Tag Archives: Hacks

Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, Wipro is a good launchpad for attacks against those customers.

When Brian (Krebs) reached out to Wipro’s communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company.  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors.

What they have not said yet (and I am sure that it will come out) is which of Wipro’s customers the attackers went after and whether those attacks were successful.  I bet that at least some of them were.   Source: Economic Times of India.


Chrysler Lawsuit Goes to Trial

Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch.  All while the reporter videoed it (see this CBS web page).

Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video was.

According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.

The researchers took over the car via its radio (OK, it is a little more complicated than that;  through the “infotainment” system).  It is all interconnected and there is very little security in it.

Over the last three years this case has been working its way – slowly – through the courts.  The plaintiffs said Chrysler knew about the bug for years but didn’t fix it, and Chrysler said that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.

A year later the researchers figured out how to break through the patch, although that required physical access to the car.

And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in cruise control mode.  The fix to that is to put the car in neutral, slow the car with the brakes, then put it in park.  That will unlock the cruise control.

You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happens to have wheels and an engine.

At this point the U.S. Supreme Court said that the car owners do have standing.  This is a huge win for attorneys who want to sue over cyber-security issues.

Chrysler says that they are looking forward to the trial (sure they are.  If they were so confident, why have they been fighting to avoid going to trial for the last three years?).  They say that none of the class participants’ cars were hacked and the bugs have now, finally, been fixed.  The plaintiffs say that the resale value of their cars has been damaged.

The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.

For businesses, this is yet another step in holding companies liable for software bugs.  Potentially, in this case, bugs that they knew about but did not fix.

Does your insurance cover this?  Is it product liability insurance or cyber insurance?  It is probably not general liability insurance.  Maybe none of them.

This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.

Plaintiff’s attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.

This will definitely be a case to watch and, for businesses, time to ramp up the attention on cyber-security.

Details from this post came from The Register.

Another Law Firm Hacked?

Remember the Panama Papers hack?  11 million documents stolen, causing one Prime Minister to resign and another to be fired?  If not, check out an old post here.  That hack caused the law firm of Mossack Fonseca to go out of business.

Well, it seems that some other firms may be on the wrong end of the hacker’s mouse pointer.

The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents.  It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London.  The group claims to have hundreds of gigabytes of documents.

They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.

They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police.  Now they want more ransom.

The hackers claim to be shopping the data on the dark web.

However, they are very kind.  They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.

You have to admit that it is pretty entrepreneurial.

This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids.  Not necessarily a nice bunch.

The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.

What does this mean for you?

One challenge is that no law firm has admitted to the breach or paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.

It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.

If they do release documents, there is the prospect of collateral damage.  Maybe they will very selectively release documents, but more than likely, since they say they will bury the law firms, they will be less than selective.  In which case, collateral damage is likely.

Now would be a good time to look at your agreements with your various law firms, no matter who they are.

On the other hand, if you are a law firm, now would be a good time to review your security practices.

Is there anything in writing about cybersecurity requirements?

What about liability for damages if they get hacked?

Do they have to provide annual third party certification of their cybersecurity practices?

Are they even required to notify you if your stuff is compromised?  (Note that in many cases, the law does not require that).

And, of course, you are dealing with lawyers.  If it is not in writing it will be hard to impossible to enforce.

If cybersecurity requirements are missing, now might be a good time to review and amend your agreement.  In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms.  Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.

If the firms say that you should trust them, tell them that you do.  And you still want it in writing.  Trust, but verify, so to speak.

One thing that we do not know – how many other firms have been hacked and have not said anything about it?  Think about reviewing and changing your law firm agreements as insurance.

Information for this post came from SC Magazine.

The Ongoing Saga of IoT Attacks

Israeli researchers have disclosed two new Bluetooth attacks that only require the attacker to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker?  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead?

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug: sending the chip more data than it can handle causes a buffer overrun, which gives the attacker the ability to run arbitrary code.

The second bug is in TI’s over-the-air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this.
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro-segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.
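As an added example (not from the original post, and not any vendor’s configuration), here is what the “isolate IoT devices” and “limit the damage” items look like as an nftables ruleset on a router that sits between an IoT VLAN and the rest of the network.  The interface names lan0, iot0 and wan0 are assumptions, as is the choice of which outbound services the IoT segment is allowed.

```nftables
# Added example, not from the original post.  Assumes a router/firewall
# running nftables with three interfaces (names are assumptions):
#   lan0 = trusted workstations, iot0 = IoT VLAN, wan0 = Internet uplink.
# Goal: IoT devices may reach the Internet for vendor patches, DNS and NTP,
# but may not initiate connections into the trusted LAN or, via the router,
# to other IoT segments.

table inet iot_segmentation {
    # Weak setting, shown for contrast: a flat network or an accept-all
    # forward policy lets one compromised bulb or access point reach every
    # workstation and every other IoT device.
    #
    # chain forward { type filter hook forward priority 0; policy accept; }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were allowed below
        ct state established,related accept

        # Trusted LAN may manage IoT devices (a hub's web UI, for example).
        # The reverse direction is never opened, so IoT cannot initiate
        # connections into the LAN.
        iifname "lan0" oifname "iot0" accept

        # IoT may reach the Internet, but only for the few services it needs:
        # DNS, NTP and HTTPS for vendor firmware/patch downloads
        iifname "iot0" oifname "wan0" udp dport { 53, 123 } accept
        iifname "iot0" oifname "wan0" tcp dport { 53, 443 } accept

        # Anything else from the IoT side (IoT -> LAN, IoT -> other IoT
        # segment, odd outbound ports) falls to the drop policy; log and
        # count it so a compromised device becomes visible.
        iifname "iot0" log prefix "iot-lateral-drop " counter drop
    }
}
```

Forward rules on the router only govern traffic that is routed between segments; devices on the same IoT VLAN still talk to each other at layer 2, so isolating them “from each other” additionally needs client isolation (private VLANs) on the switch or access point, or one VLAN per device class.  The log rule is the detection side of the same control: a light bulb that suddenly tries to reach a workstation shows up as an iot-lateral-drop entry in the firewall log.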

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.

Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


Not a Great Week For Apple Users

UPDATE:  Apple says that a preliminary assessment of the most recent WikiLeaks document dump shows old, fixed flaws for iPhone and Mac.  Some of the documents released had a date of 2008, so that those flaws are fixed is not completely surprising.  I am sure that Apple is continuing to review those documents.  Unlike the first WikiLeaks dump, where WikiLeaks still hasn’t given Apple the data needed to figure out whether those flaws still work, in this dump Apple apparently had enough information to figure out how the attack worked, so they could tell whether they had fixed it.  WikiLeaks’ tactic may be to dribble out information from the oldest (and likely least valuable, because they are fixed) vulnerabilities to the newest ones (likely not fixed), so no computer vendor should relax just yet.

A group of hackers is threatening to wipe the devices of more than 600 million Apple users on April 7th using hacked Apple account passwords.

According to the hackers 220 million of the credentials have been verified to work.

Initially, the hackers asked for $75,000 in Bitcoin or Ethereum, but they have raised that “request” to $150,000.

Apparently, Apple has told them that they don’t pay bad guys.

It is not clear what Apple’s plan is.

One thing that they could do is force everyone to turn on two factor authentication, but that would cause a wee bit of chaos.  Alternatively, they could force a billion users to change their passwords between now and April 7.  No big deal.  RIGHT!

As a user, I would say it is every person for themselves and we would suggest a couple of things:

  1. Change your password.  Now!
  2. Enable two factor authentication.  Yes, it is a little bit extra work, but probably worthwhile.
  3. Make backups of your Apple devices and store them offline and disconnected from the net.

It is possible that Apple has a plan.  It is also possible that the hackers are lying, but there is (or was) a video on YouTube showing someone testing accounts with passwords not hidden behind ****s and that demonstrates some degree of reality.

Changing your password alone MAY NOT be sufficient if the hacker has a way inside Apple to obtain changed passwords.

This is all speculative, but assuming that you don’t want to wake up on April 7th to a wiped device, planning ahead seems like a good idea.

The second Apple news story of the week is that WikiLeaks posted more information about the CIA hacking tools and there are details of compromised iPhones and Macs that were hacked in the distribution channel before the original buyers ever saw them in a way that even doing a factory reset would not remove (i.e. a hack of the firmware itself).

The hack the story talked about required physical access to the devices, but knowledgeable people have told me that hacking which requires them to have physical access and implanting hardware is so last year, so we can assume that the CIA has upgraded this capability to allow them to do the same thing without needing physical access.

Why would the CIA want to hack iPhones instead of Android phones?

Well first, why would you assume this is INSTEAD rather than IN ADDITION TO Androids?  Likely they can deal with either.

Second, the likely reason for going after Apple devices is not that they are more or less secure, but rather that they are status symbols in many parts of the world.  That means that people that the CIA is interested in knowing a lot about are likely iPhone/Mac users.  There are other reasons too, but that one is probably good enough.  If you are interested in the details, read the WikiLeaks Post.  It is pretty fascinating.

What that means is that Apple users are now in the cross hairs and who knows what the boys and girls from “The Company” might be looking at.  Just sayin’.  I would say, in general, they are not looking at U.S. citizens unless they have a reason.

So for those people who thought Apple devices were immune from hacking, I would say that you are probably in the same boat as the rest of us.  Sorry.

Information for this post came from Mac World and WikiLeaks.
