Tag Archives: hacking

Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here).  Since then, the government has extended the ban 90 days at a time, and it just issued another extension.  They are doing this at the same time that they are trying to get US allies not to use Huawei products in the rollout of those countries' 5G networks.   This tells China that we are not serious about this and don't really think Huawei is a security risk – whether it is or not.

There are two problems with the ban.  The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it.   Second, US companies and likely Republican donors make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks.  If the US actually implements the Huawei ban, then those companies will no longer get software patches.  The Chinese might even announce the holes so hackers can attack US networks.  In addition, if the equipment breaks, carriers won't be able to get it fixed.   Life is never simple.

Carriers that have to spend money replacing Huawei will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are.   Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered a bounty of $100,000 to other hackers who break into "capitalist institutions" and leak the data.  The group said that hacking into corporations and leaking documents in the "public interest" is the best way for hackers to use their skills for social good.  That is not a great message for businesses that are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright or act in not so bright ways.  In this case, a Russian hacker wanted by the US was arrested when he entered Israel in 2015.  The US says that he ran the underground credit card mart CARDPLANET, which sold over a hundred thousand stolen cards.  Why a Russian hacker would think that visiting Israel was safe is unclear; either he thought no one knew who he was, or he is not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there.  When the Israelis told them thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped up drug charges and she is serving a 7 year sentence in Russia.  Even that did not sway Israel to return him.  In the meantime, the Israelis have turned him over to us and he is awaiting trial here.

Some people say that Russia wants him back because he has first hand knowledge of Russian interference in the 2016 US elections, but the White House doesn’t even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue, but who knows  – stay tuned.  Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Up until yesterday, you had to provide Twitter with a phone number for two factor authentication and they would send you a text message.  You could change the method later, but you had to initially give them a phone number.  HIS account was hit by a SIM-jacking attack (so apparently he did not change his authentication method).

As of November 21, you can now set up a Twitter account WITHOUT SMS as the second factor.  I strongly recommend that you change your Twitter 2FA method.  Source: Tech Crunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you, or a repair center that doesn't pay Apple a licensing fee, should not be allowed to repair your iPhone.  Apple's answer is that doing such repairs could be dangerous.

They also said it costs them more money to repair iPhones at Apple stores than they charge, which is probably the best reason ever to let other people repair them.  Of course, that is not the way Apple sees it.  They said that you might leave a screw out or something.  Of course, if they provided manuals, that wouldn’t be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer.  Apple also said that they don’t stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone’s touchscreen if they do get their phone repaired outside the Apple ecosystem.  Read more details here.


Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. company an ITAR license to train UAE spies on hacking.  The plan was to constrain the UAE spies, but it got out of control: once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.


Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes' Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while Malwarebytes' stats report what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report is whether this includes both successful and failed ransomware attacks; it likely does, since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.


Supply Chain Risk is a Major Problem

Germany based CityComp, which has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000, which was not paid.  The hacker claims to have over 500 GB of data in 312,000 files, which is set to be released – all because a vendor was hacked, and in part because the clients' vendor cyber risk management programs did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.


Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.


Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials from 30 European Union and NATO countries, as well as Japan, Australia and Germany, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.


Why Paying Ransomware May Not Be A Great Idea

You may recall that a hacking group called the Dark Overlord hacked into Larson Studios, a third party provider to Netflix and other studios.  They stole the unreleased copies of the whole season of Orange as well as about 36 other series and movies.

Now we are beginning to hear the back story and it points out that paying ransomers is dicey business.

Larson's owners tried to protect their customers.  They did this by paying the ransomers $50,000 in bitcoin.  The theory was that the ransomers would not release any of the titles if they did.

Investigators discovered that ground zero for the attack was a Windows 7 PC.  Whether it was patched current or not is unclear, but as we are seeing with the Wikileaks releases of CIA and NSA exploits, being patched does not mean being secure.  The CIA and NSA do not have an “exclusive” on exploits.

When Larson’s IT guy looked at the server and found the shows were gone, they called the FBI.  They did not tell their clients because the group said not to and at that point they were still hoping to contain the damage.

They paid the ransom.  It took a while to work through the system to buy $50,000 in bitcoin.  About a week in total.

The Dark Overlord got a bit greedy and contacted Netflix and the other studios trying to get them to pay a ransom also.  Those studios opted not to pay.  So, even though Larson paid the ransom, they released the titles.

It is a bit of a crap-shoot as to whether hackers will keep their word, even though not keeping their word should, in theory, destroy their business model.

In many cases, having a backup will protect you from having to pay the ransom.  Not in this case, or in any number of other cases where the hackers can steal intellectual property – at law firms or accountants, for example.

Once they have your intellectual property, it is a new game.

They could sell it or publicly release it.  Depending on the model, they might want to embarrass the company, destroy it or make money.

Your best bet is to keep the hackers out.  That is not always so easy.

After the fact, Larson upgraded security.  Files are encrypted.  The network is segmented so that if an attacker gets in they don’t have free range to the whole company.  They no longer keep the audio files and video files together to make it harder for an attacker to get something useful.

Larson lost some customers over this, but they learned a lesson.  An expensive lesson.  Lost customers PLUS ransom PLUS reputational damage PLUS the cost of re-engineering the network EQUALS an expensive lesson.

You can spend the money before an attack or spend a lot more money after the attack.  It is your choice.  But there is no free lunch.

Information for this post came from Data Breach Today.


Another Public Private Partnership Between Police and Hackers

A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies.  In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.

Now there are reports of a similar but different arrangement with the Metropolitan Police in London.  These reports are unsubstantiated as of right now.

The anonymous person who used to work for the intelligence community (or so they say), said it worked this way.

Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents.  The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists.  It is not clear how the hackers benefited from this other than for being paid for their work.  How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.

Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.

The person who reported the crime said that the police had been rummaging through journalists' and activists' emails for several years.

The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating.  The IPCC is already investigating a complaint that the intelligence unit shredded large numbers of documents in 2014 in spite of an order to preserve the documents for review by the court.  The complainant said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.

Lawyers who received the letter in question said it contained 10 userids and passwords and they were able to confirm that five were the correct password for those users and one more was almost identical.

The Metropolitan Police said that they need to keep track of thousands of activists to detect the few bad apples. They didn't explain HOW they might do that – legally or otherwise.

Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.

Certainly law enforcement has authority to do a certain amount of eavesdropping, based on a set of rules laid out by law.  Those laws vary from country to country.

On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.

It may be easier – although likely much less legal – to obtain the password of people they want to monitor such as journalists – than to get multiple warrants.  It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.

For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.

For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.

For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution.  This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.

Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.

Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.

For most people, keeping the contents of their email private is, at best, a nuisance.  For other people, including journalists and investigators, privacy likely rises to a higher level.

Certainly interesting.

Information for this post came from The Guardian.


Traffic lights are easy to hack

According to an article on CNN’s web site, many traffic lights in the US are easy to hack.

Earlier this summer researchers in Michigan demonstrated how easy it was to hack into the traffic lights in an undisclosed city.

The traffic lights in question are made by Econolite, the largest manufacturer of traffic controls in the U.S.

It used to be that the controllers were all mechanical and the only way to control them was to drive to the intersection, open the control box and do what you needed to do. Now they support WiFi, and anyone with a laptop – and, in the case of the undisclosed city above, the default userid and password published in the manual – can get in and change or shut down the traffic lights.

There is a standard in the U.S. for traffic controllers, NTCIP 1202, that all manufacturers support. It is also susceptible to the same problems if cities don’t change the default settings.

The interesting thing is that with a little work cities could make the traffic lights more secure.  However, that requires money (time) and since most cities are strapped for cash, nothing is likely to change.

That is, until some hacker decides to shut down a city by turning off all the traffic lights, or making them all red, or whatever.  All of a sudden folks will get religion.

Mitch Tanenbaum


Why do attackers like your current security strategy?

I just read a white paper on a security vendor’s (Prevoty.com) web site and I think they really understand the problem.  I have not had a chance to review their products, so I make no claims about them, but I do recommend reading the article.

First a quote from the paper:

Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens.

Now onto their 5 reasons attackers love your strategy:

1. Relying on signature and past definitions exposes applications to zero-day attacks.

Most security solutions rely on the assumption that what is going to happen in the future is based on what has happened in the past.  While this is partly true, it certainly isn't exclusively true.  Examples of this are what are known as zero-day attacks – something new, something different.  It could be something as simple as a technique that was used in the past, but in a different context. Basing the future solely on the past is not a good security strategy.

2. A perimeter based security cannot protect today’s distributed world.

In olden days (like a few  years ago) when mobile phones, tablets and laptops were not as integrated into the enterprise as they are today, you might have been able to at least define the perimeter of your enterprise.  That would be a step towards protecting it.  Today, you cannot even tell me on what devices your corporate data exists – never mind whether you own or control those devices (the misguided principle of BYOD is the primary cause of that, but that is the subject of an entire post by itself).

3. Any attempt at active prevention that occurs outside of the application has no context

This one I might argue with a tiny little bit – but only a tiny bit.  The key point being that you MUST mitigate risk in the context that the risk exists in.  Risk is always context sensitive.
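An added illustration of the context point (not from the Prevoty paper or this post): a perimeter-style check sees only a raw request value and has to guess from past patterns, while each sink inside the application can apply exactly the mitigation its own context needs. A SQL lookup and an HTML page are assumed as the two sinks; the blocklist and the user table are constructed.

```python
import html
import sqlite3

# Constructed data: a tiny user table in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return conn

# Perimeter-style check (hypothetical): it cannot know whether the value is
# headed for a database, a web page or a log file, so it blocks on tokens that
# were trouble in the past. That guess is wrong for an Irish surname.
PERIMETER_BLOCKLIST = ("'", "--", ";")

def perimeter_allows(value):
    return not any(token in value for token in PERIMETER_BLOCKLIST)

# In-application handling: the database sink binds the value as a parameter,
# so it is always data and never SQL, whatever characters it contains.
def lookup_email(conn, name):
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

# The HTML sink needs a different mitigation for the same value: escaping.
def render_greeting(name):
    return "<p>Hello, %s</p>" % html.escape(name)

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "O'Brien", "' OR '1'='1"):
        print(value, perimeter_allows(value), lookup_email(db, value), render_greeting(value))
```

The legitimate name is rejected at the perimeter but handled correctly by both sinks, and the hostile-looking string simply matches no row, with no signature involved.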

4. Developers are not, and should not be, security experts

If you are counting on your developers to protect you, you already have a problem.  This is not meant to reflect negatively on them.  That is not their focus.  Their focus is to create great applications that satisfy your business requirements.  Security is a discipline of its own and should be treated that way.

5. Your business is not application remediation

Boy, howdy!  As I said above, application, system and network security is a discipline by itself.  Hackers are working 24×7 to break into your world.  You need someone on your side who thinks the way hackers think, and who doesn't have to do that as a sideline.

One of the interesting things about digital attacks is that unless the attacker is unskilled or wants you to know she has been there, you often won’t know that an attacker is inside your system.  The only reason Edward Snowden is a household name today is that he ‘outed’ himself.  Initially General Alexander of the NSA told Congress that Snowden took around 250,000 documents.   Later the General said he took 1.7 million documents.  I suspect they don’t really know what the number is.  And remember, the NSA is an organization that prides itself on its data security efforts.  How does your average company compare in terms of security budget, staff and expertise to the NSA?  This is a difficult and never ending battle – for both you and the NSA.

According to a recent Experian report, 60% of small businesses that suffer a breach go out of business within 6 months.  A strategy which depends on you not being attacked may not be totally effective.

Mitch Tanenbaum
