We are in the security business and making money off of vulnerabilities is what we do. We search for vulnerabilities, we patch vulnerabilities, we implement workarounds for those that have no patches and we work to protect our clients against known and even suspected vulnerabilities. Vulnerabilities are what make us money. Without vulnerabilities in software and hardware we would have a lot less work. However, our goal is to protect our clients, not to exploit them for all that we can get, so when we find a vulnerability, the question of whether we report it to the manufacturer, or look to make as much money as we can off of it, is moot. Not so for all security firms.
Gizmodo reporter Christina Warren called it ‘bats*** insane’ in her post when security firm MedSec decided to partner with an investment firm and sell a manufacturer’s stock short before disclosing security vulnerabilities in the manufacturer’s products. MedSec tested a variety of medical products by manufacturer St. Jude. MedSec found security failures including a lack of encryption and the ability for other devices to communicate with pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. Very bad. ‘Denial of Service’ takes on a new meaning when the service is your pacemaker. Instead of reporting the findings to St. Jude, the normal approach to vulnerability disclosure in medical technology, MedSec partnered with Muddy Waters Capital and bought St. Jude stock before releasing the results of their findings to the public. MedSec’s Chief Executive Officer Justine Bone said St. Jude’s past record of ignoring warnings and the chance that it could sue MedSec to keep it quiet ‘precluded that approach’. MedSec and Muddy Waters cited a 2014 Homeland Security investigation into St. Jude and other device makers’ cybersecurity, reported by Reuters, as a warning that could have been heeded, but that St. Jude did not.
The CEO of MedSec defended her company actions in an interview with Bloomberg, but didn’t convince me one bit of their genuine efforts to protect patient safety. Watch the interview yourself and you will see a lack of due diligence, how Bone (the CEO) skirts the issue of their lack of process, says “the public has a right to know…” but did not report their findings to the public entity CERT, and then finally states the real reason for their tactic; “…we are looking to recover our costs…”.
There is a word for MedSec’s actions.
Shameful is the word I am thinking. Unethical does not go far enough. Scurrilous might fit, bordering on despicable. MedSec didn’t try very hard to contact, or convince the manufacturer of the seriousness of the findings and then tried (and maybe succeeded) to turn a profit on the venture. St. Jude responded to specific findings, defending their products and noting that many of the test situations outlined by MedSec don’t exist for devices in production. The MedSec findings report claimed that the pacemaker battery could be depleted remotely at a 50-foot range, but St. Jude responded that once the device is implanted into a patient, wireless communication has an approximate 7-foot range. To quote St. Jude, “In addition, in the described scenario it would require hundreds of hours of continuous and sustained “pings” within this distance. To put it plainly, a patient would need to remain immobile for days on end and the hacker would need to be within seven feet of the patient.”
In addition to their published response to the MedSec/Muddy Waters high-tech tactics St. Jude also responded in a low tech way, they filed suit. We’ll see how this plays out in court.
He does look a bit shifty, but, more likely, he is clumsy rather than dishonest. A survey of 3,000+ employees and IT practitioners across the U.S. and Europe by the Ponemon Institute. and sponsored by Varonis Systems, reported three out of every four organizations have been hit by the loss or theft of important data over the past two years. This is an increase over 2014 and is due in large part to compromises in insider accounts.
The survey reported that 76 percent of IT practitioners say their organization experienced the loss or theft of company data over the past two years, up from 67 percent in the 2014 version of the study. Respondents reported that insider negligence is more than twice as likely to cause the compromise of insider accounts as any other culprits, including external attackers, malicious employees or contractors. When a data breach occurs, 50 percent of IT respondents say insiders who are negligent and most likely to cause a compromise.
Other things to worry about:
- Outside attackers who compromise insider credentials worry 58 percent of IT respondents
- 55 percent of respondents say insiders are negligent
- 78 percent of IT respondents are extremely or very concerned about the threat of ransomware
- 15percent of the companies represented in this study have already experienced ransomware
- 54 percent were able to detect an attack within 24 hours (good news!)
88 percent of respondents say their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, software tools or other information assets. This is an increase from 76 percent of respondents in 2014. Apparently this is worrisome to those surveyed as 62 percent of end users say they have too much access to confidential corporate data.
