Tag Archives: Security

Tips to Keep Remote Workers Safe(Safer)

As my son likes to say, nothing it bulletproof – it all depends on the size of the bullet.  Likewise, nothing is 100% secure (except the computer that has never been taken out of the box)  but your actions can improve the odds dramatically.

Here are some recommendations from Dark Reading.  Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more.  Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

So here are the tips:

  1. When working remotely, use two computers – one for work and one for personal stuff.  Besides the fact that malware on one might not infect the other, there are many other reasons that you might want to do this (like not wanting your boss to snoop on your personal stuff or backup your nude selfies on the company backups).
  2. Use only approved software on your company computer – many companies won’t let you install other software but many do let you.  There is a reason they approve the software that they do;  it goes through a vetting process.  It might be inconvenient, but so is getting breached.
  3. Don’t rely on a consumer-grade router, Wi-Fi hotspot or Firewall – I could go on all day about this one.  If your router, Wi-Fi or firewall is provided by your home Internet provider, you can assume that it is the best equipment that your provider can buy for $5 or $10.  Some Internet providers require that you use their equipment but there are no rules that say that you can’t put your own  firewall between the box your Internet provider uses and your computers.  That is what I do.  My firewall cost me $200.  But it runs the same software that you use in your office.  This is a case of you get what you pay for.  My Internet provider has not patched their firewall since 2013.    I am sure that there were no bugs fixed in the last 6 years.
  4. Ensure that your Firewall is configured securely – Your Internet provider will configure any equipment that they provide to minimize the number of support calls that they get.  That saves them money.  If that happens to make things more secure, that is a coincidence.  Mostly, it will make things less secure.  YOU are responsible for the security of your home network.
  5. Connect to your corporate network using a VPN – Using a VPN will definitely improve the security of your connection.  If you are a techie and you manage cloud servers from home, use a VPN connection to manage those as well.  Again, many free VPN services are worth exactly what you pay for them.  And some of them are even run by China – I am sure those are very secure.
  6. Be wary of public Wi-Fi – I am sure that your local coffee shop has all the best intentions when they offer you FREE Wi-Fi, but again, you get what you pay for.  Their IT department likely manages the network in between grinding and serving coffee.
  7. Harden your wireless access point(s) – There are lots of ways to improve the security of your Wi-Fi, especially when you are located in a high density location.  A friend of mine lived in New York and never paid for Internet, he only mooched off neighbor’s Wi-Fi.  Wi-Fi 6 is coming soon as is WPA-3.  Both will improve your security but both will require either software or hardware upgrades.
  8. Keep a very close watch on your stuff when you travel – I recently did a TV interview discussing a poor fellow who got his credit cards stolen while he was in the grocery store.  90 minutes later the crooks had racked up $23,000 worth of charges on his cards.  Hotel rooms and hotel safes are notoriously insecure.  If you don’t need to take it when you travel LEAVE IT AT HOME!  Otherwise, secure it as best you can.
  9. Update system and software patches regularly – this includes your phone and your tablet, in addition to your computer and ONLY update from a secure location – NEVER from public Wi-Fi.  Note that this includes all of your apps in addition to your operating system.
  10. Update your system’s firmware – do you even know what firmware is?  It is the software that runs the software that you see.  Almost nothing is done in pure hardware these days.  That includes updating the firmware in your firewall, router, Wi-Fi and especially your phone.  Some equipment can be configured to automatically update (Apple is really good about this) and while that might, occasionally cause problems, overall, auto-update is the way to go.

Come back tomorrow for more tips.  That’s all for now.

Facebooktwitterredditlinkedinmailby feather

DoD Releases Draft CMMC Guidelines

The Department of Defense is probably the largest software development (and hardware development) organization in world but unlike say Microsoft or Cisco, almost all of the development is performed by third parties – the so called defense industrial base or DIB.

It is also likely the number one target of nation state hackers since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it.  For example, China stole the plans for the F-35 and built the J-31 (see news item here).  Unfortunately, that is far from an exception.

The DoD has been trying to tighten up security among the base of hundreds of thousands of contractors (there are 300,000 + contractors that handle sensitive unclassified information called CUI and that is just one category of information).

The government wrote a security spec called NIST SP 800-171 but enforcement has been weak.

This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Capability” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.

The plan is that all DoD suppliers will be required to be certified by a third party. Every year,

While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now.

  • There are 18 domains
  • The domains are comprised of capabilities
  • The capabilities have processes and practices
  • Certification runs from level 1 to level 5
  • Level 1 requires basic cybersecurity in an ad hoc manner and is designed for small companies who are not working on very sensitive projects
  • Level 5 is advanced security practiced in an optimized fashion
  • There are 35 practices for level 1
  • For level 5, which includes levels 1-4, there are 370 practices – all subject to change at this point
  • Very few companies will need to be certified at level 5

Click here to review the overview document for version 0.4.

