Tag Archives: Huawei

Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. Company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, what to constraint the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.

 

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day,  Malwarebytes Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while Malwarebytes stats reports what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report, but likely this includes both successful and failed ransomware attacks since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.

 

Supply Chain Risk is a Major Problem

Germany based CityComp, who has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000 which was not paid.  The hacker claims to have over 500 gig of data in 312,000 files.  Which is set to be released.  Because a vendor was hacked.  In part because their client’s vendor cyber risk management program did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.

 

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.

 

Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials 30 European Union and NATO countries as well as Japan, Australia and Germany are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

For many people, who do not love Facebook, they would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members have been removed.  No doubt, immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?)   Source: SC Magazine.

 

China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Hauwei 5G controversy, western intelligence is concerned that they might eavesdrop on the data since just one cable with multiple fibers might carry 100 gigabits of traffic or more –  a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

Since the U.S. has repeatedly preferred a less secure Internet to make it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack as has been revealed over the last few years as just  one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000  sites and have published the personal information (names, phone numbers and street addresses)  of about 4,000 federal agents such as the FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million  people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.

 

Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000 then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Cars2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000.  And, they don’t seem to be getting any better.  Source: BBC .

 

Researchers Figure Out How to Attack WPA 3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The First version had no security, the next version had crappy security, the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security tests.  Anyone who wants to hack it has to do so treating it as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the other attacks are side channel attacks.  They also figured out how to create a denial of service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on Github to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try and patch the holes.  The good news is that since there are almost no WPA 3 devices in use, catching the bugs early means that most devices will be patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400 pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that  the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russian’s efforts to compromise the election and it will likely fuel more conversations in Congress.  Source: Ars Technica.

 

Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, whom President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.

Facebooktwitterredditlinkedinmailby feather

Security News bites for the Week Ending March 8, 2019

Commerce Department Wants Companies to Publish Ingredients of their Software

The Commerce Department is trolling around the RSA conference trying to get companies to publish the ingredients in their software – the so called bill of materials that I have written about before – so that users can understand what libraries are being loaded.  The objective is to avoid another Equifax style breach because people don’t know that this particular software package uses a vulnerable version of, say, Struts.  Then people have to figure out how to use it.  Big project, but a useful one.  Source: The Cybersecurity 202.

Massachusetts High Court Orders Man to Unlock Phone

Various courts have come down with different decisions regarding whether a person can be compelled to unlock his or her computing device after a warrant is issued.  In general, it has been held that you can be forced to look at your phone (face ID) or put your finger on your phone (fingerprint reader), but not to enter a password (compelled testimony).  But not all courts agree.

The Massachusetts Supreme Justice Court announced (seriously) “the end of privacy in the digital age” when it compelled an accused pimp to unlock his phone.

Whether this particular case winds up in front of the US Supreme Court or not, the issue will ultimately have to be decided there.  Source: Boston Herald.

Brits Say Brexit was a Russian Plot

As politicians scramble to spin reality regarding Russia’s inflluence peddling efforts, British foreign secretary Jeremy Hunt says that there is no evidence of successful Russian interference with UK polls in the face of lawsuits compelling the government to investigate if that happened.

He is likely right that the Ruskies did not try to literally break into the (digital) ballot box and change votes, but on the other hand, it is equally likely that they used their normal social media techniques to influence the outcome in a direction favorable to Russia.

Why Hunt thinks that England is in some kind of “no-influence” bubble is beyond me (other than to admit it would be politically damaging).  After all, governments around the globe (including the US) have been working hard to influence elections for decades.  Source: The Guardian.

Huawei Sues US Government Over Ban

The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat.

In what will likely be a years long court battle, China is demonstrating that it does not plan to roll over and play dead for Trump.  Source: The New York Times.

 

Its Y2K All Over Again

Its been a few years (like around 1977 or so), but I seem to recall that we discussed this at the time and it is in the spec, but who reads specs anyway.

The Global Positioning System tracks time in weeks since January 5, 1980.  It uses a 10 bit number (1024 weeks) because memory was expensive in 1977, so we knew it was going to roll over about every 20 years and our code (inside the receiver that was placed in a fighter jet) handled the rollover.

But, apparently, not every software developer is as forward looking as we were, so come April 6, 2019 (the next rollover day), some GPSes may become wonky.

In the case that the GPS is directing you to the nearest Starbucks, you might get lost.

If the GPS is controlling a weapon system or a piece of high precision nuclear medicine equipment…. well… people could wind up dead.

So at least a few people are doing the Y2K thing all over again.

I suspect that if you power off your GPS on the day before the rollover and then power it back on, everything will be fine (as I remember the code in the GPS, but that was a real long time ago).  That means you are on your own finding that Starbucks, but powering off that weapon system may not be an option.

It is very likely that the GPS firmware on your phone will be fine, I predict.  We shall see.  Source: Homeland Security.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 22, 2019

Over 5 Billion Records Exposed in 2018

Risk Based Security is reporting that there were 6,515 publicly reported breaches in 2018 exposing over 5 billion records.  This is a couple hundred breaches less than 2017, but the final numbers are not in yet as breaches continue to be reported.

