to Primes

The Pentagon is trying to keep the Defense Industrial Base afloat during these trying times by increasing so-called progress payments to primes and other measures.  Whether it will be enough to keep small subs in business is not clear, but what we have seen is that the bankruptcy courts have seen that these companies’ intellectual property as an asset and sells it off during liquidation – even selling defense information to the Chinese.  In theory, CFIUS should allow the government to stop these (and it absolutely can if it moves fast enough) and FIRRMA (aka CFIUS 2.0) gives the government even more power to stop it but the bankruptcy courts have, for the most part, thumbed their noses at it, possibly (kindly) because they are clueless about the risk.  Source: National Defense Magazine

Experts See Over 600 Percent Spike in Malicious Emails During Covid-19

Barracuda Networks researchers saw a 667% spike in malicious emails using Coronavirus.  The goal is to get you to click on malicious links or download attachments that include viruses.  They saw almost 10,000 coronavirus linked emails attacks in the last three weeks compared to 1,800 in February and less in January.  Phishing attacks are nothing if not tied to current events. Source: The Hill

Netflix Reduces Video Quality in Europe Over Bandwidth Crunch

According to Variety, Netflix uses one out of every eight bits traversing the Internet (12%).  As general  Internet usage goes up, Europe has asked Netflix and other streaming video providers to reduce their video quality from HD to SD.

“As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators.”

Netflix has agreed to reduce its video stream bitrate by 25% for the next month.  Source: Bleeping Computer

Weekly Security News for the Week Ending March 20, 2020

Senate Kicks the Can Down The Road Again With FISA Renewal

Last week it looked like Congress was going to renew the parts of the Foreign Intelligence Surveillance Act that DID EXPIRE last weekend.  But Congress being Congress, they didn’t.  On Monday the Senate agreed to kick the can down the  road for 77  days.  Now the House has to agree.  In the meantime, I am not sure what the NSA is doing about those expired provisions and they only plan to kick the can down the road on two of the three expired provisions.  In fairness, Trump wants to reign in the Intelligence Community since he doesn’t trust them and never has.  This could work to the advantage of the privacy advocates.  Source: Reuters

Covid-19 Web Site President Said Google Would Bring Online Monday is Online But Not Like he Said

Google/Alphabet subsidiary Verily launched its Project Baseline Coronavirus website, but it is not national, it only covers two counties in the San Francisco Bay area.  It was supposed to allow people to make appointments to get tested, but the few slots that were available filled up instantly.  Only people living in those two counties are even allowed to use the site.

Google says that they are working on a nationwide INFORMATION ONLY site and it will be released sometime in the future.  Source: Bleeping Computer

Open Source Vulnerabilities Surge in 2019

Some people say that open source software is more secure.

Reality is a little different than that.

In 2019 DISCLOSED open source vulnerabilities surged from 4,000 to 6,000 last year.  The good news is that the open source community is good about fixing the vulnerabilities once they are found.  85% of the vulnerabilities  have a fix once they are responsibly disclosed.

Bottom line, make sure that you have an effective open source software patching program to keep your company safe. Source: Help Net Security

U.S. Census Figures Coronavirus Will Be Over in Two Weeks

The Census, that every 10 year event, was supposed to start this week.  But there is kind of an issue.  I think there is some kind of virus going around.  Part of how the Census works is that Census workers go around collecting information from people.  Given the current situation, (a) Census workers are probably not going to be willing to risk their health for a few bucks, (b) people that they visit are likely not going to let them in the door or (c) some other less than nice thing might happen.

So what did the geniuses at the Census  bureau decide to do?  They decided that they are going to send out Census workers in 13 days on April 1st. WHAT, EXACTLY, DO THEY EXPECT TO BE DIFFERENT IN 13 DAYS?

Ya gotta wonder about those folks in Washington.  Source: Reuters

OCR Lifts Penalties For Telehealth Use During Covid-19

Its all hands on deck.  HIPAA has a number of provisions that allow a healthcare provider to bypass certain HIPAA rules.  A pandemic is not one of those options.  Of course since the Feds make the rules, they can change them.  In light of the current situation, HHS says that they will not penalize Covered Entities for using telehealth providers who are not fully HIPAA compliant.  They are not saying using those providers is legal;  they are just saying, given the circumstances, they are not going to go after providers who do so.  This will allow providers to use apps like Facetime or Google Chat to diagnose patients instead making them come into the office and potentially infect dozens of other people.  It seems like a reasonable trade off.  Source: HealthIT Security