Tag Archives: Google

News Bites for the Week Ending Nov 2, 2018

Follow on to Google+ Breach and Notification

I recently reported about Google getting in trouble for hiding a breach discovered in March.

The first thing to point out is that it is unlikely that Google broke any laws.  The current breach notification laws in the U.S. give a company the wiggle room not to disclose a breach if it reasonably thinks that the risk of harm to breach victims is low.  Each state words that differently, but obviously Google figured that it could wiggle its way out of this, and it did, until it was outed by none other than that bastion of big business, the Wall Street Journal.

Whether the fox should be making that decision about henhouse security is a separate issue, but that is the state of breach laws currently in the U.S.  They say that is so that we don’t overtax people’s brains, but I don’t particularly believe that.

The second point is more interesting.  Google determined that no one would be harmed by looking at TWO WEEKS’ worth of log data, because, in a very un-Google-style strategy, it only kept two weeks’ worth of log data.  So a bug that had been around for years had to be analyzed using two weeks’ worth of logs.

All of this points to the challenges that all businesses have when it comes to breach notification issues, both in the U.S. and internationally.

Mikrotik Routers Susceptible to Bugs That Let Attackers Steal Your Data

In May Mikrotik announced a bug (and a patch) that allowed an UNauthenticated user to download the router’s password file, which was not encrypted.  What kind of a problem could that cause anyway?  Of course, most users who buy a $49 plastic box at Best Buy and shove it in a corner are likely to patch it right away when Mikrotik announces on its blog that a patch is available (hint: not).  But Mikrotik also makes enterprise routers, and those are susceptible too.  Hopefully at least some of those are patched.

Last month Mikrotik announced another bug that lets an authenticated user take over the router and run any software they want, which means eavesdropping on all inbound and outbound traffic or running a cryptomining operation against your network.  Put the two bugs together and an attacker needs no credentials at all: the first one hands over the password file, the second one turns those credentials into full control.  Several hundred thousand routers have not installed the first patch and thousands have already been compromised.

The moral of the story is patch your router, and especially do that if your router has a Mikrotik logo on it. (Source: The Hacker News)

Cathay Pacific Loses Info on 9.4 Million

Cathay Pacific admitted to losing control of records on 9.4 million passengers in a breach it detected about six months ago.  The good news (for Cathay) is that the event occurred prior to the effective date of GDPR, so the fines will be much smaller.  The bad news is that they are based in Hong Kong, China, so there could be other “penalties”.

The South China Morning Post says that the Chinese government is not happy about the breach (maybe they are jealous that they didn’t do it?).

Among the data stolen was name, address, phone number, email address, nationality, travel history and passport information.

Cathay Pacific has hired Experian to provide credit monitoring services.  This may be a good choice because Experian has had so many breaches of its own that 9 million people whose information was just stolen would be happy to give more of that information to a company that gets hacked on a regular basis (I am guessing not).

Apparently it has been trying to figure out whose data was stolen since May (call it 100+ days).  Remember that GDPR gives you 72 hours from becoming aware of a breach to notify the regulator, so they are on the wrong side of that number by 97+ days.

As breach notification laws become stricter and the fines get higher (if this were a California business and CCPA were already in effect, a class action asking for $750 x 9.4 million = $7 billion would already have been filed), businesses need to get much better at incident response.  You need to be able to figure out who got in, when they got in, what they took and whom you are going to engage, and do it very quickly.  Source: CNN.

Russian Spy Gathered Info On Non-Profit’s Cybersecurity Defenses as a Student in the US

Accused Russian spy Maria Butina, awaiting trial in Virginia, is also accused of working on a project at American University, where her cover was as a student.  The project examined the cybersecurity defenses of organizations such as the Electronic Frontier Foundation, and while there is no direct evidence that she funneled that data back to Moscow, it is highly unlikely that she was part of that project for the fun of it.  The non-profits thought the University vetted the students; the University thought the State Department vetted them.  In the end, no one did, and she now faces trial for spying on us.  Source: The Daily Beast.

US Continues Attack on China to Stop Stealing Our Stuff

Not only are the Russians after us, as the item above points out, but so are the Chinese.  In fact, the Chinese are far more blatant about it.  In two moves to counteract that, the DoJ indicted almost a dozen Chinese spies for stealing aviation-related secrets.  The theft went on between 2010 and 2015, so the indictment comes 8 years after the theft began.  I would think the Chinese would consider that an acceptable return on investment.  Since these people will likely never face trial, it is a somewhat symbolic gesture, and coming 8 years after the attack started it also points out that our ability to detect and stop these folks is somewhat lame.  I say that they won’t come to trial, but a Russian spy was recently lured to Belgium where he was arrested, so you never know. Source: WaPo

In a second action, the U.S. issued sanctions against Chinese semiconductor manufacturer Fujian Jinhua that prevent it from buying parts from U.S. suppliers.  While this hurts Jinhua, it also hurts the U.S. companies that sell to it.  The Feds are worried that Jinhua will flood the U.S. market with cheap DRAM chips, driving U.S. manufacturers out of the business and forcing DoD contractors, who already have massive supply chain security problems, to buy even more parts from China.  I am not sure that there is anything to stop China from creating a new company with the stolen technology and moving on, but you have to try.  Source: Computing.

 


Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commercial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill.

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal has 46 of them on its homepage alone.

All of these trackers increase page load time and data use, since each tracker site has to be individually contacted and fed information about us.  Individually the numbers may be small, but if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that is like visiting 4,700 web pages a day just to read 100.
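To put a number on this yourself, the following added example (mine, not code from the original post or from Mozilla) counts the distinct third-party domains a page pulls resources from, which is essentially what a “46 trackers on the homepage” figure measures.  Feed it the request URLs from a HAR file saved from the browser’s network panel; the page and resource list below are constructed sample data, and the two-label registrable-domain rule is a deliberate simplification (an assumption of this example) that should be replaced by a Public Suffix List lookup in real use.

```python
# Added example (not from the original post): count the third-party domains a page
# pulls resources from, which is roughly what "46 trackers on the homepage" measures.
# Feed it the request URLs from a HAR export (har_resource_urls) or any list of URLs.
# The page URL and resource list below are constructed sample data.
import json
from collections import Counter
from urllib.parse import urljoin, urlsplit


def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1: the last two DNS labels.

    This is a simplification (an assumption of this example); real code should use
    the Public Suffix List, otherwise e.g. 'bbc.co.uk' collapses to 'co.uk'.
    """
    labels = [l for l in hostname.lower().split(".") if l]
    return ".".join(labels[-2:]) if len(labels) > 2 else ".".join(labels)


def third_party_report(page_url: str, resource_urls: list) -> dict:
    """Group resource URLs by registrable domain and split first vs third party."""
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    per_domain = Counter()
    for raw in resource_urls:
        parts = urlsplit(urljoin(page_url, raw))      # resolve relative URLs
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                                   # data:, blob:, malformed
        per_domain[registrable_domain(parts.hostname)] += 1
    third = [(d, n) for d, n in per_domain.most_common() if d != first_party]
    return {
        "first_party": first_party,
        "first_party_requests": per_domain[first_party],
        "third_party_domains": len(third),
        "third_parties": third,              # (domain, request count), busiest first
    }


def har_resource_urls(har_text: str) -> list:
    """Pull request URLs out of a HAR (HTTP Archive) JSON export."""
    har = json.loads(har_text)
    return [entry["request"]["url"] for entry in har["log"]["entries"]]


# Constructed sample: a news homepage and the resources it loads.
SAMPLE_PAGE = "https://news.example/"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": u}} for u in [
        "https://news.example/main.css",
        "https://cdn.news.example/app.js",
        "/images/logo.png",
        "https://tracker-one.example/pixel.gif?uid=123",
        "https://tracker-one.example/collect.js",
        "https://ads.tracker-two.example/serve",
        "https://tracker-three.example/beacon",
        "data:image/png;base64,iVBORw0KGgo=",
    ]
]}})

if __name__ == "__main__":
    report = third_party_report(SAMPLE_PAGE, har_resource_urls(SAMPLE_HAR))
    print(f"{report['third_party_domains']} third-party domains "
          f"({sum(n for _, n in report['third_parties'])} requests) "
          f"vs {report['first_party_requests']} first-party requests")
    for domain, n in report["third_parties"]:
        print(f"  {domain}: {n}")
```

Run it against a real HAR export of a news homepage and the third-party list is the tracker inventory the post is talking about; every entry in it is a separate connection, and usually a separate script, that runs before you get to read the article.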

Firefox is made by Mozilla, which is ultimately owned by the non-profit Mozilla Foundation; unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), Mozilla doesn’t care much about offending advertisers.

For years now browsers have supported a user-specified DO NOT TRACK flag (the DNT request header), and web sites have, pretty much uniformly, ignored the flag and tracked us anyway.

Starting with version 63 of Firefox the new feature will be tested, and in version 65 it will become the default.

The feature blocks trackers by default.  Users will be able to turn it off entirely and also unblock one site at a time.

Browser extensions such as uBlock Origin do similar things (Adblock Plus, by contrast, runs an “Acceptable Ads” program in which large advertisers pay to get on its unblocked list).  The difference here is that it is built in and TURNED ON BY DEFAULT; you do not need to find or install anything.

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that gives it some access to offline purchases.  Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent.  Google uses this data to give advertisers confidence that their online ads are working: it shows you an ad, and then you go spend money in the advertiser’s store.  Google is also buying loyalty card data under a different program, and that could provide much more detailed data, including exactly what you bought.  Both companies are being tight-lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Tenfold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher reports that prior to GDPR it was dealing with around 3 breach cases a month, and post-GDPR it is dealing with one case every day.

This is likely not due to hackers upping their game, but rather to companies that would previously have swept a breach under the rug now reporting it, fearing the sword aimed at their head (fines of up to 20 million Euros or 4% of global turnover) if they don’t report and then get outed.  That outing could come from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing range from small, technical breaches to larger ones similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Huazhu (3,800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data, 240 million records covering roughly 130 million guests, includes everything from name, address, phone and email to passport numbers, identity cards and bank account information.  Make sure you have a good Internet connection if you buy it: the dump is about 140 gigabytes.  While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data.  Source: Next Web.


Facebook and Google Fell For Business Email Compromise

Since we all know that misery loves company, it may bring some comfort that even Facebook and Google can fall victim to business email compromise scams.

In one way, that makes perfect sense, since the weak link is always people.  On the other hand, you would think that big companies like Facebook and Google would have had controls in place, but apparently not.

What is staggering is the scale of the business email compromise.

ONE HUNDRED MILLION DOLLARS.

A hacker in Lithuania was recently arrested at the request of the U.S., but he claims he is innocent and is fighting extradition.

According to the indictment, filed in New York, he created false invoices in the name of a legitimate Asian supplier, Quanta, for computer parts.  Both companies apparently buy lots of equipment from Quanta, so the invoices didn’t seem out of line, I guess.  While the details in the indictment are not clear, I assume that he used his own, special wiring instructions.

Because we are talking about Facebook and Google, the indictment only calls them Company 1, 2 and 3.  Quanta has admitted it is Company 1.  Facebook, in response to a request from Fortune, admitted it is one of the parties.  Google has now admitted it is one of the parties as well.

Facebook said it was able to recover “the bulk of” the funds, whatever that means.  Google also said it recouped the funds.  For an attack as sophisticated as a hundred-million-dollar scam would be, it is surprising that he was not able to hide the money.  YOU should be so lucky.

The only difference between this attack and an attack on you or me, and the reason the Manhattan U.S. Attorney was willing to take the case, was the sheer size of it.

One question is whether this is a material event that needed to be disclosed to shareholders.  For either company, $50 million (half of the take) might not be material, and it certainly might not be if they got some or all of the money back.

Still, this shows that it can be hard to stop these guys, and companies really need to pay attention, especially when the amounts involved ARE material, as they would be for a smaller company.
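As an added example (not from the original post, and not Facebook’s, Google’s or Quanta’s code), here is the shape of the accounts-payable control that stops exactly this: an invoice from a “known” supplier is only paid if it arrives from the supplier’s registered e-mail domain, names a bank account already on file, and is within the supplier’s usual order size; anything else is held for out-of-band verification.  The vendor record, the invoices, the field names and every domain name below are constructed sample data.

```python
# Added example (not from the original post, nor from Facebook, Google or Quanta):
# the kind of payment control that catches a fake invoice from a "known" supplier.
# The vendor master and invoices below are constructed sample data; the field names
# and domain names are assumptions of this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str          # domain the supplier really sends invoices from
    bank_accounts: frozenset   # account numbers on file, verified by phone
    typical_max_amount: float  # largest amount ever approved for this supplier


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    amount: float


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_invoice(inv: Invoice, vendor_master: dict) -> list:
    """Return the reasons the invoice must be held; an empty list means pay."""
    holds = []
    vendor = vendor_master.get(inv.vendor_name)
    if vendor is None:
        return ["unknown vendor: verify before paying"]
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        reason = f"sender domain {sender_domain!r} is not {vendor.email_domain!r}"
        if edit_distance(sender_domain, vendor.email_domain) <= 2:
            reason += " (look-alike domain)"
        holds.append(reason)
    if inv.bank_account not in vendor.bank_accounts:
        # The crucial one: new wiring instructions are confirmed by calling a number
        # already on file, never the contact details printed on the invoice itself.
        holds.append("bank account not on file: confirm by phone on a known number")
    if inv.amount > vendor.typical_max_amount:
        holds.append(f"amount {inv.amount:,.2f} exceeds usual maximum "
                     f"{vendor.typical_max_amount:,.2f}")
    return holds


# Constructed sample data.
VENDOR_MASTER = {
    "Quanta": Vendor("Quanta", "quanta.example",
                     frozenset({"TW00-REAL-ACCOUNT"}), 5_000_000.00),
}

GENUINE = Invoice("Quanta", "ap@quanta.example", "TW00-REAL-ACCOUNT", 1_200_000.00)
# A fake invoice on the supplier's letterhead, sent from a look-alike domain
# ("rn" for "m"), carrying the attacker's own wiring instructions.
FAKE = Invoice("Quanta", "ap@quanta.exarnple", "LV00-ATTACKER-ACCOUNT", 23_000_000.00)

if __name__ == "__main__":
    for inv in (GENUINE, FAKE):
        holds = review_invoice(inv, VENDOR_MASTER)
        print(inv.sender_email, "->", "PAY" if not holds else "HOLD: " + "; ".join(holds))
```

The bank-account check is the one that matters: the sender domain and the amount can be made to look right, but the money has to land somewhere the attacker controls, and that account will not be the one on file.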

Information for this post came from Fortune.

 


Google To Appeal Court’s Order To Disclose Emails Stored Abroad

Google has been ordered by a magistrate judge in Philadelphia to turn over emails stored abroad.  While we don’t have all the details of the case, it appears to be related to a domestic fraud case.

The emails in question are stored in a foreign country.  The case is a domestic case.

Last summer, the Second Circuit Court of Appeals agreed that Microsoft did not have to turn over emails stored in Ireland.  The court’s logic was that the U.S. warrant statute does not reach into foreign countries.

In this case, a magistrate judge (a much lower level of court than an appeals court) said that Google did have to turn over emails stored in a foreign country.  The magistrate’s logic is, in my opinion, somewhat convoluted.  The judge said that since Google could take those emails stored internationally, electronically copy them to the United States, and then hand them over to U.S. authorities in California, the search would occur in the United States and, somehow, would not violate foreign laws.

By this logic, U.S. authorities could at any time order a U.S.-based corporation to violate foreign law by telling it to bring data stored in a foreign country back to the U.S. and hand it over here.

Google has said that it will appeal this order.  If the order stands, U.S.-based tech businesses run the risk of being charged with crimes in foreign countries and also of losing the business of international customers.  That is the rock and the hard place that Google (and Microsoft) are stuck between.

Absent an order from a court of competent jurisdiction in a foreign country to turn over data, Google would potentially be in violation of laws such as the EU’s General Data Protection Regulation.

From a user’s standpoint, in many cases the owner of the email would not even be informed of the court order, since such orders are often sealed, sometimes for years, sometimes forever.

The only way a user has any control over the situation is if the data is encrypted from end to end AND the provider does not hold the encryption keys; a provider that can only produce ciphertext has nothing useful to hand over.  Absio Dispatch is an example of an email solution that allows for this; Threema is an example of a messaging application that works this way.

None of the big commercial email applications such as GMail, Yahoo Mail, and Microsoft Office 365 meet these requirements.

For most users, this is a matter of convenience, and they don’t worry about the government reading their mail.

For other users, this is a matter of privacy, and they don’t want the government poking its nose into their private matters.

The good news is that there are options, and if it matters to you, you can choose whether to do something about it.  However, if you do, you need to understand that it will require change for you and for everyone you communicate with.

Information for this post came from the Telegraph.


Android Security Is Improving – But Not As Good As iPhone

The Android community is slowly beginning to understand that it is going to have to step up to the plate and deal with security the way Apple has from the beginning.  The challenge is that, unlike Apple, where there is one master in control, the Android community is fractured.  The only one with any hope of pulling off a solution is Google.  It has the size (money) and the motivation to fix the problem.

Two examples popped up today.

First, Google has stepped up and is issuing monthly security updates, as Microsoft has done for a long time.  Some vendors, such as Oracle, choose to release patches quarterly.  The advantage of that is that you only have to apply 4 updates a year.  The disadvantage is that the patch releases are monstrous, with hundreds of patches in each one, so many companies just ignore them.  Microsoft’s monthly release typically contains a low-teens number of bulletins, often bundled so users have fewer details to deal with.  Bugs also get fixed sooner with monthly releases.  I vote for monthly.

In this month’s Google patch release, there are two patches for bugs that can be exploited remotely with specially crafted media files (argh, again).  This is a continuing effort to clean up the fright fest that is Android’s media handling, known as Stagefright; you may remember that there were two earlier patch rounds to fix Stagefright problems, and this is number 3.  Expect more; Google is announcing them as it fixes them.  There are also 3 other patches in this month’s collection.

Owner’s of Google Nexus phones will get these patches quickly.  Owners of phones from other manufacturers will need to wait until the manufacturers decide to release the patches.

I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.

The other article is about Android bloatware, or crapware.  Those are the terms for all of the garbage that phone manufacturers think you want and that they add to differentiate their phones from their competitors’.  In most cases, they are so sure you want this garbage that they do not give you a way to remove it.  In fact, in many cases they are being paid by the makers of the software to install it on your phone, which is why they do not let you remove it.  This is another advantage Apple has.  It controls the phones.  Since no one else makes iPhones, Apple controls the price and does not have to install crapware to subsidize it.  This is one reason Apple phones are more expensive than Android phones.

Google has a research team, Project Zero, that hunts for bugs.  Besides hunting for bugs in Windows, Mac OS X and Linux, they are now looking inside Android phones.  This month, they announced, they found 11 bugs in the Samsung Galaxy S6 Edge crapware.  These bugs likely won’t be on a Galaxy S5 or on an LG phone, as the crapware is, for the most part, tailored to the phone.  Who did Samsung make a deal with for this particular phone?

The biggest risk is in software drivers, the software that talks to the hardware and runs with the most permissions.  That is where most of these bugs were found.

The good news is that Samsung has fixed these.  The bad news is that there are hundreds of phone models, and Google’s researchers do not have the resources to review that many.

The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.

One more point.  The patches that Google released ONLY cover Lollipop (5.x) and Marshmallow (6.x).  Almost no one is running 6.x, since it is brand new, and less than 15% are running 5.x according to a statistic that I just found.  Almost 75% of Android users are running 4.x, and the patches just released DO NOT protect those users.

In their defense, Apple does the same thing.  They typically patch the current release and one release back.

Android users need to understand that if they are saving money by not upgrading their phones, they are at greater risk of being attacked, because those old phones are not being patched.

As Google ramps up its security efforts and releases more patches, it is also giving attackers a road map for how to attack the old phones: every fix published for 5.x and 6.x points at a bug that the unpatched 4.x devices still have, making them more vulnerable every month.
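A quick way to see where a given device stands is to read its build properties.  The following added example (mine, not Google’s tooling) parses `adb shell getprop` output and reports whether the device is on a release Google is still patching and how stale its patch level is.  The getprop excerpts are constructed; the supported-release set and the staleness threshold are assumptions chosen to match the post, and `ro.build.version.security_patch` is only present on Marshmallow and later, which is itself a useful signal.

```python
# Added example (not from the original post or from Google): decide whether an
# Android device is still inside the monthly patch programme the post describes,
# from the build properties that `adb shell getprop` prints. The getprop dumps
# below are constructed. The supported-release set and the staleness threshold are
# assumptions of this example, chosen to match the post.
import re
from datetime import date

# Per the post: this month's fixes cover Lollipop (5.x) and Marshmallow (6.x) only.
SUPPORTED_MAJORS = {5, 6}
MAX_PATCH_AGE_DAYS = 60  # assumption: two missed monthly releases counts as stale


def parse_getprop(text: str) -> dict:
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]", text, re.MULTILINE))


def patch_status(props: dict, today_iso: str) -> dict:
    """Classify a device from its build properties as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    release = props.get("ro.build.version.release", "")
    first = release.split(".")[0]
    major = int(first) if first.isdigit() else 0
    result = {
        "release": release,
        "in_patch_scope": major in SUPPORTED_MAJORS,
        # Only advertised on 6.x and later builds; absence is itself informative.
        "security_patch": props.get("ro.build.version.security_patch"),
        "patch_age_days": None,
        "verdict": "",
    }
    if not result["in_patch_scope"]:
        result["verdict"] = f"Android {release}: outside the releases being patched"
        return result
    spl = result["security_patch"]
    if not spl:
        # 5.x builds carry no patch level; only the build date is available.
        result["verdict"] = f"Android {release}: no patch level reported, check build date"
        return result
    age = (today - date.fromisoformat(spl)).days
    result["patch_age_days"] = age
    if age > MAX_PATCH_AGE_DAYS:
        result["verdict"] = f"Android {release}: patch level {spl} is {age} days old, update"
    else:
        result["verdict"] = f"Android {release}: patch level {spl} is current"
    return result


# Constructed getprop excerpts for three devices.
NEXUS_6X = """\
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-11-01]
[ro.product.model]: [Nexus 5X]
"""
SAMSUNG_5X = """\
[ro.build.version.release]: [5.1.1]
[ro.product.model]: [SM-G925F]
"""
OLD_4X = """\
[ro.build.version.release]: [4.4.2]
[ro.product.model]: [GT-I9505]
"""

if __name__ == "__main__":
    # Live use: props = parse_getprop(subprocess.check_output(["adb", "shell", "getprop"], text=True))
    for dump in (NEXUS_6X, SAMSUNG_5X, OLD_4X):
        print(patch_status(parse_getprop(dump), "2015-11-10")["verdict"])
```

The three sample devices land in the three buckets the post describes: a Nexus on 6.x with a current patch level, a 5.x flagship that is in scope but whose manufacturer has to ship the update, and a 4.x phone that no release in this programme will ever fix.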

Just food for thought.

Information for this post came from two articles in Network World – here and here.


Google Knows Almost All WiFi Passwords In The World

Yesterday, I beat up Apple.  Today, I am beating up Google.  I am an equal opportunity beater-upper.

When you buy an Android phone, it backs your junk up to the cloud unless you go out of your way to tell it not to.   That way, if you lose your phone or buy a new one, all your junk can be restored by magic.  If you are an Android user you may have noticed that when you buy a new phone and log in to Google, all your settings are restored, your apps downloaded, etc.

It turns out, based on experimentation, that the WiFi passwords in that backup are stored in a way that allows Google to read them.

OK, Now put on your tin foil hat.

Not only does Google have your home WiFi password, but also every other WiFi password you have saved.  This includes both your password for Starbucks WiFi and your office WiFi.

Multiply that by the 150-200 million new Android phones sold per quarter and that is a lot of WiFi passwords.

If the NSA asks Google for those passwords, they will give them up.  They really don’t have a choice.

Although the option to back up your data to the cloud is on by default, you can turn it off.  Of course, that means you are responsible for backing up your data.

However, if you gave a friend your WiFi password and your friend backs up his data to the cloud, Google still has it; turning backup off on your own phone does not help with that.

And when Ars asked Google if it could read your passwords, it avoided answering the question, which means the answer is yes.  If it could not, it would have said so.  Here is the response:

Update:  A Google spokesperson said in a conversation with Ars today that backup data is encrypted in transit from devices, and provided the following prepared statement from Google on the issue: “Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.”

Okay, you can take off your tin foil hat now.

By the way, you can replace Google with Apple everywhere it appears in this article.  Sorry.

Source material for this article came from Computerworld and Ars Technica.
