Tag Archives: FCC

Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (Ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.

 

FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment because of their close ties to the Chinese government and another rule that would force telecoms to rip out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, are to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This will disproportionately affect less densely populated parts of the country (I live 20 miles from downtown Denver and cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast, affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS

 

Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change my password and make sure that two factor authentication is enabled.  Source: The Hacker News.

 

Rudy Giuliani Bricked His iPhone; Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and, after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernardino mass shooter whose iPhone the FBI needed help unlocking.  I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.


Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”, Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers, wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, which told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe they are being optimistic), but has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and hard place since he, earlier this year, said the FCC can’t regulate the Internet and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC).

Yet, Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 – from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending a message to wallets in rich text.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution; Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers posted the cables online and, when found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data that it is storing about them.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, socials, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.

 


FCC Continues to Support Network Providers at the Expense of Consumers

In general, the U.S. ranks below many third world countries in the speed, quality and cost of Internet access.  If you ask your neighbors what they think about the price, speed and customer service of their internet provider, you will generally not get a positive answer.  My brother lives in Europe and his internet connection is 50 times faster than mine is here and he pays less than half of what I pay.  That is a 100 to 1 ratio.

Some cities have attempted to fill this vacuum by building their own network for Internet services.   While the number is small (about 750 cities) compared to the number of cities in the U.S., cable companies are not happy about the competition.

Therefore, it falls on the FCC to protect those cable companies’ interests by saying that local community owned Internet services are a threat to free speech.  Really.  FCC commissioner Mike O’Rielly actually said that in a speech.

As is often the case with Washington, he gave zero evidence to support that claim.  That is a big surprise.  But at least a few people will believe him.

Recently the FCC reversed its own net neutrality regulation saying that it didn’t have the authority to issue the order and when 38 states started issuing similar orders, it said that the states didn’t have the authority to do that, only it had that authority.  Confused?  Me too.

So now the FCC is saying that when local cities work to solve local problems (poor or non-existent internet services), it is a threat to the First Amendment.

The only remote connection is one university paper that says the same thing, also with no evidence.  The issue at hand is the pretty universal statement in almost all ISPs’ terms of service that says that they can kick you off the network if you threaten violence or spew hate speech.  The Pittsburgh synagogue shooter used an online service called Gab to promote the killing of all Jews and, not surprisingly, Gab’s ISP kicked it off when the fact became public and threatened its reputation.  Paypal refused to process its credit card transactions and its domain name provider won’t host its domain.  None of these are community run, but I don’t hear the FCC whining about them.  In fact, as of today, no ISP is willing to host them and they are off the air for now.  ISPs create terms of service that reflect community norms and have the ability to drop customers who violate those standards.

What is not clear is why the FCC is so anti-consumer at this point.  It kind of makes you wonder if there is money involved.  And not in a good way.  Information for this post came from Motherboard.


Senate Reverses FCC Rule on ISP Privacy Requirements

Last year the FCC proposed a rule requiring Internet Providers to get your permission before selling your data.  The rule was set to go into effect in April.  The large ISPs – AT&T, Verizon, Comcast and others – didn’t like this rule since it affected their revenue.  They said that Facebook and Google didn’t need to get your permission, so why did they need to?

After President Trump’s inauguration, the control of the FCC changed and the new chairman, Ajit Pai, suspended the effective date of the rule and this week the Republican controlled Senate and House voted to permanently stop the FCC from implementing this rule or anything like it, now or in the future.

So what is the impact to you?

One needs to consider this.  Facebook or Google only has access to your data when you visit one of their websites or their partner websites.

On the other hand, your Internet provider has more information about you, such as:

  • Who you call, when you call, how long you talk, etc.
  • Who you text, when and potentially the content
  • For encrypted messaging like Whatsapp, who you are exchanging messages with and when
  • What web sites you visit, how often and when – even if the data itself is encrypted
  • Your location data – where you go and when and how long you stay there.
  • In fact, they can likely track anything you do online

With no rules, you cannot opt out of this data collection.