If you think that you have access to more data than you need, ask your sys admin to cut you off. It’s like trimming your nails; keep pruning until it hurts a little, then stop. We should also be warning our clients about giving too many permissions away to users who do not need them. If we want to be truly proactive, we can run scripts that report which users are active and which ones have admin permissions, then review the results with the customer.
You can review the whole enchilada of survey results out in the wild here.
Eeny meeny miny moe, I’ll steal your data then I’ll go! A recent study by the Ponemon Institute, reports that more than 50% of Small to Medium Businesses (SMBs), that’s every other business folks, were breached in the past year. The study was sponsored by password management provider Keeper Security and consisted of 600 IT leaders at businesses with between 100 and 1,000 employees. The study found the following:
- Confidence in SMB security is low, with 14% of the companies surveyed rating their ability to mitigate cyber-attacks as highly effective.
- 50% of respondents reported that they had data breaches involving customer and employee information in the last 12 months.
- Three out of four survey respondents reported that exploits have evaded their anti-virus solutions (social engineering?).
- 59% of respondents say they have no visibility into employees’ password practices and hygiene.
- 65% do not strictly enforce their documented password policies.
- Insufficient personnel, budget and technologies are cited as the primary reasons for low confidence in cybersecurity.
The causes for most of the breaches were negligent employees and contractors, though for almost one third of the companies surveyed the root cause of their data breach was a mystery. What can we take away from this? Stress, re-stress and repeat more of the basics to our clients:
- Create and enforce a comprehensive employee decommissioning process so that credentials for former employees are disabled or removed as soon as the employee is no long with the firm.
- Limit access for employees and contractors to only what they need and no more. Stop handing out administrative rights left and right. Right?
- Set and enforce a comprehensive password policy that forces employees to change their passwords. If forced to change passwords on a regular basis, employees will be less likely to use their Facebook password as their employee password.
- Start and continually run a phishing awareness program. The program has to be sustainable and continuous in order to be effective.
- Separate company and guest wireless traffic. Allowing guest devices onto the one and only wireless network is an invitation to share digital diseases with someone’s personal phone.
More information on the Ponemon survey can be found here.
The U.K.’s National Crime Agency (NCA) warned in its Cyber Crime Assessment 2016 that cybercrime is now more prevalent than other crime in the U.K. Cybercrime was reported to be the largest proportion of total crime in the U.K. in 2015 with “cyber enabled fraud” at 36% of all crime reported, and “computer misuse” at 17% of all crime reported. One explanation for the growth of cybercrime is that tracking of cybercrime has improved, and, also, the U.K. Office of National Statistics started including cybercrime for the first time in 2015 in its annual Crime Survey for England and Wales.
Per the NCA’s report:
“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015”
Another explanation for the growth of cyber fraud and computer misuse in the U.K. is due to convenience as much of the cybercrime comes out of Russia which is only two time zones ahead of the U.K.
“Why would you want to stay up all night doing online fraud against banks in the U.S. when you’d rather be out drinking with your buddies?”, says Avivah Litan, a fraud analyst with Gartner Inc.
Because Bad Actors like to have drinks with their friends too, I guess. For more detailed information, please take a look at the write-up by the ever-prolific Brian Krebs here.
A group of researchers from Georgetown University and UC Berkeley have demonstrated how voice commands hidden in YouTube videos can be used by malicious attackers to compromise smartphones. The attack works against phones that have the Google Now, or Apple Siri voice command feature turned on. The researchers demonstrated that verbally obfuscated voice commands that sound unintelligible to human listeners can be embedded in videos and interpreted as commands by smartphones. The infected video can be from any source that plays out loud within detection range of the smartphone. Sources tested include a laptop, a computer, a smart TV, another smartphone, a tablet, or even a speakerphone as demonstrated in this video. The attack will even work with background noise. The video demonstrates the use of a mechanical voice, translating written commands, through a speakerphone ten feet from a phone that has the “OK, Google” voice command feature enabled. More details about the attack and possible defenses can be found in this paper, and more attack demos can be found on this site. Even more information can be found in this article here by Help Net Security, or even more-more information can be found from our Sophos friends here.
You can turn off the “OK, Google” feature by following these steps:
- Open the Google app.
