Tag Archives: hotel security

Security News for the Week Ending October 18, 2019

Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy

In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results.  54 state agencies did not respond to the audit at all.  Of those that did respond, 38% did not encrypt sensitive data, 22 agencies had not conducted a third-party security risk assessment, and 11 did not even have a cybersecurity policy.  Overall, more than half of the respondents (again, not counting the 54 agencies that never responded) were less than 75% compliant with state law.  State agency heads know that, unlike you or me, they are not going to get hauled into court for breaking the law, and if they get fined, it isn’t their money.  I wonder how typical this is in other states.  Source: Govtech

 

Karma Wins

Dark web site BriansClub (named after Brian Krebs, the former Washington Post journalist turned security author, columnist and speaker, but with no relation to him) was hacked.

BriansClub is in the business of selling stolen credit cards, and apparently business is very good.  In the first 8 months of this year the site sold about 9 million stolen cards, netting the site’s operator $126 million (in 8 months).  If we assume an average loss of $500 per card to the issuing bank, those 9 million cards represent roughly $4.5 billion in fraud losses.

But now hackers have hacked the hacker and stolen the site’s inventory of 26 million stolen cards.  Needless to say, BriansClub can’t ask the cops for help.

Remember that this is only ONE site on the dark web, so you can get some idea of the scale of online card fraud.

Krebs shared the data with the fraud teams in the credit card industry, so hopefully those cards can be shut off and reissued, making life a little easier for the victims.

Source: Brian Krebs

 

Hotel [NON] Security

Kevin Mitnick, Chief Hacking Officer of the security training company KnowBe4, posted a video on YouTube about the security – or more accurately the lack of security – of hotel room safes.  I always assumed that they had backdoors, because people are pretty likely to forget whatever combination they set.

On the other hand, a backdoor is only a backdoor if someone bothers to change the override combination from the factory default of all zeros, and the hotel in the video didn’t.  See the video on YouTube.

 

One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack

One of the President’s web sites was left with a debugging tool enabled, which would allow an attacker to hijack the site’s email server and intercept, read or send email from that domain.  Trump’s website is one of hundreds that have left the same tool enabled.

The researcher who discovered it worked very hard – much harder than he should have had to – to get the Trump campaign to fix the bug.  How long the data on the site was exposed is unknown.  Source: Threatpost.

 

Samsung Issues Alert for Fingerprint Reader Fail

Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of a Galaxy S10, anyone’s fingerprint will unlock the phone.

Samsung’s response was that you should only use official Samsung accessories.  FAIL!!!  Early Samsung-branded screen protectors had a cutout over the fingerprint sensor to sidestep this very problem.  Why fix the sensor if you can die-cut a hole in the screen protector for a whole lot less?

Samsung is working on a fix, but this is another example of convenience over security.  Fingerprint and facial-scan readers on (relatively) inexpensive consumer devices are low-security.  In fact, biometrics should be used to identify you, not as the sole factor that authenticates you.  Source: Ars

 


Friday News

FDA Begins Process to Change Patching of Medical Devices

The Food and Drug Administration is beginning to understand that its 19th-century strategy of requiring manufacturers to recertify their products every time they apply a patch only leads to the devices being hacked – which they are, regularly.  The FDA has also asked Congress for more authority to manage the cybersecurity process, including creating a cyber advisory board.  It is talking about requiring medical device makers to design patchability into their devices.  Lastly, it is considering requiring manufacturers to provide the FDA with a software bill of materials at submission time.  Note that mostly this is talk, so expect the process to take years.  In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).

Hey Alexa, Are You Hacked?  Again?

Checkmarx researchers built a proof-of-concept attack using Amazon Echo “skills”, the extensions that let third parties add features to an Echo.  Until Amazon patched the flaw earlier this month, the attacker would have been able to capture and transcribe every word spoken within range of an Echo.  Glad they are the good guys.  The moral is that with convenience comes risk; you have to decide what your acceptable level of risk is.  (Source: Threatpost).

For Drupal Users is the Third Time a Charm?

For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions.  This patch is a follow-on to Drupalgeddon 2, a vulnerability that lets a hacker take over the web server and, if there are other servers on the network or other systems the compromised server can talk to, use it as a launchpad for further attacks.  Just in case anyone has forgotten, a forgotten patch – in that case for the Apache Struts web framework – is exactly what allowed the Equifax breach.  If you have not applied this patch along with the other two, today is a good day to do it, since there are active exploits for this vulnerability in the wild (source: The Register).

Ever Wonder if Hotel Keycard Locks are Safe?

Well, wonder no more.  Researchers are scheduled to disclose, at a security conference later this month, a vulnerability in older-generation Vingcard locks covering a million rooms in over a hundred thousand hotels.  The attack takes about a minute and yields a master key for the entire hotel.  The bad news is that there is really nothing you, as a guest, can do about it.  Assa Abloy, which makes the locks, has created a fix, but the fix has to be downloaded and manually applied to each individual room lock, so many hotels have likely not done this labor-intensive task (Source: Wired).

FISA Court Denies More Requests in Last Year than in Entire History

The secret FISA court, which approves classified surveillance requests from the FBI and NSA, turned down 26 requests in full last year and 50 in part.  Compare that to a total of 21 denials from the court’s founding in 1978 through the end of the Obama presidency.  Out of 1,100+ requests last year that is still a small number, but it is an indication of a higher level of scrutiny (Source: ZDNet).
