Tag Archives: Google

Security news for the Week Ending May 24, 2019

SalesForce Gives Users Access To All of Your Company’s Data

In what can only be called an Oops, SalesForce deployed a script last Friday that gave users of certain parts of SalesForce access to all of the data that a company had on the system.  The good news is that it didn’t show you anyone else’s data,  but it did give users both read and write access to all of their company’s data.

In order to fix it, Salesforce took down large parts of its environment, causing some companies that depend on SalesForce to shut their company down and send employees home.

This brings up the issue of disaster recovery and business continuity.  Just because it is in the cloud does not mean that you won’t have a disaster.  It is not clear if replicating your SalesForce app to another data center would have kept these companies working.  Source: ZDNet.

Google Tracks Your Online Purchases Through GMail

While this is probably not going to show up as a surprise, Google scans your emails to find receipts from online purchases and stores them in your Google purchase history at https://myaccount.google.com/purchases .  This is true whether you use Google Pay or not.  One user reported that Google tracked their Dominos Pizza and 1-800-Flowers purchases, as well as Amazon, among other stores.

You can delete this history if have masochistic tendencies, but I doubt anyone is going to do that because it requires you to delete the underlying email that caused it to populate the purchase, one by one.  There is also no way to turn this “Feature” off.

It appears that it keeps this data forever.

Google said they are not using this data to serve ads, but they did not respond to the question about if they use it for other purposes.  Source: Bleeping Computer.

President Trump Building An Email List to Bypass Social Media

Welcome to the world of big data.  The Prez has created a survey for people to submit information about how they have been wronged by social media.  And get you subscribed to his email list.  Nothing illegal.  Nothing nefarious.  Just a big data grab.

If you read the user agreement, it says you “grant the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content.  (NOTE: That “content” includes your email address and phone number).  The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media.” 

This seems to be hosted on the Whitehouse.Gov servers.  It is not clear who will have access to this data or for what purpose.  Source: Vice.

Colorado Governor Declares Statewide Emergency After Ransomware Attack

Last year the Colorado Department of Transportation suffered a ransomware attack.  Initially the state thought it was getting a handle on the attack, but ten days later it came back.

It was the first time any state had issued a Statewide Emergency for a cyberattack.  Ever!  Anywhere!

It had the affect that the state was able to mobilize the National Guard, call in resources from other departments, activate the state Department of Homeland Security and Emergency Management and get help from the FBI and the US Department of Homeland Security.  It also allowed them to call for “Mutual Aid”, the process where neighboring jurisdictions  – in this case neighboring states – provided assistance.

It worked and since then, other states have begun to do this.

When you have a disaster, even a cyber disaster, you need a lot of resources and an emergency declaration is one way to do it. Source: StateScoop.

 

Latest Breach – 885 Million Records

First American Financial, one of the largest title insurance companies, exposed 885 million records going back to 2003 due to a software design flaw.  The records include all kinds of sensitive records that are associated with real estate closings.  Source:  Krebs on Security.

Facebooktwitterredditlinkedinmailby feather

Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. Company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, what to constraint the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.

 

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day,  Malwarebytes Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while Malwarebytes stats reports what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report, but likely this includes both successful and failed ransomware attacks since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.

 

Supply Chain Risk is a Major Problem

Germany based CityComp, who has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000 which was not paid.  The hacker claims to have over 500 gig of data in 312,000 files.  Which is set to be released.  Because a vendor was hacked.  In part because their client’s vendor cyber risk management program did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.

 

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.

 

Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials 30 European Union and NATO countries as well as Japan, Australia and Germany are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.

 

Facebooktwitterredditlinkedinmailby feather

News Bites for the Week Ending December 14, 2018

Patches This Week

Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader.  39 of these are rated critical.  Last week they patched a critical zero day in Flash (Details here).

 

 

More Spy Cams

The other day I reported the the DEA was buying spy camera enclosures to hide inside of street lights (here), well that is not the only place they are hiding them.

Again, Assuming they follow the rules, there is nothing illegal about these efforts.  The Register is reporting that the DEA is buying high end spy cams built into seemingly ordinary shop vacs.  While we don’t know the brand of shop vac, we do know that the camera is a Cannon M50B, a high end camera that does remote pan, tilt and zoom.

The camera/shop vac could we just left around or it could come attached to a government agent/janitor.

Whatever it takes to catch a crook.

 

O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate

Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate.  He is probably looking for a new job right now.

The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack or resources or not having the expertise.  Details at ZDNet.

Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.

 

Kay Jewelers and Jared Jewelers fix Data Leak

Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.

