Are Gated Communities Safe?

Did the Maginot Line stop the German invasion of France? 2 men killed, woman injured in baseball bat attack at Windermere home, police say.

Sure, they offer some added protection. But are they a guarantee of safety? Of course not.

Windermere police said Ezekiel Emanuel Hopkins pushed the community’s gate open with his car then tried to steal a car from the home when he was confronted by the homeowners, John and Lisa Savey.

This story will not get national attention because there is no way to push the gun-control agenda. Do we need commonsense baseball-bat control? Would that be any more effective?

As we see from this story, gates and fences can be overcome in a number of ways. Sure, they provide security, and if you click thru you will see the gates came with lots of security cameras, but passive defenses only work so well.

And there are no guarantees in this life.

Hat tip to Wombat-socho and to Vox Day who notes “Gated communities won’t save you.”

The Norsk Hydro Ransomware Attack

A review of the 2019 ransomware attack on Norsk Hydro, for the geeks in the audience. How to Survive a Ransomware Attack Without Paying the Ransom.

For those who don’t follow these things… It has been called, “The worst cyberattack in Norway’s history.”

At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.

Norsk Hydro didn’t pay the ransom for all the reasons that you can imagine. Lack of guarantees. Making Norsk Hydro an attractive target for other attacks. Feeding the evil beast.

It ended up costing the company 60 million US dollars. Insurance paid 3.6 million. Oh, and they had a reasonable amount of security in place before all this started. They weren’t ignoring stuff and hoping for the best. Here’s the moral of the story…

Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

The description of how things worked at an aluminum plant in Cressona, Pennsylvania is pretty fascinating. How people adapted to every computer at work being shut off.

Can’t Be Bothered to Secure Your Data…

Then you just might lose it. Ongoing Meow attack has nuked >1,000 databases without telling anyone why.

Note: The photo has nothing to do with the attack; I just love that image. (“I find your lack of password security disturbing.”)

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day.

Hey, if you can’t be bothered to use a password, it must not be important. It isn’t clear to me whether or not data has been stolen. But again, it doesn’t seem to be important, though the original data was stolen, and then it was deleted.

The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details of the UFO VPN had been destroyed. UFO VPN had already been in the news that day because the world-readable database exposed a wealth of sensitive user information.

A whole bunch of stuff, including plaintext passwords and usage logs, that UFO VPN “promised” not to keep, was stolen, and then the database was deleted by Meow. (The moral of that story is, “NEVER use a free VPN.”)

Once Is Happenstance, Twice is Coincidence…

Three times is Enemy Action. In this case there were more than 3 times that something bad was done. Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data.

So there is a problem with Chinese-manufactured, Internet hardware being set up to spy on users. Color me shocked.

The researchers found seven problems with the firmware from C-Data. Each a major problem in its own right.

The vulnerabilities are as bad as it gets, but by far, the worst and most disturbing of the seven is the presence of Telnet backdoor accounts hardcoded in the firmware.

The accounts allow attackers to connect to the device via a Telnet server running on the device’s WAN (internet-side) interface. Kim and Torres said the accounts granted intruders full administrator [Command Line Interface] access.

And once in, they could retrieve the passwords of other Administration accounts on the machine, and do a host of other things.

This was not “responsibly disclosed” because the researchers don’t believe these are bugs. These are backdoors deliberately installed in the Fiber To The Home (FTTH) Optical Line Termination (OLT) devices. If your ISP offers “fiber service,” but your house is wired with copper, then there is a device like this somewhere nearby, not necessarily from C-Data, though they were a cheap solution. They also sold a lot of equipment to resellers, so it is hard to say how many of these things there are. Shodan probably knows.

One of the reasons that an organization would have purchased these things is because of cost. I understand cost-accounting as much as anyone in Information Technology and probably more than most, but there are times and places to cut costs and stuff that impacts the security of your entire network probably is not a good candidate.

The Security Nightmare of the Decade

So I’ve been trying to write a post on Ripple20. Quite unsuccessfully I might add. To explain what it is I need to immediately start talking about things like implementations of the TCP/IP communications stack. Or I can forget the tech details and just write about the implications. Neither is appealing.

And I don’t know that I can write about the implications without sounding like the sky is falling. Maybe it is. Maybe it has mostly fallen.

When the Cybersecurity & Infrastructure Security Agency (which was apparently named by the Department of Redundancy Department at DHS) says things are bad with medical devices, well things are not good. Ripple20 vulnerabilities affect IoT devices across all industries.

More than a dozen vulnerabilities, collectively named Ripple20, affecting the TCP/IP communication stack used in hundreds of millions of embedded devices paint a grim scenario for connected gadgets.

Some of the flaws are critical and can be exploited to gain remote control of all vulnerable devices on the network. They impact such a wide spectrum of products from so many vendors that it is easier to count those that are not affected.

Some of the stacks will be implemented in such a way that updating or replacing them will simply not be possible. Most will not be updated because of vendor and end-user apathy. I’m sure most reputable vendors, for things like medical equipment, will provide updates eventually. But medical equipment needs to be vetted by the FDA, and that won’t happen tomorrow.

So here’s some info on the problem as of the 24th. List of Ripple20 vulnerability advisories, patches, and updates.

If you have IoT devices in your home, and they are not keeping you alive, you might want to get rid of them, unless you can verify that they are not impacted. Good luck with that, because some of the vendors have gone out of business. The TCP/IP stack code, written in C, is over 20 years old. (Do you know which TCP/IP stack implementation is in your color-changing light-bulbs that are so fun to change with your smartphone?) If you have stuff that is important, put it on a segmented network, and try to see what the vendor has to say.

Distributed Denial of Secrets Hits Law Enforcement

DDoSecrets is an alternative to Wikileaks. ‘BlueLeaks’ Exposes Files from Hundreds of Police Departments.

The data is from Fusion Centers, and comprises nearly 270 Gigabytes.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

And as per usual in these cases, a single point of failure, shared among a large number of Fusion Centers. In this case a single service provider.

The data also includes some banking data, in the form of ACH transfer numbers.

What it probably doesn’t include is any data of interest to the Woke crowd about possible police misconduct. It might put some people’s lives in danger if they are cooperating, or have cooperated, with police on investigations.

Someday, people will take data security seriously. But today is not that day.

iOS security is f**ked

People still maintain that iOS is “more secure” than Android. Really? ‘iOS security is f**ked’ says exploit broker Zerodium: Prices crash for taking a bite out of Apple’s core tech.

Apparently the COVID-19 lockdown gave the hackers a LOT of time to ply their craft, and maybe a bit of financial incentive.

Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won’t pay anything for some iOS bugs due to an oversupply.

“We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors,” the company said via Twitter.

If you’re a hacker you can sell vulnerabilities to the SW/HW provider, or you can sell to Zerodium, and “feed the beast.” Zerodium pays more. Or at least they did.

They have SO MANY remote code execution bugs for iOS/Safari – the hacker’s dream vulnerability – that they won’t be accepting anything new. And yet people still try to convince me that iOS is more secure than Android, because it is SECRET. Once again, obscurity does not equal security. Is it even necessary to state that anymore? The Enigma Machine the Germans used in WWII was obscure. It turned out it was not secure. Things haven’t changed that much since then. All the hard-coded back-doors into servers and routers that were put there in the early 2000s, because “How would anyone find this?” have been a problem since forever. But I’m sure the iOS issues are more of the software bug variety.

“There are likely a lot of hackers stuck at home with extra time on their hands, or perhaps who have lost their jobs or are in a financial squeeze, as is a large portion of the population,” said Wardle.

Add time and financial motivation, he said, and you get more bugs.

COVID-19. The gift that keeps on giving.

New York’s Recipe For More Crime

The video is infuriating. Elderly victim shoved by brute ‘fearful to walk the streets alone’.

A 31-year-old creep punches a 91-year-old lady in the head for no reason. Violent criminals don’t need a reason to be violent criminals.

Geraldine hit her head on a fire hydrant and started bleeding, she said. A passerby saw the assault, called 911 and an ambulance rushed her to nearby Beth Israel Hospital, she said.

The former teacher said her physical wounds were relatively minor and have since healed — but the mental toll has been much more severe.

As for the guy in question.

Brimmage was busted by cops Tuesday and charged with assault after investigators recognized him from video footage of the attack, authorities said.

The frequent offender has now been arrested 103 times since 2005 for petty crimes and sex offenses, sources said.

The creep was convicted of sexual misconduct in 2012, then arrested for two sex offenses in 2014, police sources said.

And with all of that he is walking down the street free to punch an old lady in the head. Click thru and watch the video; it is only a few seconds. I’m sure he thought he was a bad-ass striking a blow for some worthy cause. If she had hit her head just a bit harder on the fire hydrant, he might be facing murder charges. As it is, his punishment won’t be enough.

Hat tip to The Other McCain who notes, We Found Another Joe Biden Voter.

What Happens If You Try to Tell a City They are Under Attack?

Under attack by ransomware, that is… So you try to tell a city they are under attack by ransomware, and they ignore you for 24 hours, tell you they have stuff under control, and then go toes-up. Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity.

It is hard to feel sorry for them at this point.

The initial call was on May 26th.

My call was transferred to no fewer than three different people, none of whom seemed eager to act on the information. Eventually, I was routed to the non-emergency line for the Florence police department. When that call went straight to voicemail, I left a message and called the city’s emergency response team.

That last effort prompted a gracious return call the following day from a system administrator for the city, who thanked me for the heads up and said he and his colleagues had isolated the computer and Windows network account Hold Security flagged as hacked.

Read that again. Isolated “the computer” because ransomware only ever attacks one person at a time…

They are going to pay $291,000.

Florence Mayor Steve Holt confirmed that a cyberattack had shut down the city’s email system. Holt told local news outlets at the time there wasn’t any indication that ransomware was involved.

However, in an interview with KrebsOnSecurity Tuesday, Holt acknowledged the city was being extorted by DoppelPaymer, a ransomware gang with a reputation for negotiating some of the highest extortion payments across dozens of known ransomware families.

The payment is apparently to stop exfiltrated data from being sold on the dark web, though the article doesn’t say what that data may be.

“Gone Phishing”

Bets on whether either campaign is ready for this? Iran- and China-backed phishers try to hook the Trump and Biden campaigns | Ars Technica.

State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns.

I doubt that the campaigns are ready for determined spear phishing. I just don’t believe either the Republicans or the Democrats, and especially campaign staffers, understand the threats. I’m sure the younger members of the campaign understand, so they won’t be the targets.

Another Data Breach

Someday we will have good security, but that day is not today. San Francisco retirement program SFERS suffers data breach.

While SFERS states that no Social Security Numbers or bank account information was contained in the breach, there was enough personal information exposed that could be used by threat actors in attacks.

According to the notification, the types of information that were exposed are different depending on whether a member is retired or if they had registered on the web site.

The leaked information for all members includes a member’s name, address, date of birth, and beneficiary information.

All because a vendor set up a test environment that included real data, but without real security.

They are offering the obligatory 1 year of credit monitoring, which is a sham, because the risk will last more than 1 year.

The “complete collapse of Bluetooth security”

One day, we will have good security, but that day is not today.

So I’m behind on security. Bluetooth pairing flaw exposes devices to BIAS attacks.

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

It is a specification-level vulnerability. That means EVERY Bluetooth device is vulnerable. Some will eventually be patched; many will not. The updated specification will be available “in the future.” (That’s the best info we have.)

But how often does the software in your car’s entertainment system get updated? Are there low-energy Bluetooth devices sprinkled around that won’t get updated? Of course there are.

The title of the post comes from the Show Notes for Security Now, episode 768. The notes are at this link. The video can be found at this link. The relevant part of the video starts at about 1 hour, 4 minutes and a couple of seconds in. The quote of the day…

Our attacks are “standards compliant.”

Bluetooth is in literally billions of devices.

From the researchers…

To confirm that the BIAS attacks are practical, we successfully conducted them against 31 Bluetooth devices (incorporating 28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Every Bluetooth front door lock is currently vulnerable. Many will probably remain vulnerable for all time.

Beware of Free VPNs

I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a good idea.

If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.

And it isn’t just the unknown players that you need to beware of.

For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.

But their “privacy policy” says that they keep info about the apps you use, the websites you visit, in addition to aggregate statistics. That sounds like fairly detailed usage logs to me.

After the break find a table that details some of the VPNs and how they are not guarding your privacy.

Torrent Freak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous.


Third Payment Processor Has Security Breach This Year

Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.

The processor is PAAY, a startup in New York, which left a database online with no password protection. You can click thru for the particulars.

The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.

TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.

Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.

So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks, is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.

Anti Semitic Attacks Were Taking Place While You Were Distracted With Quarantine

First up the University isn’t a safe space. Yale University Rabbi Abused and Beaten in Antisemitic Robbery Praises Swift Police Response.

Rosenstein had been making a call on his cellphone while standing outside the Yale Chabad House when he was approached by two teenage boys, one of whom told him, “Give us everything you have, you f__ Jew.”

Then there is the vandalism in Alabama. Huntsville Synagogue vandalized with swastikas.

A Huntsville synagogue has been vandalized with swastikas and other anti-Semitic graffiti at the start of Passover. News outlets report that Huntsville police are investigating after the Etz Chayim temple was desecrated Wednesday night.

And with everyone using Zoom, the haters are also using it. Zoombombing: New Frontier of Anti-Semitism?

The hijacking and disruption of video teleconferencing on the popular platform Zoom, which has become known as Zoombombing, is a growing concern to those who fight crime and hate, including the FBI and the Anti-Defamation League. It’s especially troubling considering the ubiquitous use of the app for business, education and group meetings during the coronavirus.

There are things you can do to avoid Zoombombing. And you should, or you risk getting bombed with everything from porn to hate.

Because People Still Refuse to Use a Password Manager

Zoom has been in the news, but this really isn’t their fault. People use their pet’s name, or their birthday, or whatever as a PW, and then are victims of credential stuffing. Over 500,000 Zoom accounts sold on hacker forums, the dark web.

These credentials are gathered through credential stuffing attacks where threat actors attempt to log in to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Free? Who says hackers don’t like to have fun.

If you use the same password on multiple sites, stop. Change them. I don’t want to say “especially if you use Zoom,” but that is the story of the day. Select and use a password manager. LastPass is very popular. I use KeePass. I know exactly 1 person who selected 1password. As always, you are responsible for your own choices. And, as Rush pointed out, not choosing is also a choice.

You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that’s clear
I will choose freewill

Zoom Security Is Worse Than You Thought

Because security is hard. Security and Privacy Implications of Zoom.

Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. [SNIP]

They’re also lying about the type of encryption.

So the short story is, they don’t give a rat’s ass about security.

And then there is privacy. (What’s that?) First they lied about it. Then they tried to be coy. But privacy is not high on their list of priorities.

Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising.

But then security and privacy are expensive, and if you give a person a chocolate bar, there is good chance they will give you access to their online banking system.

The COVID-19 Outbreak Hasn’t Stopped Computer Crime

The combination of hospitals and security has been a longstanding issue. So of course it goes on being an issue during COVID-19. Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks.

Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.

As part of their tracking of various groups behind human-operated ransomware attacks, Microsoft has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network.

With the health care industry already under pressure, I can’t imagine what the loss of their record-keeping would do.

Working From Home and Security Problems

I haven’t had anything on security for a while, but in everyone’s rush to work from home, there are a number of problems.

First, people decided to enable Remote Desktop Protocol (RDP), so they could work from home. RDP and VPN use skyrocketed since coronavirus onset. Which would (maybe) be OK, if they weren’t exposing RDP services to the public internet.

Use of RDP went up 41 percent to over 400,000 instances, according to Shodan. Those are only services listening on the default port, 3389. And there are services listening on 3388, where some “clever” sysadmins are hiding. Not so much really.

Microsoft has never been able to make this secure, and it should NOT be exposed to the public internet. Steve Gibson, of Security Now, called this situation “horrifying.” Expect to see an outbreak of ransomware and other issues, like data breaches, because of stupid sh#t like this in the near term.
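One way to find out whether your own RDP listeners are the kind Shodan is counting, as an added example that is not code from the post or from Shodan: sweep firewall or flow logs for RDP ports (3389 and the “hidden” 3388) that accepted connections from outside the organisation. The log format and the sample records are constructed, and the internal ranges are an explicit RFC 1918 list.

```python
"""Find RDP services that accepted connections from outside the organisation.

Added example, not code from the article or from Shodan. It assumes a simple
firewall/flow log format, 'timestamp action src_ip src_port dst_ip dst_port',
one record per line; the sample records below are constructed. Documentation
addresses (203.0.113.x, 198.51.100.x) stand in for public ones, so the
'internal' test is an explicit RFC 1918 list rather than ipaddress.is_private,
which would treat those documentation ranges as private as well.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# RDP's default port plus the "moved" port the post mentions; moving the
# listener does not make it any less exposed.
RDP_PORTS = {3389, 3388}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one host on the default port, one "hidden" on 3388,
# plus internal and non-RDP traffic that must not be reported.
SAMPLE_LOG = """\
2020-03-28T10:01:02Z ALLOW 203.0.113.7 51234 198.51.100.20 3389
2020-03-28T10:01:05Z ALLOW 203.0.113.7 51235 198.51.100.20 3389
2020-03-28T10:02:00Z ALLOW 192.168.1.50 50001 198.51.100.20 3389
2020-03-28T10:03:10Z DENY 203.0.113.9 44444 198.51.100.21 3389
2020-03-28T10:04:22Z ALLOW 203.0.113.77 40000 198.51.100.21 3388
2020-03-28T10:05:00Z ALLOW 203.0.113.7 51240 198.51.100.20 443
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_rdp(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map 'dst_ip:port' of every RDP listener that ACCEPTED a connection from
    an external address to the sorted list of those external source IPs.
    Denied attempts prove nothing about exposure and are skipped; malformed
    lines are skipped too rather than aborting the sweep."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        _, action, src, _, dst, dport = parts
        try:
            port = int(dport)
            external = not is_internal(src)
        except ValueError:
            continue
        if action == "ALLOW" and port in RDP_PORTS and external:
            hits["%s:%d" % (dst, port)].add(src)
    return {k: sorted(v) for k, v in sorted(hits.items())}


if __name__ == "__main__":
    for listener, sources in find_exposed_rdp(SAMPLE_LOG.splitlines()).items():
        print("%s accepted RDP from the internet; seen from %s"
              % (listener, ", ".join(sources)))
```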

Using Zoom to handle meetings? Good luck with that. Zoom Lets Attackers Steal Windows Credentials via UNC Links.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file.

When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.
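The fix on the client side is to stop turning UNC paths into clickable links at all. As an added example, not Zoom’s code or code from the article quoted above, here is a small chat-text filter that classifies link-like tokens and renders only http(s) links as anchors; the hostnames in the sample messages are constructed placeholders.

```python
r"""Keep UNC paths from becoming clickable links in chat text.

Added example, not Zoom's code or code from the article quoted above. Windows
treats three spellings as a remote path it will open over SMB (sending an
NTLM challenge/response to that host): the backslash form \\host\share\file,
the forward-slash form //host/share/file, and file:// with a non-empty host.
A chat renderer that turns only http(s) links into anchors and emits
everything else as escaped text closes the one-click path.
"""
import html
import re
from typing import List, Tuple

# Link-like tokens: backslash UNC, slash-slash UNC (not the // of a scheme),
# and scheme://... URLs. Order matters: the UNC alternatives are tried first.
LINK_RE = re.compile(
    r"(?P<unc>\\\\[^\\\s]+(?:\\[^\s]*)?)"           # \\host\share\cat.jpg
    r"|(?P<slash>(?<![:\w])//[^/\s]+(?:/[^\s]*)?)"  # //host/share/cat.jpg
    r"|(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^\s]+)"   # scheme://...
)

WEB_SCHEMES = {"http", "https"}


def classify_link(token: str) -> str:
    """'unc'   -> Windows may open it over SMB (backslash, //, or remote file://)
       'web'   -> ordinary http(s) link, safe to make clickable
       'other' -> anything else (local file:///, unknown schemes)."""
    if token.startswith("\\\\") or token.startswith("//"):
        return "unc"
    scheme, _, rest = token.partition("://")
    scheme = scheme.lower()
    if scheme == "file":
        # file://host/share/x names a remote host; file:///C:/x is local.
        host = rest.split("/", 1)[0].lower()
        return "unc" if host and host != "localhost" else "other"
    return "web" if scheme in WEB_SCHEMES else "other"


def extract_links(message: str) -> List[Tuple[str, str]]:
    """Every link-like token in a message with its classification, so a
    server-side filter can log or alert on UNC paths posted to a channel."""
    return [(m.group(0), classify_link(m.group(0))) for m in LINK_RE.finditer(message)]


def linkify(message: str) -> str:
    """Hardened renderer: HTML-escape the message and wrap only 'web' tokens
    in <a>. UNC-style tokens stay as inert text, so a click cannot start an
    SMB connection."""
    out, pos = [], 0
    for m in LINK_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        tok = m.group(0)
        esc = html.escape(tok)
        out.append('<a href="%s">%s</a>' % (esc, esc) if classify_link(tok) == "web" else esc)
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed chat lines; the hostnames are placeholders.
    for msg in (r"check \\files.example\pics\cat.jpg",
                "check //files.example/pics/cat.jpg",
                "check file://files.example/pics/cat.jpg",
                "check https://example.com/pics/cat.jpg"):
        print(extract_links(msg), "->", linkify(msg))
```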

That’s not the only problem with Zoom. If you are using Zoom, ZDNET and others have guides for how to do so securely.

And because the month wouldn’t be complete without a data breach… Marriott Reports Data Breach Affecting Up to 5.2 Million Guests.

From sometime in January until the end of February it appears that hackers had the credentials of 2 employees at a “franchise location” and were able to access the information.

Although an investigation of this incident is ongoing, Marriott says that currently there is no “reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

Since their last breach impacted more than 300 million people, this is small potatoes.

I have a dream that someday corporations will treat security seriously, but it is only a dream, and it is not likely to come true during 2020.

Someday Corporations Will Take Security Seriously

It’s a dream I have. But it won’t be realized anytime soon. Hackers can clone millions of Toyota, Hyundai, and Kia keys.

Keyless cars have been subject to hacks (relay attacks) for a while.

Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

It isn’t a great hack: you need to scan the key with an RFID reader from a few inches away (though I bet someone is working on range extenders even now…). But it is level one. And once they have the code there is still some work to do, but for the right car that work might be worth it.

Toyota, Hyundai, and Kia are vulnerable to this hack. Tesla released a firmware upgrade to make the Model S immune. But like I said, this is only the first iteration of the attack. And I doubt the other manufacturers are immune; they just happen to use a different system.