In case I haven’t scared you enough about the technology innovations that make our lives easier at the cost of security, here’s another worry to add to the growing pile. Automobile security researchers (a growing subset in the security industry) in Germany have published their findings on using wireless amplification technology to trick certain makes and models of cars into thinking their owner is nearby, unlocking the doors and in some cases, starting the engine for the hacker, all while the actual proximity key fob is supposedly safe and secure in the owner’s pocket, purse or home. Though this method has been known for at least several years, this most recent publication noted that the technology is much cheaper to build, and the number of cars vulnerable to this hack has grown significantly.
What this means for you:
If you are the proud owner of one of these cars, you may want to consider keeping your key fob in the freezer:
- Audi A3, A4 and A6
- BMW’s 730d
- Citroen’s DS4 CrossBack
- Ford’s Galaxy and Eco-Sport
- Honda’s HR-V
- Hyundai’s Santa Fe CRDi
- KIA’s Optima
- Lexus’s RX 450h
- Mazda’s CX-5
- MINI’s Clubman
- Mitsubishi’s Outlander
- Nissan’s Qashqai and Leaf
- Opel’s Ampera
- Range Rover’s Evoque
- Renault’s Trafic
- Ssangyong’s Tivoli XDi
- Subaru’s Levorg
- Toyota’s RAV4
- Volkswagen’s Golf GTD and Touran 5T
At the moment, this is the list of confirmed vulnerable models. The researchers allege that many other makes and models that use similar technology could very likely be vulnerable to this exploit as well. If your car unlocks automatically based upon your proximity to the car, then it may be possible to exploit this convenient bit of technology. And there is even anecdotal evidence to suggest that this hack is already being used “in the wild” to burgle cars. Basically, would-be thieves work with a pair of devices – one near your car, and the other near your key fob. The devices work in tandem to amplify the signal put out by the key fob, tricking the car into thinking the fob is in unlock range, and the car happily opens up for the thief. In the above-mentioned case, the unlucky victim ended up storing his fob in the freezer to protect against this hack, but I’m sure most of you keep your keys right near the front door – easily within range of someone with this device. Perhaps it’s time to start storing the keys next to the milk? Call us if you have any concerns – we’re not car experts but we can always help you become more secure.
As if Volkswagen didn’t have enough to worry about with the emissions scandal, European security researchers have demonstrated a proof-of-concept exploit that can allow an attacker to covertly disable airbags (and other systems) in the German manufacturer’s autos. Unlike the more dramatic wireless hacking demonstration of Jeep vehicles that caused a massive recall, this particular exploit requires actual contact with the car, either via a compromised laptop or malicious USB device connected to the vehicle’s diagnostics port. To demonstrate the hair-raising potential of this exploit, the hackers were able to completely disable the airbag while having the onboard software continue to report the system as functioning properly. For now, the hackers limited their hacking to this proof-of-concept, but they believe that with further testing and research someone could develop malicious code capable of executing more serious system disruptions while the vehicle was in motion, and perhaps long after the infecting device was removed.
What this means for you:
We are rapidly approaching a future where most of the devices upon which we rely will have embedded computers. Here’s a short list of items that already appear in homes and have this capability right now:
- Burglar alarms
- Surveillance systems
- Major appliances (refrigerators, ovens, washing machines)
- Door locks
- Lighting systems
- Electrical meters
- Gas meters
- Fire and life-safety systems
As the researchers behind the Volkswagen exploit were quick to point out, the problem wasn’t with Volkswagen’s engineering, but a weakness in a third-party diagnostic system, an easily compromised laptop – mechanics don’t have special devices, they use the same gear we use – and our willingness to plug things into our devices without specialized knowledge or assurances of security and safety. Many of the items listed above are easily accessible by visitors, repairmen and sometimes complete strangers, and even though the infecting agent may be completely unaware that the device they are connecting to your devices is compromised, the damage is already done once it gets plugged in. Once again, the weakest link is the human, either us or some hapless mechanic. It’s important to be aware of all the systems with which you surround yourself, as well as who is servicing them, and whether they themselves are taking the necessary precautions to stay safe.
Remember a couple weeks ago when the adultery website Ashley Madison and assorted “sibling” sites were hacked? The alleged hackers were holding the data hostage and demanding (parent company) Avid Life Media be held accountable for what the hackers claimed was the fraudulent business practice of offering website “patrons” the opportunity to pay to have their data completely erased. The data has been released (including the supposedly erased data), it is now searchable thanks to websites like Have I Been Pwned, and it’s wrecking lives like, well, a proverbial home-wrecker. It doesn’t take much imagination to envision why this is happening – marriage as an institution in America has been on some fairly rough ground lately, but you don’t come to this blog for that kind of gossip…
So here’s my IT angle on the whole mess:
- Just one, simple piece of data in the wrong place at the wrong time can be a game changer. In the case of the above, finding someone’s email address in the database separate from any other context can utterly destroy trust. And this doesn’t have to be a spouse or a family member: it can be a congregant, constituent, employee, employer, customer, client, prospect, competitor, adversary or worse – a true enemy. Many have said that their accounts were created for research (I didn’t even put that in quotes), and many probably were and even have official documentation backing up that claim, but when data is released without context, the victims don’t have any control over how the data is viewed or used.
- Most agree that Avid Life Media’s IT team had more than adequate protections and data encryption in place, but like every other business, they were fighting a losing battle. As I’ve said repeatedly (as has most of the industry), the current battle against digital intrusion is a war of attrition, and the attackers have the upper hand. They only have to succeed once to win, but we, in defending our organizations, cannot stumble even once. In case you are having trouble envisioning why this is, imagine a game of soccer where you are the goalie and the hacker is the other team. It’s just you versus the entire team, and there are multiple balls in play. They only have to score once to win. You, on the other hand, can only hope to get one of the opposing team out on penalty to slow them down, but guess what? They have a rather deep bench. And there are no time outs.
- Do your employees or vendors have access to data or systems to which they shouldn’t? Some believe the hack was an inside job. Keep in mind that you have to trust someone at some point to manage your security. Though it may be difficult or even painful to examine your operations for disgruntled employees or customers, unethical or inhumane practices reap as they sow, as Avid Life Media is perhaps experiencing first hand.
- Things done on the internet can never be erased. Even if you pay someone to do so, and they make an honest attempt at it, the internet never forgets. Want to keep something secret? Keep it as far away from the internet as possible. Can’t (or won’t) do that? Count on it not being secret and at least you’ll be prepared for when it does become public. Also, there are very few levels of obscurity on the internet: in most cases, things are merely forgotten or overlooked, but they never truly disappear from view.
- Privacy and security are hard won, and increasingly so as time progresses. Expect the costs of maintaining these things to continue to rise.
With all the recent, high profile hacks it’s hard to not be a “Debbie Downer” when it comes to the current state of security and privacy – but don’t fool yourself into thinking that things aren’t as bad as they might seem. Taking a realistic view on internet privacy and security is important in achieving a balanced perspective when making decisions on what to spend (both in dollars and energy) on defending yourself and your business. It’s not the end of the world. Not nearly. But it’s rough out there, and likely to get worse before it gets better. Be prepared, be realistic: plan for the worst and hope for the best.
As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc.) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
Last week, over 4 million people had their PII (Personal Identifying Information) exposed. Suggestive humor aside, this is still scandalous as this breach came by way of the Office of Personnel Management (OPM – the government’s HR department), an agency supposedly being protected under the watchful eye of the Department of Homeland Security’s (DHS) $4.5B National Cybersecurity and Protection System (NCPS), aka “Einstein”. I’m sure that the real Einstein would be horrified to know that his good name was being sullied by a multi-billion dollar boondoggle. Adding insult to injury, the PII exposed wasn’t your “run of the mill” variety either – OPM databases housed information on security clearance investigations which also contain information on family, neighbors and close associates of any government employee who went through that process – meaning a lot more than “just” 4 million people were affected. Not quite disturbed enough yet? The OPM data infrastructure was housed in a “shared data center” which provided services to many more government agencies, all of whom could have been breached as well. US government officials have made noises that the Chinese are to blame, and of course, China called those allegations “irresponsible” and “baseless”.
What this means for you:
What this event demonstrates is that stupid amounts of money can’t buy security if you are always playing catch-up. DHS’s Einstein is only capable of detecting attacks that have been seen before – it’s basically a monstrously expensive filter that looks for “signatures” that are based on – that’s right – previous attacks. Once the hackers get past the gate and are able to “own” the system by using legitimate credentials (either stolen or created through their initial hack), they can transact business through normal protocols and transactions, making detection extremely difficult. It’s the equivalent of looking for a needle on a conveyor belt full of hay – and you don’t even know what the needle looks like, other than “not hay”. It seems that we will need a real Einstein to develop a system that can detect attacks that have never been seen before.
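To make the “signatures versus legitimate credentials” gap concrete, here is an added example (not from the original post, and not how Einstein itself is built): a signature filter and a simple per-user baseline run over the same constructed log lines. The user names, host names, paths and signatures are all invented for illustration.

```python
import re

# Constructed signatures, standing in for patterns learned from past attacks.
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Constructed log events: (user, source host, request line).
HISTORY = [
    ("alice", "ws-014", "GET /hr/records?id=1001"),
    ("alice", "ws-014", "GET /hr/records?id=1002"),
    ("bob", "ws-022", "GET /hr/records?id=2001"),
]
TODAY = [
    ("bob", "ws-022", "GET /hr/records?id=1 UNION SELECT ssn FROM staff"),
    ("alice", "ws-014", "GET /hr/records?id=1003"),
    # Valid credentials, ordinary-looking request: nothing for a signature to match.
    ("alice", "vpn-ext-7", "GET /hr/export?all=1"),
]


def request_path(request):
    """Return the path part of 'METHOD /path?query'."""
    parts = request.split()
    target = parts[1] if len(parts) > 1 else ""
    return target.split("?", 1)[0]


def signature_hits(events):
    """Indexes of events matching a known signature, with the signature name."""
    hits = []
    for i, (_user, _host, request) in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((i, name))
    return hits


def build_baseline(events):
    """Record which hosts and paths each user has been seen using."""
    baseline = {}
    for user, host, request in events:
        seen = baseline.setdefault(user, {"hosts": set(), "paths": set()})
        seen["hosts"].add(host)
        seen["paths"].add(request_path(request))
    return baseline


def baseline_anomalies(events, baseline):
    """Events that deviate from a user's recorded behaviour, with reasons."""
    flagged = []
    for i, (user, host, request) in enumerate(events):
        seen = baseline.get(user)
        if seen is None:
            flagged.append((i, ["new user"]))
            continue
        reasons = []
        if host not in seen["hosts"]:
            reasons.append("new host")
        if request_path(request) not in seen["paths"]:
            reasons.append("new path")
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_hits(TODAY))
    print("baseline anomalies:", baseline_anomalies(TODAY, build_baseline(HISTORY)))
```

A baseline like this also flags perfectly legitimate changes (a new laptop, a new job duty), so it trades missed attacks for false alarms that someone has to review.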
I can hear you say, “If the government can’t secure themselves with $4.5B, how am I supposed to do it with my modest means?” Well, if a nation-state is targeting your organization, probably no amount of money you could reasonably spend is going to protect you. Fortunately, nation-states and advanced persistent threat (APT) groups usually have bigger fish to fry. The “garden-variety” malware you and your employees will encounter can be stopped by a combination of up-to-date antimalware software, a good firewall, and training. In the case of our government, technology advances are hampered by an alphabet-soup of bureaucracy and glacial culture adoption, something attackers count on. Don’t let red tape slow down your organization on this issue – security should be at the top of your list and a budget priority, no matter your industry or size.
According to security and censorship watchdog Great Fire, the latest iPhone just made its debut in China, and already new owners are being hacked by what appears to be a state-sponsored “man in the middle” attack. Though there have been many other allegedly government-backed attacks on US-based companies, presumably for commercial or political gain, this appears to be aimed at gaining iCloud identities of its own citizens, and it’s hard to not draw a dotted line to the recent Hong Kong protests, images and news of which were widely disseminated by mobile devices like the iPhone.
What this means for you:
Unless you are a Chinese citizen that has somehow managed to find your way to this modest blog, this particular event won’t have much impact on you. The hack is actually being perpetrated by China’s “Great Firewall” and only affects a specific, Chinese-only browser called 360 Secure Browser made by a company called Qihoo. Use of this browser is apparently mandatory for all education institutions in China. Seeing as other browsers not under the control of the Chinese government like Firefox and Chrome appear to be unaffected by the hack, it’s hard not to jump to some obvious conclusions. While the more conspiratorial among you may whisper that the American government is only a few steps behind the Chinese in this egregious breach of privacy, it’s important to note that unlike China, US-provided internet is not gated by a single, government-controlled firewall like China’s Great Firewall, nor are our students and teachers mandated to run an (allegedly) state-backed browser. However, this does not mean you should be less vigilant in protecting your security and privacy, as it’s quite apparent that US agencies like the NSA have no problems snooping on their own citizens anyways.
If you thought you had data breach fatigue, prepare to be exhausted this week:
- Hacker tries to scam Internet with fake DropBox password database – DropBox refutes the claim, noting the “proof of hack” provided consisted of known stolen passwords from other sources.
- Kmart Hacked – Undisclosed Quantity of Credit Card Numbers Stolen – Sears-owned retail outlet may have been a victim of known point-of-sale malware “Backoff”, says no identity info stolen, just credit and debit card numbers.
- SnapChat denies it was source of potential racy photo leak – Third-party addon app “SnapSaved” blamed for providing an avenue for hackers to save pictures from SnapChat. SnapSaved admits to security breach, but downplays claims that hackers could provide a “searchable” database of photos.
- NATO Summit Gets Breached by Russian Hackers – Hackers whom security analysts believe to be Russian exploited a Zero-day flaw in Windows operating systems through a spearphishing campaign targeting Ukrainian government workers, leading to breaches on government servers and probably information leaks from Summit proceedings.
- Google Documents Flaw in SSL 3.0 Protocol – Google documents a serious flaw in encryption protocol SSL 3.0, immediately removes it from Chrome web browsers. Though outdated, SSL 3 is still widely used as a fallback protocol when newer protocols fail to function.
- 850K Records Exposed in Oregon Employment Dept Website Breach – State-run website exposes personal information on hundreds of thousands of job seekers. No financial information was exposed, but leaked info could lead to identity theft.
After the massive security breach Target experienced in 2013, Home Depot management had the best intentions in immediately planning for a similar attack being directed at them. Unfortunately, they were only about a quarter of the way through their plans to beef up security at their stores when the big-box DIY chain recently announced that they’ve been hacked, with potentially tens of millions of customers exposed. To add insult to injury, it’s beginning to look like hackers penetrated Home Depot point-of-sale systems as far back as April.
What this means for you:
By now, you probably realize that there’s not much you can do other than what you’ve already been doing: use credit cards, not debit cards, wherever possible, and always keep an eagle-eye on your purchase history. Credit card companies are already doing a pretty good job with their fraud-detection algorithms – don’t ignore those automated calls when you get them. Given the massive number of breaches happening, it’s very likely that your credit card number has been stolen (or soon will be) if you shop at most large chain-based retailers.
As a business, you can take a lesson from Home Depot’s woes: move quickly. Home Depot’s implementation was likely hampered by both logistical complexity (hardware replacement at thousands of locations scattered across a gigantic area) as well as “traditional” corporate bureaucracy. There’s not much to be done for the first part except to take it into account when combating the second part, which while understandable, will lead to disastrous consequences. Cyber criminals aren’t slowed by corporate chain-of-command – don’t let your decision making process expose you to a damaging security breach.
Though no comment has been forthcoming from Apple yet, the mainstream press has been awash in reports that dozens of Hollywood celebrities had their iCloud accounts hacked over the Labor Day holiday weekend and, as you might have guessed, explicit images and videos have surfaced on the internet. News of the breach first surfaced on infamous website 4Chan where an unidentified individual offered to share the explicit material in exchange for bitcoin donations. Representatives for some of the celebrities confirmed the legitimacy of the material, and threatened legal action against both the hackers and the various websites where the photos and videos started appearing. As of now, authorities are still trying to identify the party or parties responsible.
What this means for you:
Despite the numerous, very public incidents of famous people taking explicit photos of themselves and reaping the consequences (good or bad), everyone – famous and not – continues to underestimate the weakness of technology security on mobile devices and cloud platforms, as well as the fact that erasing a file on your smartphone does not necessarily equate to destroying it permanently. Both iOS and Android devices are designed to upload any photos or videos you take with your device to their respective cloud storage platforms, ostensibly to back them up in case of device loss, as well as to facilitate the ability to share them via the internet. What most don’t realize is the default for both platforms is to allow this, and you have to pay attention when setting up your device at the very start to disable this functionality. If you quickly punch “OK” through this process, you can easily miss this very important setting.
As always, if you need to store important information that must remain confidential, cloud storage (iCloud, Dropbox, OneDrive, Google Drive, etc.) is a very high-risk option that should only be considered with eyes wide-open to the worst-case scenario. The terms of service/use for most of these platforms indemnify them from these types of breaches, so even if your information was leaked through no personal fault of your own (as might be the case in the above-mentioned hack), it’s highly unlikely you will be able to hold anyone accountable aside from yourself.
Common sense tells us that a long, complex password is inherently better than a short, simple password primarily because it makes it harder for humans to guess what it might be based upon what they know about the user. However, when computers can brute-force a solution to even the most complex passwords within minutes, a lot of people are starting to question why they bother at all. That’s ever more so the case in light of a recent discovery that Russian hackers have amassed nearly 1.2 billion unique compromised credentials in a series of hacks targeting nearly half a million websites. Investigation into some of the hacked sites has revealed that though you may have put some effort into creating a complex password, the website you created it for didn’t invest nearly as much effort in keeping it safe. In some cases, the passwords stolen were originally stored “in the clear”, i.e. not encrypted.
What this means for you:
Sadly, the industry as a whole is still scrambling to come up with a solution to the failure of passwords as a security mechanism. So far, the best some sites can offer is 2 or 3-factor authentication, and as can be surmised from the lackluster adoption of this form of protection, most people will opt for the simpler, less secure method when they aren’t required to do otherwise. As for what to do about the above? Go out there and change your passwords on all your important accounts, and enable 2-factor where available, especially on your critical business services like email, banking and file-sharing sites. It’s highly likely one of your passwords is part of this huge hacker database, and it could be used against you very soon.