
Security News for the Week Ending October 18, 2019

Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy

In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results. 54 state agencies did not respond to the audit at all. Of those that did respond, 38% did not encrypt sensitive data, 22 agencies had not conducted a third-party security risk assessment, and 11 did not even have a cybersecurity policy. Overall, more than half of the respondents (remember, 54 agencies did not respond) were less than 75% compliant with state law. State agency heads know that, unlike you or me, they are not going to be hauled into court for breaking the law, and if they are fined, it isn’t their money. I wonder how typical this is in other states. Source: Govtech

 

Karma Wins

Dark web website BriansClub (named after former WaPo journalist turned security author, columnist and speaker Brian Krebs, but which has no relation to him) was hacked.

BriansClub is in the business of selling stolen credit cards and apparently they do very well, thank you. In the first 8 months of this year, the site sold about 9 million stolen credit cards, netting the site’s operator $126 million (in 8 months). If we assume an average loss to the credit card issuer of $500 per card, that represents roughly $4.5 billion in fraud losses.

But now hackers hacked the hacker and stole 26 million credit cards from them.  Needless to say, BriansClub can’t ask the cops for help.

Remember that this is only ONE site on the dark web, so you can kind of get an idea of the massiveness of online fraud.

Krebs shared this data with the fraud teams in the credit card industry, so hopefully they can shut off these cards and make life a little better for the victims.

Source: Brian Krebs

 

Hotel [NON] Security

Kevin Mitnick, the Chief Hacking Officer of security training company KnowBe4, posted a video on YouTube about the security – or more accurately the lack of security – of hotel room safes.  I always assumed that they had backdoors because people are pretty likely to forget whatever they set the combination to.

On the other hand, if nobody changes the override code from the factory default of all zeros, that backdoor is open to anyone who knows it. See the video on YouTube.

 

One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack

One of the President’s web sites left a debugging tool enabled which allowed an attacker to hijack the site’s email server and intercept, read or send emails from that domain.  Trump’s website is one of hundreds that have left the tool enabled.

The researcher who discovered it worked very hard – much harder than he should have had to – to get the Trump campaign to fix the bug. How long the data on the site was exposed is unknown. Source: Threatpost.

 

Samsung Issues Alert for Fingerprint Reader Fail

Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of your S10 anyone’s fingerprint will unlock the phone.

Samsung’s response was that you should only use official Samsung accessories.  FAIL!!!   Early Samsung branded screen protectors had a hole over the fingerprint sensor to fix this problem.  Why fix the problem if you can die cut the screen protector for a whole lot less?

Samsung is working on a fix, but this is another example of convenience over security.  Fingerprint and facial scan readers on inexpensive (relatively) consumer devices are low security.  In fact, biometrics should never be used to authenticate you, only to identify you.  Source: Ars

 


Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box). Attackers, somehow, compromised the development environment and injected malware, then let the normal build process compile it, digitally sign it and distribute it through the software update channel. Because the malware went through the vendor’s own pipeline, it carried a valid vendor signature and the update client had no reason to reject it. Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone. Kaspersky Lab, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.
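The following is an added example, not code from the original post or from any of the vendors named above, that shows why a valid vendor signature did not protect Asus customers: whatever a compromised pipeline feeds the signing step gets a legitimate signature, so an update client that checks only the signature accepts the implant. The build pipeline, the keys, the source tree and the implant are all constructed here, and HMAC-SHA256 stands in for the vendor’s code-signing key (real pipelines use asymmetric signatures, but the logic is identical). The second check, comparing the shipped binary against a digest obtained from an independent rebuild of the same source, is an assumption about what a defence could look like, not something the post or Kaspersky describes.

```python
"""Signed-malware demonstration: a compromised build pipeline produces a
validly signed trojanized update; only an independent second check catches it."""
import hashlib
import hmac

# Constructed stand-in for the vendor's release key (kept on the build server,
# which is exactly the machine the attackers controlled in the Asus case).
VENDOR_SIGNING_KEY = b"vendor-release-key-on-the-build-server"

# Constructed stand-in for the vendor's source tree.
SOURCE = b"source-tree-snapshot"


def sign(payload: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Vendor signing step (HMAC-SHA256 as a toy signature)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def vendor_signature_ok(payload: bytes, signature: str,
                        key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a naive update client checks: does the vendor signature verify?"""
    return hmac.compare_digest(sign(payload, key), signature)


def build_and_sign(source: bytes, implant: bytes = b"") -> tuple[bytes, str]:
    """Simulated release pipeline: 'compile' (concatenate) then sign.

    `implant` models code injected into the development environment before
    the signing step, which is how the Asus malware got signed.
    """
    binary = b"COMPILED:" + source + implant
    return binary, sign(binary)


def independent_digest(source: bytes) -> str:
    """Digest an independent party obtains by rebuilding the same source on a
    machine the attacker does not control (reproducible-build check; an
    assumption for this example, not part of the post)."""
    binary, _ = build_and_sign(source)
    return hashlib.sha256(binary).hexdigest()


def client_accepts(binary: bytes, signature: str,
                   expected_digest: str) -> tuple[bool, str]:
    """Hardened update client: vendor signature AND independent digest must match."""
    if not vendor_signature_ok(binary, signature):
        return False, "bad vendor signature"
    if hashlib.sha256(binary).hexdigest() != expected_digest:
        return False, "valid vendor signature, but does not match the independent build"
    return True, "ok"


if __name__ == "__main__":
    clean, clean_sig = build_and_sign(SOURCE)
    trojan, trojan_sig = build_and_sign(SOURCE, implant=b"+implant-stage1")
    pinned = independent_digest(SOURCE)
    # Signature-only check: the trojanized build passes, which is the whole problem.
    print("signature-only accepts trojan:", vendor_signature_ok(trojan, trojan_sig))
    print("hardened client, clean build: ", client_accepts(clean, clean_sig, pinned))
    print("hardened client, trojan build:", client_accepts(trojan, trojan_sig, pinned))
```

The point of the second check is that it depends on something the build server does not hold: a digest produced elsewhere from the same source. Anything that lives entirely on the compromised pipeline, the signing key included, is useless as a control once that pipeline is owned.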

 

Samsung warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV. When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register

 

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Diagnostics and LabCorp, among others. But there is another part of the story.

As I have reported, the source of the breach was a third-party vendor, American Medical Collection Agency (AMCA). This is the vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats from a sinking ship.

As a result of that, the lawsuits already filed and yet to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

 

Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago. Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very highly and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  They have now agreed to implement a number of IT projects that have been ignored for years and spending $18 million.

In this case, the hacker was bolder, asking for $600,000, which, if the city has the typically poor IT practices (no usable offline backups), was the only way to get its data back.

The reason why we hear about all of these attacks on cities is that their budget process is, by law, much more public. If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it. Source: CBS.

 


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with its own third-party vendor – from the bank’s point of view, a fourth-party vendor risk.

The small bank wants to issue credit cards, so it hires TCM, and TCM hires someone else, and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth-party breach. The Feds – the FFIEC or the OCC or the FDIC – plus the state regulators will be asking lots of embarrassing questions. Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April. In May, at the end of which GDPR came into effect, there were 750 breaches reported. In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Russians or the Chinese look at their source code. Source: Bleeping Computer.

 

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones. If Samsung can figure out what is happening, they may be able to develop a patch, and that patch would likely be available to the users of the new phones. If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. All of this assumes that users bother to install the patches that are available, which is probably less than a 50/50 bet. Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security. Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated. The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor. Source: BBC.

 


Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices. For example, it is far less risky to control your lightbulbs than your front door lock. If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


Smart TVs And Your Privacy

 

Samsung made some news last week. As we know, some smart TVs are always listening to the talking in the room. The way the software works is that it captures all voice and looks for the trigger words. Samsung, in its privacy policy, said

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

So if you talk about your health, marital situation, a terrorist plot or anything else, that will be sent to Samsung and to the third parties that they use.

After the freak out ended, Samsung attempted to clarify what happens by saying this:

“If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.”

It is not clear that this “clarification” made anyone feel any better.

So who does Samsung share your information with?

  • Affiliates – Samsung owned companies
  • Business partners
  • Service Providers
  • Law Enforcement

We don’t know what other TV makers do with your voice, but it is likely similar.

In addition, that data may be kept forever.  Their policy doesn’t say how long they keep it.

If we shift the conversation to the fight between Apple and the Department of Justice, maybe we need to ask if the San Bernardino shooter had a smart TV.

Likely, as with other Patriot Act warrants, the TV makers would not be allowed to tell you that the Feds want your conversations. In very general terms, they could tell everyone, after the fact, only the range into which the number of warrants they received falls.

There is a simple solution of course – don’t buy a smart TV or don’t enable the voice feature on it.

 

Information for this post came from SecureWorldExpo.


Android Security Is Improving – But Not As Good As iPhone

The Android community is slowly beginning to understand that they are going to have to step up to the plate and deal with security like Apple has done from the beginning.  The challenge is that unlike Apple, where there is one master in control, the Android community is fractured.  The only one who has any hope of pulling off a solution is Google.  They have the size (money) and the motivation to fix the problem.

Two examples popped up today.

First, Google has stepped up and is issuing monthly security updates – like Microsoft has done for a long time.  Some vendors, such as Oracle, choose to announce patches quarterly.  The advantage of that is that you only have to make 4 updates a year.  The disadvantage is that the patch releases are monstrous – with hundreds of patches  in each one – so many companies just ignore them.  Typically, Microsoft’s monthly patch release is in the low teens for number of patches and often those are bundled so users have to deal with less details.  Also, the bugs are fixed sooner with monthly releases.  I vote for monthly.

In this month’s Google patch release, there are two patches for bugs which can be exploited remotely with specially crafted media files (Argh!, again). This is a continuing effort to clean up the fright fest which is Android’s media handling, called Stagefright; you may remember that there were two earlier patch rounds to fix problems in Stagefright. This is number 3. Expect more – they are announcing them as they fix them. There are also 3 other patches in this month’s collection.

Owners of Google Nexus phones will get these patches quickly. Owners of phones from other manufacturers will need to wait until the manufacturers decide to release the patches.

I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.

The other article is about Android Bloatware or Crapware.  Those are the terms for all of the garbage that phone manufacturers think that you want and they need to add to differentiate their phones from their competitors.  In most cases, they are so sure that you want this garbage that they do not give you a way to remove it.  In fact, in many cases, they are being paid by the manufacturers of the software to install it on your phone, which is why they do not let you remove it.  This is another advantage that Apple has.  They control the phones.  Since there is no competition, they control the price and don’t have to install Crapware to subsidize the price of the phone.  This is one reason why Apple phones are more expensive than Android phones.

Google has a research team (Project Zero) that hunts for bugs. Besides hunting for bugs in Windows, Mac OS X and Linux, they are now looking inside Android phones. This month, they announced, they found 11 bugs inside the Samsung Galaxy S6 Edge crapware. These bugs likely won’t be on a Galaxy S5 or on an LG phone, as the crapware, for the most part, is tailored to the phone. Who did Samsung make a deal with for this particular phone?

The biggest risk is in software drivers – that software that talks to the hardware and has the most permissions.  That is where these bugs, for the most part, were found.

The good news is that Samsung has fixed these. The bad news is that there are hundreds of phone models, and Google’s researchers do not have the resources to review that many phones.

The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.

One more point.  The patches that Google released ONLY patch Lollipop (5.x) and Marshmallow (6.x).  Almost no one is running 6.x – it is brand new – and less than 15% are running 5.x according to a statistic that I just found.  Almost 75% of the Android users are running 4.x and the patches just released DO NOT protect those users.

In their defense, Apple does the same thing.  They patch the current release and one release back typically.

For Android users, they need to understand that if they are saving money by not upgrading their phones, they are at greater risk for being attacked because these old phones are not being patched.

As Google ramps up their security efforts and releases more patches, they are giving the hackers a road map for how to attack these old phones, making them more vulnerable every month.
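Whether a given phone is in the “patched” or the “out of luck” group is something you can check for yourself. The script below is an added example, not from the original post or from Google; it classifies a device from the output of `adb shell getprop` (real Android build properties: `ro.build.version.release` on every device, and `ro.build.version.security_patch`, which only appears on 6.0 and later, so its absence on a 5.x build means the patch level simply is not reported). The sample `getprop` output is constructed, not captured from a real phone; the set of supported major versions and the “stale after two months” threshold are assumptions that match this month’s bulletin covering 5.x and 6.x, and `adb` on the PATH is assumed only for the live query.

```python
"""Classify an Android device's security-patch status from `getprop` output."""
import re
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device):
# a Marshmallow build that reports its patch level.
SAMPLE_MARSHMALLOW = """\
[ro.build.version.release]: [6.0]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2015-11-01]
[ro.product.model]: [Nexus 5X]
"""

# Constructed sample of a KitKat build: no patch-level property exists there at all.
SAMPLE_KITKAT = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [19]
[ro.product.model]: [GT-I9505]
"""

# getprop prints one "[name]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)

# Major releases covered by the monthly bulletin discussed above (assumption: Lollipop and Marshmallow).
PATCHED_MAJORS = {5, 6}


def parse_getprop(text: str) -> dict[str, str]:
    """Turn raw getprop output into a {property: value} dict."""
    return dict(PROP_RE.findall(text))


def months_behind(patch_level: str, today: date) -> int:
    """Whole months between a YYYY-MM-DD security patch level and `today`."""
    year, month, _ = (int(part) for part in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)


def assess(getprop_text: str, today: date, patched_majors=PATCHED_MAJORS,
           max_months: int = 2) -> dict:
    """Classify a device as unsupported / unknown / current / stale."""
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "")
    major = int(release.split(".")[0]) if release else None
    patch = props.get("ro.build.version.security_patch")
    result = {"release": release, "major": major, "patch_level": patch}
    if major not in patched_majors:
        # No monthly patches are produced for this release line at all.
        result["status"] = "unsupported"
        return result
    if patch is None:
        # Supported line, but the build does not report a patch level (pre-6.0 builds).
        result["status"] = "unknown"
        return result
    behind = months_behind(patch, today)
    result["months_behind"] = behind
    result["status"] = "current" if behind <= max_months else "stale"
    return result


def read_device() -> str:
    """Query a connected device; assumes `adb` is on the PATH and a device is attached."""
    return subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    today = date(2015, 11, 15)  # fixed so the sample output is reproducible
    for sample in (SAMPLE_MARSHMALLOW, SAMPLE_KITKAT):
        print(assess(sample, today))
    # For a real phone: print(assess(read_device(), date.today()))
```

The important branch is the first one: a 4.x device is not “stale”, it is simply outside the set of releases that get patches, which is the situation the post describes for roughly three quarters of Android users.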

Just food for thought.

Information for this post came from two articles in Network World – here and here.
