Tag Archives: Russia

Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised are 140,000 US social security numbers and 80,000 bank account numbers.  Also in the mix were one million Canadian social security numbers plus names, addresses, phone numbers, birth dates and incomes.

The data included applicants who applied between 2005 and 2019.  Yes, 15 years worth of applicant data, floating around in the cloud.  I ask WHY?

The hackers were inside between March and July and the breach was discovered in July.  In this case, a U.S. person was identified as the source of the hack and arrested.  She is still in jail.

The feds say a configuration error allowed her to access the data, which was stored in the cloud.  See more information at The Register.

 

Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican-controlled Senate Intelligence Committee released the first volume of its report on Russian hacking of the 2016 Presidential election, Florida Senator Rick Scott, who was Florida’s Governor at the time of that election, said on national TV that he had not read the report.  The report, which is heavily redacted, talks about Russian efforts to hack “State-2”, which is widely believed to be Florida.

The report is only 67 pages; much less if you read the redacted version, but Scott has only gotten the CliffsNotes version from his staff.  At the time, Scott was adamant that his state was not hacked.  Florida’s other Senator, Marco Rubio, has been working hard to sound the alarm bells on the report.  Perhaps the report hit a little too close to Scott’s denials for comfort.  Source: The Tampa Bay Times.

 

Honda Exposes the Family Jewels

134 million rows of sensitive data were accidentally exposed.  Wait.  Guess.  On an unprotected Elasticsearch database.

Information on the company’s security systems, network, technical data on workstations, IP addresses, operating systems and patch levels were all exposed.  Basically, these are directions for even an inexperienced hacker to attack Honda.

Honda is being pretty quiet about this, but it is one more case of corporate governance gone wrong.  Or missing.  Source: Silicon Republic.

 

Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people’s Siri recordings, including sensitive  protected health information,  Apple announced it was suspending the program and will conduct an investigation.  Apple said they will provide an option for people to participate in the program or not, in a future software release.  Source: The Guardian.

 

On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called JEDI.  Now the Capital One breach happens, exposing information on 100 million customers, and it turns out the person accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers – and probably so does Microsoft.  $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was helped by a configuration error. Source: Bloomberg.


Security News bites for the Week Ending March 8, 2019

Commerce Department Wants Companies to Publish Ingredients of their Software

The Commerce Department is trolling around the RSA conference trying to get companies to publish the ingredients in their software – the so-called software bill of materials that I have written about before – so that users can understand what libraries are being loaded.  The objective is to avoid another Equifax-style breach, where people don’t know that a particular software package uses a vulnerable version of, say, Struts.  Then people have to figure out how to use it.  Big project, but a useful one.  Source: The Cybersecurity 202.

Massachusetts High Court Orders Man to Unlock Phone

Various courts have come down with different decisions regarding whether a person can be compelled to unlock his or her computing device after a warrant is issued.  In general, it has been held that you can be forced to look at your phone (face ID) or put your finger on your phone (fingerprint reader), but not to enter a password (compelled testimony).  But not all courts agree.

The Massachusetts Supreme Judicial Court announced (seriously) “the end of privacy in the digital age” when it compelled an accused pimp to unlock his phone.

Whether this particular case winds up in front of the US Supreme Court or not, the issue will ultimately have to be decided there.  Source: Boston Herald.

Brits Say Brexit was a Russian Plot

As politicians scramble to spin reality regarding Russia’s influence-peddling efforts, British Foreign Secretary Jeremy Hunt says that there is no evidence of successful Russian interference with UK polls, in the face of lawsuits compelling the government to investigate whether that happened.

He is likely right that the Russkies did not try to literally break into the (digital) ballot box and change votes, but on the other hand, it is equally likely that they used their normal social media techniques to influence the outcome in a direction favorable to Russia.

Why Hunt thinks that England is in some kind of “no-influence” bubble is beyond me (other than to admit it would be politically damaging).  After all, governments around the globe (including the US) have been working hard to influence elections for decades.  Source: The Guardian.

Huawei Sues US Government Over Ban

The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat.

In what will likely be a years long court battle, China is demonstrating that it does not plan to roll over and play dead for Trump.  Source: The New York Times.

 

It’s Y2K All Over Again

It’s been a few years (like around 1977 or so), but I seem to recall that we discussed this at the time and it is in the spec, but who reads specs anyway.

The Global Positioning System tracks time in weeks since January 6, 1980 (GPS week zero begins at 00:00 UTC on that Sunday).  It uses a 10-bit number (1024 weeks, a little under 20 years) because memory was expensive in 1977, so we knew it was going to roll over about every 20 years and our code (inside the receiver that was placed in a fighter jet) handled the rollover.

But, apparently, not every software developer is as forward looking as we were, so come April 6, 2019 (the next rollover day), some GPS receivers may become wonky.
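To make the rollover concrete, here is an added example (mine, not code from the original post or from any receiver vendor) that computes the full and the 10-bit week number for a date, lists the rollover Sundays, and contrasts the two ways a receiver can turn the 10-bit field back into a date: hard-coding the 1024-week era, which is exactly the bug that bites on the rollover, versus resolving it against a reference date such as the firmware build date.  The firmware build date and the observation date are assumptions for the demonstration; the arithmetic works on UTC calendar dates and ignores the 18-second GPS-to-UTC offset.

```python
from datetime import date, timedelta
from typing import List, Union

GPS_EPOCH = date(1980, 1, 6)      # GPS week 0 begins 00:00 UTC on this Sunday
WEEK_MODULUS = 1 << 10            # the legacy nav message carries only 10 bits of week number

DateLike = Union[date, str]


def _as_date(day: DateLike) -> date:
    return day if isinstance(day, date) else date.fromisoformat(day)


def gps_week(day: DateLike) -> int:
    """Full, unwrapped GPS week number for a calendar date (UTC date; the 18-second
    GPS-UTC offset is ignored, so a rollover shows up on the Sunday's date)."""
    days = (_as_date(day) - GPS_EPOCH).days
    if days < 0:
        raise ValueError("date precedes the GPS epoch")
    return days // 7


def broadcast_week(day: DateLike) -> int:
    """What the satellite actually transmits: the week number truncated to 10 bits."""
    return gps_week(day) % WEEK_MODULUS


def week_start(full_week: int) -> str:
    """ISO date of the Sunday that begins a full week number."""
    return (GPS_EPOCH + timedelta(weeks=full_week)).isoformat()


def rollover_dates(count: int) -> List[str]:
    """Sundays on which the 10-bit field wraps back to zero (the first `count` rollovers)."""
    return [week_start(WEEK_MODULUS * k) for k in range(1, count + 1)]


def naive_unwrap(wn10: int, assumed_era: int) -> int:
    """The bug: a receiver that hard-codes which 1024-week era it lives in.
    Right until the next rollover, then silently 19.6 years in the past."""
    return assumed_era * WEEK_MODULUS + wn10


def unwrap_with_reference(wn10: int, reference: DateLike) -> int:
    """The fix: choose the first full week that is not earlier than `reference` (for
    example the firmware build date) and has the same low 10 bits. Unambiguous for
    any date within 1024 weeks after `reference`, whatever era the unit is used in."""
    if not 0 <= wn10 < WEEK_MODULUS:
        raise ValueError("10-bit week number out of range")
    ref_week = gps_week(reference)
    return ref_week + ((wn10 - ref_week) % WEEK_MODULUS)


if __name__ == "__main__":
    print("rollovers:", rollover_dates(3))
    build_date = "2018-01-01"                      # assumed firmware build date (era 1)
    observed = broadcast_week("2019-04-14")        # week after the 2019 rollover: field reads 1
    print("naive receiver (era 1 hard-coded):", week_start(naive_unwrap(observed, 1)))
    print("reference-based receiver:", week_start(unwrap_with_reference(observed, build_date)))
```

The reference-based receiver is only correct for 1024 weeks after its reference date, which is why a unit that sits on a shelf (or in a weapon system) for decades still needs a firmware update eventually; the rollover does not go away, it just moves to a date the vendor has to remember.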

In the case that the GPS is directing you to the nearest Starbucks, you might get lost.

If the GPS is controlling a weapon system or a piece of high precision nuclear medicine equipment…. well… people could wind up dead.

So at least a few people are doing the Y2K thing all over again.

I suspect that if you power off your GPS on the day before the rollover and then power it back on, everything will be fine (as I remember the code in the GPS, but that was a real long time ago).  That means you are on your own finding that Starbucks, but powering off that weapon system may not be an option.

It is very likely that the GPS firmware on your phone will be fine, I predict.  We shall see.  Source: Homeland Security.


Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing,  telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS provider’s authoritative servers do not comply with the 1987 (RFC 1035) and 1999 (EDNS, RFC 2671) standards – in particular, if they silently drop queries that carry an EDNS option instead of answering them – your domain may stop resolving for users of these major resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes, there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.
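If you would rather see what that test is doing than trust a web form, here is an added example (mine, not the DNS Flag Day project’s own test code) that builds the kind of probe the compliance check sends, an SOA query with recursion off and an EDNS OPT record, and classifies how an authoritative server reacts: answers with an OPT record (compliant), answers without one (EDNS ignored), returns FORMERR or NOTIMP (EDNS rejected), or never answers at all (the case the flag day stops working around).  The advertised UDP payload size of 1232 bytes and the example zone and name servers are assumptions; the `fake_reply` helper constructs replies so the classifier can be exercised offline, while `probe` sends the real thing over UDP port 53.

```python
import socket
import struct
from typing import Optional

TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
EDNS_UDP_SIZE = 1232   # assumed buffer size advertised in the OPT record


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_edns_probe(zone: str, txid: int = 0x1234) -> bytes:
    """SOA query for `zone` with RD=0 plus an OPT pseudo-record: the same shape as
    `dig +norecurse +edns=0 SOA <zone> @<server>`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1 (the OPT)
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE / EDNS version / flags (all zero), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def classify_reply(query: bytes, reply: Optional[bytes]) -> str:
    """Classify how an authoritative server reacted to the EDNS probe."""
    if reply is None:
        return "timeout"                  # the flag-day case: EDNS query silently dropped
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "malformed"                # too short, or transaction ID does not match
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", reply[2:12])
    rcode = flags & 0x0F
    if rcode in (1, 4):                   # FORMERR / NOTIMP: server rejects EDNS outright
        return "edns-rejected"
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4  # skip QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):         # walk answer, authority and additional sections
        off = _skip_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt = True
    if rcode != 0:
        return f"rcode-{rcode}"
    return "edns-ok" if has_opt else "edns-ignored"


def probe(server_ip: str, zone: str, timeout: float = 3.0) -> str:
    """Send the probe to an authoritative server over UDP/53 and classify the result."""
    query = build_edns_probe(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(query, reply)


def fake_reply(query: bytes, rcode: int = 0, with_opt: bool = True) -> bytes:
    """Constructed reply for offline testing: echoes the question, adds an SOA answer whose
    owner name is a compression pointer to offset 12, and optionally an OPT record."""
    question = query[12:_skip_name(query, 12) + 4]
    soa_rdata = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
                 + struct.pack("!IIIII", 2019020101, 7200, 3600, 1209600, 3600))
    answer = b"" if rcode else (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600,
                                                         len(soa_rdata)) + soa_rdata)
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0)) if with_opt else b""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1 if answer else 0, 0,
                         1 if with_opt else 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_edns_probe("example.")
    for label, r in [("compliant", fake_reply(q)), ("no OPT", fake_reply(q, with_opt=False)),
                     ("FORMERR", fake_reply(q, rcode=1, with_opt=False)), ("dropped", None)]:
        print(f"{label:>10}: {classify_reply(q, r)}")
```

Run `probe()` against each of your zone’s authoritative name servers, not against a recursive resolver, and do it from outside your own network: middleboxes and firewalls that strip or drop EDNS are a common cause of a “timeout” result even when the name server software itself is fine.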

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Privacy Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try.  Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try and create disinformation if it works to their best interest.   Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have obtained a U.S. court’s approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 


News Bites for the Week Ending October 26, 2018

Poorly Secured Family of Adult Web Sites Leak Account Info

For those people who can think back to the hack of the Ashley Madison web site, this is kind of deja vu all over again.

100 megabytes of user authentication data was leaked – user names, IP addresses, passwords and email addresses.  Not THE most sensitive data, but most people who visit adult web sites do not advertise that fact.  But there is more.

One surprise is that there were OVER ONE MILLION email addresses compromised.

Along with, apparently, pictures that some people uploaded to some of the sites.  Suffice it to say those pictures are not of sunsets over the beach.

The owner of the 8 sites took the sites down almost immediately and told people to change their passwords.

One disappointing feature of the sites – the passwords, while hashed (the article says “encrypted”), were hashed with an algorithm over 40 years old whose output can be cracked easily.

All this does point out the dangers of posting data and pictures to the web – you don’t know what their security practices are like.  It also points out that web site owners need to get a security review of their web site from time to time to make sure that they are not using 40-year-old insecure algorithms.  Source: Ars Technica.
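What “easily cracked” means in practice, and what the sites should have done instead, as an added example (mine, not code from the sites or from the article).  The article does not name the old algorithm, so a fast unsalted digest stands in for it; the point is identical for any fast unsalted hash.  Beside it is a salted, deliberately slow scheme built from the standard library (PBKDF2-HMAC-SHA256, with an assumed work factor of 310,000 iterations), plus the verify and rehash-on-login functions a site needs around it.  The leaked records and the word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# --- the weak scheme (stand-in): fast and unsalted ------------------------------------
def weak_hash(password: str) -> str:
    """Fast, unsalted digest. Identical passwords give identical hashes, and an attacker
    can test billions of guesses per second against every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak_hash(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one leaked weak hash: one cheap digest per guess."""
    for guess in wordlist:
        if weak_hash(guess) == target:
            return guess
    return None


# --- the hardened scheme: salted and deliberately slow ---------------------------------
PBKDF2_ITERATIONS = 310_000   # assumed work factor; tune so one hash costs ~100 ms on your servers


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    PBKDF2-HMAC-SHA256 is used because it ships with the standard library; Argon2id,
    scrypt or bcrypt are better choices where the library is available."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was made under an older policy; rehash it at the user's next login
    (the only time the site holds the plaintext)."""
    algo, iterations, _salt, _digest = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS


def crack_salted_hash(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Salting and stretching do not make a weak password safe; they make every guess cost
    one full PBKDF2 computation, per user, instead of one SHA-1 shared across all users."""
    for guess in wordlist:
        if verify_password(stored, guess):
            return guess
    return None


# Constructed leaked records and word list, not data from the breach in the article.
LEAKED_WEAK = {"alice": weak_hash("sunshine"), "bob": weak_hash("sunshine")}
COMMON_WORDS = ["123456", "password", "qwerty", "sunshine", "letmein"]

if __name__ == "__main__":
    import time
    t0 = time.perf_counter()
    print("weak hash cracked:", crack_weak_hash(LEAKED_WEAK["alice"], COMMON_WORDS),
          f"({time.perf_counter() - t0:.4f}s, and alice == bob: {LEAKED_WEAK['alice'] == LEAKED_WEAK['bob']})")
    record = hash_password("sunshine")
    t0 = time.perf_counter()
    print("salted hash cracked:", crack_salted_hash(record, COMMON_WORDS),
          f"({time.perf_counter() - t0:.2f}s for {len(COMMON_WORDS)} guesses, one user)")
```

Note that the slow scheme still gives up “sunshine”: hashing buys time, it does not rescue a password on every cracking word list.  What the site controls is the cost per guess and the fact that two users with the same password no longer share a hash, which is exactly what a 40-year-old unsalted scheme gives away.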

 

Saudis “buy” Twitter Employee to Spy on Dissidents

The Saudis do not need any more bad news, but they are getting it anyway.  The Times has reported that the Saudis “groomed” (maybe bribed or blackmailed) a Twitter employee to feed them dirt on Saudi dissidents.  In addition, the Saudis, like the Russians, have mounted a huge disinformation campaign.  Social media has a huge challenge and no easy answers.  Source: The Hill .

 

NY Times Reports US Begins First LIMITED Cyber Ops Against Russia

In spite of the fact that President Trump says that the Russians are not hacking our elections, the United States Cyber Command is targeting Russians to stop them from interfering with the elections.  The campaign started in recent days.

The campaign comes after the Justice Department released a report last Friday outlining a Russian campaign of information warfare.

Not surprisingly, the Pentagon is not talking much about this – just like they would not talk about any spy activities or activities that would likely be considered illegal, aggressive or an act of war by the targeted countries.

Interestingly, the story says that the actions are “measured” and much less than what the Russians are doing.  Why?  Because they are worried that Russia might take down the US power grid or mount some other major cyber attack.

That is not comforting.  Source: NY Times .

 

UK Grocer Morrisons Loses Appeal of Breach Class Action

This is the UK and not the US, but still, this is interesting.  A disgruntled employee downloaded data on 100,000 employees, leaked it to the press and posted it online.  Data leaked include salary and bank account information.

Morrisons was sued not surprisingly but, somewhat surprisingly, lost.  Morrisons appealed the court verdict, but lost the appeal.  They now plan to appeal to the UK Supreme Court.

If they lose there, it will mark a turning point in security law.  The company maintains that they did nothing wrong and it was a rogue employee who leaked the data.  The employee is now in jail.  The court says Morrisons is responsible anyway.  Stay tuned because if the courts hold that companies are responsible for the unauthorized actions of their employees, boy oh boy.  Source: BBC .

Yahoo Settles One More Lawsuit for $50 Mil Plus Credit Monitoring for 200 Million

As Yahoo continues to feel the fallout from its data breaches in 2013-2014 that it failed to disclose, they agreed to another settlement covering 1 billion of the 3 billion users affected.

For this suit, they will pay $50 million, split between Verizon and Altaba (the company that controls what is left of Yahoo) and provide credit monitoring for 200 million people for 2 years.  Add to that $35 million in legal fees.

This, of course, is not the end.  It is only one lawsuit of many plus fines from regulators. Stay tuned for further settlements. This really poorly planned strategy of Marissa Mayer to hide the breach may wind up costing Yahoo and Verizon a billion dollars.  Source: Seattle Pi.

Score One For the Right to Repair Movement

Every three years the Librarian of Congress gets to decide, more or less arbitrarily, who is breaking the law and who is not.  Really.  Specifically, he or she gets to decide who the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) apply to, and why.

Every three years, those people who got an exemption before have to go back to the Librarian and ask, again, mother may I?

One example is that the Librarian said that you can circumvent encryption and DRM tools to jailbreak your phone.

Another exemption allows educators to use encrypted DVDs (and break that encryption) in certain educational settings.

None of this gives you the tools to actually do it, but they can’t put you in jail or fine you millions of dollars if you succeed.

The newest addition to the list of approved exemptions from the DMCA is for the right to repair movement, a growing group that says that people should have the right to repair things that they bought, like cars, iPhones and tractors.  John Deere, for example, said that while a farmer bought the metal pieces of that million dollar combine, they do not own the software that actually makes it work when you turn it on, and if you don’t let an authorized John Deere mechanic fix it, they will try to sue you into oblivion.

Now people can try to fix their cars, tractors, iphones and other devices.  It doesn’t mean that the manufacturers will help you – it just means that they can no longer sue you.  Source: Motherboard .


Security News Bites for the Week Ending Oct. 5, 2018

Web Page Load Times Double Due to Trackers

Trackers, those microscopic bits of pixie dust that web pages and advertisers insert into web pages to track our activities, make a significant negative contribution to user experience.

Full disclosure – this study was done by Ghostery, who makes software – free software – that blocks these trackers.

Ghostery looked at the page load time of the top 500 US web sites as defined by Alexa and discovered that it took, on average, 10 seconds longer to load with trackers enabled than when blocked by Ghostery.

The 10 slowest of the top 500 sites loaded 10x faster without trackers, saving users 84 seconds on average.

Obviously you could run their free software to reduce your page load times and I have run it for years.  It is amazing how many trackers can exist on one web page.  Source: Ghostery

Feds Issue Alert Regarding Remote Desktop Protocol

Sometimes it takes the feds a little while to realize what we have known for years.  Remote Desktop Protocol or RDP is a Microsoft mechanism for remotely logging in to another computer.  Sometimes people (not very wisely) enable this capability over the Internet.

RDP was designed for LAN administrators to remotely access a user’s computer or a server on the same network, so security considerations were never a top priority.  Over the years Microsoft has improved the security of RDP but still – my opinion – it is foolish to enable this so that a hacker in Timbuktu can try to hack into your network.

Finally, after several years of these widespread attacks, the FBI has issued an alert telling people this is not a good practice.  There are ways to secure that RDP connection, the easiest of which is to require remote users to establish a VPN connection first.  Source: Homeland Security.

Adobe Patches 85 Vulnerabilities in Acrobat and Reader

Adobe has released patches for 85 vulnerabilities in Acrobat and Acrobat Reader for both Windows and Mac.  85 is a pretty big number.  Some of the vulnerabilities allow for remote code execution while others allow for information disclosure or privilege elevation.  In other words, an entire buffet of problems.

This points to why it is so critical to understand what apps you have installed and make sure that they are patched quickly.  Every single time patches are released.  On every device in the network.  Desktops.  Laptops.  Servers.  Phones.  Tablets.  Everywhere.  As of today, Adobe says they are not being exploited in the wild – that they know of.  Tomorrow, at a minimum, every foreign intelligence agency in the world will have reverse engineered them and figured out how to use them as a weapon.  That doesn’t count the hackers.  Source:  The Register.

FBI Forces Child Abuse Suspect To Look at His Phone

In August, for the first time ever that we know of, the FBI obtained a warrant to force a person to look at his iPhone X to unlock it using Apple’s face recognition.  A month later he was charged with receiving and possessing child porn.

While no sane person is going to suggest that the judge should not have issued the warrant in this case, it points to the assumption that people have that stuff on their mobile devices is private.  A bad guy could put a gun to your head and that would likely have the same effect as the warrant.

Privacy is a relative term and as long as everyone understands that, we are all good.  Source: Forbes.

DoJ Indicts 7 Russian Hackers;  Odds of Them Standing Trial Are Almost Zero

The Department of Justice announced criminal charges against 7 Russian intelligence operatives this week, charging them with wire fraud, money laundering, identity theft and hacking.

Russia is unlikely to hand them over to the United States to stand trial and unless the Intelligence agents are not very intelligent, they will never visit any country that has an extradition treaty with the U.S.

That being said, a couple Russian criminal hackers (who are likely not as intelligent as GRU officers) have been known to visit countries friendly to us, so it is, technically possible, that they could wind up on trial in the U.S.  Just not very likely.

These indictments add more fuel to the fire that Russia is hacking us, although this is not specifically tied to the elections.  Source: CNN

 

Given that the President has


Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100 acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all people within a 100 acre block of land is a lot of people, most of whom are not suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC .

Maybe Apple’s Security is Not Perfect

A 16-year-old Australian kid has been charged with hacking into Apple’s network multiple times over the course of a year, downloading 90 GB of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are, and has seized several domains that were posing as Microsoft domains and were being run by the Russian spy agency GRU through its hacking group known as APT28/Fancy Bear/Strontium (every vendor has its own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks, since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks; otherwise, why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb and said “what web sites?” and “what do you mean, impacting the elections?”  No surprise there.

One of the think tanks is the Hudson Institute, where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9/11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates.  Source: CNN

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched server running Apache Struts.  Now there is another Apache Struts bug and this one is being called critical.  Its CVSS (Common Vulnerability Scoring System) score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMware?  Well then, you might be using Struts (depending on exactly which product from those companies you use).  Source: Risk Based Security.
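This is where the software bill of materials from the Commerce Department item above earns its keep: if every vendor shipped one, answering “am I running an affected Struts?” would be a query rather than a guessing game.  As an added example (mine, not code from either article or from any SBOM tool), the block below walks a CycloneDX-style SBOM, including libraries nested inside a vendor product, and matches each component against advisory-style version ranges.  The version comparison is the part people get wrong (string comparison says “2.5.9” is newer than “2.5.16”), so it is done numerically, with a pre-release suffix sorting before the plain release.  The SBOM, the product names and the vulnerable ranges are constructed for the example and are not copied from any advisory; use the vendor’s published ranges for real work.

```python
import json
import re
from typing import Iterator, List, Tuple

# Illustrative vulnerable ranges in the shape advisories use: (group, artifact, lowest and
# highest affected version, both inclusive). Constructed for this example, not copied from
# any advisory; check the vendor's advisory for the real ranges.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.3", "2.3.34"),
    ("org.apache.struts", "struts2-core", "2.5", "2.5.16"),
]


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions: '2.5.9' < '2.5.16'; '2.3' == '2.3.0';
    a pre-release suffix ('2.5.17-rc1') sorts before the plain release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))                # pad so 2.3 and 2.3.0 compare equal
    return tuple(nums[:4]) + (0 if m.group(2) else 1,)


def is_affected(version: str, low: str, high: str) -> bool:
    """Inclusive range test using the numeric key."""
    return version_key(low) <= version_key(version) <= version_key(high)


def walk_components(components: list, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], dict]]:
    """Yield (path, component) for every component, descending into nested ones. CycloneDX
    lets a vendor product list the libraries it embeds, which is exactly how a copy of Struts
    hides inside a product you never think of as 'using Struts'."""
    for comp in components:
        here = path + (f"{comp.get('group', '')}:{comp['name']}@{comp['version']}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_vulnerable(sbom: dict, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Return (dependency path, affected range) for every component inside a vulnerable range."""
    hits = []
    for path, comp in walk_components(sbom.get("components", [])):
        for group, name, low, high in advisories:
            if (comp.get("group") == group and comp["name"] == name
                    and is_affected(comp["version"], low, high)):
                hits.append((" -> ".join(path), f"{low}..{high}"))
    return hits


# Constructed CycloneDX-style SBOM: two vendor applications that embed Struts (one patched,
# one not) plus a direct dependency. Names and versions are made up for the example.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "group": "com.example", "name": "portal-app", "version": "3.1.0",
     "components": [
       {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.5.16"}
     ]},
    {"type": "application", "group": "com.example", "name": "reporting-tool", "version": "1.0",
     "components": [
       {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.5.17"}
     ]},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.3.34"}
  ]
}
""")

if __name__ == "__main__":
    for dep_path, affected in find_vulnerable(SAMPLE_SBOM):
        print(f"VULNERABLE {dep_path}  (affected: {affected})")
```

The output names the vendor product that carries the vulnerable library, which is the actionable bit: the fix for the nested copy is a vendor patch, not a change to your own build.  Real SBOMs also carry package URLs (`purl`) that make the group/name match less fragile than the string comparison used here.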
