Tag Archives: IP theft

Chinese Bank Forced Western Companies to Install Malware

Security firm Trustwave has discovered malware laced tax software in two of it’s western customer’s networks after they opened offices in China.

The bank said the software was required to pay local taxes. In fact the software did perform that function.

Trustwave calls this malware GoldenSpy and said that it installed a backdoor in their client’s computer. The backdoor allowed the Chinese to connect to the computer, install other malware and run Windows commands.

GoldenSpy installs two copies of itself and will automatically reinstall itself if one of the copies is discovered. It also has other self-protection measures.

It also waits two hours after the tax software is installed to silently install the backdoors.

There is no way to prove how the malware got there, but given they are in China and a western company, you can draw your own conclusions. Credit: ZDNet

Okay, so what does this mean?

It is not completely clear, but certainly it raises some questions.

Assuming you are not doing business in China, should you worry?

There is nothing special about the technique used and, in fact, the NSA is reported to have used it against folks that they want to monitor.

The technique could be used by

  • Competitors
  • Hackers
  • Nation state actors
  • and probably a host of others

Since *you* installed the software voluntarily, most of the security controls in your system will not detect it.

We have seen a number of attacks like this over the years. Sometimes hackers compromise a developer’s computer and insert the malware there. That way, when it gets checked in and compiled, it is not detected.

But that is only one way the malware can get there.

Traditional anti-virus/anti-malware software will not detect this.

What will detect this is software similar to Trustwave. They do managed security services (we offer a similar product that is well suited to small businesses).

What the software needs to do is detect unusual behavior like accessing data that it should not, connecting to web sites that it should not, installing software etc.

Generally interpreting what the alerts mean requires an expert.

What is less clear is how frequently this happens because most companies do not have software/services like these companies did. There also are no laws requiring companies to report these types of attacks unless the company is publicly traded and the attack materially affects the company’s balance sheet.

Assuming that the software doesn’t break anything, it likely would go undetected. Forever!

If you do not have anything in place to detect this type of malware, you should definitely consider it.

Historically, these types of attacks are designed to steal intellectual property. IP Theft is more difficult to detect because there are no systems in place nationally to detect these types of theft like there is for credit card fraud. In addition, IP theft has a long shelf life. If you steal information about a company’s business processes, for example, that information will be valuable until the company no longer uses those business processes, which could be decades later.

If the IP theft is controlled by a competitor, then that competitor could use that information to unfairly compete with the company who’s information was stolen.

If you need more information, please contact us.

Security News for the Week Ending May 15, 2020

Pitney Bowes Hit By Ransomware for 2nd Time in 7 Months

Pitney Bowes has verified that it has been hit by a ransomware attack for the second time in 7 months. This time it is the maze ransomware, which steals data before encrypting your systems. Sometimes ransomware hackers leave their hooks in a victim’s system so they can come back later and cause more pain. Again I ask – are you ready? Credit: Computer Weekly

U.S. To Accuse China of Trying To Steal Vaccine Data

The U.S. says – no surprise – that other countries such as China, Vietnam and even South Korea are trying to steal vaccine research, treatments and testing. Other than warning businesses that other countries are trying to steal our stuff, it is not clear what the government can or plans to do. Credit: MSN

Security May Be Victim to Business Downturn

If fairness, all costs have to be justified during a business downturn and security costs are one of those costs.

As companies layoff employees and downsize, security teams are at risk because they don’t tie directly to revenue.

But all you need to do is as a company that had even a small breach and spent, say, $1 million on it, whether saving the salary of that dedicated security team member made sense in hindsight.

The bad news is that the hackers understand this and they will watch for companies that are not paying attention.

Of course, that does not mean that every company is spending every security dollar wisely. Probably not. Credit: WSJ

Ransomware is Getting to be Like Commercial Software with Feature Releases

Something tells me that this is not a good thing, but ransomware software is big business. As a result developers are enhancing their software with new releases. The Sodinokibi (REvil) software has added a new feature that allows it to encrypt files, even if they are open and locked by another process. The ransomware kills the process or processes that are locking the file and then encrypt it, after stealing a copy first. Adding features seems to work for companies like Google and Microsoft…. Credit: Bleeping Computer

FBI Reportedly Asks Apple for Contents of Senator Burr’s iPhone

Senator Burr, is being investigated for selling stocks after he was briefed on the Coronavirus as the chairman of the Senate Intelligence Committee. The FBI asked for his phone, which his attorney gave them. Apparently the FBI was able to get a warrant after they asked Apple for the contents of Burr’s iCloud account. Apple seems to be willing to give the cops your iCloud data, which they can decrypt, if the cops remember to ask in time. It has been reported that in late January and early February, Burr and his wife sold between $600,000 and $1.7 million worth of stock. The market started it’s nosedive around February 20th. Credit: CNet

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was  used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.

