Tag Archives: Huawei

Security News bites for the Week Ending March 8, 2019

Commerce Department Wants Companies to Publish Ingredients of their Software

The Commerce Department is trolling around the RSA conference trying to get companies to publish the ingredients in their software – the so-called bill of materials that I have written about before – so that users can understand what libraries are being loaded.  The objective is to avoid another Equifax style breach, where people don’t know that a particular software package uses a vulnerable version of, say, Struts.  Then people have to figure out how to use it.  Big project, but a useful one.  Source: The Cybersecurity 202.

Massachusetts High Court Orders Man to Unlock Phone

Various courts have come down with different decisions regarding whether a person can be compelled to unlock his or her computing device after a warrant is issued.  In general, it has been held that you can be forced to look at your phone (face ID) or put your finger on your phone (fingerprint reader), but not to enter a password (compelled testimony).  But not all courts agree.

The Massachusetts Supreme Judicial Court announced (seriously) “the end of privacy in the digital age” when it compelled an accused pimp to unlock his phone.

Whether this particular case winds up in front of the US Supreme Court or not, the issue will ultimately have to be decided there.  Source: Boston Herald.

Brits Say Brexit was a Russian Plot

As politicians scramble to spin reality regarding Russia’s influence peddling efforts, British foreign secretary Jeremy Hunt says that there is no evidence of successful Russian interference with UK polls, in the face of lawsuits compelling the government to investigate whether that happened.

He is likely right that the Ruskies did not try to literally break into the (digital) ballot box and change votes, but on the other hand, it is equally likely that they used their normal social media techniques to influence the outcome in a direction favorable to Russia.

Why Hunt thinks that England is in some kind of “no-influence” bubble is beyond me (other than to admit it would be politically damaging).  After all, governments around the globe (including the US) have been working hard to influence elections for decades.  Source: The Guardian.

Huawei Sues US Government Over Ban

The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat.

In what will likely be a years long court battle, China is demonstrating that it does not plan to roll over and play dead for Trump.  Source: The New York Times.


It’s Y2K All Over Again

It’s been a few years (like around 1977 or so), but I seem to recall that we discussed this at the time and it is in the spec, but who reads specs anyway.

The Global Positioning System tracks time in weeks since January 5, 1980.  It uses a 10-bit number (1024 weeks) because memory was expensive in 1977, so we knew it was going to roll over about every 20 years, and our code (inside the receiver that was placed in a fighter jet) handled the rollover.

But, apparently, not every software developer is as forward looking as we were, so come April 6, 2019 (the next rollover day), some GPSes may become wonky.
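The 10-bit week field and the receiver-side fix described above, as an added example that is not code from the post or from any real receiver: it decodes the broadcast week number the naive way (assuming the first 1024-week era) and the rollover-aware way, which uses a reference date (assumed here to be the firmware build date) to pick the right era. It uses the standard GPS epoch, midnight UTC at the start of 6 January 1980, which is the end of the 5 January the post mentions.

```python
from datetime import date, timedelta

# GPS week zero began at 00:00 UTC on Sunday 6 January 1980.
GPS_EPOCH = date(1980, 1, 6)
WEEK_BITS = 10                  # width of the week field in the legacy navigation message
WEEK_MODULUS = 1 << WEEK_BITS   # 1024 weeks, roughly 19.6 years


def full_gps_week(d: date) -> int:
    """Unambiguous week count since the epoch (what the receiver really wants)."""
    return (d - GPS_EPOCH).days // 7


def broadcast_week(d: date) -> int:
    """The truncated 10-bit week number a satellite would broadcast on date d."""
    return full_gps_week(d) % WEEK_MODULUS


def naive_decode(week10: int) -> date:
    """Firmware that forgot the field wraps: every week is taken to be in the first era.
    Returns the first day (Sunday) of the decoded week."""
    return GPS_EPOCH + timedelta(weeks=week10)


def rollover_aware_decode(week10: int, reference: date) -> date:
    """Choose the 1024-week era so the decoded week is on or after `reference`
    (assumption: the firmware build date is a safe lower bound on 'now').
    Returns the first day (Sunday) of the decoded week."""
    ref_week = full_gps_week(reference)
    era_base = ref_week - (ref_week % WEEK_MODULUS)
    full_week = era_base + week10
    if full_week < ref_week:          # the broadcast value already wrapped past the reference
        full_week += WEEK_MODULUS
    return GPS_EPOCH + timedelta(weeks=full_week)


def safe_until(reference: date) -> date:
    """First week start at which the rollover-aware decode itself becomes ambiguous,
    i.e. 1024 weeks after the reference date. A receiver must be updated before then."""
    return GPS_EPOCH + timedelta(weeks=full_gps_week(reference) + WEEK_MODULUS)


if __name__ == "__main__":
    build = date(2017, 1, 1)                     # constructed firmware build date
    for day in (date(2019, 4, 6), date(2019, 4, 7)):
        w = broadcast_week(day)
        print(f"{day}: broadcast week {w:4d}, naive -> {naive_decode(w)}, "
              f"rollover-aware -> {rollover_aware_decode(w, build)}")
    print("rollover-aware decode is safe until", safe_until(build))
```

On 7 April 2019 the broadcast field reads 0 again; the naive decode jumps back to January 1980 while the rollover-aware decode stays in 2019.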

In the case that the GPS is directing you to the nearest Starbucks, you might get lost.

If the GPS is controlling a weapon system or a piece of high precision nuclear medicine equipment... well... people could wind up dead.

So at least a few people are doing the Y2K thing all over again.

I suspect that if you power off your GPS on the day before the rollover and then power it back on, everything will be fine (as I remember the code in the GPS, but that was a real long time ago).  That means you are on your own finding that Starbucks, but powering off that weapon system may not be an option.

It is very likely that the GPS firmware on your phone will be fine, I predict.  We shall see.  Source: Homeland Security.


Security News Bites for the Week Ending February 22, 2019

Over 5 Billion Records Exposed in 2018

Risk Based Security is reporting that there were 6,515 publicly reported breaches in 2018 exposing over 5 billion records.  This is a couple hundred breaches fewer than 2017, but the final numbers are not in yet as breaches continue to be reported.

The gap between discovery and disclosure is 49 days, well beyond what GDPR requires.  Source: Risk Based Security.


Industrial Refrigerators Can Be Defrosted Remotely – By Hackers

As we have been saying for a while, Industrial Internet of Things (IIoT) security is horrible.  Researchers are reporting that temperature controlled systems made by Resource Data Management use a default password which can be found on their web site.  If you can find the IP address, you can log in using any browser and wreak havoc on hospitals, restaurants and supermarkets.  The researchers found hundreds of these systems using the search engine Shodan.

The manufacturer’s defense is that they clearly tell people to change the default password.  Which of course, no one does.  Source: Tech Crunch.


Wendy’s Agrees to Pay $50 Million to Settle One More Breach Lawsuit

Wendy’s has agreed to settle a lawsuit with the financial institutions who lost millions as a result of the Point of Sale system breach at hundreds of Wendy’s franchises (interestingly, none of the stores breached were owned by Wendy’s).  Wendy’s will pay $27.5 million and their insurance company will pay the rest.  This is part of the process of putting the 2016 breach behind them.  Wendy’s is famous because their CFO once said on tape that they didn’t want to spend the money to upgrade their credit card terminals to chip based readers because it was cheaper to give away a few free hamburgers.  I wonder if he still feels that way.  Source: Bizjournals.


UK Tells Trump Huawei Cyber-Risk is Manageable

President Trump is working hard to get the rest of the world to support him in banning Huawei technology from the next generation of cellular networks, because of the possibility that the Chinese government could compromise the company and put back doors in its software to be able to hack our cell networks.

Apparently, the UK security chiefs disagree with our prez and said that the potential risk from Huawei is manageable.  This doesn’t mean that they think there is no risk and they do not make the final decisions, but given the relationship with our allies is complicated at best, the final result is unknown.

I suspect that will not make the President very happy.  Source: The Guardian.


Google to Fix Incognito Mode in Chrome That Leaks Info

Advertisers and web developers really don’t like it when browser makers stop them from doing whatever they want to do.

So they try to find ways around the stops.

In this case, advertisers figured out that even though they could not make cookies persist when the user was in incognito mode, they could figure out if the user was using incognito mode to stop being tracked.  If the user was doing that, some web sites would block them from using the web site.

Now, in Chrome 74, Google will create a virtual in-memory file system that behaves just like the real file system, so that web site developers won’t be able to detect the use of incognito mode.  At least not that way.  Now they will have to find another trick.  Source: 9to5Google.



U.S. Considering Nationwide Ban on Chinese Telecom Gear

As the trade war between the U.S. and China heats up, President Trump is considering issuing an executive order banning all U.S. companies from buying telecommunications gear from companies deemed to be a national security threat.

Right now this is seen as a targeted move against two Chinese vendors – ZTE and Huawei.

The executive order would invoke the International Emergency Economic Powers Act, and I would expect that if the order is issued, lawsuits will ensue.

I assume that China would reciprocate and ban, say, Cisco, which would not make John Chambers happy.

But that’s not the big issue.

It is also possible that the executive order could require telecommunications providers to remove existing banned gear at their own cost.  It is not clear if that is legal.

While big telecom carriers have, for the most part, stopped buying ZTE and Huawei gear, it is the little carriers that will be hurt the most.

The little carriers have used the Chinese gear because U.S. equipment sometimes costs them 400% of the cost of the Chinese gear.

That likely will translate to price increases for the customers of those carriers.  In many cases, like with me, those carriers are the only choice that is available so switching to a different, less expensive carrier is not an option.

Part of the executive order under consideration is a requirement to replace existing Chinese telecom gear.  The Rural Wireless Association, a trade group for these carriers estimated that it would cost those carriers up to $1 billion to replace the banned equipment, if that is required and would take several years.  Two ways that cost could be paid are price increases or delays in rolling out new higher speed networks.

Currently, the fastest Internet connection I can get is 20 megabits per second, which is not even classified as broadband by the FCC (broadband is defined as 25 megabits or higher), so I am not really worried about the gigabit gear that this ban is targeting.

I am not a big fan of Chinese networking gear so I can’t really argue with the idea of a ban.  I am not in favor of forcing private U.S. companies to replace existing equipment at their cost and I am sure that, if that happens, those companies will sue the government, which will be messy.

One thing that will likely happen out of this ban (if it happens) is a slower rollout of faster 5G networks – possibly years or decades longer.

The U.S. currently ranks 44th in mobile download speed (see here), which is not very impressive.

This would continue the U.S.’s not very exciting role as a third world country when it comes to Internet access.  Due to higher costs, only some people in very high density areas will get newer, faster service and the rest of us will get Internet service comparable to, say, Syria.  That is not a very exciting prospect.

Information for this post came from Reuters.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said fewer than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, at the end of which GDPR came into effect, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones, so if Samsung can figure out what is happening, they may be able to develop a patch, and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.



FBI, NSA, CIA Say Don’t Use Huawei, ZTE Phones

The heads of the intelligence community – NSA, CIA, FBI and the Defense Intelligence Agency, appearing in front of the Senate Intelligence Committee, said that Chinese smartphones posed a threat to national security.

Exactly why they singled out those two Chinese phones, compared to the iPhone, which is likely made in the same factory, is not clear.  It would seem that two phones, made in the same factory by the same people would have a similar security risk, but apparently not.

FBI Director Chris Wray said that it was because Huawei and ZTE are beholden to the Chinese government.  I would think that Foxconn, who, for example, makes TVs for Sony and others, Cisco networking gear, HP and Dell computers and Nintendo games would also be beholden to the Chinese government in a very big way.

I suspect there is classified intelligence that they are not sharing that explains why these two companies are being singled out.

The concern, they say, is that these devices could steal information or conduct undetectable surveillance of the phone’s user.

AT&T was going to sell Huawei phones but magically decided not to last month.  No doubt these same agencies explained to AT&T why that was not a good plan.

Ultimately, everyone has to make their own decisions, but there are plenty of phones made in Korea, which seems to be a more friendly locale.  There are no phones made in the United States.

Apple and others do buy some parts in the US, like glass from Corning, but those parts are then shipped to China to be assembled.  Apple is looking at assembling some phones in the US, likely for the PR value, but doesn’t actually do that.  Even if they do, since iPhones represent less than 15% of smartphone sales, that will still mean that 80% to 90% of smartphones are manufactured in other countries.

Information for this post came from CNN.


The Problem With Buying Chinese Electronics

Electronics made in China are often less expensive than products sold by western companies such as Cisco and Juniper.  But there may be a cost associated with that price.

The Chinese security firm Boyusec is working with the Chinese Ministry of State Security intelligence service in conducting cyber espionage, according to the Pentagon.  This would not be a surprise except that they are also working with the Chinese network equipment manufacturer Huawei that the Pentagon banned from DoD purchasing a few years ago.

While Huawei denies this, the Pentagon says that Huawei/Boyusec is putting back doors in Huawei networking gear so that the Chinese can spy on purchasers of Huawei equipment.  In addition to spying on customers’ phone and network traffic, these backdoors also allow the Chinese to take control of these devices – likely to subtly reprogram them to allow even more effective spying.

This follows a report earlier this month that software made by Shanghai Adups, and used by Huawei among others, was found on more than 700 million phones, cars and other smart devices.  The software phoned home every three days and reported on the user’s calls, texts and other data.  Another Chinese technology manufacturer, ZTE, also uses the software.

The moral of the story is that you should consider the reputation of the vendor you are considering before making your purchase decision.

Sometimes that vendor is hard to identify.  The security web cams that took out Amazon and hundreds of other companies last month, for example, had software and internal parts made by a vendor that didn’t care about security, but that company’s name was not on the outside of the cameras, which were sold by many different companies.

Unfortunately, those vendors are price sensitive, so if they can find software for a few cents per device sold, they may decide to use it and not ask any questions about security.  After all, there is no liability in the United States if a company sells a product with poor or even no security.  That is up to the customer to figure out. 99% of the customers have no idea how to figure out whether a web cam or baby monitor is secure.  Unfortunately, what is needed is for companies to be held accountable for the security of these products.  This doesn’t mean that they should be clobbered for every bug found, but if they are ignoring reasonable commercial security practices, well, then, that might be a different story.  My two cents, for what it is worth.

Information for this post came from the FreeBeacon.
