Tag Archives: VCRM

Security News for the Week Ending July 5, 2019

This is What Spies Do

It has come out that Western intelligence agencies (read: one or more of the Five Eyes countries) inserted malware into Yandex (Russia’s equivalent of Google) in order to steal administrative credentials.  The purpose was, apparently, to read emails of interest to the Western spies.  We need to understand that we do it to them and they do it to us, but the idea is to make it hard for them and easy for us.  Source: Reuters.

Firms That Claim to be Able to Reverse Ransomware Sometimes Lie

Another so-called “Data Recovery” firm that claims to be able to recover from ransomware in fact just pays the ransom and marks the cost up.  The most recent firm to be outed is Red Mosquito Data Recovery, which was caught when it became the target of a sting.  The researcher played the role of both the victim and the ransomer and discovered what Red Mosquito was doing.  Remember that if you do pay the ransom, you still need to rebuild your systems from the ground up because you do not know what time bombs or back doors the ransomer left behind.  Source: Propublica.

Trump Changes His Mind – Huawei Not a National Security Threat?

After tweeting for months that Huawei is a national security threat, that their equipment needs to be banned in the US and abroad and that existing equipment needs to be removed, the President now says it is okay if we sell Huawei parts.  This happened the day after he met with Xi at the G20, and it is reported Xi told him that the trade war would continue until the ban was removed.  While the ban has not been removed, this is a hole wide enough to drive a tractor trailer through.  Source: The Register.

One Terabyte of Police Bodycam Video Available on the Dark Web

In another example of companies not requiring vendors to have adequate cybersecurity programs in place, researchers found a terabyte (that is 1,000,000,000,000 bytes) of police bodycam video from Miami and other cities available on the dark web.  It is likely this video has been copied and sold.  Miami PD is not talking.  Probably a good time for the police to plead the Fifth.  The problem is linked back to 5 IT vendors who did not protect the data.  Either the police departments did not care (worst case) or did not do proper due diligence (best case).  I hope they have a bunch of insurance because you know that there will be lawsuits.  At some point people will figure out that even though vendor cyber due diligence is hard, getting sued and defending yourself is even harder.  Source: The Register.

If China Can’t Buy Memory Chips From the US, it will Get into the Memory Biz and Compete Against Us

In the “trade wars are hard” department, the Chinese just convinced the godfather of Japan’s DRAM business to come to China and head up a company that plans to build its own memory chips.  This is likely a result of the current trade war.

If successful, the result will be that western memory chip makers will lose all of their sales to China, but more importantly, China might flood the market with cheap memory chips, damaging the worldwide multi-billion dollar memory business.  Source: The Register.

Microsoft to Require CSPs to Use Multi-Factor Auth

In light of the recent leak of details on Cloud Hopper, Microsoft is becoming very visible and requiring its Office 365 resellers to use multi-factor authentication in order to reduce the risk that they represent to the ecosystem.  This is a proactive effort on their part – likely – as they have not been publicly named as a Cloud Hopper victim, but they certainly are a target.  Source: Brian Krebs.

 

Presidential Alerts Spoofable

Okay, no jokes about our current President’s love of twitter.

Researchers at the University of Colorado (CU) have demonstrated how easy it is to spoof the Presidential alerts – assuming you even get them (you may remember they tested the system last year and lots of people, including me, didn’t get the test).

In this case, the CU researchers say that 4 low-power base stations could target every person in a football stadium of, say, 50,000, causing mass panic.  While it might be hard to get these briefcase-sized devices inside a football stadium, it would be pretty easy to get them into soft targets like office buildings or shopping centers, and depending on the message (e.g. inbound nukes from China, detonating here in 10 minutes), it could cause mass panic.  Source: BBC.


Supply Chain Attacks Are Going Strong

This time the attack is against an eCommerce platform, PrismWeb, that is used by College bookstores.

The attack is similar to other attacks, in that the hackers somehow got into the company’s system and inserted a tiny bit of JavaScript that steals credit card data – very similar to Magecart, which is affecting sites from TicketMaster to British Airways.  PrismWeb is integrated into the various college bookstore websites, and when a student goes to check out, the malware is downloaded from PrismWeb as part of the JavaScript needed to operate the checkout process.

These attackers are clever in that the attack takes the data, formats it as JSON, encrypts it and uploads it in a way that makes it look like Google Analytics traffic.

The data being stolen is the credit card number, expiration date, CVV, billing name and address, and phone number.

Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.

What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.

If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.

One thing that all of these attacks have in common is that the data is being uploaded from your site to the attackers.  If your site should not be uploading data unsolicited (that is, not in direct response to a user’s request), you need to be aware when this is happening and alert on it.

Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
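As an added illustration of the point above (example code written for this post, not code from the article, PrismWeb or any of the affected bookstores), the block below takes a list of outbound requests observed from a checkout page and flags any that go to an origin outside a known-good allowlist, ranking data-carrying uploads first. It also builds the Content-Security-Policy header that lets the browser enforce the same allowlist and report violations. The bookstore and checkout-vendor hostnames, the sample request log and the `/csp-report` collector path are constructed for the example; `www.google-analytics.com` is the real analytics endpoint the skimmer traffic was dressed up to resemble.

```javascript
// Added example, not from the article: detect outbound requests from a checkout
// page that go anywhere other than the origins the page is known to need, and
// emit the CSP that would block them in the browser.

// Origins the checkout page legitimately talks to. Constructed for this example;
// a real list is built by observing a known-good checkout flow.
const ALLOWED_ORIGINS = [
  "https://shop.example",              // the bookstore itself (hypothetical)
  "https://checkout.platform.example", // hosted checkout vendor (hypothetical)
  "https://www.google-analytics.com",  // real analytics endpoint
];

// Exact-origin comparison (scheme + host + port). A lookalike such as
// https://www.google-analytics.com.cdn-host.example has a different host and
// therefore a different origin, so it is not allowed.
function isAllowedOrigin(url, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // an unparseable destination is never "allowed"
  }
  return allowed.includes(parsed.origin);
}

// Given observed requests ({url, method, bodyBytes}), return those that leave
// the allowlist. Requests carrying a body are the upload pattern described in
// the article, so they are sorted to the top.
function findUnexpectedUploads(requests, allowed = ALLOWED_ORIGINS) {
  return requests
    .filter((r) => !isAllowedOrigin(r.url, allowed))
    .map((r) => ({
      url: r.url,
      method: r.method,
      bodyBytes: r.bodyBytes || 0,
      reason: (r.bodyBytes || 0) > 0
        ? "data sent to an origin outside the checkout allowlist"
        : "request to an origin outside the checkout allowlist",
    }))
    .sort((a, b) => b.bodyBytes - a.bodyBytes);
}

// Build a CSP header value that makes the browser enforce the same allowlist:
// scripts may only load from, and fetch/XHR/beacon calls may only go to, the
// listed origins; violations are posted to the site's own collector path.
function buildCsp(allowed = ALLOWED_ORIGINS, reportPath = "/csp-report") {
  const sources = allowed.join(" ");
  return [
    "default-src 'self'",
    `script-src 'self' ${sources}`,
    `connect-src 'self' ${sources}`,
    `report-uri ${reportPath}`,
  ].join("; ");
}

// Constructed sample of what a checkout page's network log might contain.
const SAMPLE_REQUESTS = [
  { url: "https://checkout.platform.example/api/cart", method: "POST", bodyBytes: 512 },
  { url: "https://www.google-analytics.com/collect?v=1&t=pageview", method: "GET", bodyBytes: 0 },
  // lookalike host: the allowed name is only a prefix of a different domain
  { url: "https://www.google-analytics.com.cdn-host.example/collect", method: "POST", bodyBytes: 1890 },
  { url: "https://shop.example/static/checkout.js", method: "GET", bodyBytes: 0 },
  { url: "not a url", method: "GET", bodyBytes: 0 },
];

console.log(findUnexpectedUploads(SAMPLE_REQUESTS));
console.log(buildCsp());
```

Run with `node`. The comparison is on the full origin rather than a substring of the hostname, which is what defeats the “looks like Google Analytics” trick: a host that merely starts with the analytics name is a different origin and is flagged. The generated CSP is the mitigation side of the same allowlist, and the violation reports it produces are the alert the article asks for.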

Ultimately, the problem is with the vendor.  Somehow they were compromised.  And the compromise was not detected.

In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.

MAYBE they will be compensated.  Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win).  That is all a function of how well their Vendor Cyber Risk Management process works.

Ultimately, it is your problem to deal with and right now, most companies are not paying enough attention to it and the hackers are having a field day.  That is, until they are hacked.  At which point they throw millions at it.  Not a great strategy  – for YOU or for YOUR CUSTOMERS.

Source:  Bleeping Computer.

 


Vendor Risk Management Common Misconceptions

If yesterday’s post (on Asus) and many of my posts in the past are any indication, supply chain risk is a huge problem and not very well handled at many companies.  Part of the reason why is all of the misconceptions we have.  Here are a few, and why they are misconceptions:

The vendor is a large company; surely they have a great security program.

Equifax was a vendor to thousands of companies.  No problem here.

Marriott was a vendor to millions of customers.  Any problems?

The DoD Office of Personnel Management had 25 million customers.

You get the idea.

We haven’t given the vendor any Non-public Personal Information (NPI) so there is not much risk.

More states are shifting the standard of care to personally identifiable information (PII).  That is a much bigger footprint.  If the vendor has your customer’s PII and the vendor has a breach, guess who is on the hook legally?  Answer: you.  Because you picked the vendor.

The vendor is privately held, so we can’t get any information on them.

Even if the vendor is privately held you can ask for information.    You can ask for an accountant’s statement.  You can ask about their cybersecurity program.  You can ask for a lot of information.  Do so.

We don’t give our vendor data in electronic format, so there is not much risk.

While paper is lower risk, it is not no risk.  Your shredding service only gets paper.  Likewise your document storage vendor.  Consider each situation carefully.

The vendor’s security is probably good because they are well known.

Target is well known.

Home Depot is well known.

Marriott is well known.

And hundreds of others.  Any questions?

Our vendor was hacked, but they say that they fixed the problem.

Maybe, but maybe not.  It depends.  Did they put a band-aid on the problem or did they fix the systemic issues underlying it.  Ask questions.  This will likely take a bit of digging, but do it anyway.

This vendor has a breakthrough product; surely their security is good too.

Again maybe, but maybe not.  Sometimes breakthrough features are deemed to be more important than security and privacy.  Don’t assume.

The vendor won’t give us what we ask for so we are out of luck.

Maybe.  How important is what you are asking for?  Should you consider a different vendor?  Will they let you look at it but not keep it  (maybe in person or maybe over a web conference)?  Is there alternative information that would work?  They do likely want your business, so engage them to help you figure it out.

The vendor’s security program looks strong, so their third parties (our fourth parties) are strong too, right?

Maybe, but that is a bit of a stretch.  Review their vendor cyber risk management program first before you make that assumption, especially if the fourth party has your sensitive data.

I would never fall for a phishing attack so I am sure that our vendor wouldn’t either.  We don’t need no stinkin’ training and neither do they.

That is so wrong on so many levels.  We have many stories of businesses that “didn’t need training” that fell for phishing scams, lost sensitive data or even lost hundreds of thousands of dollars.  While training doesn’t fix everything, it is important.  Don’t skip the training, and remember that training is not a one-time event.

These are just a few of the misconceptions; there are many more.

If your vendor has a breach, you are on the hook.  Maybe they are too, but you are first and foremost.  Your customers look to you to protect their data.

If you need help with your vendor cyber risk management program, contact us.


Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by the Austrian privacy activist, lawyer and thorn in Facebook’s side, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the GDPR requirements for providing data to requestors, and some companies didn’t even bother to reply at all.  For the most part, they said, companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware: this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB.

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year.  The code works on ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to WiFi.  Affected devices include the Sony Playstation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhone (and other i-devices) that fix several remote code execution bugs (vulnerabilities that can be exploited remotely), including in FaceTime, Bluetooth and 8 bugs in the WebKit web browser engine.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

macOS got similar patches, since much of the same software runs on the Mac, but there were Mac-unique bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage-related documents exposed.  It is not clear who owns the data, which belongs to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company, Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them.  Now Ascension is having to notify all of the affected parties, and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.