 

FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment  because of their close ties to the Chinese government and another rule that would force telecoms to rip  out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, is to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This disproportionately will affect less densely populated parts of the county (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast , affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS

 

Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change  my password and make sure that two factor authentication is enabled.  Source:  The Hacker News.

 

Rudy Guiliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed  – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernadino mass shooter whom the FBI needed help unlocking his iPhone.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.

Equifax Hack – The Prequel

While we all know about the Equifax breach last year that compromised the data of almost 150 million people and businesses, until today we did not know about the Equifax hack two years earlier.

In the earlier hack, former employees – actually Chinese spies – stole thousands of pages of documents including plans for new products, human resource files, manuals and other information.

Equifax went to the FBI and even the CIA, but did not publicly admit the problem.

That is because there is no law that requires them to disclose the theft of intellectual property although investors may disagree and sue them now that they know.

Equifax later found out that the Chinese had asked 8 companies to help them build a national credit reporting system.

I am sure that is just a coincidence.

So what do you as a business owner need to do?

The first thing is to understand that the theft of intellectual property dwarfs credit card theft and the best we can do is guess at the magnitude because most of it is not reported.

While hackers can break into your company, it is much easier for employees to walk the data out the front door.  That problem is so bad that defense contractors and financial firms are required by law to have insider threat programs.  Understand what a competitor inside the US or internationally might be interested in.  

Implement employee training programs to make sure that employees do not contribute to the problem.

While the insider attack is one part of the problem, the outsider problem is just as big a problem.  To protect against this, you need to implement a full cyber security program – hardening servers, patches, access controls, firewall rules, etc.  

This needs to be part of a formal, documented program.

The most important thing to understand is that it doesn’t always happen to “the other guy”.  Most attacks are attacks of opportunity and small and medium businesses are disproportionately affected – likely because they do not have the sophisticated IT controls and staff that big companies have.

You have two choices – 

Prepare now.

React when an event happens.

I can tell you from experience, preparation is way better.

Information for this post came from Slashdot.

 

Industrial Espionage – Much Worse Than Credit Card Breaches

General Keith Alexander, former director of the National Security Agency, said that cyber espionage is the greatest transfer of wealth in history.  In 2012 when he made that statement, the the value of cyber industrial espionage on an annual basis was $338 billion.  Per year.  5 years later I am sure that number is greater.

Of course industrial espionage is not new.  In the early 18th century John Lombe, a British silk spinner went to Italy to steal the technology of an Italian company.  At night, by candlelight, he sketched drawings of the Italian company’s machines that he had managed to get a job working for.  He returned to England with the stolen technology and built a better machine to compete with the Italians.  Industrial espionage is not new.

What is new is the ease with which this can be done.  With everything being connected, you can now steal secrets from half way around the world.  And with cyber security practices at many businesses being a bit lax (there are a few industries for which this is not the case, but they are the exception), it is pretty easy to do.  Even defense, which you think would be secure, is not.  Lockheed lost the technology for the F-35 and now the Chinese make a knockoff and sell it at a fraction of the price.

Unlike credit card or personal information theft which is required to be disclosed, for the most part, stolen intellectual property is kept quiet.  It is embarrassing and would likely make stockholders upset.  What they don’t know won’t hurt them.

As the manufacturing process becomes more computerized, it is a huge leak opportunity.  Traditional IT security solutions sometimes don’t work on the factory floor.  Crooks know that and attack at that weak spot. In the absence of controls, detection and good processes, the crime will go undetected.

Fast forward a couple of centuries.

6 men in Houston were arrested for stealing technology for creating marine foam.  China wanted to increase it’s marine business and this foam is used in building boats due to its special buoyancy.

The Chinese, like John Lombe above, spent years weaseling their way into the company in Houston that makes this.  The crooks sent the info back to China who then had the gall to try and sell it back to the company they stole it from saying they could make it for less.

In the process of stealing the information they kept coming back to the insiders in the U.S. to get more information when their efforts at cloning the process was not working.

Now, except for one guy who is in China, they are all under arrest.  BUT, the technology has already been stolen, so it is not clear how this company can get the genie back in the bottle.  Not clear at all.

Supposedly, this information that was stolen was only known to about a half dozen employees in this company – it was the company’s crown jewels and now the cat is out of the bag.

The company considered buying the stuff from the Chinese knockoff IF the Chinese would give them an exclusive.  SO, rather than go public and be outed, they proposed making a deal with the devil.

When the Chinese started offering this U.S. company’s technology to other companies in the U.S., the company called in the FBI.  That started an investigation and, eventually, the arrest of these 6 engineers. FOUR years later.

Unfortunately, this is one of, likely, thousands of incidents.  Stopping one will NOT stop the hackers.  They just consider that an acceptable loss or collateral damage to the bigger game.

And American companies continue to ignore the warning signs (because, in many cases, there are no warning signs because the companies who got hacked keep the attack quiet).

Think about what happens to your company if you lose control of your intellectual property, whatever that is.

Information for this post came from IIoT World and the Houston Chronicle.