If You Think The Internet of Things Isn’t a Problem…

That only means you don’t work in hardware or software engineering. This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT. It isn’t just that they can spy on you. They can. They do. They can do more.

So a security researcher was asked to prove that this kind of thing can be done.

After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

Now why anyone needs a smart coffee maker is beyond me, especially if you see the price. And I paid quite a bit for a coffee maker that is certified by the Specialty Coffee Association. But then it is certified to make a good cup of coffee, not talk to my smartphone. And it didn’t cost $250.

So what happens when your door locks get hacked, or your car? But the main problem with the coffee maker in question is that it serves as a toehold to the rest of your network.

But Hron says the implications of this kind of hack are much more concerning. Through this exploit, attackers could render a smart gadget incapable of receiving future patches to fix this weakness. He also argues that attackers could program the coffee maker or other Smarter appliances with this vulnerability to attack any device on the same network without ever raising any alarm bells. Given the years-long and even decades-long lifespan of traditional appliances, this also begs the question of how long modern IoT device vendors plan on maintaining software support, Hron points out.

The implications of how bad this can be in the long-run explain the image at the top of this post. (Click the image for a look at the fine print.)

Hat tip to Small Dead Animals: I, For One, Welcome Our New Self-Driving Overlords

Lack Of Computer Security Can Kill You

The last story presented below is of a ransomware attack on a hospital system that has been listed as being responsible for 4 deaths. By comparison, the other incidents are just annoyances.

First we have Ransomware. And there is a lot of it. The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush

Companies still refuse to take security seriously, and as a result, the Forces of Ransomware™ are running amok.

The linked article is dismaying, with how many cases/varieties of Ransomware have been discovered. There was one bright spot, in that the insurance companies are not just blindly underwriting insanity, but insisting on some security.

News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!

They have to do something, or they are going to put themselves out of business insuring companies that have limited security in place.

Then there is the continuing resistance to applying software updates. Over 247K Exchange servers unpatched for actively exploited flaw. I can’t even feel sorry for these people.

The systems in question have not been patched AT LEAST since February of 2020. So 7 months, soon to be 8 months.

Cyber-security firm Rapid7 added an MS Exchange RCE module to the Metasploit penetration testing framework it develops on March 4, after several proof-of-concept exploits surfaced on GitHub.

One week later, both CISA and the NSA urged organizations to patch their servers against the CVE-2020-0688 flaw as soon as possible given that multiple APT groups were already actively exploiting it in the wild.

That was back in March; here’s the situation today.

Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

And the numbers are almost as grim as they were before, with 61.10% (247,986 out of a total of 405,873) of vulnerable servers (i.e., Exchange 2010, 2013, 2016, and 2019) still being left unpatched and exposed to ongoing attacks.

The company’s researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers “have not been updated in six years.” [My emphasis. Z-Deb]

So you don’t update your systems for 6 freaking years. What exactly do you think is going to happen? I can’t even feel sorry for any of these people.

And finally we have the RYUK attack on Universal Health Services. UHS hospitals hit by reported country-wide Ryuk ransomware attack.

“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” one of the reports reads.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

“We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”

And it isn’t just that a bunch of hospital employees can’t access their email, or billing records.

Four deaths were also reported after the incident impacting UHS’ facilities, caused by the doctors having to wait for lab results to arrive via courier. BleepingComputer has not been able to independently corroborate if the deaths were related to the attack.

Look I get that modern medicine is dependent on computers for a whole bunch of stuff, but this incident demonstrates that we are not doing it correctly. Not by half.

The internet was fun while it lasted. (Hat tip Security Now.)

Espionage Attack on the US Government

Password credentials in the hands of hackers that granted access to a US government network. Feds Hit with Successful Cyberattack, Data Stolen

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA.

So here’s my guess as to the causes: Poor passwords. Reused passwords. No 2-factor authentication. Well done US .gov employees, you have less security on your official government stuff than I do on the email I use mainly to send jokes and memes to my friends.

Of course I could be wrong, and this could all be due to a security flaw in a Microsoft Product. It’s not like THAT never happens. (Hat tip to Steve – thanks for the email!)

A Cybersecurity Directive From Dept of Homeland Security Is Usually of Interest

When the DHS says “all civilian federal agencies” must take some action relative to security, it usually means something interesting is going on. Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

To be vulnerable to this issue, you must NOT have applied the patch that was issued by Microsoft in August. That is from more than 6 weeks ago.

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.

I assume that folks currently employed in the security arena know about this already, but whenever DHS says do something “Now!” my curiosity is heightened.

Here are the directives from DHS Cybersecurity. Under the law, civilian federal agencies have to do this.

1. Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,

  1. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.
  2. By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.
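The directive boils down to three checks an administrator has to be able to answer for every domain controller: is the August 2020 update on it, has anything unpatched been kept off the network, and is anything still talking to it in the vulnerable way. The following PowerShell is an added example of how I would take that headcount; it is not code from the post, from DHS or from Microsoft. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, and `$RequiredKb` is a labelled placeholder for the KB number that applies to each Windows Server version, which has to be looked up in the August 2020 release notes. The Event ID 5829 check comes from Microsoft’s own guidance for that update (a patched domain controller logs 5829 when it still allows a vulnerable Netlogon secure-channel connection), not from this post.

```powershell
# Added example (not from the post, DHS or Microsoft): inventory every domain
# controller, confirm the August 2020 Netlogon update is present, and count
# Event ID 5829 entries, which a patched DC writes for each vulnerable Netlogon
# secure-channel connection it still permits.
# Assumptions: ActiveDirectory RSAT module; rights to query hotfixes and the
# System log on each DC. $RequiredKb is a PLACEHOLDER: substitute the KB number
# for each OS version from the August 2020 Security Update release notes.
param(
    [string]$RequiredKb   = 'KB<PLACEHOLDER-august-2020-netlogon-update>',
    [datetime]$PatchTuesday = '2020-08-11'   # August 2020 Patch Tuesday
)

Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $fixes = Get-HotFix -ComputerName $name -ErrorAction Stop
    } catch {
        # A DC you cannot even query is a DC you cannot prove is patched.
        [pscustomobject]@{ DC = $name; Status = 'UNREACHABLE'; Detail = $_.Exception.Message }
        continue
    }

    # Two signals: the specific KB, or (heuristic) any update installed on or
    # after Patch Tuesday, since later monthly rollups are cumulative and
    # include the Netlogon fix.
    $hasKb   = $fixes.HotFixID -contains $RequiredKb
    $recent  = @($fixes | Where-Object { $_.InstalledOn -ge $PatchTuesday })
    $patched = $hasKb -or ($recent.Count -gt 0)

    # 5829 = the updated Netlogon service allowed a vulnerable connection from
    # some client; each one is a machine to find before enforcement mode.
    $vuln = @(Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName = 'System'; Id = 5829
    } -MaxEvents 200 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC     = $name
        Status = if ($patched) { 'PATCHED' } else { 'UNPATCHED - remove from network' }
        Detail = "Vulnerable Netlogon connections logged (5829): $($vuln.Count)"
    }
}

$report | Format-Table -AutoSize
```

Anything reported as UNPATCHED or UNREACHABLE is exactly what the directive says to pull off the network; the 5829 count on the patched ones tells you which other machines on the network still need attention before the update can be put into enforcement mode.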

Now I know that patches on Patch Tuesday can cause problems. But if you have this vulnerability un-patched, you are going to have many more problems than a few disgruntled users.

Your Tax Dollars At Work – Utah Division

Actually the insurance policy paid, but I can’t help but think that cyber insurance is a bad bet for the underwriters to take. University of Utah hit by ransomware, pays $457K ransom.

The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack.

In a ‘data security incident’ notification posted today, the University of Utah disclosed that they were attacked by ransomware on Sunday, July 19, 2020.

The data breach exfiltrated student and staff information from the College of Social and Behavioral Science. Hence the ransom.

The university states that their cyber insurance policy paid a ransom of $457,059.24 USD and that no “tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”

But hey, it’s OK to feed the beast because they are not alone. UC San Francisco paid 1.4 million bucks, so it must be OK.

Ransomware Roundup

You could spend your whole life writing about ransomware. Maybe that is an exaggeration. Maybe.

First up, Carnival Cruise Lines. World’s largest cruise line operator Carnival hit by ransomware

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” the cruise line operator stated in their filing.

Employee and customer data was probably stolen as part of the attack.

Konica Minolta was hit. Business technology giant Konica Minolta hit by new ransomware.

Business technology giant Konica Minolta was hit with a ransomware attack at the end of July that impacted services for almost a week, BleepingComputer has learned.

The company that produces Jack Daniels whiskey, Brown-Forman, was also hit, but they seem to be doing something right. U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen.

Sodinokibi (REvil) ransomware operators were able to steal data, but apparently failed to encrypt systems.

“Brown-Forman was the victim of a cybersecurity attack. Our quick actions upon discovering the attack prevented our systems from being encrypted” – Brown-Forman spokesperson

Brown-Forman is not negotiating with REvil, so any data stolen is likely up for sale.

At least some of the people are taking security seriously, but there is still work to be done.

Companies never like to talk about “what happened?” Or “How did this happen?” so there aren’t many lessons to be learned.

NSA Discloses Russian Malware

When the “Never Say Anything” agency has something to say, I usually pay attention, if only for the novelty. NSA discloses new Russian-made Drovorub malware targeting Linux.

The NSA today released a technical report (a joint effort with the FBI) detailing Drovorub’s capabilities and offering detection and prevention solutions. The agency says that the framework includes a kernel module rootkit that makes it difficult for network-wide security solutions to catch it.

Probably means it is serious, it is active, and it is attacking people who the NSA would rather were not under attack.

Your Phone Is Spying on You

And the NSA is worried about phones spying on .gov agents. The NSA on the Risks of Exposing Location Data.

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible.

One of the things they talk about is the risk introduced by vehicles that have “remote communication” features. But every vehicle since 2006 (?) has had wireless tire-pressure sensors, which you can use to track vehicles. Try getting rid of those!

Are Gated Communities Safe?

Did the Maginot Line stop the German invasion of France? 2 men killed, woman injured in baseball bat attack at Windermere home, police say.

Sure they offer some added protection. But are they a guarantee of safety? Of course not.

Windermere police said Ezekiel Emanuel Hopkins pushed the community’s gate open with his car then tried to steal a car from the home when he was confronted by the homeowners, John and Lisa Savey.

This story will not get national attention because there is no way to push the gun-control agenda. Do we need commonsense baseball-bat control? Would that be any more effective?

As we see from this story, gates and fences can be overcome in a number of ways. Sure, they provide security, and if you click thru you will see the gates came with lots of security cameras, but passive defenses only work so well.

And there are no guarantees in this life.

Hat tip to Wombat-socho and to Vox Day who notes “Gated communities won’t save you.”

The Norsk Hydro Ransomware Attack

A review of the 2019 ransomware attack on Norsk Hydro, for the geeks in the audience. How to Survive a Ransomware Attack Without Paying the Ransom.

For those who don’t follow these things… It has been called, “The worst cyberattack in Norway’s history.”

At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.

Norsk Hydro didn’t pay the ransom for all the reasons that you can imagine. Lack of guarantees. Making Norsk Hydro an attractive target for other attacks. Feeding the evil beast.

It ended up costing the company 60 million US dollars. Insurance paid 3.6 million. Oh, and they had a reasonable amount of security in place before all this started. They weren’t ignoring stuff and hoping for the best. Here’s the moral of the story…

Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

The description of how things worked at an aluminum plant in Cressona, Pennsylvania is pretty fascinating. How people adapted to every computer at work being shut off.

Can’t Be Bothered to Secure Your Data…

Then you just might lose it. Ongoing Meow attack has nuked >1,000 databases without telling anyone why.

Note: The photo has nothing to do with the attack; I just love that image. (“I find your lack of password security disturbing.”)

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day.

Hey, if you can’t be bothered to use a password, it must not be important. It isn’t clear to me whether or not data has been stolen in most of these cases. But again, it doesn’t seem to be important. (In at least one case the data was stolen first, and then it was deleted.)

The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details of the UFO VPN had been destroyed. UFO VPN had already been in the news that day because the world-readable database exposed a wealth of sensitive user information.

A whole bunch of stuff, including plaintext passwords and usage logs, that UFO VPN “promised” not to keep, was stolen, and then the database was deleted by Meow. (The moral of that story is, “NEVER use a free VPN.”)

Once Is Happenstance, Twice is Coincidence…

Three times is Enemy Action. In this case there were more than 3 times that something bad was done. Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data.

So there is a problem with Chinese-manufactured Internet hardware being set up to spy on users. Color me shocked.

The researchers found seven problems with the firmware from C-Data. Each a major problem in its own right.

The vulnerabilities are as bad as it gets, but by far, the worst and most disturbing of the seven is the presence of Telnet backdoor accounts hardcoded in the firmware.

The accounts allow attackers to connect to the device via a Telnet server running on the device’s WAN (internet-side) interface. Kim and Torres said the accounts granted intruders full administrator [Command Line Interface] access.

And once in, they could retrieve the passwords of other Administration accounts on the machine, and do a host of other things.

This was not “responsibly disclosed” because the researchers don’t believe these are bugs. These are backdoors deliberately installed in the Fiber To The Home (FTTH) Optical Line Termination (OLT) devices. If your ISP offers “fiber service,” but your house is wired with copper, then there is a device like this somewhere nearby, not necessarily from C-Data, though they were a cheap solution. They also sold a lot of equipment to resellers, so it is hard to say how many of these things there are. Shodan probably knows.

One of the reasons that an organization would have purchased these things is cost. I understand cost-accounting as much as anyone in Information Technology and probably more than most, but there are times and places to cut costs, and stuff that impacts the security of your entire network probably is not a good candidate.

The Security Nightmare of the Decade

So I’ve been trying to write a post on Ripple20. Quite unsuccessfully I might add. To explain what it is I need to immediately start talking about things like implementations of the TCP/IP communications stack. Or I can forget the tech details and just write about the implications. Neither is appealing.

And I don’t know that I can write about the implications without sounding like the sky is falling. Maybe it is. Maybe it has mostly fallen.

When the Cybersecurity & Infrastructure Security Agency (which was apparently named by the Department of Redundancy Department at DHS) says things are bad with medical devices, well things are not good. Ripple20 vulnerabilities affect IoT devices across all industries.

More than a dozen vulnerabilities, collectively named Ripple20, affecting the TCP/IP communication stack used in hundreds of millions of embedded devices paint a grim scenario for connected gadgets.

Some of the flaws are critical and can be exploited to gain remote control of all vulnerable devices on the network. They impact such a wide spectrum of products from so many vendors that it is easier to count those that are not affected.

Some of the stacks will be implemented in such a way that updating/replacing them will simply not be possible. Most will not be updated because of vendor and end-user apathy. I’m sure most reputable vendors, for things like medical equipment, will provide updates eventually. But medical equipment needs to be vetted by the FDA, and that won’t happen tomorrow.

So here’s some info on the problem as of the 24th. List of Ripple20 vulnerability advisories, patches, and updates.

If you have IoT devices in your home, and they are not keeping you alive, you might want to get rid of them, unless you can verify that they are not impacted. Good luck with that, because some of the vendors have gone out of business. The TCP/IP stack code, written in C, is over 20 years old. (Do you know which TCP/IP stack implementation is in your color-changing light-bulbs that are so fun to change with your smartphone?) If you have stuff that is important, put it on a segmented network, and try to see what the vendor has to say.

Distributed Denial of Secrets Hits Law Enforcement

DDoSecrets is an alternative to Wikileaks. ‘BlueLeaks’ Exposes Files from Hundreds of Police Departments.

The data is from Fusion Centers, and comprises nearly 270 Gigabytes.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

And, as per usual in these cases, there was a single point of failure shared among a large number of Fusion Centers: in this case, a single service provider.

The data also includes some banking data, in the form of ACH transfer numbers.

What it probably doesn’t include is any data of interest to the Woke crowd about possible police misconduct. It might put some people’s lives in danger if they are cooperating, or have cooperated, with police on investigations.

Someday, people will take data security seriously. But today is not that day.

iOS security is f**ked

People still maintain that iOS is “more secure” than Android. Really? ‘iOS security is f**ked’ says exploit broker Zerodium: Prices crash for taking a bite out of Apple’s core tech.

Apparently the COVID-19 lockdown gave the hackers a LOT of time to ply their craft, and maybe a bit of financial incentive.

Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won’t pay anything for some iOS bugs due to an oversupply.

“We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors,” the company said via Twitter.

If you’re a hacker you can sell vulnerabilities to the SW/HW provider, or you can sell to Zerodium, and “feed the beast.” Zerodium pays more. Or at least they did.

They have SO MANY remote code execution bugs for iOS/Safari – the hacker’s dream vulnerability – that they won’t be accepting anything new. And yet people still try to convince me that iOS is more Secure than Android, because it is SECRET. Once again, obscurity does not equal security. Is it even necessary to state that anymore? The Enigma Machine the Germans used in WWII was obscure. It turned out it was not secure. Things haven’t changed that much since then. All the hard-coded back-doors into servers and routers that were put there in the early 2000s, because “How would anyone find this?”, have been a problem since forever. But I’m sure the iOS issues are more of the software bug variety.

“There are likely a lot of hackers stuck at home with extra time on their hands, or perhaps who have lost their jobs or are in a financial squeeze, as is a large portion of the population,” said Wardle.

Add time and financial motivation, he said, and you get more bugs.

COVID-19. The gift that keeps on giving.

New York’s Recipe For More Crime

The video is infuriating. Elderly victim shoved by brute ‘fearful to walk the streets alone’.

A 31-year-old creep punches a 91-year-old lady in the head for no reason. Violent criminals don’t need a reason to be violent criminals.

Geraldine hit her head on a fire hydrant and started bleeding, she said. A passerby saw the assault, called 911 and an ambulance rushed her to nearby Beth Israel Hospital, she said.

The former teacher said her physical wounds were relatively minor and have since healed — but the mental toll has been much more severe.

As for the guy in question.

Brimmage was busted by cops Tuesday and charged with assault after investigators recognized him from video footage of the attack, authorities said.

The frequent offender has now been arrested 103 times since 2005 for petty crimes and sex offenses, sources said.

The creep was convicted of sexual misconduct in 2012, then arrested for two sex offenses in 2014, police sources said.

And with all of that he is walking down the street, free to punch an old lady in the head. Click thru and watch the video; it is only a few seconds. I’m sure he thought he was a bad-ass striking a blow for some worthy cause. If she had hit her head just a bit harder on the fire hydrant, he might be facing murder charges. As it is, his punishment won’t be enough.

Hat tip to The Other McCain who notes, We Found Another Joe Biden Voter.

What Happens If You Try to Tell a City They are Under Attack?

Under attack by ransomware, that is… So you try to tell a city they are under attack by ransomware, and they ignore you for 24 hours, tell you they have stuff under control, and then go toes-up. Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity.

It is hard to feel sorry for them at this point.

The initial call was on May 26th.

My call was transferred to no fewer than three different people, none of whom seemed eager to act on the information. Eventually, I was routed to the non-emergency line for the Florence police department. When that call went straight to voicemail, I left a message and called the city’s emergency response team.

That last effort prompted a gracious return call the following day from a system administrator for the city, who thanked me for the heads up and said he and his colleagues had isolated the computer and Windows network account Hold Security flagged as hacked.

Read that again. Isolated “the computer” because ransomware only ever attacks one person at a time…

They are going to pay $291,000.

Florence Mayor Steve Holt confirmed that a cyberattack had shut down the city’s email system. Holt told local news outlets at the time there wasn’t any indication that ransomware was involved.

However, in an interview with KrebsOnSecurity Tuesday, Holt acknowledged the city was being extorted by DoppelPaymer, a ransomware gang with a reputation for negotiating some of the highest extortion payments across dozens of known ransomware families.

The payment is apparently to stop exfiltrated data from being sold on the dark web, though it doesn’t say what that data may be.

“Gone Phishing”

Bets on whether either campaign is ready for this? Iran- and China-backed phishers try to hook the Trump and Biden campaigns | Ars Technica.

State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns.

I doubt that the campaigns are ready for determined spear phishing. I just don’t believe either the Republicans or the Democrats, and especially campaign staffers, understand the threats. I’m sure the younger members of the campaign understand, so they won’t be the targets.

Another Data Breach

Someday we will have good security, but that day is not today. San Francisco retirement program SFERS suffers data breach.

While SFERS states that no Social Security Numbers or bank account information was contained in the breach, there was enough personal information exposed that could be used by threat actors in attacks.

According to the notification, the types of information that were exposed are different depending on whether a member is retired or if they had registered on the web site.

The leaked information for all members includes a member’s name, address, date of birth, and beneficiary information.

All because a vendor set up a test environment that included real data, but without real security.

They are offering the obligatory 1 year of credit monitoring, which is a sham, because the risk will last more than 1 year.

The “complete collapse of Bluetooth security”

One day, we will have good security, but that day is not today.

So I’m behind on security. Bluetooth pairing flaw exposes devices to BIAS attacks.

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

It is a specification-level vulnerability. That means EVERY Bluetooth device is vulnerable. Some will eventually be patched; many will not. The updated specification will be available “in the future.” (That’s the best info we have.)

But how often does the software in your car’s entertainment system get updated? Are there low-energy Bluetooth devices sprinkled around that won’t get updated? Of course there are.

The title of the post comes from the Show Notes for Security Now, episode 768. The notes are at this link. The video can be found at this link. The relevant part of the video starts at about 1 hour, 4 minutes and a couple of seconds in. The quote of the day…

Our attacks are “standards compliant.”

Bluetooth is in literally billions of devices.

From the researchers…

To confirm that the BIAS attacks are practical, we successfully conducted them against 31 Bluetooth devices (incorporating 28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Every Bluetooth front door lock is currently vulnerable. Many will probably remain vulnerable for all time.