Smith & Wesson’s Website Hit with Magecart

It happens to a lot of companies, but even so, I want to be extra pissed. Smith & Wesson Web Site Hacked to Steal Customer Payment Info.

Gun manufacturers are going to be a target of a lot of people.

American gun manufacturer Smith & Wesson’s online store has been compromised by attackers who have injected a malicious script that attempts to steal customers’ payment information.

This type of attack is called Magecart and is when hackers compromise a web site so that they can inject malicious JavaScript scripts into ecommerce or checkout pages. These scripts then steal payment information that is submitted by a customer by sending it to a remote site under the attacker’s control.
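As an added illustration (not code from this post, from Bleeping Computer, or from Smith & Wesson), here is a small Node.js audit that a shop operator could run over a checkout page. It flags scripts loaded from hosts outside an allowlist, first-party scripts without Subresource Integrity, and inline scripts, which are the three shapes an injected skimmer usually takes, and it builds the Content Security Policy that makes the browser refuse to run an unlisted script or send form data to an unlisted host. The page markup, the allowlist, the `.example` hostnames and the `/csp-report` endpoint are all constructed for the example.

```javascript
// Added example: audit the <script> tags of a checkout page against an allowlist
// and build a CSP for it. Constructed sample data; not tied to any real site.

// Hosts that are allowed to serve script to the checkout page (constructed allowlist).
const ALLOWED_SCRIPT_HOSTS = ["shop.example", "static.shop.example"];

// Constructed checkout page: one first-party script with SRI, one first-party
// script without SRI, one script from a host that is not on the allowlist,
// and one inline script. The last two are what an injected skimmer looks like.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="https://static.shop.example/checkout.js"
        integrity="sha384-EXAMPLEHASHONLY" crossorigin="anonymous"></script>
<script src="/assets/analytics.js"></script>
<script src="https://cdn.unrelated.example/lib.js"></script>
<script>
  document.querySelector("form").addEventListener("submit", () => {});
</script>
</body></html>`;

// Returns a list of {kind, detail} findings for every script tag that does not
// match the allowlist-plus-SRI baseline.
function auditScripts(html, baseUrl, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) {
      // No src: anything with a body is inline code that nobody reviewed.
      if (body.trim().length > 0) {
        findings.push({ kind: "inline-script", detail: body.trim().slice(0, 60) });
      }
      continue;
    }
    // Resolve relative paths against the page URL so "/assets/x.js" gets a hostname.
    const url = new URL(srcMatch[1], baseUrl);
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ kind: "unexpected-host", detail: url.href });
      continue;
    }
    // Allowed host but no integrity attribute: a modified file would still load.
    if (!/\bintegrity\s*=/i.test(attrs)) {
      findings.push({ kind: "missing-sri", detail: url.href });
    }
  }
  return findings;
}

// A CSP that pins script loading and outbound connections to the same allowlist,
// so an injected loader, or a skimmer's POST to an unlisted host, is refused by the browser.
function buildCheckoutCsp(allowedHosts) {
  const hosts = allowedHosts.map((h) => `https://${h}`).join(" ");
  return [
    `default-src 'self'`,
    `script-src ${hosts}`,   // no 'unsafe-inline': inline skimmers do not execute
    `connect-src ${hosts}`,  // fetch/XHR/beacon only to listed hosts
    `form-action 'self'`,    // form posts only back to the shop itself
    `report-uri /csp-report` // hypothetical endpoint that logs violations
  ].join("; ");
}

const auditResult = auditScripts(
  SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout", ALLOWED_SCRIPT_HOSTS);
console.log(auditResult);
console.log(buildCheckoutCsp(ALLOWED_SCRIPT_HOSTS));
```

The audit only sees the HTML as served at the moment it runs, so it is a monitoring check to repeat on a schedule; the policy is the stronger control because the browser enforces it on every page load, including after a script on the server has been altered.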

If you have purchased anything from Smith & Wesson you should contact your bank about your credit card info.

It isn’t good. But it is life in the 21st Century.

Your After Holiday Security Update

Medical facilities are still getting hit with ransomware. Ransomware Locks Medical Records at Great Plains Health.

On Tuesday, GPHealth announced that it was canceling a large number of non-emergent patient appointments and procedures. This decision does not affect surgeries and select imaging procedures, which continued as planned.

Mel McNea, GPHealth chief executive officer, says that there is no reason to suspect that patient data was accessed but the organization will do a full audit, nevertheless.

My take is still that doctors refuse to follow procedures outlined by IT security professionals. They are not doctors!

In the ironic story of the week… Ryuk Ransomware Forces Prosegur Security Firm to Shut Down Network.

Spanish multinational security company Prosegur announced that it was the victim of a cybersecurity incident disrupting its telecommunication platform.

eCards are a problem? Color me shocked. Beware of Thanksgiving eCard Emails Distributing Malware. OK, I’m not that shocked, since eCards have ALWAYS been a bad idea.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last-minute invoices. Users who fall for the emails and open the attached Word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

Companies in The Netherlands are targeted. Dutch Govt Warns of 3 Ransomware Infecting 1,800 Businesses.

The three ransomware strains named by the NCSC are LockerGoga, MegaCortex, and Ryuk. All of them have been involved in attacks against businesses.

Yet another reason to not store passwords in your browser. New Chrome Password Stealer Sends Stolen Data to a MongoDB Database. This is actually a fairly common occurrence.

This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

Yet Another School Hit By Ransomware

Is this even news anymore? When do we start looking at the number of schools not hit with ransomware? Livingston School District in New Jersey Hit With Ransomware.

Students at the Livingston public school district in New Jersey are undoubtedly happy for a two-hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.

There is little other real information. The district made some “reassuring statements” that didn’t cross over into lies, but were probably close.

“Our understanding is that these criminals do not typically steal data, but rather render the systems unusable”

While true, it is not an assurance that no data was stolen. And then of course Bleeping Computer cites an instance where encrypted data was stolen, and released because no ransom was paid.

DNS over HTTPS – or – Why is your ISP spying on you?

UPDATED: to reflect a newer version of the VPN list from Torrent Freak.

DNS over HTTPS, or DoH, has been in the news, because it turns out your Internet Service Provider, or your cellphone carrier if you are using them, is spying on your internet access. Everything you do on the internet. Why aren’t you using a VPN? If you EVER do ANYTHING on a public WiFi, you should have a VPN that you trust. (Hint: You CANNOT trust a VPN that is free. You also can’t trust all of them that you pay for. TorrentFreak is your friend.) A video version of the story is at this link: Security Now Episode 740. And the Show Notes are at this link.

Incidentally, you can bypass all of this nonsense on Android and iOS by downloading and running the 1.1.1.1 app. (Available in both stores.) This is Cloudflare’s solution. And while that means you are trusting Cloudflare, Mozilla has done a credible job of vetting them, and will keep them on their toes. And they are certainly more trustworthy than Comcast, Verizon, et al. Note that 1.1.1.1 is NOT a complete VPN. If you run a VPN (see the Torrent Freak link) this problem of your ISP spying on you is less of an issue.

DoH prevents ISPs from doing some simple spying, which is why Comcast is so upset that it has to spread Fear, Uncertainty and Doubt all over the place. Six of the seven major web browsers are implementing DoH; it just isn’t on by default yet. As usual, it isn’t clear what Apple is doing, since they almost never answer questions.
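To make concrete what the ISP can and cannot see, here is an added example in Node.js (not from this post or from the Security Now notes) that builds the DNS-over-HTTPS GET request defined in RFC 8484 for an A lookup and parses a constructed response. The DNS message is the same bytes classic DNS sends in the clear over UDP port 53; DoH base64url-encodes it into the `dns` parameter of an HTTPS URL, so an on-path observer sees only a TLS connection to the resolver. Cloudflare’s public endpoint is used for the URL, but nothing is sent; the response bytes and the 192.0.2.10 address are constructed for the example.

```javascript
// Added example: what a DoH query actually carries (RFC 8484 GET form).
// Builds the request URL and parses a constructed response; no network traffic.

const DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"; // Cloudflare's public DoH resolver

// Encode a hostname as DNS labels: length byte + label bytes, terminated by 0.
function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = Buffer.from(label, "ascii");
    out.push(bytes.length, ...bytes);
  }
  out.push(0);
  return out;
}

// Build a minimal DNS query: header (ID, RD flag, QDCOUNT=1) + one question.
// RFC 8484 recommends ID 0 for DoH so identical queries are cacheable.
function buildQuery(name, qtype = 1, id = 0) {
  const header = [id >> 8, id & 0xff, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
  const question = [...encodeName(name), qtype >> 8, qtype & 0xff, 0, 1]; // QCLASS IN
  return Buffer.from([...header, ...question]);
}

// RFC 8484 puts the message in the "dns" query parameter, base64url without padding.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function dohGetUrl(name, qtype = 1) {
  return `${DOH_ENDPOINT}?dns=${base64url(buildQuery(name, qtype))}`;
}

// Read a (possibly compressed) name at offset; returns [name, offsetAfterName].
function readName(msg, offset) {
  const labels = [];
  let next = -1; // set when we follow a compression pointer
  for (;;) {
    const len = msg[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {           // 2-byte pointer into the message
      if (next < 0) next = offset + 2;
      offset = ((len & 0x3f) << 8) | msg[offset + 1];
      continue;
    }
    labels.push(msg.subarray(offset + 1, offset + 1 + len).toString("ascii"));
    offset += 1 + len;
  }
  if (next < 0) next = offset;
  return [labels.join("."), next];
}

// Parse a DNS response body and return the A-record addresses in its answer section.
function parseAAnswers(msg) {
  const qdcount = msg.readUInt16BE(4);
  const ancount = msg.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qdcount; i++) {
    off = readName(msg, off)[1] + 4;       // skip QNAME, QTYPE, QCLASS
  }
  const addrs = [];
  for (let i = 0; i < ancount; i++) {
    off = readName(msg, off)[1];
    const type = msg.readUInt16BE(off);      // then CLASS (2), TTL (4), RDLENGTH (2)
    const rdlen = msg.readUInt16BE(off + 8);
    const rdata = msg.subarray(off + 10, off + 10 + rdlen);
    if (type === 1 && rdlen === 4) addrs.push([...rdata].join("."));
    off += 10 + rdlen;
  }
  return addrs;
}

// Constructed response body, shaped as a resolver would return it for the query above:
// flags 0x8180 (response, RD, RA), the same question, one A record with TTL 300.
const SAMPLE_RESPONSE = Buffer.from([
  0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  ...encodeName("www.example.com"), 0x00, 0x01, 0x00, 0x01,
  0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2c, 0x00, 0x04,
  192, 0, 2, 10,                            // 192.0.2.10, a documentation address
]);

console.log(dohGetUrl("www.example.com"));
console.log(parseAAnswers(SAMPLE_RESPONSE));
```

The URL the code prints is the worked example from RFC 8484 itself, so the encoding can be checked against the standard. The point for the ISP question is that the hostname only exists inside that encoded parameter, which travels inside TLS; what the ISP still sees is that you connected to the resolver, and then the IP addresses you connect to afterwards, which is why the post is right that DoH is not a substitute for a VPN.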

Brave

Tom Lowenthal, Product Manager at Brave for Privacy & Security told ZDNet: “We absolutely want to implement it. Implementing DoH is far more than just the technical work, though. We need to decide on sensible and protective defaults for the vast majority of people who don’t think about their DNS configuration while making sure that we don’t break things for the people and organizations who have carefully tuned their setup.” Because Brave is built on top of the Chromium open-source browser codebase, DoH support is available. However, the Brave team has yet to tweak the feature so that it works exactly the way they wish. So DoH is already there in the codebase the way the Google Chrome team designed it to work, as we’ve previously described. DoH in Brave can be enabled at: brave://flags/#dns-over-https

Chrome

As we know, Google Chrome is the second browser after Firefox to add DoH support. DoH isn’t yet enabled by default for everyone since Google is currently running a limited experiment with a small number of users to see how DoH fares in a real-world test. As we’ve noted, they take an adaptive approach, first honoring the user’s existing DNS provider to see whether it supports DoH and using it if possible. If not, it follows various heuristic paths. DoH in Chrome can be enabled at: chrome://flags/#dns-over-https

Edge

A Microsoft spokesperson told ZDNet that they were supportive of DoH, but they couldn’t share their exact plans. However, like Brave, the soon-to-be-released Chromium-based version of Edge already supports DoH. DoH in Edge can be enabled at: edge://flags/#dns-over-https

Additional thoughts, tips and tricks from an Edge developer are here: https://textslashplain.com/2019/11/06/thoughts-on-dns-over-https/

Firefox

As we know, Firefox was the first out of the gate with DoH and took some undeserved, in my opinion, arrows in its back for simply standardizing upon Cloudflare as their DoH provider. No one took the time to understand how rigorously Mozilla vetted Cloudflare. And many people who don’t listen to this podcast might mistakenly believe that Cloudflare is just another CDN. But anyone who can erect a large wall of Lava Lamps and use their video images to generate true random numbers definitely stands out as an innovator. Which is what we know them to be. DoH can be enabled in Firefox through its Settings UI.

Opera

Opera has already rolled out DoH support. The feature is disabled by default for all users but it can be enabled at any time in the stable release, and it works without users going through any additional steps. The flip side of the “no additional steps” is that Opera has followed Firefox’s lead and simply routes all DoH traffic to Cloudflare’s 1.1.1.1 DoH resolver. Users of Opera’s popular VPN should note, however, that the two are incompatible and the VPN must be disabled for DoH to work. On the other hand, if you’re using a VPN you already have a privacy-encrypting tunnel which zips right past your ISP or service provider, so DoH is not needed in VPN mode. DoH can be enabled in Opera at: opera://flags/opera-doh

Safari

ZDNet was unable to obtain any reply from Apple about Safari but ZDNet notes that since Apple has recently been investing in user privacy-focused features, the chances are good that DoH will eventually appear in Safari.

Vivaldi

Being yet another Chromium-based browser, Vivaldi also works like Chrome. DoH can be enabled in Vivaldi at: vivaldi://flags/#dns-over-https

Hospital Ransomware Attacks Cause Deaths

What a shock. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Do you think that security is worth anything? Do you think that doctors will actually follow recommendations from someone who isn’t a doctor?

BlueKeep Is a Threat. Not That Systems Will Be Updated

But just like the idiots who ignored the warnings before WannaCry took down a couple of businesses and the UK’s NHS, I predict that people won’t heed this warning. Microsoft Warns of More Harmful Windows BlueKeep Attacks, Patch Now.

BlueKeep is out there in the wild. What has been seen to date is cryptomining malware. But really once you’re in, you can do anything, so everyone in the know is betting that ransomware is on the way.

So if you haven’t updated your systems… well I hope you enjoyed the internet while you could.

Does a Hospital Getting Hit with Ransomware Count as News?

I’m leaning toward not news. Brooklyn Hospital Loses Patient Data In Ransomware Attack.

The hospital provided very little information, except to say that the attack happened in July. There was an investigation, and attempts to recover the files in the intervening months.

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Does it need to be stated again? Organizations have decided that backups are not needed. (People have decided that as well; both are wrong.) Or in other cases, they have a backup server that is connected to their network, and that gets encrypted as well. At least some of the backups need to be offline.

Does a School Getting Hit with Ransomware Qualify as News?

And are they ever going to learn? Ransomware Attack Causes School ‘District-Wide Shutdown’.

At least the Las Cruces Public Schools didn’t cancel classes because the computer network was shut down.

Swift action does not save the day

The district activated the crisis response team and is working to restore critical services. It is unclear at this point how long the systems will be down.

The IT department discovered early Tuesday morning (7 a.m.) that some servers were compromised and reacted quickly by shutting down the entire computer network of the district.

Communication with schools in the district is done via phones and handheld radio stations.

However will they survive without the Internet?

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and Simjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.

Two months to go.

Adware Found in Google Play Store Apps

Because of course it is. New Google Android Malware Warning Issued To 8 Million Play Store Users.

Adware is a type of malware that hides on your device so it can serve you unwanted adverts, including scam ads. On top of this, adware-containing apps can drain battery resources, increase network traffic and gather your personal information.

No one seems to be able to produce a simple list of the apps in question. Everyone is just reproducing the image published by ESET. So here’s a link to the image at Forbes.

Even legitimate apps seem to collect an awful lot of data, usually by way of their integration with F*c*book, and even if you aren’t logged into FB, or even if you don’t have an account. Malware is of course over the top.

All of the impacted apps have been removed from the Play Store, but some are available from other locations.

Since I had a story on the Apple problems yesterday…

German Cybersecurity Agency Recommends Firefox

News you can use. German Cybersecurity Agency Picks Firefox As Most Secure Browser.

The Bundesamt für Sicherheit in der Informationstechnik (BSI), or the Federal Office for Information Security of the German government, evaluated a group of browsers: Google Chrome, Apple’s Safari, Microsoft Edge and Internet Explorer, and Mozilla’s Firefox. (Their testing criteria are listed at the bottom of this post.)

Firefox was the only one that passed.

The details of the things BSI was looking for are available in the Show Notes for Security Now #737. And I can recommend the Security Now Podcast episode 737. They are included after the break.


iOS Malware Trojan Found on Apple App Store

Though it is a relatively small number of apps. iOS Clicker Trojan Malware Found in 17 Apps in Apple’s App Store.

More than a dozen iOS apps infected with clicker Trojan malware and distributed via the Apple App Store were found to perform ad fraud-related tasks in the background, using the command and control servers of a similar Android ad fraud campaign.

The infected apps were diverse: a Body Mass Index calculator, travel apps, a speedometer, and more.

The Cyber-attack on the 2018 Olympics

Bigger and badder hacks to come. The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History.

Just as the opening ceremonies were getting underway in Seoul, Korea, the attack struck. Sang-jin Oh, 47-year-old civil servant and director of technology for the Pyeongchang Olympics got a call he didn’t want. They were under attack.

As the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens of massive puppets and Korean dancers entered the stage. Oh saw none of it. He was texting furiously with his staff as they watched their entire IT setup go dark. He quickly realized that what the partner company had reported wasn’t a mere glitch. It had been the first sign of an unfolding attack. He needed to get to his technology operations center.

As Oh made his way out of the press section toward the exit, reporters around him had already begun complaining that the Wi-Fi seemed to have suddenly stopped working. Thousands of internet-linked TVs showing the ceremony around the stadium and in 12 other Olympic facilities had gone black.

Russia was banned from the 2018 Olympics.

For years in the lead-up to that verdict, a state-sponsored Russian hacker team known as Fancy Bear had been retaliating, stealing and leaking data from Olympics-related targets. Russia’s exile from the games was exactly the sort of slight that might inspire the Kremlin to unleash a piece of disruptive malware against the opening ceremony. If the Russian government couldn’t enjoy the Olympics, then no one would.

If you’re interested in computer security, and what hackers can do, it’s an interesting read. And the techniques are getting better, and the so-called good-guys are still hampered by the “security is expensive” issue. Those damn folks in IT, always want to spend money on something. Except when the manure hits the rotating air-moving-machine, everybody points their fingers at IT. “I told you so,” never works with bureaucrats or lawyers.

Anyway, go read the whole thing, but it isn’t a quick read. Grab a coffee first.

It Isn’t Just Amazon and Google Spying on You

As if that wasn’t enough. Alexa and Google Home abused to eavesdrop and phish passwords.

By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google.

Privacy is such a 20th Century concept.

Ransomware vs 911 Call Center – Nobody Wins

Hard to quantify the cost of an outage when it can cost lives. Ransomware attack may be affecting 911, emergency dispatch in Jasper Co.

Earlier this week it was confirmed Jasper County had a cyber attack on their countywide systems, including email and emergency response systems.

At that time, county officials said 911 and emergency dispatch services were not having any issues as a result of the cyber attack. Now, that may not be the case.

Color me shocked. A politician isn’t telling the truth. OR, a politician who doesn’t actually know what is going on.

A system that was formerly automatic (in terms of locating addresses) has now reverted to manual, causing delays.

First responders say every second the county or city response teams are not responding to a call, someone’s life could be put at risk.

“To do that by hand, to take that extra time it could cost someone their life.”

At least the system wasn’t knocked out completely, as it was in other areas. Still, it might be good to have a plan B. Like know some first aid, or have the local police and fire numbers in your phone.

The First Lady of Naval Cryptology

[UPDATE: Some folks seem to think I spelled Cryptography incorrectly in the title to this post. But that isn’t how Agnes Meyer-Driscoll was known. See Remembering the First Lady of Naval Cryptology. I originally referenced the NSA’s site, because why not. Maybe I should have used the Navy’s site.]

Agnes Meyer Driscoll sounds like an extraordinary woman. She was born July 24, 1889 and passed away on September 16, 1971.

In June 1918, about one year after America entered World War I, Agnes Meyer enlisted in the United States Navy. She was recruited at the highest possible rank of chief yeoman and was assigned to the Code and Signal section of the Director of Naval Communications. Except for a two-year hiatus, when she worked for a private firm, Agnes Meyer Driscoll (she married in 1924) would remain a leading cryptanalyst for the U.S. Navy until 1949.

She worked to break the Japanese naval codes of the 1920s, 1930s and 1940s. She worked to break the cipher of the Orange Machine, which wasn’t quite the Japanese Enigma. And she did work on Enigma, though that code was broken by the British.

In 1949 she transferred to the Armed Forces Security Agency, which became the National Security Agency in 1952. She retired in 1959.

Hat tip to Coffee or Die (which is becoming one of my favorite reads). 7 Badasses in the U.S. Navy — Who Aren’t SEALs! Which is worth your time in its own right. (Beach Jumpers, the USS Seahorse, and more.)

Alabama Hospital Pays Ransom

But it’s OK, because they have insurance. Alabama Hospitals Back Online 10 Days After Malware Attack.

The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.

So they did what the FBI has been telling people not to do, which is pay the ransom. I wonder if they will take any action to prevent a repeat attack, or if the bad guys are just keeping a list for places to revisit next year. I also wonder how long insurance will be available. You can get homeowners’ insurance because house fires are relatively rare occurrences. If half of your neighborhood burned every year, insurance would be harder to come by, or it would cost a whole lot more.

Is Ransomware Getting Worse? Yes

The FBI sees the writing on the wall. Will anyone listen? FBI warns of major ransomware attacks as criminals go “big-game hunting.”

Where certain attacks have behaved like opportunistic attacks – Baltimore is mentioned – that is changing as the bad guys get better, or worse. Better at being bad guys, anyway.

Data from CrowdStrike has shown a rise in what the firm refers to as “big-game hunting” over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime—so the motivation to pay a ransom is consequently very high.

And the FBI, though they didn’t give much info, thought the situation warranted a warning. Not that anyone will listen. Actually preparing for such an attack costs money, and means we have to change the way we do things, in ways that we don’t like, and besides, those damn IT folks are always wanting to spend money on some crazy thing. And what can it cost, anyway?

What Is the Cost of a Ransomware Attack?

In the case of Demant (a Danish company), the costs are high. Ransomware incident to cost Danish company a whopping $95 million.

While they had an insurance policy, it will not cover a quarter of that bill. And there are worries that while they were down, and unable even to support retail sales, customers switched brands, and will not be back.

And the company isn’t saying “ransomware.” Though Danish media is reporting it that way, and it “sure did look like one from the outside.”

Most of the losses have come from lost sales and the company not being able to fulfill orders. The actual cost of recovering and rebuilding its IT infrastructure was only around $7.3 million, a small sum compared to the grand total.

So what part of that $7 million has the IT department been pleading for? But as they say, there is much more.

Furthermore, “in our hearing aid retail business, many clinics across our network have not been able to service end-users in a regular fashion.”

These business upheavals have been a disaster for the company’s bottom line. In a message to its investors, Demant said it expects to lose somewhere between $80 million and $95 million.

So, for that $7 million, could the IT folks have made themselves immune to ransomware? Probably not. But they might have been able to mitigate the cost, and it’s not like the company didn’t end up spending the money anyway. The difference is between a scrambling emergency that impacts customers, top-line growth and the bottom line, and a planned implementation.

Other incidents from 2019 include…

defence contractor Rheinmetall, airplane parts manufacturer Asco, aluminum provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.

Hat tip to Security Now episode #735.

Alabama Hospitals Pay Ransom

So that will encourage people to keep executing attacks. DCH pays hackers responsible for ransomware attack.

The DCH Health System has made a payment to the hackers responsible for the crippling attack on its computer system that’s impacted operations at its three hospitals since early Tuesday morning.

Because it is easier to pay ransom to a bunch of criminals than to spend the money to secure and back up your systems ahead of time. Besides, at least for now, you can buy insurance for these kinds of hacks. I can’t believe that the insurance companies can keep this up forever.