Tag Archives: Hacks

Security News for the Week Ending March 13, 2020

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks

AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new side-channel attacks, according to freshly published research.

Known as “Take A Way,” the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD’s Bulldozer micro-architecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption. Source: The Hacker News

And… AMD is Not Alone This Week – Intel has Unpatchable Flaw

And the “chip wars” continue.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield users’ sensitive data even when a system gets compromised.

The flaw, if exploited (only theoretical this week), would allow hackers to extract the root encryption key in the Intel Management Engine – which is the same for all chips in a particular processor family.  That potentially would nullify all DRM and all whole-disk encryption, among other things.  Source: The Hacker News

President Signs Bill To Help Rural Telecom Carriers Replace Chinese Equipment

The President signed the Secure and Trusted Communications Networks Act this week.  The bill mandates that US telecom carriers rip and replace any “suspect foreign network equipment”.  It requires the FCC to set up a compensation fund to help rural telecom carriers do this;  the bigger carriers are on their own – which will likely be reflected in your bill as a fee or surcharge.

Carriers have to provide a list of equipment and estimated costs to replace it by April 22.  Sometime after that, we will have a better estimate of the cost.

For some reason which is not clear to me, the bill will not cover the cost of replacing equipment purchased after August 14, 2018.  It appears that telcos do not need to replace new Chinese equipment.

The requests and status of replacement activities will be posted on the FCC’s website.

The law authorizes the FCC to spend $1 billion in this year’s budget to do this.

The bill also allows companies that won spectrum bids in the last auction to abandon their builds and get their money back for the spectrum if they determine that they can’t build out what they promised without using suspect gear.

It would also appear that if the telco buys or has bought Chinese gear without a government subsidy, they can continue to use it.  Source: Engadget

Microsoft Says: 99.9% of Compromised Accounts did NOT use Multi-Factor Authentication

Microsoft tracks 30 billion login events every day.

They say that roughly 0.5% of all accounts get compromised every month.  That translates to around 1.2 million accounts compromised in January.

THEY ALSO SAY THAT AROUND 99% OF ALL ATTACKS TARGET LEGACY PROTOCOLS, SO, IF THOSE PROTOCOLS CAN BE DISABLED AND MULTI-FACTOR AUTHENTICATION IS TURNED ON, SUCCESSFUL ATTACKS GO TO NEARLY ZERO.

THEY ALSO SAY THAT MULTI-FACTOR AUTHENTICATION BLOCKS 99.9% OF ALL ATTACKS.  Source: ZDNet
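The two levers above (find sign-ins over legacy protocols, and find successful sign-ins with no second factor) are straightforward to check in your own sign-in logs. The following is an added example, not code from the original post or from Microsoft; the record format, field names and the set of protocols treated as "legacy" are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Flag risky sign-ins: legacy-protocol authentication and missing MFA.

Added example (not from the original post).  The comma-separated record
format below is constructed; real identity providers export sign-in logs
with their own field names, so treat every field name here as an
assumption.
"""
from collections import Counter

# Authentication protocols that cannot carry a second factor.  This set is
# an assumption for the example, drawn from protocols commonly grouped
# under "legacy authentication".
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "basic_auth", "activesync_basic"}

# Constructed sample sign-in records: user,protocol,mfa_satisfied,result
SAMPLE_LOG = """\
alice@example.test,oauth2,yes,success
bob@example.test,imap,no,success
carol@example.test,oauth2,no,success
dave@example.test,pop3,no,failure
erin@example.test,smtp_auth,no,success
alice@example.test,oauth2,yes,failure
"""


def parse_log(text):
    """Turn the constructed CSV text into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        user, protocol, mfa, result = line.split(",")
        records.append({"user": user, "protocol": protocol.lower(),
                        "mfa": mfa == "yes", "result": result})
    return records


def classify(record):
    """Return the risk tags that apply to one sign-in record."""
    tags = []
    if record["protocol"] in LEGACY_PROTOCOLS:
        tags.append("legacy_protocol")
    # A successful sign-in that never satisfied MFA is the case the
    # 99.9% figure is about; failed attempts are counted separately.
    if record["result"] == "success" and not record["mfa"]:
        tags.append("no_mfa")
    return tags


def report(text):
    """Summarise the log: total sign-ins, tag counts and flagged entries."""
    records = parse_log(text)
    counts = Counter()
    flagged = []
    for r in records:
        tags = classify(r)
        counts.update(tags)
        if tags:
            flagged.append((r["user"], r["protocol"], tags))
    return {"total": len(records), "counts": dict(counts), "flagged": flagged}


def users_to_block_legacy(text):
    """Users seen authenticating over a legacy protocol: the candidates for
    a policy that blocks legacy auth and enforces MFA for them."""
    return sorted({r["user"] for r in parse_log(text)
                   if "legacy_protocol" in classify(r)})


if __name__ == "__main__":
    rep = report(SAMPLE_LOG)
    print(f"{rep['total']} sign-ins, risk counts: {rep['counts']}")
    for user, proto, tags in rep["flagged"]:
        print(f"  {user:22} {proto:12} {','.join(tags)}")
    print("block legacy auth for:", ", ".join(users_to_block_legacy(SAMPLE_LOG)))
```

Run it against the constructed log and four of the six sign-ins are flagged; the point of the report is the short list of accounts still using protocols that MFA cannot protect, which is where the disable-legacy-then-enforce-MFA work starts.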

Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, it is a good launchpad for attacks against their customers.

When Brian (Krebs) reached out to Wipro’s communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company.  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors. 

What they have not said yet (and I am sure that it will come out) is which of Wipro’s customers the attackers went after and whether those attacks were successful.  I bet that at least some of them were.   Source: Economic Times of India.

Chrysler Lawsuit Goes to Trial

Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch.  All while the reporter videoed it (see this CBS web page).

Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video was.

According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.

The researchers took over the car via its radio (OK, it is a little more complicated than that; through the “infotainment” system).  It is all interconnected and there is very little security in it.

Over the last three years this case has been working its way – slowly – through the courts.  The plaintiffs said Chrysler knew about the bug for years but didn’t fix it, and Chrysler said that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.

A year later the researchers figured out how to break through the patch, although that required physical access to the car.

And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in Cruise control mode.  The fix to that is to put the car in Neutral, slow the car with the brakes then put it in park.  That will unlock the cruise control.

You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happens to have wheels and an engine.

At this point the U.S. Supreme Court said that the car owners do have standing.  This is a huge win for attorneys who want to sue over cyber-security issues.

Chrysler says that they are looking forward to the trial (sure they are.  If they were so confident, why have they been fighting to avoid going to trial for the last three years?).  They say that none of the class participants’ cars were hacked and the bugs have now, finally, been fixed.  The plaintiffs say that the resale value of their cars has been damaged.

The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.

For businesses, this is yet another step in holding companies liable for software bugs.  Potentially, in this case, bugs that they knew about but did not fix.

Does your insurance cover this?  Is it product liability insurance or cyber insurance?  It is probably not general liability insurance.  Maybe none of them.

This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.

Plaintiff’s attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.

This will definitely be a case to watch and, for businesses, time to ramp up the attention on cyber-security.

Details from this post came from The Register.


Another Law Firm Hacked?

Remember the Panama Papers hack?  11 million documents stolen causing one Prime Minister to resign and another to be fired?  If not, check out an old post here.  That hack caused the law firm of Mossack Fonseca to go out of business.

Well, it seems that some other firms may be on the wrong end of the hacker’s mouse pointer.

The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents.  It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London.  The group claims to have hundreds of gigabytes of documents.

They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.

They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police.  Now they want more ransom.

The hackers claim to be shopping the data on the dark web.

However, they are very kind.  They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.

You have to admit that it is pretty entrepreneurial.

This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids.  Not necessarily a nice bunch.

The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.

What does this mean for you?

One challenge is that no law firm has admitted to the breach or paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.

It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.

If they do release documents, there is the prospect of collateral damage.  Maybe they will very selectively release documents, but more than likely, since they say they will bury the law firms, they will be less than selective.  In which case, collateral damage is likely.

Now would be a good time to look at your agreements with your various law firms, no matter who they are.

On the other hand, if you are a law firm, now would be a good time to review your security practices.

Is there anything in writing about cybersecurity requirements?

What about liability for damages if they get hacked?

Do they have to provide annual third party certification of their cybersecurity practices?

Are they even required to notify you if your stuff is compromised?  (Note that in many cases, the law does not require that).

And, of course, you are dealing with lawyers.  If it is not in writing it will be hard to impossible to enforce.

If cybersecurity requirements are missing, now might be a good time to review and amend your agreement.  In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms.  Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.

If the firms say that you should trust them, tell them that you do.  And you still want it in writing.  Trust, but verify, so to speak.

One thing that we do not know – how many other firms have been hacked and have not said anything about it?  Think about reviewing and changing your law firm agreements as insurance.

Information for this post came from SC Magazine.


The Ongoing Saga of IoT Attacks

Israeli researchers have disclosed two new Bluetooth attacks that only require you to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker?  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead?

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug sends the chip more data than the chip can handle causing a buffer overrun and the ability to run arbitrary code.

The second bug exploits a bug in TI’s over the air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this.
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro-segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.
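The isolation item in the list above is only worth something if it is verified: a segment that is supposed to be cut off from the corporate LAN and from other IoT segments should show no such flows in your firewall or flow logs. The following is an added example, not code from the original post or from any vendor named in it; the subnets, the allow-list of permitted egress (an assumed internal resolver and an assumed vendor update service on a documentation address), and the flow records are all constructed for illustration.

```python
"""Audit IoT micro-segmentation against a flow log.

Added example (not from the original post).  Segment addresses, the
allowed-egress list and the flow-log format are constructed; a real
deployment would read flows from a firewall or NetFlow export.
"""
import ipaddress

# Constructed policy: each IoT segment may reach only DNS and the vendor
# update service.  Everything else, including other IoT segments and the
# corporate LAN, is a violation.
IOT_SEGMENTS = {
    "lighting": ipaddress.ip_network("10.20.1.0/24"),
    "hvac": ipaddress.ip_network("10.20.2.0/24"),
}
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")
ALLOWED_EGRESS = {  # (dst_ip, dst_port, proto) an IoT segment may reach
    ("10.0.0.53", 53, "udp"),        # assumed internal resolver
    ("203.0.113.10", 443, "tcp"),    # assumed vendor update service (TEST-NET-3)
}

# Constructed flow records: src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
10.20.1.15,203.0.113.10,443,tcp
10.20.1.15,10.0.0.53,53,udp
10.20.1.15,10.0.4.22,445,tcp
10.20.2.7,10.20.1.15,80,tcp
10.20.2.7,10.0.0.53,53,udp
10.0.4.22,10.20.1.15,22,tcp
"""


def segment_of(ip):
    """Name of the IoT segment containing ip, or None if it is not IoT."""
    for name, net in IOT_SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate_flow(src, dst, port, proto):
    """Return None if the flow obeys the policy, otherwise a short reason."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None and dst_seg is None:
        return None  # neither end is IoT; out of scope for this check
    if src_seg is not None:
        if dst_seg == src_seg:
            return None  # traffic inside one segment is permitted here
        if dst_seg is not None:
            return f"iot-to-iot: {src_seg} -> {dst_seg}"
        if (dst, port, proto) in ALLOWED_EGRESS:
            return None
        where = "corp LAN" if dst_ip in CORP_LAN else "external"
        return f"unexpected egress to {where}: {src_seg} -> {dst}:{port}/{proto}"
    # Anything initiated from outside into an IoT segment is reported so it
    # can be explicitly allow-listed (e.g. a management host) or blocked.
    return f"inbound to IoT segment: {src} -> {dst_seg}:{port}/{proto}"


def audit(text):
    """Return (flow_line, reason) for every flow that violates the policy."""
    violations = []
    for line in text.strip().splitlines():
        src, dst, port, proto = line.split(",")
        reason = evaluate_flow(src, dst, int(port), proto)
        if reason:
            violations.append((line, reason))
    return violations


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{line:40} {reason}")
```

Against the constructed flows the audit reports three violations: a light bulb reaching a corporate file share, the HVAC segment talking to the lighting segment, and an inbound SSH connection from the LAN. Feed it real flow exports periodically and an empty result is the evidence that the segmentation still holds after the next device or VLAN change.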

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.


Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.