The number of days between discovery and disclosure is 49 days, well beyond what is required by GDPR. Source: Risk Based Security.

 

Industrial Refrigerators Can Be Defrosted Remotely – By Hackers

As we have been saying for a while, Industrial Internet of Things (IIoT) security is horrible.  Researchers are reporting that temperature controlled systems made by Resource Data Management use a default password which can be found on their web site.  If you can find the IP address, you can log in using any browser and wreak havoc on hospitals, restaurants and supermarkets.  The researchers found hundreds of these systems using the search engine Shodan.

The manufacturer’s defense is that they clearly tell people to change the default password.  Which of course, no one does.  Source: Tech Crunch.

 

Wendy’s Agrees to Pay $50 Million to Settle One More Breach Lawsuit

Wendy’s has agreed to settle a lawsuit with the financial institutions who lost millions as a result of the Point of Sale system breach at hundreds of Wendy’s franchises (interestingly, none of the stores breached were owned by Wendy’s).  Wendy’s will pay $27.5 million and their insurance company will pay the rest.  This is part of the process of putting the 2016 breach behind them.  Wendy’s is famous because their CFO once said on tape that they didn’t want to spend the money to upgrade their credit card terminals to chip based readers because it was cheaper to give away a few free hamburgers.  I wonder if he still feels that way.  Source: Bizjournals.

 

UK Tells Trump Huawei Cyber-Risk is Manageable

President Trump is working hard to get the rest of the world to support him in banning Huawei technology from the next generation of cellular networks due to the possibility of them being compromised by the Chinese government and putting back doors in their software to be able to hack our cell networks.

Apparently, the UK security chiefs disagree with our prez and said that the potential risk from Huawei is manageable.  This doesn’t mean that they think there is no risk and they do not make the final decisions, but given the relationship with our allies is complicated at best, the final result is unknown.

I suspect that will not make the President very happy.  Source: The Guardian.

 

Google to Fix Incognito Mode in Chrome That Leaks Info

Advertisers and web developers really don’t like it when browser makers stop them for doing whatever they want to do.

So they try to find ways around the stops.

In this case, advertisers figured out that even though they could not make cookies persist when the user was in incognito mode, they could figure out if the user was using incognito mode to stop being tracked.  If the user was doing that, some web sites would block them from using the web site.

Now, in Chrome 74, Google will create a virtual in memory file system that will behave just like the real file system so that web site developers won’t be able to detect the use of incognito mode.  At least not that way.  Now they will have to find another trick.  Source:  9to5Google.

 

Facebooktwitterredditlinkedinmailby feather

U.S. Considering Nationwide Ban on Chinese Telecom Gear

As the trade war between the U.S. and China heats up, President Trump is considering issuing an executive order banning all U.S. companies from buying telecommunications gear from companies deemed to be a national security threat.

Right now this threat is deemed to be a targeted attack against two Chinese vendors – ZTE and Huawei.

The executive order would invoke the International Emergency Economic Powers Act and I would expect that if  the order is issued, lawsuits will ensue.

I assume that China would reciprocate and ban, say, Cisco, which would not make John Chambers happy.

But that’s not the big issue.

It is also possible that the executive order could require telecommunications providers to remove existing banned gear at their own cost.  It is not clear if that is legal.

While big telecom carriers have, for the most part stopped buying ZTE and Huewei gear, it is the little carriers that will be hurt the most.

The little carriers have used the Chinese gear because U.S. equipment sometimes cost them 400% of the cost of the Chinese gear.

That likely will translate to price increases for the customers of those carriers.  In many cases, like with me, those carriers are the only choice that is available so switching to a different, less expensive carrier is not an option.

Part of the executive order under consideration is a requirement to replace existing Chinese telecom gear.  The Rural Wireless Association, a trade group for these carriers estimated that it would cost those carriers up to $1 billion to replace the banned equipment, if that is required and would take several years.  Two ways that cost could be paid are price increases or delays in rolling out new higher speed networks.

Currently, the fastest Internet connection I can get is 20 megabits per second, which is not even classified as broadband by the FCC (broadband is defined as 25 megabits or higher), so I am not really worried about the gigabit gear that this ban is targeting,

I am not a big fan of Chinese networking gear so I can’t really argue with the idea of a ban.  I am not in favor of forcing private U.S. companies to replace existing equipment at their cost and I am sure that, if that happens, those companies will sue the government, which will be messy.

One thing that will likely happen out of this ban (if it happens) is a slower rollout of faster 5G network – possibly years or decades longer.

The U.S. currently ranks 44th in mobile download speed (see here), which is not very impressive.

This would continue the U.S.’s not very exciting role as a third world country when it comes to Internet access.  Due to higher costs, only some people in very high density areas will get newer, faster service and the rest of us will get Internet service comparable to, say, Syria.  That is not a very exciting prospect.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather