Using Yahoo Email? Should You Notify Customers that Your Email is Breached?

Everyone listening to the news should know by now that Yahoo’s email service has been hacked. CBS News story: “Yahoo Confirms Massive Hack of 500 Million Accounts, Blames ‘State Actor’”.

In Yahoo’s terms of services section DISCLAIMER OF WARRANTIES:

19. b.

YAHOO AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS MAKE NO WARRANTY THAT (i) THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR REQUIREMENTS; (ii) THE YAHOO SERVICES OR SOFTWARE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE; (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE YAHOO SERVICES OR SOFTWARE WILL BE ACCURATE OR RELIABLE; (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR EXPECTATIONS; AND (v) ANY ERRORS IN THE SOFTWARE WILL BE CORRECTED.

I’m no legal analyst, but this disclaimer of warranty is not a promise that they will keep your data secure. It says so right there in their disclaimer of warranty!
Are you using Yahoo Mail as a business email account? Since Yahoo Mail was hacked and your account was likely one of them, you have to think about this as if a hacker has your account information:

The hacker could look at your email – what can they figure out from your email flow?

Do you use your Yahoo email account as the primary account for logging into other services?

Wherever you log in with your Yahoo account information (because it is your primary email), that service could now cause problems for you.
Unfortunately, Yahoo is also the email service for many phone, cable and Internet service companies, and that means your home email account is now compromised as well. For example, this story in The Telegraph mentions 8 million accounts now affected in the UK.
A hacker could log into your Yahoo account and find emails that open the door to other compromises.
So if you are using Yahoo email, think about all the places it is being used as a login account name and consider what happens when the hacker has that as well.
What do your risk management assessments look like when the hackers already have usernames and passwords in your network? In fact, shouldn’t the risk assessment be changed with that in mind? Does your IT security team keep that scenario in mind?

Should you be looking in your network for data being retrieved by accounts whose activity looks like normal traffic? Are you reviewing standard traffic for exfiltration of company data?

Now that you know your email has been hacked, when do you notify customers? If it were me, I would notify them that my Yahoo account is potentially hacked and that I will be moving to another provider ASAP.
Being a little paranoid is not a bad thing in Cybersecurity.

Contact us to discuss how this Yahoo hack changes the liabilities in your cybersecurity risk management framework, or any potential liabilities you may not have thought of yet.

Password Manager Lastpass Has Security Flaw

Unfortunately, another flaw in software where we expect to find _none_, at least in security software, as written up in a ZDNet¹ post:

This just in, a 7/28/16 story by CNET: http://www.cnet.com/news/big-security-bug-fixed-by-lastpass-password-manager/ It looks like LastPass fixed another bug quickly…

[screenshot: ZDNet story on the LastPass zero day]

Tavis Ormandy (a Google Project Zero hacker) used a couple of tweets to point out security flaws in LastPass.

LastPass is reportedly patching the problem… Forbes² reviews the LastPass problems in more detail as well, since it looks like another hacker, Mathias Karlsson, also broke into LastPass, as noted on Detectify³, although Mathias’ hack was fixed.
So now what? Should we discontinue using password managers? Or how should we use our computers?

Definitely use different passwords on different sites:

Email (Gmail), banks, Twitter, Facebook, LinkedIn, and many other sites ask for passwords and require us to create a unique password.

In security one has to be aware of news of zero-day vulnerabilities, and ZDNet is #9 on our Top 30 blogs to watch on our Security-News-Analyzed page⁴. The idea is to watch everything in your environment like a hawk for potential problems, so that you can react if needed.

The password management problem is going to be with us until a new technology can remove this particular authentication issue.

Until then I recommend keeping several password managers plus one additional “method”: pen and paper for a few passwords. Make sure you have different passwords for all sites, and keep a few passwords ‘offline’.
Contact me to discuss how to protect your network even if you have LastPass (there are ways to defend). Tony Zafiropoulos 314-504-3974
  1. http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/
  2. http://www.forbes.com/sites/thomasbrewster/2016/07/27/lastpass-vulnerability-hacks/#36b2d2df3a65
  3. https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
  4. http://oversitesentry.com/security-news-reviewed/

IoT Botnet Can DDoS Your Webserver

OK, it happened, as some predicted last year:

A botnet was found¹ (a collection of computers, or in this case devices, that are controlled by another computer) controlling a number of IoT (Internet of Things) devices. These IoT devices were then told to attack a website, causing a DDoS (Distributed Denial of Service). The website then crashed because it was too busy.

image from valuewalk.com²

So let’s back up a bit: what are IoTs? http://iotlist.co/ has a list.

An IoT can be many things – a camera is one, espresso machines, a Samsung VR headset, an indoor night light, a wifi smart plug, speakers, an indoor air quality monitor, a Samsung Galaxy connected screen, a keypad, an oven, a watch, light switches, and many more.

Director of National Intelligence (DNI) James Clapper at the Feb 25 hearing in Congress:

“I want to briefly comment on both technology and cyber specifically. Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities,” he said. “The Internet of things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems and potentially disrupt labor markets.”

So our esteemed leaders are keeping an eye on IoTs, but what are they really?

The attack came from CCTV devices connected to the Internet (which have a specific bug, noted below, that can be exploited by criminal hackers).

KerneronSecurity³ wrote about this on March 22, 2016: 70 CCTV vendors have a remote code execution bug, and apparently this has been going on since 2014.

So this is a big problem, and it looks like it will continue to be one until the vendors of most CCTV devices fix this issue.
GoldenEye IR camera http://www.goldeyecctv.com/

http://www.technomate.com/categories/Products/Security/Cameras/

Above are just 2 of the supposed 70 vendors that, according to KerneronSecurity, are susceptible to this big cybersecurity problem.

This blog post does not imply that the above 2 vendors (GoldenEye and Technomate) have the bug, as I have not independently verified these 2 models against that specific remote code execution.

I imagine the criminal hackers are working on new attack angles with this many potential attack points.

In fact, according to Google, there are 5.9 million CCTVs in Britain and 245 million in the world. Likely most of them are susceptible to this attack.

Since it seems that over 25,000 attack points took part in the website DDoS attack, there is potential for much bigger mischief.

You may not realize this, but the hackers also have problems with their software, especially since it is custom built, and thus they cannot jump straight to controlling hundreds of thousands of devices; they first have to control 25,000.

So what to do if we know a major Cyberstorm is coming?

According to KerneronSecurity, these devices are all white-label devices coming from TVT, a Chinese company.

TVT, 5F, North Block, CE Lighting House, Hi-Tech Park, Nanshan District, Shenzhen, GuangDong, P.R. China

And I have found an actual CVE, CVE-2013-6023, that describes this Cross Web Server vulnerability⁴.

Also check Exploit-db.com specifically, which discusses the directory traversal vulnerability.
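As an added defender-side illustration (not code from the original post, from TVT or from any vendor named here), the following Python scans web server access-log lines for directory-traversal requests of the kind the CVE above concerns. The log lines and IP addresses are constructed; the repeated percent-decoding is there because encoded `..` variants slip past a literal `../` match, and a 200 status on such a request is the sign that the server actually served the file rather than rejecting it.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format sample (not taken from the page); 203.0.113.0/24
# is the documentation address range, so no line here refers to a real host.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Mar/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [22/Mar/2016:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [22/Mar/2016:10:01:09 +0000] "GET /img/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1024
203.0.113.13 - - [22/Mar/2016:10:01:12 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 200 800
203.0.113.14 - - [22/Mar/2016:10:01:15 +0000] "GET /cgi-bin/view?file=..\\..\\config.ini HTTP/1.1" 200 300
203.0.113.15 - - [22/Mar/2016:10:01:20 +0000] "GET /live/stream.cgi?ch=1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# ".." as a whole path segment, including after a query key such as "?file=..".
DOTDOT_SEGMENT = re.compile(r'(^|[/?=&])\.\.(/|$)')

def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %252e double encoding is caught) and fold
    backslashes to slashes so a Windows-style "..\\" is seen as "../"."""
    decoded = path
    for _ in range(rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")

def is_traversal(path: str) -> bool:
    """True if the request path, once normalized, steps up out of a directory."""
    return DOTDOT_SEGMENT.search(normalize(path)) is not None

def find_traversal_attempts(log_text: str) -> list:
    """One record per traversal-looking request; 'served' marks the ones that
    matter most, where the server answered 200 instead of rejecting the path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        if is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                         "served": m["status"] == "200"})
    return hits
```

Requests that were rejected (404) still tell you who is probing the device; the served ones tell you the web server needs to be patched or replaced.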

Now if we try to find the actual market share of TVT devices (H.265) then we find:

from https://technology.ihs.com/api/binary/520143

It looks like most vendors are coming from China, and the market for professional video surveillance in 2013 was $13.5 billion. So, as usual, security is not as important as sales.
My recommendation? If you have a TVT video camera, REPLACE it with a technology different from this one, as it seems the TVT devices are not security tested. Run your own security tests.

It looks like you have to test and fix this problem.

Contact me to discuss

This is what I do as a security vulnerability analyst, among other things… https://fixvirus.com/sigma-service/
  1. https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
  2. http://www.valuewalk.com/2015/12/iot-based-botnets-will-be-major-problem-by-2017-iid/
  3. http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
  4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6023

Cybersecurity and Internet: Too Complicated?

Brian Krebs of KrebsonSecurity¹ has a story about a data breach at Cici’s Pizza on June 3rd.

This credit card breach story is interesting, but it is not what I want to discuss.

Instead, let’s discuss “Todd”’s responses in the comments.

1st response:

[screenshot: Todd’s 1st response]

So obviously Todd wrote this response as an immediate reflex action and does not have an understanding of how Internet cybersecurity works.

He keeps trying to impugn the integrity of Brian Krebs and to play down the actual faults (which he acknowledges) on his ‘placeholder’ website.

This is the problem, Todd: even a placeholder can be an attack vector, and obviously Todd does not understand this. Also, have you heard of watering hole attacks? A website is compromised, and subsequent visitors to the website are then attacked without knowing it happened.

It is almost like saying “please hack us, we don’t pay attention to this site” (last updated in 2012).

The other thing is, where PR is concerned, if you don’t know what to say, saying nothing is better.

Now let’s go to Todd’s 2nd response:

[screenshot: Todd’s 2nd response]

This response just confirms Todd’s inexperience and naivete.

But the worst is yet to come…
Yes – 3rd response:

[screenshot: Todd’s 3rd response]

His last response does all the wrong things again: he admits to not caring about their website, and so what if we served adware injections to potential customers or our customers.

The third response proves that his responses are just reactionary and not well thought out, even though the first was posted June 5, 2016 at 1:45 pm, the 2nd June 6, 2016 at 12:25 am and the final one June 5, 2016 at 10:47 pm (so obviously the responses were being sent quickly while Brian was making sure this was not spam, before he finally allowed them onto the site). But there were at least 9 hours and finally almost 12 hours between responses (which explains why there were no substantive changes in his responses).
Even though Todd claims to be part of a POS (Point of Sale) technology company, apparently he believes there is no connection between that and keeping up to speed on his (in his eyes) unimportant website that discusses POS technology. Confirming it was not updated for 4 years is not a plus.
Also, claiming to “have a home page” only because we have to have one misses the point of cybersecurity. You must protect all your assets, not just the ones one person is aware of.

Or at least fix them and update them on a regular basis, not every four years (i.e. when we get around to it).


So what can we learn from this Todd vs Brian exchange?

I would say do not try to engage with journalists, even if they are wrong, unless you have a crafted response, and then stick to your points.

The points should not be:

A. We did not do it that badly (this is a bad argument on all counts).

B. Our xyz property is not important, and none of our customers got hacked as a result of our mistake.
It is better to figure out the right response and maybe even ask someone else before actually responding.

Forgive me, but I want to point out the obvious: saying “we did not screw up so badly” is not what should be said. If you will accept blame, apologize without saying someone else is at fault, then fix the problem ASAP and say so.

Tell us how you will keep things together in the future; don’t start arguing with the journalist over minor semantics just to win a small battle.

But most of all, remember to do risk analysis and keep the following concept in mind (your limited-impact items are likely already hacked, and thus the attacker is already in the network trying to attack more interesting targets):

[image: failed risk management model]

More info is in this past post² (Feb 8th, 2016).

So contact me to review your “non-essential” properties before they get hacked.

Finally, realize that the Internet is 24/7/365. If you don’t get that, would you accept no more Netflix at 2am on a Saturday? It is at 2am that you get attacked. Don’t whine about a story being written on Friday and a response being needed at 2pm on Friday. Now we know why your company has problems.
Also, it looks like Brian’s comment software had a hiccup in ordering the comments, since Brian took a little while (Friday evening) sorting the comments once approved. I took them to be the 1st, 2nd, and 3rd responses as they are listed top to bottom.

  1. http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/
  2. http://oversitesentry.com/not-patching-in-time-can-hurt/

Script Kiddie Breaks Into v3.9 WordPress

What happens when an enterprising young person is in front of a computer too long?

Oh yes, one thing leads to another, and WordPress is something to conquer.

It does require patience and diligence. Every day somebody is finding new vulnerabilities in new and old software (this problem was uncovered by the poster ‘speckz’ on Reddit).

[screenshot: snippets of speckz’s WordPress analysis]

The image above shows snippets of the page¹ that speckz posted. I did not include the details of his analysis because I do not want to get into the weeds (PHP code etc.).

That is what a criminal, and a good hacker, does: diligently pursue code snippets until they reveal more information about the website technology.
The idea is for you to have someone who will keep an eye on your security, perform vulnerability analysis and more.

Either way you will pay some money to someone… either to ethical hackers or, as in the next point, to unethical extortionist hackers.

Threatpost² has a story which tells of 30 unsolicited bug poaching incidents. This is where the ‘bug poachers’ tell companies: “You have a bug in xyz software or system on your premises. Oh, and by the way, we already stole all your data.”

“So what you need to do is give us (the poachers) $10,000, and we will tell you where the problem is and will not use the data we stole for nefarious deeds.”

So do you believe these unethical criminal elements?

Paying extortion is bad because, guess what, it will happen again.

What you really need is to spend more money and resources on fixing all the IT process problems that are causing this in the first place. How can I say this with certainty?

Here is a quote from the Threatpost post:

“So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn.

It is a shame that some IT orgs don’t have the wherewithal to get the resources in place.

Am I being too critical? Are we as humans too weak to get the right info tech help that will give us a good defensive umbrella? Is management just incapable of making good long-term decisions?

The right methods, in my opinion, are the following:

A next-gen firewall.

Patching your systems within 30-60 days after new patches come out (all patches should be applied after a good test).

Testing everything, even when every function has been performed; there is no way around this “testing”, as stuff happens and there is too much at stake for mistakes.

The problem is that 1 mistake causes problems, and problems turn into breaches… and extortion, ransomware, etc. Script kiddies are coming and they are not stopping… because they can.

  1. https://notehub.org/5zo2v
  2. https://threatpost.com/hackers-find-bugs-extort-ransom-and-call-it-a-public-service/118360/

Contact Us to discuss