The “complete collapse of Bluetooth security”

One day, we will have good security, but that day is not today.

So I’m behind on security. Bluetooth pairing flaw exposes devices to BIAS attacks.

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

It is a specification-level vulnerability. That means EVERY Bluetooth device is vulnerable. Some will eventually be patched; many will not. The updated specification will be available “in the future.” (That’s the best info we have.)

But how often does the software in your car’s entertainment system get updated? Are there low-energy Bluetooth devices sprinkled around that won’t get updated? Of course there are.

The title of the post comes from the Show Notes for Security Now, episode 768. The notes are at this link. The video can be found at this link. The relevant part of the video starts at about 1 hour, 4 minutes and a couple of seconds in. The quote of the day…

Our attacks are “standards compliant.”

Bluetooth is in literally billions of devices.

From the researchers…

To confirm that the BIAS attacks are practical, we successfully conducted them against 31 Bluetooth devices (incorporating 28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Every Bluetooth front door lock is currently vulnerable. Many will probably remain vulnerable for all time.

Beware of Free VPNs

I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a good idea.

If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.

And it isn’t just the unknown players that you need to beware of.

For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.

But their “privacy policy” says that they keep info about the apps you use, the websites you visit, in addition to aggregate statistics. That sounds like fairly detailed usage logs to me.

After the break find a table that details some of the VPNs and how they are not guarding your privacy.

TorrentFreak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous


Third Payment Processor Has Security Breach This Year

Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.

The processor is PAAY, a startup in New York that left a database online with no password protection. You can click through for the particulars.

The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.

TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.

Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.

So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.

Anti Semitic Attacks Were Taking Place While You Were Distracted With Quarantine

First up, the university isn’t a safe space. Yale University Rabbi Abused and Beaten in Antisemitic Robbery Praises Swift Police Response.

Rosenstein had been making a call on his cellphone while standing outside the Yale Chabad House when he was approached by two teenage boys, one of whom told him, “Give us everything you have, you f__ Jew.”

Then there is the vandalism in Alabama. Huntsville Synagogue vandalized with swastikas.

A Huntsville synagogue has been vandalized with swastikas and other anti-Semitic graffiti at the start of Passover. News outlets report that Huntsville police are investigating after the Etz Chayim temple was desecrated Wednesday night.

And with everyone using Zoom, the haters are also using it. Zoombombing: New Frontier of Anti-Semitism?

The hijacking and disruption of video teleconferencing on the popular platform Zoom, which has become known as Zoombombing, is a growing concern to those who fight crime and hate, including the FBI and the Anti-Defamation League. It’s especially troubling considering the ubiquitous use of the app for business, education and group meetings during the coronavirus.

There are things you can do to avoid Zoombombing. And you should, or you risk getting bombed with everything from porn to hate.

Because People Still Refuse to Use a Password Manager

Zoom has been in the news, but this really isn’t their fault. People use their pet’s name, or their birthday, or whatever as a PW, and then are victims of credential stuffing. Over 500,000 Zoom accounts sold on hacker forums, the dark web.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Free? Who says hackers don’t like to have fun.

If you use the same password on multiple sites, stop. Change them. I don’t want to say “especially if you use Zoom,” but that is the story of the day. Select and use a password manager. LastPass is very popular. I use KeePass. I know exactly 1 person who selected 1Password. As always, you are responsible for your own choices. And, as Rush pointed out, not choosing is also a choice.

You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that’s clear
I will choose freewill
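The credential stuffing described above (leaked username/password pairs replayed against Zoom's login) has a recognizable shape in authentication logs: one source tries a long list of different accounts, fails on nearly all of them, and occasionally gets in. The following Python is an added example of that detection logic, not code from the post or from any of the articles it links; the log format and the sample lines are constructed, and the thresholds and function names are my own choices.

```python
import re
from collections import defaultdict

# One line per login attempt; this format is a constructed example, not any real product's log.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$'
)

# Constructed sample: one source IP walks through a list of leaked usernames and
# lands exactly one of them; the other two sources look like ordinary users.
SAMPLE_LOG = [
    f"2020-04-13T10:00:{i:02d}Z ip=198.51.100.9 user=user{i:02d} "
    f"result={'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
] + [
    "2020-04-13T10:01:00Z ip=203.0.113.4 user=alice result=FAIL",
    "2020-04-13T10:01:05Z ip=203.0.113.4 user=alice result=FAIL",
    "2020-04-13T10:01:12Z ip=203.0.113.4 user=alice result=OK",
    "2020-04-13T10:02:00Z ip=192.0.2.77 user=bob result=OK",
]


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_by_ip(lines):
    """Aggregate per source IP: distinct users tried, attempt/failure counts, users that succeeded."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "successes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        s["attempts"] += 1
        if rec["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(rec["user"])
    return stats


def flag_credential_stuffing(lines, min_users=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with a high failure rate.

    A legitimate user mistyping a password fails on one account; a stuffing run
    fails on most of a long list of accounts and occasionally lands one.
    """
    alerts = []
    for ip, s in summarize_by_ip(lines).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            alerts.append({
                "ip": ip,
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that succeeded from a flagged source are the ones to force a reset on.
                "compromised_accounts": sorted(s["successes"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The useful output is not the alert itself but the `compromised_accounts` list: those are the reused passwords that actually worked, and they are the accounts whose owners need a forced reset and, ideally, a push toward a password manager.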

Zoom Security Is Worse Than You Thought

Because security is hard. Security and Privacy Implications of Zoom.

Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. [SNIP]

They’re also lying about the type of encryption.

So the short story is, they don’t give a rat’s ass about security.

And then there is privacy. (What’s that?) First they lied about it. Then they tried to be coy. But privacy is not high on their list of priorities.

Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising.

But then security and privacy are expensive, and if you give a person a chocolate bar, there is a good chance they will give you access to their online banking system.

The COVID-19 Outbreak Hasn’t Stopped Computer Crime

The combination of hospitals and security has been a longstanding issue. So of course it goes on being an issue during COVID-19. Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks.

Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.

As part of their tracking of various groups behind human-operated ransomware attacks, Microsoft has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network.

With the health care industry already under pressure, I can’t imagine what the loss of their record-keeping would do.

Working From Home and Security Problems

I haven’t had anything on security for a while, but in everyone’s rush to work from home, there are a number of problems.

First, people decided to enable Remote Desktop Protocol (RDP), so they could work from home. RDP and VPN use skyrocketed since coronavirus onset. Which would (maybe) be OK, if they weren’t exposing RDP services to the public internet.

Use of RDP went up 41 percent to over 400,000 instances, according to Shodan. Those are only services listening on the default port, 3389. And there are services listening on 3388, where some “clever” sysadmins are hiding. Not so much really.

Microsoft has never been able to make this secure, and it should NOT be exposed to the public internet. Steve Gibson, of Security Now, called this situation “horrifying.” Expect to see an outbreak of ransomware and other issues, like data breaches, because of stupid sh#t like this in the near term.

Using Zoom to handle meetings? Good luck with that. Zoom Lets Attackers Steal Windows Credentials via UNC Links.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file.

When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.
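The chat client's side of the problem is that it turns `\\host\share\file` text into a clickable link. The Python below is an added example, not Zoom's code or anything from the linked article: it finds UNC paths in chat messages, checks the host against an allow-list, and "defangs" paths that point anywhere else so they stop being click targets. The sample messages, the allow-list and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# A UNC path: two backslashes, a host (name or IPv4 literal), a share, then optional path parts.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\\]+(?:\\[^\s\\]*)*")
TRAILING_PUNCT = ".,;:!?)"

# Constructed chat transcript: one internal file share link, one external lure, one plain URL.
SAMPLE_CHAT = [
    "Agenda is on the share: \\\\fileserv01\\projects\\agenda.docx",
    "lol check this out \\\\203.0.113.7\\share\\cat.jpg.",
    "no UNC path here, just https://example.com/cat.jpg",
]
TRUSTED_HOSTS = ["fileserv01", "fileserv02"]   # assumed internal file servers


@dataclass
class UncFinding:
    path: str
    host: str
    trusted: bool


def find_unc_paths(text):
    """Return every UNC path in a message, with trailing sentence punctuation trimmed."""
    return [m.rstrip(TRAILING_PUNCT) for m in UNC_RE.findall(text)]


def unc_host(path):
    # "\\host\share\file" splits on backslash into ["", "", "host", "share", "file"]
    return path.split("\\")[2].lower()


def classify_message(text, trusted_hosts):
    """Pair each UNC path with its host and whether that host is on the allow-list."""
    trusted = {h.lower() for h in trusted_hosts}
    return [UncFinding(p, unc_host(p), unc_host(p) in trusted)
            for p in find_unc_paths(text)]


def defang_untrusted(text, trusted_hosts):
    """Rewrite the leading backslashes of paths to non-allow-listed hosts so auto-linkers skip them."""
    trusted = {h.lower() for h in trusted_hosts}

    def repl(m):
        path = m.group(0)
        return path if unc_host(path) in trusted else "[\\\\]" + path[2:]

    return UNC_RE.sub(repl, text)


def scan_chat(messages, trusted_hosts):
    """All findings across a chat whose host is outside the allow-list."""
    return [f for msg in messages
            for f in classify_message(msg, trusted_hosts) if not f.trusted]


if __name__ == "__main__":
    for finding in scan_chat(SAMPLE_CHAT, TRUSTED_HOSTS):
        print("untrusted UNC host:", finding.host, "->", finding.path)
    for msg in SAMPLE_CHAT:
        print(defang_untrusted(msg, TRUSTED_HOSTS))
```

Defanging the link only removes the easy click. The endpoint and network side of the same defence is to stop the outbound SMB connection from happening at all: block outbound TCP 445 at the perimeter, and restrict outgoing NTLM with the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”.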

That’s not the only problem with Zoom. If you are using Zoom, ZDNET and others have guides for how to do so securely.

And because the month wouldn’t be complete without a data breach… Marriott Reports Data Breach Affecting Up to 5.2 Million Guests.

From sometime in January until the end of February it appears that hackers had the credentials of 2 employees at a “franchise location” and were able to access the information.

Although an investigation of this incident is ongoing, Marriott says that currently there is no “reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

Since their last breach impacted more than 300 million people, this is small potatoes.

I have a dream that someday corporations will treat security seriously, but it is only a dream, and it is not likely to come true during 2020.

Someday Corporations Will Take Security Seriously

It’s a dream I have. But it won’t be realized anytime soon. Hackers can clone millions of Toyota, Hyundai, and Kia keys.

Keyless cars have been subject to hacks (relay attacks) for a while.

Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

It isn’t a great hack; you need to scan the key with an RFID reader from a few inches away (though I bet someone is working on range extenders even now…). But it is level one. And once they have the code there is still some work to do, but for the right car that work might be worth it.

Toyota, Hyundai, and Kia are vulnerable to this hack. Tesla released a firmware upgrade to make the Model S immune. But like I said, this is only the first iteration of the attack. And I doubt the other manufacturers are immune; they just happen to use a different system.

Virgin Media Hacked

Of course they were. Virgin Media Data Breach Exposes Info of 900,000 Customers.

Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database.

Virgin Media is a leading cable operator in the U.K. and Ireland, and it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers at December 31, 2019, according to the company’s preliminary Q4 2019 results.

The breach lasted for most of a year, from April 2019 until February of this year.

The company also says that the unsecured database was not used to store customer passwords or financial details, like bank account numbers or credit card information.

Well that makes it OK then. Or something. Enough to start phishing, and maybe enough for identity theft.

Ransomware Paid: $140 Million

That is a pretty big payday for the bad guys. FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips.

At the RSA security conference this week, FBI Special Agent Joel DeCapua explained how he used bitcoin wallets and ransom notes that were collected by the FBI, shared by private partners, or found on VirusTotal to compute how much money was paid in ransom payments over 6 years.

According to DeCapua between 10/01/2013 and 11/07/2019, there have been approximately $144,350,000 in bitcoins paid to ransomware actors as part of a ransom. This money does not include operational costs related to the attack, but purely the ransom payments.

Still think it isn’t worth spending the resources on? I’m sure there is someone in some E-suite somewhere saying he doesn’t believe they will be targeted.

At Some Point, You Deserve What You Get

“It can’t happen to me,” is the stupidest statement you can make when it comes to computer security. Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security.

If you’re going to ignore warnings, from software and from people who support your business, and you’re going to ignore the recommendations from people who know what they are talking about, how exactly do you expect to avoid becoming a victim of hackers?

While analyzing the recently reported ransomware incidents, the Swiss cybersecurity body identified a number of weaknesses that allowed attackers to successfully breach the companies’ defenses (all of them can be mitigated by MELANI’s recommendations):

• Virus protection and warning messages: Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers).
• Remote access protection: Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
• Notifications from authorities: Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies.
• Offline backups and updates: Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted.

There are more things that have been suggested and ignored.

Either turn off or secure RDP. Update your operating systems, and other software. Pay attention to warning messages (both from software and from people). Otherwise you too can find out what it’s like to be the victim of ransomware.

Who Thought Controlling Lights From a Smartphone Was a Good Idea?

Because security won’t ever be an issue with a lightbulb. Until it is. The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb.

This is a long, somewhat technical article. The TL;DR version: if you have Philips IoT lightbulbs, you need to have auto-update enabled on the bridge (the central box), and you need to update the bulbs. (Turn them on and wait an hour. They may turn on and off.) Otherwise the bulbs are a gateway into your wifi for things like ransomware to work their way into your systems. And note that not all of the Philips hubs support auto-update, which means you HAVE TO MANUALLY UPDATE.

You can watch 15 minutes of video from this week’s Security Now. The relevant portion of the video starts at 1 hour, 11 minutes and 16 seconds in. (Not that you won’t learn something if you watch the whole thing….) The show notes can be found at the following link. Security Now Episode 754 Notes. (Info on the version of firmware required to be safe is in the notes.) The section of the video that deals with this issue is about 15 minutes long. Enjoy.

The moral of the story? Why the frack do you think you need to be able to control lighting via your smartphone? You don’t. And stuff like this says that trying to do so is just inviting trouble. What could go wrong?

Ministry of Truth is Created in the UK

More like Airstrip One everyday. UK Govt. Approves Net Censorship – Free Speech Dies – Liberty Nation.

The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet, effectively creating regulation that will limit freedom on the last frontier of digital liberty. In a move that has the nation reeling, Prime Minister Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from “harmful and illegal content.”

Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content.

Western Civilization was nice while it lasted. (Hat tip)

The IRS thinks your security sucks

They probably have a point. IRS Urges Taxpayers to Enable Multi-Factor Authentication.

“Already, nearly two dozen tax practitioner firms have reported data thefts to the IRS this year,” the IRS said. “Use of the multi-factor authentication feature is a free and easy way to protect clients and practitioners’ offices from data thefts.”

But Deb, security is hard. And this guy promised me a chocolate bar if I gave him my banking password, and I was hungry. </sarcasm>

See also Signal. And if you are sending documents to your CPA over regular email, then you deserve everything that happens, since email is NOT secure, UNLESS you are using public key encryption including for the attachments.

Why Aren’t You Using Signal?

Because security is important. Signal is finally bringing its secure messaging to the masses | Ars Technica.

Or are you comfortable living in a state like the old East Germany under the Ministerium für Staatssicherheit, or the Stasi?

But Deb, they make it so hard to share emojis and security is hard, and I really want a chocolate bar, and to get one all I have to do is turn over my life to Google, or F*c*book, or Apple or the NSA, or – Oh look! a squirrel! </sarcasm>

Marlinspike has always talked about making encrypted communications easy enough for anyone to use. The difference, today, is that Signal is finally reaching that mass audience it had always been intended for—not just the privacy diehards, activists, and cybersecurity nerds that formed its core user base for years—thanks in part to a concerted effort to make the app more accessible and appealing to the mainstream.

So there really is no excuse.

Cybercrime Will Cost You Real Money

And yet people will tell me that security is too hard, or too expensive. Until it isn’t. FBI: Cybercrime Victims Lost $3.5 Billion in 2019.

[FBI’s Internet Crime Complaint Center (IC3)] says that it has received 4,883,231 complaints since its inception in May 2000, with an average of around 340,000 complaints per year and over 1,200 complaints per day during the last five years.

Phishing heads the list and non-delivery of goods is high on the list.

The most financially costly complaints involved business email compromise, romance or confidence fraud, and spoofing, or mimicking the account of a person or vendor known to the victim to gather personal or financial information.

Don’t trust email, even if it looks like it came from someone you know. Pick up a phone and call. I know right. Actually talking to someone is SOOO 20th Century.

“Criminals are getting so sophisticated,” [Donna Gregory, the chief of IC3] added. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

“In the same way your bank and online accounts have started to require two-factor authentication — apply that to your life. Verify requests in person or by phone, double-check web and email addresses, and don’t follow the links provided in any messages.”

Trust No One.

30 Million Credit/Debit Cards Info For Sale

From the Wawa data breach. Wawa Breach May Have Compromised More Than 30 Million Payment Cards.

Wawa announced the breach in December and tried to reach impacted customers. If you haven’t gotten a new card by now, well, what are you waiting for?

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

Joker’s Stash has started to sell the card information stolen from Wawa.

This is the kind of thing that happens when chip readers for cards are not active. Chips are not 100 percent safe, but they are much better than the magnetic stripe.

Bets on Whether the Swamp Will Restrain the NSA?

Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.

The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.

Health Care Hacks

Because security is expensive. Critical MDhex Vulnerabilities Shake the Healthcare Sector.

Critical vulnerabilities have been discovered in popular medical devices from GE Healthcare that could allow attackers to alter the way they function or render them unusable.

So far the vulnerabilities only impact monitors and servers. (Not that servers aren’t a cause for concern.) But no medical devices have been impacted.

GE Healthcare says that it is not aware of reported incidents as a result of exploiting these vulnerabilities.