For those people who are familiar with the NIST Cyber Security Framework (CSF) or NIST SP 800-53, this will all look very familiar.

The problem is that a large number of defense suppliers are small businesses that have no security program at all.  For these companies, they will be required to get to at least CMMC Level 1 and be certified annually by a third party.  This could come as  a shock to some.

While DoD messed around with enforcing NISP SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this.  WE. SHALL. SEE.

The plan is for the standard to be done by January – warp speed for DoD, be included in RFIs by June and be included in RFPs by September.  Assuming they don’t blink (and it would be easy to put it into selective RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.

A complete copy of the draft can be found here.

My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now.  If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 thru 5.

DoD has also said that they are going to start including security along with cost, schedule and function in contract awards and Katie Arrington has publicly said that DoD understands that they are going to have to pay for some of this.  Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, who is the Undersecretary for Acquisition and Sustainment – the person who is responsible for buying tens of billions of dollars of weapons every year.

Read these documents and get started now because if DoD actually does what it says, it will be a scramble to comply and if they actually make security an award criteria, doing it later won’t matter – you won’t get the award.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

For many people, who do not love Facebook, they would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members have been removed.  No doubt, immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?)   Source: SC Magazine.

 

China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Hauwei 5G controversy, western intelligence is concerned that they might eavesdrop on the data since just one cable with multiple fibers might carry 100 gigabits of traffic or more –  a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

Since the U.S. has repeatedly preferred a less secure Internet to make it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack as has been revealed over the last few years as just  one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000  sites and have published the personal information (names, phone numbers and street addresses)  of about 4,000 federal agents such as the FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million  people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.

 

Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000 then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Cars2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.

Facebooktwitterredditlinkedinmailby feather

The Unpatchable Bug In All Modern Cars

We have seen a number of hacks of cars including the hack of a Jeep driving down the highway at 60 miles an hour – from miles away – on 60 Minutes, but now researchers have come up with a new attack – one that cannot be patched.

The CAN bus or Controller Area Network bus, is the main communications highway in all cars built, at least, in the last 25 years.  The standard, designed in 1983 and in use since 1989 has not really changed very much since then.

In 1983 no one really worried about hackers so the bus has no security, no authentication and no encryption.

Today, almost every single car and light truck is controlled by the CAN buses in it.

Researchers from Trend Micro, Politecnico di Milano and Linklayer Labs discovered that you can overwhelm the bus with error messages.

Right now, today, the attack requires local access to your car.  That was the case with the Jeep attack – until attackers figured out how to do it remotely.

The attack injects error messages onto the bus which can, eventually, cause devices like the anti-lock brake controller or the airbag system to go offline and deactivate.  Since almost all car functions from the brakes to the engine control are computerized and attached to one of the CAN buses, if you can cause those devices to go offline, you will disable those functions.

Worse yet, without redesigning the CAN bus protocol, there is very limited remediation that car manufacturers can make.  On top of that, it is UNLIKELY that any cars currently on the road will ever be fixed because this is not a bug – it is, basically,  a feature.

SO, next time you get into your car… Well, I am not what you can do.

Information for this post came from The Hacker News.

Facebooktwitterredditlinkedinmailby feather

How are public restrooms and public computers alike?

There is an article in Slate that suggests that we should treat public computers like we treat public restrooms – very cautiously.

I had never made that analogy before, but I do like it.

Both public restrooms and public computers may harbor germs and viruses.  Both may have been frequented in the recent past by people of dubious character and you don’t know what you might catch if you visit either one of them.

The article talks about hackers installing key logging software on hotel business center computers, thereby grabbing every keystroke you type – including userids and passwords, of course.  The article is based on a US Secret Service advisory from early July 2014, so I am guessing that the Secret Service found some infected computers.  Obviously, this type of attack is not limited to Hotels – schools, libraries and any other place where shared computers are available are susceptible to this kind of attack.

I know that on those rare occasions that I use public computers, I sort of touch them gingerly and would never use them for anything important – like online banking or paying bills for example.

The article says, and I would agree with it, that it is not hard to install such software on most business center computers, although it is also fairly easy to make it more difficult to do.  (It is impossible to make something bullet PROOF.  On the other hand, bullet RESISTANT is definitely possible).  In the old days, you just stuck a wedge on the parallel port and came back later to retrieve it.  Now all you do is log on to your internet connection and harvest the data.

Unfortunately, there is not the equivalent of the sheet of tissue paper to put down before you use the public computer, so beware.

M

Facebooktwitterredditlinkedinmailby feather

iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow  someone to bypass all of Apple’s security and encryption features.  The researcher did not say that  either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellbrite and Elcomsoft either have discovered these features or were informed about them and may be using them to suck data  out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, are not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.

M

Facebooktwitterredditlinkedinmailby feather