In this case, these two jewelers, both owned by Signet Jewelers, sent confirmation emails that allowed anyone to change the link in a confirmation email to see another customer’s order information – name, address, what they orders, how much they paid and the last four of their card number.

I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for these kind of issues.

While not the worst data leak in the world, not a good thing.  They have since fixed the problem.  Source: Brian Krebs.

 

Google + To Shut Down Even Earlier After New Breach

Sometimes even the great Google can’t catch a break.

After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network In August 2019.

But now Google announced another flaw that affects over 50 million users and Google has changed it’s mind and will shut down Google + in April instead of August.  The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was created when they fixed the old bug.  Source: The Hacker News.

House Oversight and Government Reform Committee Says Equifax Responsible for Breach

A House committee spent 14 months and an unknown amount of money telling us what we already knew:  The Equifax breach was totally preventable and that CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach.   The Democrats say that there was a  missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in .  Our government at work.  Source:  The Hill.

Facebooktwitterredditlinkedinmailby feather

News Bites for the Week Ending Nov 2, 2018

Follow on to Google+ Breach and Notification

I recently reported about Google getting in trouble for hiding a breach discovered in March.

The first thing to point out is that it is unlikely that Google broke any laws.  The current breach notifications laws in the U.S. give a company the wiggle room not to disclose a breach if they reasonably think that the risk of harm to breach victims is low.  Each state words that differently, but obviously Google figured that they could wiggle their way out of this and they did until they were outed by none other than that bastion of big business – the Wall Street Journal.

Whether the fox should be making that decision regarding henhouse security or not is a separate issue, but that is the state of breach laws currently in the U.S.  They say that is so that we don’t over tax people’s brains, but I don’t particularly believe that.

The second point is more interesting.  Google made the determination that no one would be harmed by looking at TWO WEEKS worth log data because in a very un-Google style strategy, they only kept two weeks worth of log data.  So a bug that had been around for years had to be analyzed using two weeks worth of log data.

All of this points to the challenges that all businesses have when it comes to breach notification issues, both in the U.S. and internationally.

Mikrotik Routers susceptible to Stealing Your Data

In May Mikrotik announced a bug (and a patch) that allowed an UNauthenticated user to download the password file which was not encrypted.  What kind of a problem could that cause anyway?  Of course, most users who buy a $49 plastic box at Best Buy and shove it in a corner are likely to patch it right away when Mikrotik announces on their blog that a patch is available. (hint: not).  But Mikrotik also makes enterprise routers that are also susceptible.  Hopefully at least some of those are patched.

Last month Mikrotik announced another bug where authenticated users could take over the router and run any software that they wanted, effectively eavesdropping on all inbound and outbound traffic or running a cryptomining operation on your machine.  Several hundred thousand routers have not installed the first patch and thousands have already been compromised.

The moral of the story is patch your router and especially do that if your router has a Mikrotik logo on it. (Source: The Hacker News)

Cathay Pacific Loses Info on 9.4 Million

Cathay Pacific admitted to losing control of records on 9.4 million passengers six months ago.  The good news is that the event occurred prior to the effective date of GDPR, so the fines will be much smaller.  The bad news is that they are based in Hong Kong, China, so there could be other “penalties”.

The South China Morning Post says that the Chinese government is not happy about the breach (maybe they are jealous that they didn’t do it?).

Among the data stolen was name, address, phone number, email address, nationality, travel history and passport information .

Cathay Pacific has hired Experian to provide credit monitoring services.  This may be a good choice because Experian has had so many breaches of their own that 9 million people who’s information was just stolen would be happy to give more of that information to a company that gets hacked on a regular basis (I am guessing not).

Apparently it has been trying to figure out who’s data was stolen since May (call it 100+ days).  Remember that GDPR gives you 3 days, so they are kind of on the wrong side of that number by 97+ days.

As breach notification laws become stricter and the fines get higher (If this were a California business and CCPA was already in effect, a class action asking for $750 x 9.4 million = $7 billion would already have been filed), businesses need to get  much better about their incident response programs.  You need to be able to figure who got in, when they got in, what they took and who you are going to engage very quickly.  Source: CNN ,

Russian Spy Gathered Info On Non-Profit’s Cybersecurity Defenses as a Student in the US
Accused Russian spy Maria Butina, waiting to stand trial in Virginia, is also accused of working on a project at American University where her cover was as a student.  The project examined cybersecurity defenses of organizations such as the Electronic Frontier Foundation and while there is no direct evidence that she funneled that data back to Moscow, it is highly unlikely that she was part of that project for the fun of it.  The non-profits thought the University vetted the students;  the University thought the State Department vetted them.  In the end, no one did and she now is facing trial for spying on us.  Source: The Daily Beast .