- In the top left corner of the page, touch the Menu icon.
- Tap Settings > Voice > “OK Google” Detection.
- From here, you can disable your phone to listen when you say “OK Google”.
You can disable Siri using these steps:
- Open the Settings app in iOS and go to “General”
- Tap on “Siri” and near the top of the screen, toggle the switch next to “Siri” to the OFF position.
- Confirm that you wish to disable Siri completely by tapping on “Turn Off Siri”
- Exit out of Settings
These features come automatically enabled on most smartphones, so please check yours and warn your clients.
Below are leaks that were reported last week.
Wendy’s Continued – Now over 1025 restaurants – Reported last week, leaked data was credit card data (maybe yours!) from transactions at Wendy’s restaurants. This breach began in the Fall of 2015 and wasn’t discovered until early this year. Wendy’s confirmed this week that even more restaurants are involved and you can now find out if the restaurant that you visited was hit using this handy web page. How nice of them.
Datadog – Number of records is undisclosed – Leaked data was usernames, passwords and e-mail addresses; all of them, apparently. Multiple servers at Datadog were breached, including a database server that housed the login info. Customer listed as Datadog users includes big dogs like Spotify, PBS, Slashdot, Samsung, Imgur, Coursera, The New York Times, and Ziff Davis. Passwords were stored using a unique salt for each password and then each password was encrypted with bcrypt which is resistant to brute-force attacks. Despite the strong storage methods used for the passwords, Datadog has invalidated all stored passwords and sent e-mails to all users with reset instructions. More info can be found from our friends at Sophos here. Yes, that’s a blatant plug.
Omni Hotels – Number of records is undisclosed – Leaked data includes Point of Sale (POS) data which includes credit card cardholder name, credit/debit card number, security code and expiration date. The data was discovered missing on May 30, 2016, according to Omni Hotels, which wrote up the breach details on their own website. The cause of the breach was due to malware that infected POS systems and only affected customers who physically presented their credit cards at one of the effected hotels between December 23 2015 and June 14 2016. More information can be found here.
Baton Rouge Police – 50,000 records – The contents of the leaked data were not disclosed, but the leak was due to a security failure in the police department’s website which allowed Bad Actors access to login credentials for a police Oracle database. The website operators have not confirmed the breach through outside security researchers claim they have. More information can be found here.
Ubuntu Forums – 2 million users – Leaked data includes usernames, email addresses, and IP addresses associated with the Ubuntu Forums. The attacker was able to exploit an SQL injection vulnerability in an add-on used by an older version of the vBulletin forum software used by Canonical, the folks that develop Ubuntu and run the forums. Ubuntu has wiped, rebuilt, and hardened the attacked servers, and passwords were changed. Also, the forum software was fully patched, which, and we can brag a bit here, would have already been fully patched had we managed their servers. Harrumph! More information, without the self-congratulatory tone, can be found here.
When does being older give you an advantage besides a discount at Denny’s? When it comes to being targeted by hackers. A recent UK study shows people in the UK aged 30 years, or younger, are the most targeted by hackers for identity fraud. In 2015, there was a 52% increase in fraud for victims aged 30 or younger, according to Cifas, a UK fraud prevention service.
The report showed that:
- Only 34 per cent of 18-24 year olds say they learned about online security when they were at school
- 50 per cent of the 18-24 year olds surveyed believe they would never fall for an online scam (compared to the national average of 37 per cent)
- Only 57 per cent of 18-24 year olds report thinking about how secure their personal details are online (compared to 73 per cent for the population as a whole)
- Adults aged 18-24 years are less likely to install anti-virus software on their mobile phone than the national average (27 per cent compared to 37 per cent)
With 86% of identity fraud in the UK for 2015 committed online, Cifas’ data shows that young people are the most exposed to losing personal data such as their name, date of birth, address and bank account info through social media. To highlight the problem, they even published a short video about it which can be found here. Using a black van in the video adds to the creepiness. </shudder>. Some additional insight and info can be found here.