A couple of years ago Verizon and AT&T installed secret apps on your phone (Caller IQ, for example), used super cookies and inserted universal identifiers or UIDs, all to track your traffic.  They stopped some of that when it became public and the bad press outweighed the revenue.

Again, with no rules, ISPs can keep this data for as long as they want to keep it.  In addition, they can sell it to whoever they want to.  Or give it away.

Obviously, this does not overturn any other laws, but in general, there are very few rules in this arena.  This is especially true when it comes to meta data.  There is a difference between selling your emails and selling the fact that you sent an email at this time to this person.

There are also no rules regarding who they can sell (or give) this data to.  Could be your employer or your insurance company or even law enforcement.

Recently we saw that Scotland Yard hired hackers in India via the Indian police to hack journalists they were interested in eavesdropping on.

Assuming your ISP decides to collect and keep this data, there is no reason why the police couldn’t either ask them nicely for it or subpoena it.  We have already seen cases where the police want the data in your Amazon Echo and even the data in your smart water heater, so why not this data?

Could your insurance company or employer ‘acquire’ this data, directly or indirectly?  I don’t see why not.

And, you apparently have no way to opt out – unless the ISP voluntarily decides to give you that option and I would not count on that.  I do not expect this to change during the current administration, but it could if enough people complain.

We live in an interesting world.

Information for this post came from PC Magazine.


The Regulators Are Coming! The Regulators Are Coming!

Everyone knows that the regulators have been going after businesses that don’t protect consumer information.  Some people say they are too overreaching.  Others say that they are not doing enough.  Either way, the reality is that you have to deal with them.  So who are they and who do they go after?  Read on.

The FTC.  The FTC has gone after businesses using section 5 of the FTC Act – basically saying that the actions of a business represent unfair or deceptive practices.  Recently, after the FTC went after Wyndham Hotels after a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security.  Unfortunately, the courts did not agree and Wyndham settled (see article).  Suffice it to say, the FTC’s jurisdiction covers anyone who is in business and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.

The FCC.  The FCC is a new player in the privacy regulation business.  Their jurisdiction is limited to communications and broadcasters.  Recently, they have gone after a number of businesses blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price.  Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article).  This is a low risk regulator to most businesses.

The CFPB.  The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010.  Recently, they went after a small Fin-Tech company, Dwolla (see blog post) saying that they were lying about the cyber security measures they were providing to their customers.  CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc.  In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions.  The CFPB’s reach covers anyone in the financial industry or supporting that industry and they are just beginning to figure out their role.

HHS Office Of Civil Rights (OCR).  Health and Human Services enforces HIPAA and HITECH, specifically in the area of protecting your medical information.  They have done some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy.  Recently, they got beat up by their Inspector General’s office saying that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement.  Their area of jurisdiction is health information, so if you are a medical or dental practice, insurance provider or a vendor to one of these businesses, you could come in their cross hairs.  Still, they seem to be behind the power curve.  Recently, they finally created a full time office to handle enforcement.

Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data.  This stemmed from a vendor of theirs having a laptop – UNENCRYPTED – with the medical records of 10,000 patients on it stolen out of their car.

Also this month, HHS OCR fined the Feinstein Institute $3.9 million.  This fine also was the result of an unencrypted laptop being stolen out of an employee’s car.  This time it had 13,000 patient records on it.  They were fined for not having encryption AND not having a documented explanation why encrypting patient data wasn’t needed.  HIPAA and HITECH don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.

The two cases date back to 2012.  I assume this means that HHS OCR is still playing catch up and we don’t really know what this new office is going to do.

These are just a small sample of regulators that could come after a business that does not protect non public personal information of different varieties, depending what industry you are in.

I am sure that there are many more to consider, but suffice it to say, that almost every business could come into the cross hairs of at least one of these regulators.

Of course, this does not include state regulators, such as the New York Department of Financial Services or the California Attorney General, both of whom have been very active in the privacy arena.

So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.

Information for this post came from Health Data Management.