US Continues Attack on China to Stop Stealing Our Stuff

Not only are the Russians after us, as the item above points out, but so are the Chinese.  In fact, the Chinese are way more blatant about it.  In two moves to try and counteract that, the DoJ indicted almost a dozen Chinese spies for stealing aviation related secrets.  The theft went on between 2010 and 2015, so the indictment comes 8 years after the theft began.  I would think the Chinese would think that this is an OK return on investment.  Since these people will never face a trial, it is a somewhat meaningless gesture and coming 8 years after the attack started also points out that our ability to detect and stop these folks is somewhat lame.  I say that they won’t come to trial, but a Russian spy was recently lured to Belgium where he was arrested, so you never know. Source: WaPo

In a second action, the U.S. issued sanctions against Chinese semiconductor manufacturer Fujian Jinhua which prevents them from buying parts from the U.S.  While this hurts Jinhua, it also hurts U.S. companies that sell to them.  The Feds are worried that Jinhua will flood the U.S. market with cheap DRAM chips driving U.S. manufacturers out of the business and forcing DoD contractors, who already have massive supply chain security problems, to buy even more parts from China.  I am not sure that there is anything to stop China from creating a new company with the stolen technology and move on, but you have to try.  Source: Computing .

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commeACrcial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill .

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal, has 46 of them on its homepage alone (see below).

All of these trackers increase page download time and since each one of these tracker websites needs to be individually contacted and fed information to track us, it increases the time to load a page and the amount of data that we use.  While individually, the numbers may be small, if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that would be like visiting 4,700 web pages a day, just to read 100.

Firefox, which is owned by the non-profit Mozilla Foundation, unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), doesn’t care much about offending advertisers.

For years now browsers have supported a user specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us any way.

Come version 63 of Firefox a new feature will be tested and in version 65 it will become the default.

The feature will block trackers by default.  Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list.  The difference here is that it is built in, TURNED ON BY DEFAULT – you do not need to buy or install anything.

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that give them some access to offline purchases.  Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent.  They are using this data to give advertisers confidence that their online ads are working based on showing you an ad and then you go spend money in the advertiser’s store.  They also are buying loyalty card data with a different program and that could provide much more detailed data including exactly what you bought.  Both companies are being tight lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR they were dealing with around 3 breach cases a  month and post GDPR they are dealing with one case every day.

This is likely not due to hackers upping their game, but rather companies that would have previously swept a breach under the rug are now reporting it, fearing that 20 million Euro sword aimed at their head if they don’t report and get outed.  That outing could be from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing are both small, technical breaches and larger breaches similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Hauzhu (3800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data – 240 million records – includes everything from name, address, phone, email to passports, identity cards and  bank account information.  Make sure you have a good Internet connection if you buy it – the data is about 140 gigabytes in size.  While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data.  Source: Next Web.

Facebooktwitterredditlinkedinmailby feather

Facebook and Google Fell For Business Email Compromise

Since we all know that misery loves company, it may bring some comfort that even Facebook and Google can fall victim to business email compromise scams.

In one way, that makes perfect sense since the weak link is always people.  On the other hand, you would think that big companies like Facebook and Google would have been controls in place, but apparently not.

What is staggering is the scale of the business email compromise.

ONE HUNDRED MILLION DOLLARS.

A hacker in Lithuania was recently arrested at the request of the U.S., but he claims he is innocent and is fighting extradition.

According to the indictment, filed in New York, he created false invoices under a legitimate Asian support, Quanta, for computer parts.  Both companies apparently buy lots of stuff from these guys so the invoices didn’t seem out of line, I guess.  While the details of the indictment are not clear, I assume that he used his own, special wiring instructions.

Because we are talking about Facebook and Google, the indictment only calls them Company 1,2 and 3.  Quanta has admitted they are Company 1.  Facebook, in response to a request from Fortune, admitted they are one of the parties.  Google just admitted that they are one of the parties also.

Facebook said they were able to recover “the bulk of” the funds, whatever that means.  Google also said that they recouped the funds.  For an attack as sophisticated as a hundred million dollar scam would be, it is surprising that he was not able to hide the money.  YOU should be so lucky.

The only difference between this attack and an attack on you or me and why the Manhattan U.S. Attorney was willing to take the case was the sheer size of it.

One question is whether this is a material event that needed to be disclosed to shareholders.  For either company, $50 million (half of the take) might not be material and it certainly might not be material if they got some or all of the money back.

Still, this indicates that it can be hard to stop these guys and companies really need to pay attention, especially when amounts that ARE material to smaller companies are involved.

Information for this post came from Fortune.

 

Facebooktwitterredditlinkedinmailby feather