When is a breach not a breach? When there are too many unanswered questions, apparently. Have I Been pwned (HIBP), the database of breaches, is owned and operated by Troy Hunt who performs due diligence on each breach before adding it to HIBP. A recent supposed breach of Badoo account information was presented as a breach to Hunt who then did his normal checking and cross checking of the data to verify its veracity. Hunt, unfortunately, could not come to a definitive conclusion about whether the data actually came from Badoo. Per Hunt:
“[S]ometimes there are breaches where I just can’t be certain of the authenticity, yet there are many indicators which point to an actual breach. The incident sits in that grey area between “very unlikely to be legitimate” and “almost certainly legitimate”.”
Hunt’s post on the analysis of the ‘Badoo’ data and his introduction of ‘unverified breaches’ can be found here, but whether a breach is a verified or unverified breach seems to boil down to these basic factors:
- The service provider confirms (or denies) there was a breach
- The data itself is consistent and has sufficient detail (or not)
- There is confirmation (or denial) of data accuracy from breached users
- Testing of the data against the site’s password reset tool is successful (or not)
If it does not pass all of these tests but looks like data from something then best be safe and report it, even if it has to be qualified as unverified.
What does this mean to end users? Despite the new ‘unverified breaches’ category, I see the end result for the user as the same; you need to change your password and change it now. Changing your password because it might be used by someone else has now become the Internet equivalent of turning around at the end of the block and driving back home to see if you left the iron on. Just do it, it’s usually really simple, and you’ll sleep (and drive) better.
The U.S. Court of Appeals for the Ninth Circuit has ruled that a former employee of a company, whose computer access credentials were revoked, had acted “without authorization” in violation of the Computer Fraud and Abuse Act (CFAA), when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.
David Nosal, and two other former employees at executive search firm Korn/Ferry International, used a password shared by Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux, to download confidential data. Nosal did not himself access or download any information from the Korn/Ferry database, but was held liable for the conduct of his colleagues who acted on his behalf and at his request. Nosal had set up his own competing firm and hired two other Korn/Ferry employees. Before leaving their employment at Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new business. Although the former employees were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies, the U.S. Court of Appeals for the Ninth Circuit said in its opinion. The former employees tried to cover their tracks by using the login credentials of Froehlich-L’Heureaux, Nosal’s former assistant. The assistant gave her username and password to Nosal’s colleagues to use. Per the court:
“Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access,” according to the opinion, which said that the access falls squarely within the CFAA’s prohibition on access “without authorization.” Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign, the court said.
The dissenting judge on the three judge panel wrote that this case is about password sharing, and that “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”. What does this mean for end users? It looks like it means that in order for a company to get the protection of the CFAA, there must be a “no-sharing passwords” policy in effect and employees, old and new, will need to acknowledge this in writing. This would put the “authorization” test in place and allow the CFAA to apply. Employees who break the password sharing rule could then be subject to the penalties of the CFAA. It also it means don’t share your password! The full legalese can be found here.
Security researchers have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network. The malware, dubbed Backdoor.MAC.Eleanor by the folks at Bitdefender, is distributed as a file converter application through websites that offer Mac software.
The application infected with ‘Eleanor’ that users download from these sites is called ‘EasyDoc Converter’. Once installed, ‘Eleanor’ displays a fake ‘EasyDoc Converter’ interface where users can supposedly drag and drop files for conversion, but no file conversion is done. ‘Eleanor’ then launches a shell script In the background that installs components in a folder called “/Users/$USER/Library/.dropbox.” No interaction with the Dropbox for Mac client has been found and it appears that this is a ploy used to thwart discovery. ‘Eleanor’ then launches a Web service with a PHP application, a hidden service that allows attackers to connect to the affected systems over the Tor network, and an agent that posts the Tor access URLs for infected systems to a Pastebin website. Attackers can then send commands through the URLs to affect the infected Macs.
The Tor network, also known as The Onion Router because of its’ many layers, is a series of servers running route anonymization software so that one’s route cannot easily be traced. Tor has been used for years by users who wish to protect their privacy, but has lately been leveraged by Bad Actors to hide their location from the Good People of the Internet.
Users are alerted to the malware when they try to install it since the ‘EasyDoc Converter’ app is not digitally signed with an Apple-approved certificate. Users will see security warnings if they try to install it. If the user has OS X 10.11 (El Capitan) they would also need to perform a manual override in order to install the application. More information can be found here.