Compromises in 2015

For the whole year there were over 553.6 million accounts reported compromised in 909 reported incidents. Almost 56% of reported breaches did not know, or did not disclose, how many persons were affected. How many other breaches went unreported? This is especially worrisome as over 95% (see 2 page PDF) of US states and jurisdictions have a safe harbor rule such that if the data is encrypted (even if poorly encrypted) then you need not be told. See When do you get told your data was compromised?

By both accounts affected and incident count, non-financial compromises far outnumber financial ones. Why should you care? Because the compromised information can be used for identity theft, which leads to financial problems that are not tracked by these breach reports. Any compromise of personally identifiable information (PII) is to be avoided.

The ACB is about 1,390,983 compromises per average incident.

01/01/2015 to 12/31/2015                               ACB = 1,390,983

                      All Types Total   Financial     Non-Fin       Unknown
Affected Count        553,611,281       71,082,258    482,529,023   ?
Incident Count *1     909               25            374           511
Avg per incident                        2,901,317     1,291,912     ?
% by # affected                         12.84%        87.16%        n/a
% by incidents                          2.70%         41.09%        56.22%

*1 One incident had both financial and non-financial compromises, so the incident count total is one less than the sum of the categories, as that incident is counted in each.

2015 was a mixed bag. The number of compromised accounts was well down from 2014, but still in line with the rising trend since 2006. The number of incidents was the highest ever recorded. Even worse, the number of disclosed compromises that did not disclose a count of those affected may contribute to under-reporting of the number affected. One thing is certain: this problem isn’t going to solve itself.
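As an added worked example (not from the original page), here is how the table's rows can be computed from a list of incident records, applying the footnote's rule that an incident spanning both categories is counted once in the total. The half-incident weighting per category is an inference from the page's own percentages (24.5 / 909 = 2.70%), and the incident records are constructed.

```python
"""Aggregate breach records into the rows of the 2015 table.

Added example, not part of the original page. Each record maps an incident
to its affected count per compromise category, or None when the breach was
disclosed without a count (the Unknown column). An incident that spans both
categories is counted once in the total but contributes half an incident to
each category, the weighting that reproduces the page's percentages
(24.5 / 909 = 2.70%). The incident records below are constructed.
"""
from collections import defaultdict

CATEGORIES = ("financial", "non_financial")

# Constructed sample incidents (not real breaches).
SAMPLE = {
    "bank-a":      {"financial": 1_000_000},
    "retailer-b":  {"non_financial": 250_000},
    "retailer-c":  None,                                              # no count disclosed
    "processor-d": {"financial": 400_000, "non_financial": 100_000},  # spans both
    "clinic-e":    None,
}


def summarize(incidents):
    """Return the table's rows for a mapping of incident name -> breakdown."""
    affected = defaultdict(int)
    weight = defaultdict(float)    # fractional incident counts per category
    unknown = 0
    known_total = 0
    known_incidents = 0
    for breakdown in incidents.values():
        if breakdown is None:
            unknown += 1
            continue
        known_incidents += 1
        share = 1.0 / len(breakdown)    # 0.5 when the incident spans both
        for cat, n in breakdown.items():
            affected[cat] += n
            weight[cat] += share
            known_total += n
    total = len(incidents)              # each incident counted once overall
    return {
        "affected": {cat: affected[cat] for cat in CATEGORIES},
        "total_affected": known_total,
        "incidents": {cat: weight[cat] for cat in CATEGORIES}
                     | {"unknown": unknown, "total": total},
        "avg_per_incident": {
            cat: round(affected[cat] / weight[cat]) if weight[cat] else None
            for cat in CATEGORIES},
        "pct_by_affected": {
            cat: round(100 * affected[cat] / known_total, 2) if known_total else None
            for cat in CATEGORIES},
        "pct_by_incidents": {cat: round(100 * weight[cat] / total, 2) for cat in CATEGORIES}
                            | {"unknown": round(100 * unknown / total, 2)},
        # Average compromises per breach that disclosed a count.
        "acb": round(known_total / known_incidents) if known_incidents else None,
    }


def render(rows):
    """Plain-text table in the same layout as the page's."""
    inc, pct = rows["incidents"], rows["pct_by_incidents"]
    lines = [
        f"{'':20}{'Financial':>14}{'Non-Fin':>14}{'Unknown':>10}",
        f"{'Affected Count':20}{rows['affected']['financial']:>14,}"
        f"{rows['affected']['non_financial']:>14,}{'?':>10}",
        f"{'Incident Count':20}{inc['financial']:>14}{inc['non_financial']:>14}{inc['unknown']:>10}",
        f"{'% by incidents':20}{pct['financial']:>13}%{pct['non_financial']:>13}%{pct['unknown']:>9}%",
        f"ACB = {rows['acb']:,}   total incidents = {inc['total']}   total affected = {rows['total_affected']:,}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```

The same weighting applied to the page's figures gives 71,082,258 / 24.5 = 2,901,317 and 482,529,023 / 373.5 = 1,291,912, matching the "Avg per incident" row, which is why the half-incident rule is assumed here.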


Supplemental Information

Articles and items of note in chronological order.

1/01/2015 Need help responding to a breach or security incident?

Read these eight points and the references at the end. [ Ideally before the problems arise -ed ]

1/20/2015 Four Key Steps to Application Security

An article in DataBreachToday

1/20/2015 Infographic: Payment Card Breach Lifecycle

An article in DataBreachToday that shows the activities of providers (card issuers), consumers and the crooks. Sometimes the crooks have a significant head start, as the original compromise of confidential consumer credentials goes unnoticed and/or undisclosed for a considerable length of time.

1/29/2015 Maritime Cyber Attacks

The wind and the tide have been threats to vessels at sea for centuries. This century adds maritime cyber warfare. Modern ships are highly automated, dependent on computer systems for safe and efficient operation. Crooks can infect these floating systems and hijack them to turn a large ship into a massive, albeit slow-moving, missile packing incredible kinetic energy as well as the bang-value of its cargo. For military vessels the possibility of their ordnance being appropriated is worrisome. The Department of Homeland Security (DHS) has the Command, Control, and Interoperability Center for Advanced Data Analysis (CCICADA) to address readiness and preparation for such activities, including GPS jamming, which could turn a tanker into something less benign unless alternate navigation systems were available and crews were ready to use them. More …

2/09/2015 US Smartphone Comscore

In the three months ending December 2014, 182 million people in the U.S. owned smartphones representing a 74.9% mobile market penetration. More …

2/12/2015 Gemalto 2014 Summary

For 2014 more than 1,500 data breaches led to more than one billion data records compromised worldwide, representing a 49% increase in data breaches and a 78% increase in data records that were either stolen or lost compared to 2013. “We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number.” More…

2/18/2015 Your car, hacked by a 14 year old

Since 2012 Battelle has sponsored the Battelle CyberAuto Challenge, a five-day practicum-based camp designed to address cybersecurity in automobiles. Participants include students, engineers, scientists, policy leaders and white hat “hackers”. Today they released information about the accomplishments of a 14 year old during the Challenge of 2014. Without any guidance he got about $15 of parts from Radio Shack, stayed up late and built his own circuit board. Next morning, without ever touching the car, his device turned the windshield wipers on and off, locked and unlocked the doors, engaged the remote start feature and got the headlights to flash on and off to tunes from his phone. Representatives from Delphi and Battelle confirmed the details.

Quite impressive for the kid. Quite unsettling for the car manufacturers. The car doors were unlocked and the remote start feature engaged. Please tell me the kid has been induced not to put the plans on eBay or the DarkNet? If this was from the July 2014 Challenge, why are we hearing about it six months later?

2/19/2015 Is that really your bank on line?

Using Hyper Text Transfer Protocol Secure (HTTPS) to log in to your bank on line is supposed to be, well, secure. Maybe not so much. A piece of adware installed on Lenovo computers has been discussed in their forums since September 2014. In January 2015 another post exposed that there was malware in that adware. Superfish installs its own root certificate and inserts itself between you and your bank. The net effect is that the malware can see all of the “secure” transmissions in plain text. Your security has evaporated. “Pinning” certificates, a technique used by Google and its Chrome browser, is ineffective in preventing this. Lenovo installed the adware on laptops shipped between October and December 2014. It is unknown if all the adware contained malware. In January 2015 the adware was no longer being loaded. The malware opens up that laptop to anyone who has extracted the Superfish private key (done, and the password exposed). Think about this if you are on public Wi-Fi in a hotel, a restaurant, an airport, etc.

Are you affected? A simple [ https://filippo.io/Badfish ] test was created that will tell you yea or nay.

How many affected? Some report that Superfish was installed on Lenovo computers since late 2012. Lenovo has shipped over 100 million computers since then. The Electronic Frontier Foundation found more than 40,000 Superfish certificates seen at some point by users of Mozilla’s Firefox browser.

Sources: Quick Test [ https://filippo.io/Badfish ], Ars Technica, Forbes, EFF, ErrataSecurity

Update 2/22/2015 Superfish was not the first

The race to the lowest level of computer infection, far removed from consumer anti-virus scanners, started at least two decades ago. A laboratory virus was designed to prove the concept. It was set to strike on the anniversary of a nuclear disaster, hence its name. “Chernobyl” escaped its confines and spread to millions of computers around the world. A decade later “Mebromi” modified the basic-input-output-system (BIOS) which would re-infect any cleaned system.

Malware at lower levels controls anything that lower level controls. That is, everything. Your passwords are exposed, encryption keys revealed, and any web page (or part of one) you think you are reading can be replaced with another. What is exposed? All of it. (source, where one comment observed that if an individual can create such an infection it is more than reasonable to believe that government sponsored cybersecurity departments can.)

Even without affecting the underlying technology consumers can have their communications systems completely exposed. Read what SlotBoom did in 20 minutes at a public WiFi spot.

Update 2/24/2015 What does Lenovo say (and do you believe them?)

Peter Hortensius, Lenovo’s chief technology officer, was interviewed on Tuesday. Compliments to the interviewer who pressed him on details. For example: He said Superfish had an opt-out at startup. No one seems to recall it. Read the early comments.

2/19/2015 Cell Phone Encryption Hacked by … US?

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe … The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The article has good narrative, graphics and links to supporting information.

Update 2/20/2015 SIM Maker Investigating

Gemalto, the world’s biggest maker of SIM cards, said today that it is investigating reports of mass compromise by intelligence agencies. If the cards were compromised those agencies can access large volumes of mobile voice and data communications without seeking judicial permission or asking telecommunications providers. Sources: NYTimes, Reuters, ZDNet

2/28/2015 How do you know you’ve been hacked?

A new item under References

3/16/2015 Tools Crooks Use

With increases in card-present security, crooks are increasing their concentration on online commerce. Merchants can almost uniquely identify each user, not by password, but by the dozens of elements that make up a nearly unique configuration. What are the elements? Some you know: operating system, the OS version, the language setting, the browser type, browser version and the time zone. Some you might not realize are available to the browser include the processor, the versions of browser plug-ins, and more. So a merchant can exclude some potential consumers because that consumer’s configuration is known to belong to a fraudster. Now some evil genius has created a tool to allow a user to change all of these parameters. Read an article at KrebsOnSecurity.

3/27/2015 Are law firms exempt from hacking?

Based on studies since 2005 it appears that the legal profession rarely gets hacked. Or, at least rarely reports being hacked. The absence of reporting contributes to an under-estimate of hacker impact on our society. In February 2015 Citigroup’s cyberintelligence center published an internal report which included:

“… Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise … (source)”

Are they being hacked? Yes. Mandiant (a division of security firm FireEye) worked with “ half-dozen unidentified law firms that were victims of a breach or other attack.” (source)

Update: 9/02/2015  80% were hacked

“The American Bar Association estimates that 80 percent of the 100 largest [ law ] firms in the U.S. have been breached …”. That is a huge percentage. Are these breaches regularly reported? Not that I can find. (source) 80%? An 8/30/2015 article, Lawyers Are Prone to Fall for Email Scams, in American Lawyer reported

Maybe lawyers aren’t so clever after all. In fact, many of them might be a bit thick. … The truth hurts, but that’s what Verizon’s 2015 Data Breach Investigations Report seem to suggest. … that a company’s legal department is “far more likely to actually open [a phishing] e-mail than all other departments.” Holy cow. That means lawyers (at least those who work in-house) are a lot more gullible than those business stiffs! What an ego blow. [ highlighting ours – ed. More at the source ]

Update: 4/07/2015  Why hack law firms?

Willie Sutton, a bank robber of the early 1900s, was once asked why he robbed banks. “Because that’s where the money is.” That morphed into Sutton’s law which says to consider the obvious, the most likely, before investigating every conceivable possibility. (probably not true, but makes a good point)

So, why hack law firms? Because that is where the secrets are. Read what can be done to protect digitally archived historical records at Databreach Today. See also the 2016 Panama Papers

4/09/2015 Motorola/Arris SURFboard SBG 6580

The SURFboard SBG 6580 made by Motorola and also sold under the “Arris” brand name is a DOCSIS/EuroDOCSIS 3.0-capable cable broadband modem. It has THREE documented vulnerabilities, one of which is a hard-coded credential allowing outside attackers to take control and cause a computer inside the protected zone to become exposed to the world.

CVE-2015-0964 A vulnerability in the firewall configuration page allowing JavaScript injection, letting hackers do almost anything.
CVE-2015-0965 Lets someone log in without the consumer’s knowledge or approval.
CVE-2015-0966 A hard-coded “backdoor” account letting user “technician” log in with a fixed password [see source below for the password; we’re not posting it here -ed].
[ The Common Vulnerabilities and Exposures (CVE) numbers cited have been reserved by researchers and will be made public in the future. Look via the search function on the Mitre.Org web site (source) -ed ]

4/23/2015  The store is tracking you

Walking in a store, every step tracked via your cell phone. Did you know? Of course there is an option to opt-out, but the company and the store sorta forgot to tell you about it. You wouldn’t know either that the system tracks people who walk by and don’t even enter the store! The FTC complaint (4 page PDF) and more at Ars Technica.

6/05/2015 MalumPOS discovered by Trend Micro

MalumPoS is new malware designed to collect data from POS systems running on Oracle® MICROS®. According to Oracle there are more than 300,000 sites running MICROS, mostly in the US. This malware is configurable, so other systems are at risk. MalumPOS hides behind the simple cloak of a display driver, often named “NVIDIA Display Driv3r”; the real driver is common in POS installations. The configuration options allow it to select among the cards used and export only the cards it wants. More

6/11/2015 Not just large merchants at risk

Smaller businesses tend to have less sophisticated security defenses and are more vulnerable to hackers seeking to exploit weak spots in the point-of-sale systems used by companies to process credit card payments. (See Eataly)

Many attacks against small companies go unreported because the businesses are not bound by the same disclosure requirements as publicly traded companies. The National Small Business Association reports that half of the 675 small businesses surveyed reported being victims of hackers’ attacks last year, up from 44 percent in 2013. Of those that were hacked, 68 percent said they had been victimized at least twice. The price tag: an average hacking cost the typical small business $20,752, up from $8,600 in 2013, per the National Small Business Association. (Source)

Dyre/Upatre & Hacked Home Wireless Routers

Do you have a process named “Google Update Service” running? Surprise! (and a bad one). You may be running Dyre (sometimes tagged as Upatre), a multi-pronged, multi-plane Trojan that first automatically disables your protection, including AVG, ESET, MalwareBytes, Microsoft Antimalware and Windows Defender. Then it intercepts your web requests, redirects you someplace that looks like where you wanted to be, and sucks out your credentials. Then your machine gets turned into a bot to do the same to others. There are at least seven related exploits.

The Overview:
A significant upsurge in activity over the past year has seen Dyre emerge as one of the most dangerous financial Trojans, capable of defrauding customers of a wide range of financial institutions across multiple countries.

Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers.

Dyre is a multi-pronged threat and is often used to download additional malware on to the victim’s computer. In many cases, the victim is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat further afield. (Source: Symantec Report 32 page PDF)(see the attack chain graphic on page 5)

According to Krebs on Security “researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.” More at KOS.

Virtual Machines Decoy & Track Intruders

By using virtual machines a security company can create realistic devices designed to lure intruders deeper and deeper into a company’s information architecture. The concept creates fewer alarms and uses the information gained as the intruders move deeper into the decoys. Setup time is reported to be hours. (source) (company web site)

Survey says!

A survey by MasterCard found Americans were anxious about personal information security, but exhibited a contrast between what they say and what they do to protect that information.

77% of consumers are concerned about their financial information being stolen

compare that to
62% are concerned about email being hacked
59% are concerned about their houses being robbed
46% are concerned about being pick-pocketed

55% of Americans would rather have naked pictures of themselves leaked
rather than have their financial information stolen or compromised.

Yet 92% of consumers feel they take precautions to protect their financial information, but 46% rarely, or never, change the passwords on their financial accounts.

Source: MasterCard press release at BusinessWire

7/15/2015 Crime Pays, or at Least Does not Punish

He was found guilty of more than 50,000 cybercrimes, including breaches, fraud, operating a huge botnet and calling in bomb threats. Yet, because he was in Finland and 17, he received a two-year suspended sentence and was ordered to forfeit about $7,200. Julius Kivimäki was a reported member of the Lizard Squad, which claimed responsibility for using Adobe’s ColdFusion weaknesses (see 4/11/2014 LaCie / Seagate). Apparently without remorse, his Twitter description is “untouchable hacker god” (to see it for yourself, go to Twitter and click on his name for the description). The absence of a meaningful sentence brings no solace to his victims and emboldens other under-age miscreants. A sad surprise awaits them if they continue their behaviours to the age of majority. (Source: KOS)

7/21/2015 Hacking your car from … anywhere

Back in February 2015, a 14 year old hacked cars with $15 of parts from Radio Shack. Earlier in 2010 and 2011 Dr. Tadayoshi Kohno of the University of Washington reported successfully hacking cars without ever touching them.

Today, two security researchers released a video showing they can hack a Chrysler Jeep’s air conditioning, radio, windshield wipers, steering, transmission or brakes. How? Manufacturers are trying to make your automobile work like a smartphone. An internet connection feature in hundreds of thousands of Chrysler cars, SUVs, and trucks allows access to more sensitive features from anywhere on the internet if the hacker knows the car’s IP address which you can find via active scanning. The attack appears to work on any Chrysler vehicle with the internet connection feature from late 2013 through early 2015. An estimated 450,000+ cars are vulnerable.

More exploits are expected to be revealed at the Black Hat hacker conference in August 2015 and Congress is considering minimum cyber security requirements for cars. Source: Wired on line includes a video.

7/27/2015 BitCoin, preferred ransom payment mode

According to security firm Sophos just one group of hackers collected about $16.5 million in Bitcoins in a little over a month. Believed to be based in the Ukraine and Russia the crooks collected primarily from victims in the US. The threat isn’t going away. In late 2014, Dell SecureWorks reported CryptoWall alone (there are multiple variants) had infected over 800,000 computers (more). Read from 11/11/2014 on how a county sheriff paid ransomware and what the 1907 Literature Laureate had to say on the practice.

08/05/2015 Square Vulnerable

Three undergraduates, Alexandrea Mellen, John Moore, and Artem Losev, from Boston University’s Department of Electrical and Computer Engineering presented a paper (7 page PDF) at BlackHat 2015 which found the Square Reader, even the most recent version, to be vulnerable to hardware and software exploits.

In our analysis, we have uncovered several attack vectors in software and hardware: (1) we have identified that older, deprecated Readers were still usable in the wild until July 2015 despite lacking encryption; (2) we have discovered a way to perform a playback attack to initiate unauthorized transactions; (3) we have implemented a hardware encryption bypass that allows a malicious merchant to successfully convert the latest encrypted Square Reader, the model S4, into an unencrypted Reader without tamper evidence. [ Item III on page 2 ]

The implication is that although each Reader device contains a transaction counter, Square is not checking whether swipes decrypted on its servers are occurring in the proper order. It is thus possible to stockpile the audio recordings of encrypted swipes and later play them back to initiate transactions, even many days after the swipes are recorded, and even after having processed an arbitrary number of transactions with the same reader in the intervening days. [ page 3 ]

The accompanying slides (39 page PDF) describe a playback attack (page 18), SwordPhish (page 19) which assists in the attacks, and a hardware encryption bypass (page 14). In summary, there are multiple ways an evil merchant can compromise a consumer’s card.
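The missing server-side check the paper describes (swipes accepted regardless of the reader's transaction counter) can be illustrated with the following added example, which is not Square's code and not from the paper. A keyed MAC over each record stands in for the reader's authenticated encryption so that the counter and card data cannot be edited; the server then refuses any record whose counter is not above the highest it has already accepted for that reader. Keys, reader ids and track data are constructed.

```python
"""Replay rejection for encrypted swipe records (added example; not Square's
code and not from the original page).

A reader emits one record per swipe carrying its id, a monotonically
increasing transaction counter and the card data, bound together by a keyed
MAC over the record (a stand-in for the reader's authenticated encryption,
so that neither the counter nor the data can be edited). The server keeps,
per reader, the highest counter it has accepted and refuses any record at or
below it. Keys, reader ids and track data below are constructed.
"""
import hashlib
import hmac
import json


def make_swipe(reader_id: str, key: bytes, counter: int, track: str) -> dict:
    """What the (simulated) reader emits for one swipe."""
    body = json.dumps({"reader": reader_id, "ctr": counter, "track": track},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class SwipeAcceptor:
    """Server-side gate: authenticate the record, then enforce counter order."""

    def __init__(self, reader_keys: dict):
        self.keys = reader_keys
        self.highest = {}    # reader id -> highest accepted counter

    def accept(self, swipe: dict) -> tuple:
        try:
            msg = json.loads(swipe["body"])
            reader, ctr = msg["reader"], int(msg["ctr"])
        except (KeyError, ValueError, TypeError):
            return False, "malformed"
        key = self.keys.get(reader)
        if key is None:
            return False, "unknown reader"
        expected = hmac.new(key, swipe["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, swipe.get("tag", "")):
            return False, "bad tag"          # tampered or forged record
        last = self.highest.get(reader, 0)
        if ctr <= last:
            return False, "replay"           # seen before, or older than seen
        # Gaps are tolerated (a swipe lost in transit); reuse never is.
        self.highest[reader] = ctr
        return True, "ok"


if __name__ == "__main__":
    keys = {"S4-0001": b"constructed-per-reader-key"}
    acceptor = SwipeAcceptor(keys)
    first = make_swipe("S4-0001", keys["S4-0001"], 1, "track-data-1")
    print(acceptor.accept(first))   # (True, 'ok')
    print(acceptor.accept(first))   # (False, 'replay') when played back later
```

A production service would also persist the per-reader high-water mark so a restart cannot reset it, and might allow a small reorder window for records that arrive out of order; strict monotonicity is the simplest form of the check.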

Gas Station Storage – Hacked!

Automatic Tank Gauges (ATGs) are internet accessible devices that monitor storage tanks at more than 5,000 stations in the United States. Monitoring fuel level and other parameters, the ATGs are designed to transmit alerts when appropriate. As with other devices on the Internet of Things (IoT), these devices were not designed with security in mind. ATGs can be hacked to report false fuel levels and perform other undesirable actions. Properly functioning monitoring devices are critical to avoiding explosions and fire.

TrendMicro examined some monitoring systems and confirmed they had been attacked. As described above, virtual machines were created to decoy and track intruders: TrendMicro created GasPot, which appeared to be an ATG, specifically the Guardian AST gas tank monitoring system, and deployed them in the United States, Brazil, the United Kingdom, Jordan, Germany, the United Arab Emirates, and Russia. Some were visible to search engines, some were hidden. The results were presented at the 8/5/2015 Black Hat security conference in Las Vegas. Most observed activity consisted of basic connection attempts. Some valid commands were also applied. 44% of the targets were in the United States, followed by 17% in Jordan. Last place was Germany, where no GasPots were attacked. (Source & More)
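The decoy approach described here and under "Virtual Machines Decoy & Track Intruders" above comes down to a service that looks live, answers plausibly, and records every contact. The following added example is a minimal TCP decoy of that kind; it is not Trend Micro's GasPot and not code from the original page. The command table and replies are hypothetical (not a real tank-gauge protocol), and the probes in the main block are constructed.

```python
"""Minimal decoy-service request logger (added example; not Trend Micro's
GasPot and not code from the original page).

The decoy accepts TCP connections, answers a small set of assumed
"commands" with canned text so it looks like a live device, and records
every attempt as a JSON line with the peer address and a classification:
'valid_command', 'noise' or 'empty'. The command table is hypothetical.
"""
import json
import socket
import threading
import time

# Hypothetical command table (not a real device protocol).
CANNED = {
    "STATUS": "TANK 1  LEVEL 71.3%  TEMP 15.2C  ALARM NONE\r\n",
    "INVENTORY": "PRODUCT REGULAR  VOLUME 8142  ULLAGE 3858\r\n",
}
UNKNOWN_REPLY = "ERR\r\n"

LOG = []    # in-memory log; a real deployment would ship this to a SIEM


def classify(payload: bytes) -> tuple:
    """Return (classification, reply) for one request."""
    text = payload.decode("ascii", errors="replace").strip()
    if not text:
        return "empty", UNKNOWN_REPLY
    cmd = text.split()[0].upper()
    if cmd in CANNED:
        return "valid_command", CANNED[cmd]
    return "noise", UNKNOWN_REPLY


def handle(peer: tuple, payload: bytes) -> str:
    """Classify, log, and return the reply text for one request."""
    kind, reply = classify(payload)
    record = {
        "ts": time.time(),
        "peer": f"{peer[0]}:{peer[1]}",
        "kind": kind,
        "request": payload[:64].hex(),    # hex so binary probes log safely
    }
    LOG.append(json.dumps(record))
    return reply


def serve(host="127.0.0.1", port=10001, stop=None):
    """Blocking accept loop; each connection gets one request/response."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        srv.settimeout(0.5)
        while stop is None or not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            with conn:
                data = conn.recv(1024)
                conn.sendall(handle(peer, data).encode("ascii"))


if __name__ == "__main__":
    stop = threading.Event()
    threading.Thread(target=serve, kwargs={"stop": stop}, daemon=True).start()
    time.sleep(0.2)    # let the listener bind before probing it
    # Constructed probes against our own decoy: a valid command, a binary
    # scanner-style probe, and a stray HTTP request.
    for probe in (b"STATUS\r\n", b"\x00\x01\x02", b"GET / HTTP/1.0\r\n\r\n"):
        with socket.create_connection(("127.0.0.1", 10001)) as c:
            c.sendall(probe)
            print(c.recv(256))
    stop.set()
    print("\n".join(LOG))
```

The useful signal is the split between `noise` (mass scanning that touches everything) and `valid_command` (a peer that knows the protocol), which is the distinction the GasPot results draw between connection attempts and commands actually applied.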

Knowledge is power … and profit

What stock trader wouldn’t like news before it is public? Requests were sent to hackers in Ukraine who would hack press release companies such as Business Wire, Marketwired and PR Newswire before information was released to the public. Hackers would then deliver instructions on how to access the information. Knowing prior to public release falls under “insider trading” statutes. Over five years of activity about 150,000 releases from 30 companies were stolen allowing some 32 persons to take more than $100 million in this combination of hacking and trading. More at the source. (Source: Associated Press via NYTimes)

Update 09/14/2015  A settlement for some

In an example of our multi-level justice system, one of the charged has agreed to pay $30 million to “settle” allegations by the SEC. A deep pocket gets no “guilty” and no jail time. Others are in jail while working on raising $3 million bail. (Source NY Times)

Update 10/05/2015 Fantasy Sports suffer insider trading

In late September 2015 DraftKings acknowledged that information regarding what players were most used had been exposed in advance to select few instead of being embargoed until lineups for all games are finalized. Getting the information early (and exclusively) is a significant advantage. “… employees of both companies have won big jackpots playing at other daily fantasy sites.” How much? The manager who exposed the information won $350,000 at another fantasy sports site that same week. Employees are forbidden from playing on their own site, but not others. More …

Update 10/14/2015 FBI investigates Fantasy Sports

“The Federal Bureau of Investigation has begun an inquiry into the practices of booming daily fantasy sports sites after players and lawmakers made allegations of predatory tactics and questioned the use of inside information, according to players who said they have been contacted by investigators.” More at the source NY Times…

Update 10/15/2015 Fantasy Sports Betting – some details

October 13, 2006 saw a new law, the Security And Accountability For Every Port Act Of 2006 (80 page PDF) also called the SAFE Port Act. It started as House Resolution 4954 where it was considered and passed on May 4, 2006, sent to the senate who created their own (resolutions 2008 and 2459 in 2006). They were amended, reconciled and agreed to by September 29, 2006 and signed into law by President George W. Bush on October 13, 2006, which was a Friday.

Most of the SAFE Port Act refers to maritime security, but, being the Congress of the United States, it also included a bit of unrelated business. Little public scrutiny, debate or non-legislative branch review was focused on “Title VIII – Unlawful Internet Gambling Enforcement”. Section 802 amends Chapter 53 of Title 31 USC “Money and Finance” by adding §5361 (page 70) to §5367. Of interest is §5361 “Definitions”

(1) BET OR WAGER .—The term ‘bet or wager’—
  (E) does not include—
    (ix) participation in any fantasy or simulation sports game or educational game or contest. [ see page 71 highlighting ours – ed ]

thus creating an exemption. An interesting narrative of fantasy sports betting includes shadow banking, so funds get around domestic prohibitions against using charge cards for gambling. That includes using companies whose names indicate activities other than gambling or gaming. Also how winners can’t seem to get paid. Much more at the source: NY Times …

Update 10/15/2015 (more)  Fantasy blocked in Nevada

Nevada gaming regulators block fantasy sites pending licensing as gambling, not games of chance setting up a state-vs-federal conflict with the SAFE Port Act of 2006 as described above.

Nevada regulators on Thursday ruled that playing daily fantasy sports should be considered gambling, not merely a game of chance, and ordered websites like DraftKings and FanDuel to stop operating immediately in that state until the companies and their employees receive state gaming licenses. The decision by the Nevada Gaming Commission was the latest blow to a booming yet unregulated industry that has faced intense scrutiny in recent days, including federal and state inquiries into the business practices of the two major companies. [ more at the source: NY Times highlighting ours – ed]

Update 10/26/2015  Pinnacle Sports dot com

“Are the successes of law enforcement tantamount to cutting off a lizard’s tail only to see it grow again, and if so, is the battle even worth fighting? Is the better way — with gambling increasingly woven into the fabric of American sports — to simply legalize it so it can be regulated?” An in-depth look at one internet site by PBS/Frontline and the NY Times from creation, through hiding profits, adapting to the growing internet, overnight relocations and more.

That US law has been avoided/evaded/circumvented/skirted is not a new phenomenon. See an article from the NY Times dated 1/31/1998. As a reference, consider that the world-wide-web was invented by Sir Tim Berners-Lee in 1989 with Information Management: A Proposal (the whole document in HTML and an article)

Update 11/10/2015  NY AG stops Fantasy Sports betting

Eric T. Schneiderman, New York State attorney general, issued a cease-and-desist order to fantasy sports companies DraftKings and FanDuel to stop accepting bets from New York residents, saying their games constituted illegal gambling under state law. “It is clear that DraftKings and FanDuel are the leaders of a massive, multibillion-dollar scheme intended to evade the law and fleece sports fans across the country.” “Today we have sent a clear message: not in New York, and not on my watch.” More at the source: NY Times.

[ ummm, Mr. Schneiderman has been attorney general for the state of New York since November 2, 2010. His “watch” started five years ago. What took so long? -ed ]

Update 11/18/2015  NY AG targets Yahoo?

The investigation into daily fantasy sport sites expanded with a subpoena to Yahoo, of Sunnyvale, California. Yahoo has continued to allow New Yorkers to play daily fantasy games. More at NY Times article …

Update 12/19/2015  Data Source & Conflicts

Fans and bettors love data. Does providing it break US law?

In the “old” days scouts would eyeball players. Listen for the crack of a bat connecting with a ball. Timing the speed of a football player running the 100 using a stopwatch. No more. Big data has arrived in many ways from spotters in the stands texting scores, to legions of data transcribers watching the game on live broadcast, to data transmitters actually on the players. The data race runs parallel to the game. If the data does not reach the bookmakers quickly an observer at the game could know the score had changed and make a mid-game bet before the odds could change. A decided advantage for those making wagers.

A potential problem awaits the National Football League (NFL), which has taken a strong public position opposing all sports gambling. Why? Because it made a deal with SportRadar, a relatively new data provider, headquartered in Switzerland and controlled by a private equity firm.

Not only is the NFL providing them access, but it got an equity position in the company, effectively profiting as use of SportRadar rises. Many NFL teams have deals with fantasy sites, and some owners have equity in fantasy gaming sites, which are coming under increasing scrutiny as illegal gambling. Some of the big name owners with equity in SportRadar include Mark Cuban / Dallas Mavericks and Michael Jordan / Charlotte Hornets.

The web of connections takes a little following. SportRadar has an affiliate named BetRadar that has more than 400 clients who “make book”. Where do they provide bookmaking? In the US? That would be illegal. One client is BetCRIS named in several indictments and whose agents, not all, have been convicted. BetCRIS says it “does not allow U.S. located persons to open or maintain accounts” yet reporters were able to log on to BetCRIS from US locations. More at the NY Times

Update 12/23/2015  Illinois: Fantasy Sports Betting Illegal

According to Illinois Attorney General Lisa Madigan fantasy sports betting is illegal gambling. Illinois law bans gambling either based on luck or involving skill.

[ Source: CBSNews. So why is the lottery, a game of luck, legal? -ed ]

Update 12/24/2015  Illinois Attorney General sued

In a pushback against the recent IL AG ruling DraftKings sued. Why? Illinois residents, “hundreds of thousands” of them, are 10% of their customer base. Their argument: this is a contest with prizes, not gambling. Source: CBSNews

6/13/2016 Update  FanDuel / DraftKings Merger?

FanDuel and DraftKings, the two largest “fantasy sports” businesses, each valued at over a billion dollars, have been looking to merge for several months even amid their legal problems. See Bloomberg. The odds for a sustainable and successful joint business model remain long. See NY Times

8/04/2016 Update  FanDuel / DraftKings legal?

In opposition to his own attorney general, the governor of New York signed into law a bill that legalized fantasy sports betting. That it walks like a duck, quacks like a duck, etc means nothing. The law says it is a goose. Besides, we’ll get money from it. More at NY Times

[ Orwell is laughing in the great beyond. Ducks are now geese! Does this mean that betting on insider information will stop because the industry is now legal? Methinks not. Let us remember, Nevada, the home of legal gambling in the United States, has made fantasy sports gambling illegal. -ed ]

Corvette hacked with text message

Modern cars are appearing to be more and more insecure. Earlier in 2010 and 2011 Dr. Tadayoshi Kohno of the University of Washington reported successfully hacking cars without ever touching them. Back in February 2015, a 14 year old hacked cars with $15 of parts from Radio Shack. In July 2015 two researchers hacked a Jeep via the entertainment system using wireless internet meaning the hackers could be almost anywhere.

In August 2015 hijackers were able to apply and disable the brakes of a Corvette by sending a text message to an easily available device connected to the car’s diagnostic port. Source: CBSNews

Is Encryption the Silver Bullet?

Yes and no. Encryption makes it harder and this stops some crooks who lack the motivation or skills. Yet encryption is only as secure as the password or passphrase that protects the key. Some law enforcement efforts obtained physical access to a computer and planted keylogging malware to obtain the keys. Crooks could do that too. Also, humans are not too good at memory, so it is often possible to guess or crack the passphrase that unlocks the encrypted data. A passphrase that is “passphrase” is a good example.

TrueCrypt was a freeware utility, discontinued in mid-2014, used for on-the-fly encryption. It continues to be used in many places and has posed formidable obstacles to attempted decryption. Although pretty strong, it also has some weaknesses. One big weakness is that the keys are stored in RAM, which can be scraped with malware. Because the keys persist in memory only briefly once power is removed, one technique involves lowering the temperature of the memory chips to keep the readable keys there just a little longer.

Longevity and implementation can create concerns. Something encrypted with the state of the art a decade ago may be approaching child’s play to crack. Even worse, the greatest encryption, improperly implemented gives the appearance without the actual protection. More at SecurityCurrent.

8/24/2015  FTC & CyberSecurity Jurisdiction

In the case of Federal Trade Commission v Wyndham Worldwide Corp et al heard in the 3rd U.S. Circuit Court of Appeals, case 14-3514 (47 page PDF) the court said the Federal Trade Commission has authority to regulate corporate cyber security and may continue a lawsuit against Wyndham Worldwide Corp (which includes Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge) for three incidents when hackers stole charge card and other details from over 600,000 consumers. FTC considered that the Wyndham computers “unreasonably and unnecessarily” exposed data to the risk of theft. (Source: Reuters)

12/09/2015 Update  FTC & Wyndham “settle”

Three years ago the FTC took action against Wyndham for three major breaches. Today Wyndham “settled”.

Wyndham Worldwide (the brand includes Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge) was charged by the Federal Trade Commission (FTC) for failing to protect customers’ personal information and their charge card data. Over three years Wyndham litigated, including trying to show that the FTC did not even have jurisdiction over them. On 8/24/2015 the 3rd U.S. Circuit Court of Appeals affirmed the FTC has authority to regulate corporate cyber security (see article above). So Wyndham, rather than continue litigation, agreed to a settlement that requires Wyndham to perform annual security audits for the next 20 years and more.

The FTC chairperson: “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security. Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

[ sources: 12/9/2015 FTC Press Release 12/21/2015 BankRate article. The big takeaway is the FTC has authority to regulate cyber security on behalf of consumers -ed ]

127k+ Android Apps infected by malware/MassVet

Security researchers from Indiana University, Penn State University and the Chinese Academy of Sciences created an application to massively vet Android apps for unknown malice (such as harvesting user data without user knowledge or consent) using a much simpler technique than those in common service today, significantly increasing the speed of detection. Test runs found previously unreported, but suspicious, applications, indicating MassVet can detect zero-day exploits. In analyzing 401,549 apps on Google Play, 30,552 were found to be malicious. 400 of those malicious apps had been downloaded more than a million times each. The MassVet approach removes public libraries and other known benign code from the app. What remains can be compared to other applications. (Source)

How many users suffered from this? No one knows. 400 malicious apps, downloaded a million each, could be 400 million infections. In the MassVet paper (16 page PDF) Table 5 in the appendix shows the app stores investigated, the number of malicious apps found, the number of apps studied and the percentage of malicious apps. In the worst case almost 39% of the apps were malicious. In the best case it was 0.6%. Google was 7.6% malicious. Amazon 5.9%, Baidu 3.9%. There are many more.
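The vetting idea described above, as an added illustration (not the MassVet authors’ code): strip whitelisted library code from each app, then flag otherwise unrelated apps whose remaining code overlaps. The method names, the benign whitelist and the app set are constructed sample data.

```python
"""Differential app vetting in the spirit of MassVet (added example).

Each app is reduced to the set of methods its code calls, known-benign
library methods are removed, and the residue is compared across apps.
Apps from unrelated developers should share little once libraries are
gone, so shared residue is a candidate for repackaged malicious code.
"""
from itertools import combinations

# Constructed whitelist of widely shared, known-benign library methods.
KNOWN_BENIGN = {
    "com.example.ads.AdView.loadAd",
    "com.example.ads.AdView.<init>",
    "org.example.http.HttpClient.execute",
    "android.example.support.Fragment.onCreate",
}

# Constructed sample apps, each as the set of methods its bytecode invokes.
# "com.acme.sdk" is a made-up package standing in for injected code.
APPS = {
    "flashlight": {
        "com.example.ads.AdView.loadAd",
        "com.example.light.Main.onCreate",
        "android.example.hardware.Camera.setParameters",
    },
    "wallpaper": {
        "com.example.ads.AdView.loadAd",
        "com.example.wall.Main.onCreate",
        "com.acme.sdk.Collector.readContacts",
        "com.acme.sdk.Collector.readSms",
        "com.acme.sdk.Uploader.post",
    },
    "calculator": {
        "org.example.http.HttpClient.execute",
        "com.example.calc.Main.onCreate",
        "com.acme.sdk.Collector.readContacts",
        "com.acme.sdk.Collector.readSms",
        "com.acme.sdk.Uploader.post",
    },
    "notes": {
        "android.example.support.Fragment.onCreate",
        "com.example.notes.Main.onCreate",
    },
}


def strip_benign(methods, benign=KNOWN_BENIGN):
    """Remove whitelisted library methods so only app-specific code remains."""
    return set(methods) - benign


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def shared_suspicious_code(apps, benign=KNOWN_BENIGN, min_shared=2):
    """Return (app_a, app_b, shared_methods, similarity) for every pair of
    apps whose residual code shares at least min_shared methods."""
    residual = {name: strip_benign(m, benign) for name, m in apps.items()}
    findings = []
    for (a, ra), (b, rb) in combinations(residual.items(), 2):
        common = ra & rb
        if len(common) >= min_shared:
            findings.append((a, b, sorted(common), round(jaccard(ra, rb), 3)))
    return findings


def flag_apps(apps, benign=KNOWN_BENIGN, min_shared=2):
    """Sorted names of apps that appear in at least one suspicious pair."""
    flagged = set()
    for a, b, _, _ in shared_suspicious_code(apps, benign, min_shared):
        flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    for a, b, common, sim in shared_suspicious_code(APPS):
        print(f"{a} <-> {b}: similarity {sim}, shared {common}")
    print("flagged:", flag_apps(APPS))
```

The flashlight and notes apps share nothing once their ad and support libraries are removed; wallpaper and calculator share the same contact-and-SMS collector, which is exactly the kind of residue that warrants a closer look.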

McAfee Threat Report 2015 Q2

McAfee, part of Intel Security, prepares a quarterly Threats Report (40 page PDF) which shares information from their recurring effort to stop the bad actors. Some of the charts and numbers are not for happy computing. Malware for mobile users (page 31) is up for the fifth straight quarter; total mobile malware samples is over 8 million and has grown every quarter since 2013-Q3. Global mobile malware infection rates (page 32) are down since 2014-Q1, but this may be more related to the growth of mobile users.

McAfee Labs maintains a “zoo” of malware which now contains over 433 million samples, growing steadily over every quarter since 2013-Q3. New malware (page 33) is appearing at about 40,000,000 instances per quarter. Perhaps most disturbing is the incredible growth of ransomware (page 35) which has grown from about 1.3 million instances in 2013-Q3 to about 4.2 million instances in 2015-Q2. The rate of growth has also increased from under 100,000 new ransomware programs in 2014-Q2 to over 1.2 million NEW ransomware programs in 2015-Q2.

Interestingly it appears the volume of email is declining (page 38) from a peak of about 15 trillion messages per quarter (includes 10T spam) in 2014-Q3 to about 7T per quarter (includes 4T spam) in 2015-Q2. This is likely related to the increase in text messaging.

Android Supply Chain installs malware

After the phones leave the factory, but before they reach the consumer, Android phones are being diverted, infected and sent along their way. Some of the phones are from smaller brands such as Alps, Xiaomi and one called “NoName”; others are from big names including Huawei and Lenovo. Over two dozen lines are known to be infected. In February 2015 Lenovo had a similar problem with SuperFish getting loaded on laptops. (source)

Is your baby monitor tapping your home net?

A research case (17 page PDF) from Rapid7 found ten new vulnerabilities in baby monitors, which were disclosed to CERT and assigned CVE-2015-2880 through -2889 on April 3, 2015. The manufacturers involved were informed and the vulnerabilities, and manufacturer responses, were made public at the High Technology Crime Investigation Association (HTCIA) conference on September 2, 2015, five months later.

It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel. If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this paper – can quickly provide a path to compromise of the larger, nominally external, organizational network [ source: page 3 of the case. Highlighting ours -ed ]

Starting on page 8 there are descriptions of six common vulnerabilities. For a summary see Secure Computing Magazine.

This isn’t a new thing. See related article 7/4/2014 about LIFX IoT bulbs that exposed WiFi credentials. With vulnerabilities continuing to be built in, the Internet of Things (IOT) is turning into Incredible Destruction from the Internet of Things (IDIOT).

10/26/2015 Update IoT: still raw

The rush to establish a product in this new field led to shaving some features, and security was never a basic ingredient. In 2014 the Open Web Application Security Project (OWASP) published the “Internet of Things Top Ten Project”, which described the top ten IoT security problems and how to prevent them. It seems those problems are still around. Read one journalist’s opinion at Sophos.

9/01/2015 Seagate Wireless Drives – hard coded credentials & more

In Vulnerability Note VU#903500 CERT reports that Seagate and LaCie wireless storage products contain multiple vulnerabilities since at least firmware in October 2014 to Those vulnerabilities include undocumented access capability with easily guessed credentials, and default configurations that allow unrestricted upload and download capabilities to anonymous users.

CWE is Common Weakness Enumeration, a community developed dictionary of software weakness types maintained by MITRE.ORG

CWE-798: Use of Hard-coded Credentials – CVE-2015-2874 Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of [ we’re not reporting that detail here -ed ] as username and the default password.

CWE-425: Direct Request (‘Forced Browsing’) – CVE-2015-2875 In a default configuration, some Seagate wireless storage products provide unrestricted file download capability to anonymous attackers with wireless access to the device.

CWE-434: Unrestricted Upload of File with Dangerous Type – CVE-2015-2876 In a default configuration, some Seagate wireless storage products provide a file upload capability to anonymous attackers with wireless access to the device’s /media/sda2 filesystem, which is reserved for file-sharing.

The vulnerability note has been updated several times.

Update: 9/07/2015  Seagate FAQ & TheRegister article

Seagate published a FAQ suggesting users access Seagate’s Download Finder to identify firmware updates because “Seagate currently has firmware updates for certain drive families.” The FAQ is undated. [ before updating firmware we have three suggestions: backup, Backup and BACKUP! -ed ]

The Register (Biting the hand that feeds IT) article was not exactly praising the situation. [ we’d like to know how a hard coded credential vulnerability made it into a consumer device in 2014 and continued so long. -ed ]

US Smartphone Comscore

For the three months ending in July 2015, 191.4 million people in the US owned smartphones representing a 77.1% mobile market penetration. More…

A little good news in Cops vs Crooks

European law enforcement have arrested alleged key players behind sophisticated banking malware. The players were outside their native countries and are now facing extradition to the United States. More at KrebsOnSecurity.

Are you accidentally resetting your network switch?

The RJ-45 connector on many network cables has a well known problem with the plastic locking tab – it gets caught (snagged) on many other cables and often breaks. A “snagless” connector was designed that has a rubber boot around the clip. The clip can still be depressed but the coverage of the boot prevents the clip from being snagged. To cover the clip the boot is necessarily larger than the clip. Well, back on October 30, 2013 Cisco reported on a small design problem affecting the popular C3650 or C3850 Series switches. If installed in Port 1 of any 48-port version the boot can press and hold the “Mode” button, which invokes Express Setup and reboots the switch. In other ports the boot can partially obscure port LEDs, air vents, and USB ports. So, simply plugging in the cable can reboot the switch. Ooops! Remember, this was from 2013 so the software may have been updated to not automatically reboot the switch. Pictures and part numbers are on the URL above as are recommended solutions.

9/07/2015  Hacking Pacemakers

A group of undergraduate students at the University of South Alabama hacked a medical grade human simulation to see what would happen if your pacemaker was hacked. The simple answer: you can die. Source: Motherboard. See also Hospital Internet of Things for a lot of other things that can get hacked in a hospital.

Are you using Microsoft Office?

Remote Code Execution (RCE) allows an attacker to execute code on your machine. That code can access or damage your system or cause it to become a ‘bot for attacking other systems.

MS15-097 details vulnerabilities in the Microsoft Graphics Component (MGC), which could allow RCE if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts. A recent patch for MGC is for the buffer overflow vulnerability (CVE-2015-2510). The patch is rated critical for some versions of Office and operating systems. Once infected an attacker can install programs; view, change or delete data; and create new accounts, with full user rights. MS15-099 (fix announcement  KnowledgeBase) describes another RCE vulnerability affecting all supported versions of Microsoft Office exposing the machine if a user opens a malformed EPS image file. See source for more. TechTarget via RICIS, Inc.

TSA Master Keys Exposed

Ever wonder why the Transportation Security Administration (TSA) wants your bags locked with their “Travel Sentry luggage locks”? It is because TSA has the master keys and can open them. Good for them, but kinda bad for your security especially since the master keys have been compromised. Yep, while professional locksmiths and other pickers can open locks with some twiddling it is a lot faster to use a key. The story and the Keys.

This exposure isn’t new. Suitcases have lost their integrity for security purposes. (Think on that). There is a way to get into many a “locked” bag without ever attacking the lock. The high tech tool is a … ball point pen. (YouTube Video 3m 01s)

That the very existence of master keys poses a different kind of security threat for computers has been documented since at least 2002.

On a side note: Is discussion of security weaknesses harmful or helpful? This is not a new topic having been discussed by Alfred Charles Hobbs, an American locksmith in his book Locks and Safes: The Construction of Locks (Charles Tomlinson, editor. Published by Virtue & Co., London, in 1853). What he wrote about physical locks is just as applicable to the electronic locks about which some manufacturers prefer to practice security by obscurity.

A commercial, and in some respects a social doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. [ highlighting ours -ed Source ]

Hobbs was no stranger to great feats having picked the Chubb Defender in public, twice. Since its patenting in 1818 by Jeremiah Chubb the lock was considered impossible to pick.

We need to move from “better” and more complex locks to a new concept where the prize isn’t even in the vault.

Impossible simply means it hasn’t been done yet.

09/09/2015  Stop Self Driving Cars with laser pointer

Self driving cars use a number of sensors to perceive the world around them. Many active sensors send out a pulse. How that pulse comes back can be interpreted to derive information. Chaff, thin strips of aluminum foil or mylar coated with aluminum, can confuse the return from radio waves emitted by RADAR (radio detection and ranging). LIDAR (light detection and ranging) works on the same concept with different principles. A researcher recorded LIDAR pulses and beamed them back using a laser pointer. The LIDAR interpreted those signals as representing objects and the self driving car slowed, stopped, or maneuvered to avoid them. The attack could come from any side. Total price of his equipment was $60. More on the story and the paper Potential Cyberattacks on Automated Vehicles (sign in with Facebook, Google+ or email required to download PDF)

FBI warns on the “Internet of Things”

In alert I-091015-PSA The Federal Bureau of Investigation warned the “Internet of Things Poses Opportunities for Cyber Crime” “The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.” See also this article from Fortune Magazine.

[There are Inherent Dangers on the Internet Of Things. Don’t be an IDIOT! -ed ]

Security Firm Enjoined from Releasing Vulnerability Findings

ERNW, a German cyber security firm, identified multiple vulnerabilities in the FireEye software. FireEye obtained an injunction barring the release indicating that the information included proprietary and other information not related to the vulnerabilities. (More at the source: Secure Computing Magazine article)

9/14/2015 Ads CoOpted by Malware for Weeks

For three weeks, sites including eBay, the Drudge Report and Answers.com contained advertising contaminated with malware (malvertising). The common understanding was that such campaigns were short lived; no longer. Just visiting the site could get you infected, and often the site has little control over the advertising code. More at the source.

9/16/2015  114th Congress, Senate bill S.2044

On September 16, 2015 the US senate introduced S.2044 (a 10 page PDF with double spacing and wide margins) The short title is the Consumer Review Freedom Act of 2015. The summary at the top says “To prohibit the use of certain clauses in form contracts that restrict the ability of a consumer to communicate regarding the goods or services offered in interstate commerce that were the subject of the contract, and for other purposes.”

[ After several readings this appears to be an anti-gag law, unshackling consumers from keep-mouth-shut clauses found in contracts such as some end user license agreements (EULAs). Lamentably the language is in the convoluted phraseology of law makers so we bolded “prohibit clauses that restrict” the consumer’s communication ability to make clearer the intent, at least as we understand it. -ed ]

11/18/2015 Update  S.2044 moves out of committee

On November 18, 2015 the Committee on Commerce, Science, and Transportation ordered to be “reported with an amendment in the nature of a substitute favorably”. No amendment appears on line at the Congressional bill tracking site so what is “substitute favorably”? Substitutes are a procedural device to avoid having 50 amendments that say at page 5 line 17 strike “shall” and insert “may”. (source: GovTrack.us) Essentially the bill was re-written in the form it would be after applying all the amendments. The majority of the reporting entity (in this case a committee) support the bill as-revised.

[ Unfortunately the text of the bill, after the re-write, does not appear to be available. This means the bill could be completely opposite of what was originally intended. We just don’t know. -ed ]

12/08/2015 Update  S.2044 calendared

The committee issued a report and the bill was added to the Senate Legislative Calendar. Source

9/17/2015 Apple iOS apps targeted by new XcodeGhost

Chinese iOS developers disclosed a new OS X and iOS malware. Alibaba researchers posted an analysis naming new malware XcodeGhost. XcodeGhost’s code is located in an object file repackaged into some versions of Xcode installers which were uploaded to a cloud file sharing service used by iOS/OS X developers. Xcode is Apple’s tool for developing iOS or OS X apps and clearly some Chinese developers have used these infected packages. Much more at PaloAltoNetworks

Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store

9/17/2015 XcodeGhost infects Apps and gains new powers

XcodeGhost can prompt a fake alert dialog to get the user to “enter” their credentials; open URLs which allows exploitation of vulnerabilities; Read and write data in the user’s clipboard, which could open many “secure” elements that use the clipboard to transfer data. Much more at PaloAltoNetworks

9/17/2015 KOS finds ATMs emitting bluetooth beacons

Why? Because they’ve been compromised with a skimming device inside their “security” shell. How? Read

Massive Disruption in Cell Phone Programs on the horizon

Apple’s new program may move the industry to manufacturer-centric from carrier centric. More at the source GIGAOM research

9/18/2015 XcodeGhost affects Apple WeChat & 39 other apps

The hundreds of millions of people who use WeChat, instant messaging, banking apps, applications from mobile carriers, maps, stock trading apps, and more may be infected by the XcodeGhost malware. Much more at PaloAltoNetworks

Update 9/20/2015  Apple’s AppStore & XcodeGhost

On Sunday [ 9/20/2015 ] Apple reported it is cleaning up its iOS App Store to remove XcodeGhost from iPhone and iPad programs developed with infected Xcode tool downloaded from a source in China. Why download from China? Because it was faster than Apple’s US servers. (source)

Update 9/21/2015  XcodeGhost infected apps

Here are some of the known infected software

Angry Birds 2
CamCard (a very popular business-card reader)
Card Safe
China Unicom Mobile Office
CITIC Bank move card space
Didi Chuxing
Eyes Wide
Freedom Battle
High German map
Hot stock market
I called MT
I called MT 2
FlyTek input
ane book
Lazy weekend
Mara Mara
Marital bed
Medicine to force
Micro Channel
Microblogging camera
Pocket billing
Poor tour
Quick asked the doctor
Railway 12306 (the sole official application for buying train tickets in China)
Stocks open class
Telephone attribution assistant
The driver drops
The Kitchen
Three new board
Watercress reading
WeChat (reportedly 500 million daily users)


Update 9/22/2015  XcodeGhost in your machine?

Apple just published how to validate your version of Xcode. See Apple Developer News

11/09/2015 XcodeGhost still exists

Apple users beware: Almost two months ago XcodeGhost was revealed. It still exists because, even though the original source of infection was removed, reinfection comes from library code that hasn’t been cleaned. Some malware is so embedded that it is included in other malware! Apple’s App Store validation process approved code compiled from the vendor’s own source code. The “build” of the final program (the one distributed to consumers) often uses third-party components and if any of them are infected then the distributed code is infected. More at Sophos

EMV with about a week to go

It appears that we’re not well prepared. 8 of 10 respondents with household incomes of less than $35,000 per year have received no information on EMV. Only 41% of surveyed consumers have received any form of EMV enabled cards. Of these 41%, 23% received no information on why they are receiving EMV cards. Two-thirds of all surveyed consumers do not understand EMV and how it will impact them. Source and summary infographic (1 page PDF).

An Opinion on Cheating Software

In the wake of Volkswagen’s “defeat” software on diesel engines, which cheated emissions standards and exhausted over 30 times the legal limit of pollutants, a professor describes how we have laws with penalties to find and catch many miscreants, but (except for one great example) not software that cheats. Earthquake related building codes in Chile and Turkey are cited as an example of pro-actively saving lives. De-certifying voting machines with hard coded passwords was another. She recommends three steps:

First, smart objects must be tested “in the wild” and not just in the lab, under the conditions where they will actually be used and with methods that don’t alert the device that it’s being tested. For cars, that means putting the emissions detector in the tail pipe of a running vehicle out on the highway. For voting machines that do not have an auditable paper trail, that means “parallel testing” — randomly selecting some machines on Election Day, and voting on them under observation to check their tallies. It is otherwise too easy for the voting machine software to behave perfectly well on all days of the year except, say, Nov. 8, 2016.

Second, manufacturers must not be allowed to use copyright claims on their software to block research into their systems, as car companies and voting machine manufacturers have repeatedly tried to do. There are proprietary commercial interests at stake, but there are many ways to deal with this obstacle, including creating special commissions with full access to the code under regulatory supervision.

Third, we need to regulate what software is doing through its outputs. It’s simply too easy to slip in a few lines of malicious code to a modern device. So the public can’t always know if the device is working properly — but we can check its operation by creating auditable and hard-to-tamper-with logs of how the software is running that regulators can inspect.

None of this is impossible. There is one industry in particular that employs many of these safeguards in an admirable fashion: slot machines in casinos. These machines, which in some ways present the perfect cheating scenario, are run by software designed by the manufacturers without a centralized database of winnings and losses to check if frequencies of losses are excessive. Despite all these temptations, in many jurisdictions, these machines run some of the best regulated software in the country. The machines are legally allowed to win slightly more often than lose, of course, ensuring a tidy profit for the casinos (and tax revenues for the local governments) without cheating on the disclosed standards.

[ highlighting ours -ed More at the source: NY Times ]

[ Considering what my smart lightbulb can do to hack my WiFi, Heartbleed (expose contents of memory to unauthorized access), Shellshock/Bash (exposure to unauthorized external commands) and the SandWorm exploitation (think weaponized PowerPoint) this sounds very good -ed ]
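The third recommendation above, an auditable and hard-to-tamper-with log of what the software is doing, as an added example that is not from the op-ed or any regulator: each record commits to the previous record’s hash under a key the vendor does not hold, so editing, deleting or reordering entries is detectable. The emissions readings are constructed sample data and the audit key is a placeholder.

```python
"""Hash-chained, keyed operation log (added example).

A device appends one record per operation. Each entry stores the hash of
the previous entry and its own HMAC, computed under a key held by the
auditor rather than the vendor. A verifier that also remembers the most
recent hash (a checkpoint) can detect truncation as well as edits.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Placeholder: in practice this key lives with the regulator or in an HSM.
AUDIT_KEY = b"placeholder-regulator-key"


def _digest(prev_hash, seq, record):
    """HMAC over the previous hash plus a canonical encoding of this entry."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True)
    return hmac.new(AUDIT_KEY, prev_hash.encode() + body.encode(),
                    hashlib.sha256).hexdigest()


def append(log, record):
    """Append a record, chaining it to the previous entry; returns the entry."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "prev": prev,
             "hash": _digest(prev, seq, record)}
    log.append(entry)
    return entry


def verify(log, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, bad_index).

    expected_head is the checkpointed hash of the last entry the verifier
    previously saw; without it, silently dropping the tail is undetectable.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["seq"] != i:
            return False, i
        expected = _digest(prev, i, entry["record"])
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)  # truncated (or extended) after checkpoint
    return True, None


def build_sample_log():
    """Constructed readings: two lab tests, then two on-road tests."""
    log = []
    for seq, nox in enumerate([0.04, 0.05, 0.31, 0.33]):
        append(log, {"test": "lab" if seq < 2 else "road",
                     "nox_g_per_mi": nox})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[2]["record"]["nox_g_per_mi"] = 0.04  # rewrite a road reading
    print("after edit:", verify(log, head))
```

Changing the on-road reading at index 2 to match the lab value fails verification at that index, and dropping the road entries altogether fails once the verifier compares against its checkpoint.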

EMV with one day to go

With one day before the 10/1/2015 deadline how well prepared are consumers and merchants? “More than six out of 10 credit card holders say they don’t yet have a chip-enabled card, despite the industry’s self-imposed Oct. 1 deadline, according to a survey conducted this month by CreditCards.com.”

09/30/2015 September – at this pace

So far in 2015 we are well behind the billion+ exposures of 2014. If we keep going at about 30 million exposed per average month we’ll finish 2015 at about 360 million. That is lower than 2013, but higher than any year since 2005. At about 70 incidents per month we’ll finish 2015 with 860 incidents, higher than any year except 2014.

To put those numbers in to perspective: In 2015
  we will have had more exposures than we have people in the United States.
  we will have had more than two incidents of exposure per day, every day.

In 2015 so far the average financial incident exposes almost 4 million accounts. At this rate we’ll have almost 88 million exposed accounts or about 44.2% of the adult population. NC3 can prevent many of these without expensive new hardware (would you believe $20 billion for EMV?).

Make your voice heard!

As of 2014 62.4% of the US population was 18 or older and under 65, about 198,966,803 people. 88M is 44.2%.
[ link supporting the 62.4% was http://quickfacts.census.gov/qfd/states/00000.html
try http://www.census.gov/quickfacts/ ]

10/01/2015 SamsungPay compared to ApplePay

11 slides comparing the two applications, platforms and more at eWeek. Both can use biometric security with all of those drawbacks. Both allow users to load charge card information into the device which means that crooks can load stolen cards into the phones with ease. This partially explains why fraud on ApplePay is sixty times traditional fraud.

10/08/2015 Update: Hackers breach SamsungPay developer

LoopPay of Burlington, Massachusetts was acquired by Samsung in February 2015 for more than $250 million. In late August 2015 another organization found LoopPay’s data and informed the company that they had been breached. LoopPay didn’t know until then. The target of the breach may have been specifications on “magnetic secure transmission” (MST), a key part of Samsung Pay. MST allows Samsung devices to interface with existing terminal systems and not require merchants to upgrade. Effectively MST will appear to the reader as a magnetic stripe card. More at the source: NY Times

09/28/2015 Pastdate: More on SamsungPay

Some restrictions: Samsung Pay requires particular models of Samsung phones. It requires an agreement with carriers, so if your phone uses Verizon you’re out of luck for the moment. Using the Android operating system, SamsungPay competes with AndroidPay from Google. Android Pay has its own benefits and limitations. Yet SamsungPay has a competitive edge in its “magnetic secure transmission” (MST) communications capabilities. Is that going to be enough? It is very impressive, but magnetic stripes are waning in their senior years. More at Ars Technica

10/02/2015 Timely Breach Reporting for Defense Contractors

Months after the OPM breach the 100,000+ companies of the Department of Defense Industrial Base are required to report breaches that “result in an actual or potentially adverse effect” on databases and information pertaining to DoD activities. Federal Register Part 236, Department Of Defense Industrial Base Cybersecurity Activities and a story from NBCNews.

10/05/2015 Patent Fee Fraud

The non-provisional patent application for NC3 was filed on 11/11/2013 at the World Intellectual Property Organization (WIPO) and published as WO 2014/078241 on 5/22/2014. Not much happened. Yet, within three days after the NC3 patent application 20150278814 (79 page PDF) was published in the United States three different invoices arrived all claiming to be fees due for the international application. They ranged from $2,225 to $2,548, were printed on official looking invoices, and containing many specific pieces of information. Yet, all were from the Czech Republic, and due in 8 to 13 days. I had been warned in advance by my most excellent patent attorneys and their overseas affiliates. Inventors beware!

Update 10/16/2015  2 more

Two more official looking invoices for about $2,100 USD each arrived today. Both “companies” wanted payment to a bank either in the “Slovak Republic” or the “Czech Republic”.

10/13/2015  Cops vs Crooks – good news

Reported last week: the Chinese government has arrested a handful of hackers at the urging of the U.S. Government. This was done quietly and wasn’t the first time either. See KrebsOnSecurity

10/13/2015  Australian Breach Laws not happening

Australia’s Joint Parliamentary Committee on Intelligence and Security recommended that data breach notification laws be in place before the end of 2015. With fewer than 15 session days remaining in the Australian Parliament, Attorney-General George Brandis “amended” his remarks to say “… the government intends to introduce legislation before the end of this year.” [ emphasis ours – ed ] More at ZDNet

10/14/2015  Prepaid Debit Card Hiccups, Bad

For those living on the financial edge, prepaid debit cards may be their lifeline. Facing increasing regulatory requirements, banks are unwilling, or unable, to open traditional checking or savings accounts for those with irregular financial situations. Paying money in advance to a company in exchange for a plastic card is one of the few ways to avoid carrying all your cash with you or stuffing it in a mattress. So what happens when that company cannot, or will not, give you your money back? Many times it is a problem that affects a few people at a time, but during early October hundreds of thousands of RushCard customers were affected, turning them into people without money. RushCard is no charity; they charge fees which are reasonable compared to other services (except for maybe the $100 per paper statement fee). The deluge overwhelmed RushCard support. According to their Facebook page, customers were on hold for hours at a time. The timeline has posts from people who couldn’t buy medicine, food or transportation, or had their lives disrupted. It appears that a number of accounts were made “inactive” during a conversion. Source: [ http://www.myfoxmemphis.com/story/30262641/rush-card-problems-causing-issues-for-users ] HBQ Memphis. Update 10/20/2014 ABCNews. Update 10/21/2015 NYTimes

10/30/2015  RushCard to Reimburse Customers

RushCard said that it will refund customers for losses as well as inconvenience. Russell Simmons, RushCard co-founder, said “We’re focused on making customers whole.” Rick Savard, RushCard’s chief executive, said “We take accountability. We will make it right and go a little bit further.” The details are still being developed and have to be approved by regulators. More …

[ What a clear statement of beneficial intent. ThumbsUp, HatsOff, Kudos etc to the company, especially if they follow through. -ed ]

12/04/2015 Update  RushCard facing regulators

The Consumer Financial Protection Bureau is investigating UniRush (RushCard’s parent company) and demanding material. The company calls the requests overly broad and the time too short. More at NY Times.

10/15/2015  US Navy returns to sextant training

Training in celestial navigation was phased out of the US Navy between 2000 and 2006. A difficult topic, it was deemed irrelevant given LORAN and other satellite-based systems that could do the navigation faster and more accurately. Perhaps given the concern over maritime cyber warfare, starting with the class of 2017, third year midshipmen are again to face the sun and the stars with sextants often older than they are. Assisting with the initial instruction is the US Merchant Marine Academy, which never stopped teaching celestial navigation as a professional practice, so as to have an alternative navigation system to check the primary system. More …. Also see USNA article.

10/16/2015  New CISA Law – good or bad?

The Cybersecurity Information Sharing Act (CISA) (Senate Resolution S.754) is scheduled to be considered in the Senate later this year. The original measure was reported to the Senate by Senator Burr without written report in March of 2015. Its stated purpose is to allow and encourage sharing of threat intelligence between private companies and the government. The Computer & Communications Industry Association (CCIA) is a technology advocacy group started in 1972 that represents Google, Facebook, Microsoft, Amazon, eBay, and other technology firms. They support the goals, but not at the cost of privacy. CCIA reported

CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.  In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.

Several federal elected officials have made similar statements. See the source: Sophos

10/24/2015  Draft Cybersecurity Law has undesirable consequences

Hacking cars has been reported here for years. In 2010 and 2011 Dr. Tadayoshi Kohno of the University of Washington reported successfully hacking cars without ever touching them. In February 2015, a 14 year old hacked cars with $15 of parts from Radio Shack. In July 2015, two security researchers released a video showing they can hack air conditioning, radio, windshield wipers, steering, transmission or brakes.

In response, the House of Representatives has drafted a law related to cybersecurity for cars and trucks. The intent was to deter hackers from accessing vehicles in such a way that threatens drivers’ safety and privacy. Sadly, the draft contains some provisions with potentially terrible consequences.

One provision was thrown into question with two words: “without authorization”. This could make it illegal for bona fide security researchers to examine the code. The draft law does not state from whom such authorization may be obtained. “Accessing” an electronic control unit or critical system would be illegal. This legal language won’t deter crooks, but it might give security researchers pause. Security through obscurity, that is, keeping the details from the public, has been a bad idea since at least 1853 (read why). Language in the bill could give manufacturers protection from enforcement of existing consumer protection laws, even if those companies violate their own privacy policies. Read more at Sophos

10/27/2015 Update:  CISA passes Senate

CISA was passed today in the Senate 74:21 and moves to a conference committee to resolve differences between the Senate and House versions. That won’t fix the problems.

The Electronic Frontier Foundation, Defending Your Rights in a Digital World, isn’t happy about it and neither should you be. The bills have clauses granting broad immunity, contain vague definitions, and allow for considerable non-security data sharing in the name of security. CISA does not address the actual problems underlying recent breaches, including the lack of encryption for files containing personally identifiable information and the lamentable tendency for persons to fall prey to social engineering and click a link that leads to malware and system exposure.

EFF wasn’t alone in being unhappy. The Center for Democracy & Technology (CDT) published these points about CISA:

Requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the NSA, other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill;

Risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity;

Authorizes cybersecurity “countermeasures” that would violate the Computer Fraud and Abuse Act and cause harm to others;

Will have unintended consequences – it trumps all law in authorizing companies to share user Internet communications and data that qualify as “cyber threat indicators;”

Does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities. [ from a 10/23/2015 article and there is a lot more. Highlighting ours – ed ]

Computer security engineers and academics were against it. Technology companies, large and small, were against it. A million constituents sent messages opposing CISA. Noted security researcher Brian Krebs isn’t for it and his article has more references on why this effort is unlikely to accomplish its goals.

(Sec. 6) Provides liability protections to entities acting in accordance with this Act that: (1) monitor information systems, or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares any indicators or defensive measures with the federal government is consistent with specified procedures and exceptions set forth under the DHS sharing process. [ 114th Congress, Senate Bill 754, the entirety of Section 6. ]

Does that mean the mere act of monitoring exempts an organization from legal action? So, would Experian still have been liable for exposing 200 million financial accounts in 2013 if they had been monitoring? They actually sold the information quite openly, so how would monitoring have stopped that? Will the CISA bill shield others?

So did CISA passage reflect a misunderstanding by lawmakers about technology and security? Or, is there another agenda at play? [ Similar to the imposition of EMV by 10/1/2015. Was it to protect the public or move liability from one group to another? If the former, why were only 40% provided EMV cards by the deadline? -ed ]

10/28/2015 Update  Automobile code can be modified

Altering computer programs may not infringe software copyright. Owners and security researchers can work with automobile software without incurring some U.S. copyright liability. The government agreed with fair use advocates that vehicle owners are entitled to modify their cars, which may involve altering software. Automakers opposed the rules. They said vehicle owners could visit authorized repair shops for changes they may need to undertake. [ what about “want” to undertake? -ed ] The new rules sunset in three years and will have to be renewed. It is still copyrighted material so, unlike some versions of the Creative Commons License, someone can’t extract code and sell it. More at Reuters … [ Be aware: If CISA becomes law this is a conflict between CISA and the ruling. -ed ]

12/17/2015 Update  CISA part of Omnibus

There are a dozen or so budgetary bills that have to be passed or the government shuts down. It isn’t as if the annual deadline is a surprise; it happens every year. Given the nature of Congress, when there is a lot of tax dollars being spent there is a lot of … negotiating … so sometimes these bills are rolled up into one “Omnibus” bill that has already been “approved” by enough people to get it passed. One vote applies to them all. Political cover is provided because to vote nay endangers the whole package and risks a government shutdown.

Back in October CISA passed the Senate. Privacy advocates were unhappy with provisions more amenable to surveillance than security. They were not alone. Apple, the Business Software Alliance, the Computer and Communications Industry Association, the Electronic Frontier Foundation (EFF), Reddit, Twitter, and more than 50 other groups expressed varying levels of concern. The Department of Homeland Security itself warned that the bill could overwhelm the agency with data of “dubious value” as it reduces privacy protections. There was hope that the provisions could be altered before being signed. That hope is pretty much gone. It appears that CISA has been further edited to remove more privacy protections.

Because CISA is part of the Omnibus bill, any negative vote threatens the entire federal budget. CISA on its own was contentious, so by sticking it here Congress is getting it done, whether we like it or not, and without further debate. More at Wired.

[ With so many on record against it, who is actually for it? -ed ]

12/18/2015 Update  CISA passed by Congress

Bye bye privacy. Hello to something else. In some of their words:

Budget watchdogs: will add $2 trillion to the nation’s debt over 20 years.

Two Republicans
Sen Lee (R Utah): “an affront to the Constitution. A small handful of leaders from the two parties got together behind closed doors to decide what the nation’s taxing and spending policies would be for the next year…”

Sen McConnell (R Kentucky): “This legislation is worth supporting.”

Two Democrats
Rep Doggett (D Texas): “… they put it all on the credit card, except that it’s your credit card”

Rep Pelosi (D California): “I feel almost jubilant about what is in this appropriations bill,”

The bill heads to the Senate, which is expected to pass it, and President Obama has indicated he will sign the bill. (Not sure why, but the NYTimes has this story dated tomorrow, 12/19/2015)

CISA was the 14th rider on the Omnibus.

Sen Wyden (D Oregon): “a surveillance bill by another name.”

Joseph Pizzo (engineer at Norse Security): “Organizations can now directly share raw data with several agencies with no protection or anonymity … organizations may feel that they’re helping, I don’t foresee any work moving forward to protect consumer data.”

Mark Jaycox (Electronic Frontier Foundation): “There is essentially no privacy scrub for unrelated personal information … The privacy protections are definitely worse than in CISA — it’s certainly a worse bill in regards to privacy.” (source)

“Do I need to put copyright symbols on my text messages?” (source)

[ Interesting idea, but we don’t think it will help protect it from being transmitted anyway. Lastly, how many riders were in this MUST-PASS bill? We can’t find a number. We did find that one rider lifted the sledding ban on Capitol Hill after 14 years. (source) Absolutely critical to running our country. -ed ]

10/16/2015  Kotak Mahindra Bank of India

This is either a new high point or a low point depending on your point of view. The Kotak bank recently detected a fraud where 1,730 transactions worth Rs 2.84 crore (Rs 2.84cr is 28.4 million rupees, or about $440,000 USD) were carried out using 580 credit cards the bank had never issued. The cards were fabricated and used for online shopping and making payments in Brazil, Canada, France, Germany, India, the UK and the USA between July 2, 2015 and September 10, 2015. So who is liable? Bank insurance generally covers issued cards. Are the merchants liable? Is there an undiscovered gap in the card infrastructure? Are more such incidents on the horizon? More…

10/19/2015  Apple Yanks Apps, Hundreds of Apps

The creators of these applications used a software development kit (SDK) from a Chinese advertising company which allowed developers to add ads to their apps. That is in keeping with Apple’s terms. Unbeknownst to the developers, the SDK covertly collected information such as email addresses and iPhone serial numbers and transmitted it back to the SDK provider. That is a violation of Apple’s privacy guidelines for developers. The design of the SDK hid the illicit harvesting very well, and Apple is assisting developers to adapt their applications without the snooperware. More …

10/22/2015  Australia wants YOU! (or at least your face)

Late last month Australia passed the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015 (full text), granting authority to collect biometric data on everyone entering and leaving the country. The Guardian/UK reports that images from social media already have a name connected to them and are more useful than the lesser quality images captured by the closed circuit television (CCTV) cameras popping up around the world. According to George Brandis, Australia’s attorney general, these new powers do not need parliamentary approval. More …

[ See what Cassius said in Julius Caesar Act 1, Scene 2 per US Library of Congress -ed ]

Aside: As of 2012 London, England had about 422,000 CCTVs, or one for every 14 people in the city. By July 2013 the British Security Industry Authority (BSIA) estimated there were up to 5.9 million CCTVs in the country, one for every 11 people in the UK.

10/23/2015 Update   CCTV not secure

Many closed circuit television cameras (CCTVs) and their networks have been found to be infected with botnets. Researchers at Incapsula have discovered a botnet that directs attacks from 900 CCTVs all over Earth (map and details), and like many devices on the IoT their security, if any, is an afterthought. Source: BoingBoing

[ There is an Inherent Danger on the Internet of Things. Don’t be an IDIOT – ed ]

10/23/2015  Apple Scammed

A press release (1 page PDF) from the Queens County, New York district attorney has charged a man with grand larceny for allegedly altering pre-paid cards to have higher values and then purchasing gift cards from Apple worth nearly one million dollars.

10/26/2015  Practice Safe Hex!

In the latest demonstration of unsafe hex practices, certification provider CompTIA placed 200 unbranded USB drives at public locations in Chicago, Cleveland, San Francisco and Washington, D.C. 17% were plugged in by the finders, who then opened text files, clicked on unfamiliar web links or sent messages to a listed email address.

The CompTIA white paper (9 page PDF) Cyber Secure: a Look at Employee Cybersecurity Habits in the Workplace summarizes a survey of 1,200 full-time workers across the US examining their technology use, security habits and level of cybersecurity awareness. Topics examined include usage of company-issued devices, public Wi-Fi, password protection, login IDs and USB sticks. [ Thanks to CompTIA for providing this paper with no registration required -ed ]

Some statistics from the white paper
   94% of full-time employees regularly connect to public Wi-Fi networks
   65% of full-time employees transmit work-related data on public Wi-Fi networks (69% of the 94%)
   63% of employees use their work mobile device for personal activities.
   41% of employees do not know what two-factor authentication is.
   38% of employees have repurposed work passwords for personal purposes.
   38% use work passwords for personal accounts.
   37% of employees only change their work passwords annually or sporadically.
   36% of employees use their work email address for personal accounts
   27% of Millennials have had their personally identifiable information hacked in the past two years
   19% of all employees have had their personally identifiable information hacked in the past two years

More at Sophos and see the results of research done on USB drives lost in public transit and sold in auction.

10/28/2015  License Plate Readers

In an automated license plate reader (ALPR) system, cameras read license plates, the system compares them against lists of wanted vehicles, and it either forwards an alert, stores the reading for further use, or just discards it. Why should you care? It is one thing for law enforcement to find crooks. It is another for the police, or anyone else, to snoop on your comings and goings.

How did these cameras get found? Several years ago researchers found what they thought were hundreds of cameras intended to photograph stop light violators. Those cameras were transmitting their signals without security. The Electronic Frontier Foundation (EFF) assisted the research and found the cameras were not taking pictures of stop light violators, but were tracking license plates. The company that made these systems was acquired by 3M. In 2013 a 3M spokeswoman noted that these systems feature robust security protocols, including password protection and encryption.

Since mid-2015 the EFF has been working with police to track over 100 automated license plate readers whose output has been streaming live on the web, accessible to anyone who knows where to look. The cameras can be pole mounted, on the sides of buildings, or even part of police cars. The “leaking” cameras were found in:
  California: the University of Southern California’s public safety department
  Florida: Hialeah Police Department
  Louisiana: Kenner Police and the Sheriffs of St. Tammany and Jefferson Parish
The good news: except for Florida, all the systems found are now secure. The bad news: the researchers have found other vulnerable cameras in Alabama, California, Florida, Louisiana, Mississippi, Ohio, Oklahoma, Pennsylvania, Texas, Virginia, and Washington state.

What can you do? Take a gander at the EFF report, an easy read. Then realize that of the 4.6+ million reads of 1.1+ million plates by the police department of Oakland, California (OPD), only 1,760 (0.16%) plates were of interest. That makes them less than efficient. Measures to expand license plate readers have been curtailed in Louisiana and California. Now think about your tax dollars at work and maybe ask your police department what those systems cost you, the taxpayer, and how effective they are at catching crooks. Oh yes, those traffic light systems? Not so secure either. Speaking of the internet of things and a lack of security: would you believe a car wash that can be hacked via the internet?
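The read/compare/alert-or-discard pipeline described above, and the hit-rate arithmetic from the Oakland numbers, as an added example (not from the EFF report or any ALPR vendor): non-hit reads are kept only within a retention window, so the system retains little about drivers who are not on the hot list. The read format, plates, camera names and hot list are constructed for illustration.

```python
"""Hot-list matching with data minimization for ALPR reads (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Read:
    ts: datetime
    plate: str
    camera: str


def normalize(plate: str) -> str:
    """Collapse common variants: uppercase, drop spaces and dashes."""
    return "".join(c for c in plate.upper() if c.isalnum())


def parse_reads(lines):
    """Parse constructed 'ISO-timestamp,plate,camera' lines into Read objects."""
    reads = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, plate, camera = (f.strip() for f in line.split(","))
        reads.append(Read(datetime.fromisoformat(ts), normalize(plate), camera))
    return reads


def process(reads, hot_list, now, retain_days=0):
    """Compare each read against the hot list.

    Returns (alerts, retained):
      alerts   - reads whose plate is on the hot list (forwarded immediately)
      retained - non-hit reads kept only while inside the retention window;
                 retain_days=0 means every non-hit is discarded at once.
    """
    hot = {normalize(p) for p in hot_list}
    cutoff = now - timedelta(days=retain_days)
    alerts, retained = [], []
    for r in reads:
        if r.plate in hot:
            alerts.append(r)
        elif retain_days > 0 and r.ts >= cutoff:
            retained.append(r)
    return alerts, retained


def hit_rate(reads, alerts):
    """Fraction of distinct plates read that were of interest (Oakland: 0.16%)."""
    plates = {r.plate for r in reads}
    hits = {r.plate for r in alerts}
    return len(hits) / len(plates) if plates else 0.0


# Constructed sample feed: timestamp,plate,camera
SAMPLE_READS = """\
# constructed sample reads
2015-10-20T08:01:00,ABC 1234,pole-07
2015-10-20T08:03:10,xyz-9876,pole-07
2015-10-27T17:45:00,ABC1234,cruiser-12
2015-10-28T09:12:30,LMN 5555,bldg-03
2015-10-28T09:13:02,QRS 2222,bldg-03
"""
HOT_LIST = ["lmn-5555", "ZZZ 0000"]  # constructed hot list


def demo(retain_days=7):
    """Run the sample feed as of 2015-10-28 noon; returns (alerts, retained, rate)."""
    reads = parse_reads(SAMPLE_READS.splitlines())
    now = datetime(2015, 10, 28, 12, 0, 0)
    alerts, retained = process(reads, HOT_LIST, now, retain_days)
    return alerts, retained, hit_rate(reads, alerts)


if __name__ == "__main__":
    alerts, retained, rate = demo()
    for a in alerts:
        print(f"ALERT {a.plate} seen by {a.camera} at {a.ts.isoformat()}")
    print(f"retained non-hits: {len(retained)}, distinct-plate hit rate: {rate:.2%}")
```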

10/28/2015  Safe Hex! (more)

Train employees to be cynical enough to inspect email before opening it. See eWeek

10/29/2015  Cybersecurity Law in Tanzania

Elections can be won or lost on the slimmest of margins and any tool that can be used, or abused, to tip that small balance warrants the most careful of examinations. That Tanzania’s cybersecurity law has stifled political discourse appears undisputed. How much remains to be seen.

The Cybercrimes Act of 2015 (April 1, 2015) drew criticism from both inside and outside of Tanzania. By mid-July 2015 Article 19, Defending Freedom of Expression and Information, had published their review (27 page PDF), which contained two full pages of bullet points of concern. Of particular note was Section 16, which punishes the publishing of false or misleading information with at least six months imprisonment. Think on that a moment. In the United States our political advertising machinery quite often inflames voters with misleading information, quotes out of context, etc. So what happened in Tanzania?

A raid was made late on election day by persons who identified themselves as police officers. There may be some question if they were. 38 people were detained and computers were taken into custody. The next day eight people were charged under Section 16 of the Cybercrimes Act, accused of publishing “inaccurate and unverified data” over Facebook and Twitter.

The Cybercrime law isn’t well known. The defense attorney for the eight initially reported there was no such thing as Section 16. The outcome of this case of eight political staffers is unclear.

See: 9/12/2015 TanzaniaToday: Activist NGOs file case against Cybercrime Act; 10/18/2015 on how “Tanzania’s social media chat groups have gone a little quiet since the government introduced a new law to tackle cyber crime.” from the BBC and a 10/29/2015 Slate article.

10/30/2015  Seeing Through Walls

X-ray specs? We don’t need no steenkin x-rays specs!
Even if you’re out of sight and behind a wall, MIT announced the creation of a device that can find you using wireless signals like Wi-Fi to provide reflections for analysis. Think of SONAR, which analyses sound waves reflected off objects. Good? Bad? Like any tool, it depends how it is used. More at Sophos …

10/30/2015  White House: Modernizing Federal Cybersecurity

In the past year the government has been hard hit by cyber problems with breaches at the IRS, US Postal Service, unclassified email at the State Department, secure email of the President, secure email of the Joint Chiefs of Staff and more.

After the OPM Breach back in June 2015 the US Government announced (3 page PDF) “the sprint”, a large coordinated effort to enhance federal cyber security. On October 30, 2015 there was another announcement where “Today, the Administration directed a series of actions to continue strengthening Federal cybersecurity & modernizing the government’s technology infrastructure.”

The goal (21 page PDF) of the Cybersecurity Strategy Implementation Plan (CSIP) is to strengthen Federal civilian cybersecurity through the following five objectives:
   Prioritized Identification and Protection of high-value assets and information;
   Timely Detection of and Rapid Response to cyber incidents;
   Rapid Recovery from incidents when they occur;
   Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear; and
   Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology.

11/03/2015 Update:  So how good is that cyber-plan?

It is a good start, but the scale is daunting. “To put it in perspective: the US government employs 4.1 million workers, almost twice as many people as Wal-Mart … [ plus ] the 212 biggest private employers in the US combined have 4.4 million workers.” See more at Sophos.

Your apps are still talking about you!

A research paper Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps was published by researchers from Carnegie-Mellon, Harvard and the Massachusetts Institute of Technology (MIT).

Why should you care? This is personally identifiable information (PII) the raw material for identity theft. There is also the Big Brother aspect. An app may share a unique identification code related to a device. There are several including System ID, SIM card ID, IMEI, MEID, MAC address, UDID, and more. These identifications can be used to track you.

All online: the paper is available online without requiring registration. You can get it here or here. There is a summary graphic showing the applications and which domains they report to. Other charts rate the sensitivity of information shared, tracking (location sharing whether the user intends it or not) and more. You can also select one of the over 100 tested applications to see what that application shares. For example: the YELP application on Android shares to four different domains.
  yelp.com gets Address, Birthday, Email, Gender, Name, Password, ZIPcode and Location
  DoubleClick.net gets Location
  Google.com gets Email and Name
  GoogleAPis.com gets Gender and Name

A mystery! 51 of the 55 (93%) Android applications tested communicated with SafeMovedM.com. Why is unclear. The authors hypothesize it may be a background connection made by the Android operating system. That very little information flowed via the monitored HTTP connection does not exclude the possibility that data flowed over other ports that were not monitored by the researchers.

What you can do about it. Right now – there are tools that can protect your privacy by sending false data in response to permission requests from apps. Unfortunately it appears that none of them are easy to install. MockDroid is from the University of Cambridge Computer Laboratory and is essentially a replacement Android-based operating system. It was created circa 2011 and may no longer work on current cell phones. Taming Information-Stealing Smartphone Applications (TISSA) from North Carolina State University is also circa 2011, but is a privacy setting manager allowing customization of each application’s access to information. Those settings can be adjusted any time that the relevant applications are being run – not just when the applications are installed. AppFence implements two privacy controls that covertly substitute shadow data in place of private data and block network transmissions that contain data the user made available to the application for on-device use only. AppFence requires altering the operating system.

Later – Consumers can get an opt-out option to inhibit or limit the sharing of data to third parties. This might be a regulatory or legislative protective measure, but even with such restrictions, would you trust that all applications follow the rules? [ me neither -ed ]

[ Update: The paper was based on work done at least a year ago. The SafeMovedM.com domain no longer appears to exist. A reverse IP lookup of the address cited resolves to server-54-230-38-136.jfk1.r.cloudfront.net. ]

11/10/2015 Update  A modern anti-tracking tool

The three tools noted above are operating system modifications. There is at least one application that works to block communication with many sites. Ghostery, in default mode, blocks many advertising, analytics, beacon, privacy and widget trackers from communicating with their host sites. You can selectively choose to allow any of them to access your data. How many sites are monitored? Many! You can search the database for a particular tracker. Clicking on the tracker name reveals what information is being provided, for what purpose, the tracking company and more.

What you need to know about trackers is a video, less than 2 minutes, that explains clearly what trackers do and how they impact individuals and businesses alike. Ghostery is available for every browser including Firefox, Safari, Chrome, Internet Explorer, and Opera. It works on iOS and Android. Blocking those additional communications sessions speeds up your browsing session.

Businesses, read this: if you are managing a site and wondering how your competition is actively engaging your customers, consider investigating how to block data accumulators from poaching your customer base and selling it, over and over again, effectively diluting your brand.

If you are using any third party software, such as ad displays or services, know that these are generally beyond your control. They can slow your site, trigger mixed content security warnings that cause your potential customers to abandon their purchases (reducing conversion rate), create a security gap where contaminated third party software is running on your system, and, by causing personally identifiable information (PII) to be shared (even if you didn’t do it yourself), put you afoul of privacy requirements anywhere in the world (the world wide part of the web). Several white papers from Ghostery discuss the serious business of digital security.

[ Ghostery was founded in 2009 so we’re not sure why the research paper didn’t cite them. Disclosure: we use Ghostery, but have no other connection with them. -ed ]

11/01/2015  Class Action Lawsuits – Great equalizer or not?

Might have been, but “arbitration clauses” often make it impossible to get to court. Where do you find these clauses? Check your charge card, cellphone agreement, contracts for cable service, contracts for internet access, terms of service for shopping online, your employment agreement, contracts with for-profit schools, renting a car, opening a bank account, buying a computer game, or just walking into a restaurant or theater that has a sign: you have agreed to not sue (even for damages) as either you or they may elect to resolve any claim by individual arbitration.

Even Ashley Madison customers agreed to arbitration instead of class action, so they are unlikely to successfully obtain justice in multiple lawsuits combined as class actions against a company that created fictitious profiles and portrayed them as real potential companions. Or consider receiving “roaming charges” when using your cell phone in your home. The charges per consumer are small, but a class action might get justice. The case is just one of many listed at a specialty web site that lists class actions (or attempted class actions) against cellular service providers. Read past the headlines, especially those that say consumers won. Many of them are many years old. Then notice the date of the most recent case. Then see Pendergast v. Sprint Nextel Corporation from 2010 to appreciate the barriers for even potential plaintiffs.

How did we get to the point where people were pushed away from their day in court and toward arbitration, where they so seldom prevail? Agreements are so long and in such fine print that your eyes glaze over and you don’t read the clause. As for how those clauses got there, see here…

12/15/2015 Update:  Class actions limited … again

In a ruling (28 page PDF) yesterday the US Supreme Court ruled 6-to-3 that customers of DirecTV in California must use individual arbitration and were not allowed to form a class action. This ruling by our nation’s highest court makes it harder for consumers to obtain justice for defective products, service or outright fraud.

In dissent one justice wrote “these decisions have predictably resulted in the deprivation of consumers’ rights to seek redress for losses, and, turning the coin, they have insulated powerful economic interests from liability for violations of consumer protection laws.” Another dissenter wrote “I would take no further step to disarm consumers, leaving them without effective access to justice”. Source: NY Times article

11/02/2015  Cloud NOT(secure) Since Inception

At Mitre the Common Vulnerabilities and Exposures (CVE) entry for CVE-2015-7835 shows no detail. On 10/29/2015 Xen Security Advisory CVE-2015-7835 / XSA-148 version 4, “x86: Uncontrolled creation of large page mappings by PV guests”, was published. It says a PV guest can create writeable mappings using super page mappings, which violate Xen’s intended invariants for pages that Xen is supposed to keep read-only, even if the “allowsuperpage” command line option is not used. Why believe them? Xen is reporting a vulnerability in their own software. Good for them, but …

W   T   F   does that mean?

It means

An extremely serious vulnerability lay undiscovered at the heart of much of The Cloud for seven years.

The vulnerability (CVE-2015-7835), which affects the Xen hypervisor [ a sort of supervisor of supervisors ] software used by Cloud hosting companies like Amazon Web Services, is so serious that it was widely patched under embargo before being disclosed on 29 October 2015.

Xen hypervisor software allows a ‘host’ server to be sub-divided into a number of smaller, easily managed virtual ‘guest’ servers. Although they share hardware and some software, the guests behave as entirely independent servers that are isolated from each other and their host. Virtualisation has become incredibly popular in IT departments and data centres around the world and it’s a key underpinning technology for Cloud infrastructure and services. The vulnerability within Xen allows an attacker who’s running a virtualised guest server to reliably access the host machine’s memory and take over the entire host system … So how did something so serious go undiscovered for so long in something so critical?

One perspective is provided by the security team at QubesOS (a security-focused operating system that relies on Xen) in their 29 October 2015 security bulletin.

… this is a subtle bug, because there is no buggy code that could be spotted immediately. The bug emerges only if one looks at a bigger picture of logic flows …

In other words it wasn’t obvious, but that doesn’t mean they’re letting Xen off the hook though:

On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years …

Specifically, it worries us that, in the last 7 years (i.e. all the time when the bug was sitting there having a good time) so much engineering and development effort has been put into adding all sorts of new features and whatnots, yet no serious effort to improve Xen security effectively.

[ more at the source: Sophos. Highlighting ours. Maybe advertising should carry a warning: Reality May Differ From Shown -ed ]
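As an added illustration (not Xen’s code, and much simplified), here is a toy model of the invariant the advisory describes: the hypervisor must refuse writable mappings of frames it keeps read-only, and a superpage mapping only upholds that invariant if every frame it covers is checked and the option permitting superpages is honoured. The frame types, entry layout and function names are hypothetical; the small-page path is correct in both versions, which is why the defect is not visible from any single line.

```python
# Toy model of the page-table invariant behind XSA-148 / CVE-2015-7835, as the
# advisory summarises it. Not Xen code: frame types, entry layout and names
# are hypothetical. Only the "must stay read-only" invariant is modelled.

SMALL_PAGES_PER_SUPERPAGE = 512   # one 2 MB superpage covers 512 4 KB frames

GUEST_RW = "guest_rw"       # ordinary guest memory: may be mapped writable
PAGE_TABLE = "page_table"   # a guest page table: hypervisor keeps it read-only
XEN_OWNED = "xen_owned"     # hypervisor memory: the guest may never write it


def frame_may_be_written(frame_type):
    return frame_type == GUEST_RW


def validate_entry_buggy(frame_types, entry, allow_superpage):
    """Model of the broken logic: a small-page mapping is validated, but a
    superpage mapping is accepted without checking each frame it covers and
    without honouring the allowsuperpage switch."""
    if not entry["writable"]:
        return True
    if not entry["superpage"]:
        return frame_may_be_written(frame_types[entry["frame"]])
    return True   # invariant never checked on the superpage path


def validate_entry_fixed(frame_types, entry, allow_superpage):
    """Hardened check: superpages only when the option allows them, and a
    writable superpage only when *every* covered frame may be written."""
    if entry["superpage"] and not allow_superpage:
        return False
    if not entry["writable"]:
        return True
    if not entry["superpage"]:
        return frame_may_be_written(frame_types[entry["frame"]])
    first = entry["frame"]
    if first % SMALL_PAGES_PER_SUPERPAGE:      # superpages must be aligned
        return False
    covered = range(first, first + SMALL_PAGES_PER_SUPERPAGE)
    return all(frame_may_be_written(frame_types[f]) for f in covered)


def demo():
    # Constructed machine: 1024 frames of guest memory, with one guest page
    # table and one hypervisor-owned frame inside the second superpage range.
    frame_types = [GUEST_RW] * 1024
    frame_types[600] = PAGE_TABLE
    frame_types[700] = XEN_OWNED
    attempt = {"frame": 512, "writable": True, "superpage": True}
    clean = {"frame": 0, "writable": True, "superpage": True}
    return {
        "buggy": validate_entry_buggy(frame_types, attempt, allow_superpage=False),
        "fixed": validate_entry_fixed(frame_types, attempt, allow_superpage=False),
        "fixed_option_on": validate_entry_fixed(frame_types, attempt, allow_superpage=True),
        "fixed_clean_range": validate_entry_fixed(frame_types, clean, allow_superpage=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18} -> {'accepted' if accepted else 'rejected'}")
```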

11/05/2015  How NOT to hire a cybercrook

Some people are not cut out to be criminals. Consider a Pennsylvanian who wanted to expunge court records for about $16,000 he owed. He took out a Craigslist ad using his personal email address and his telephone number. Well, police use computers too and arranged for the man to implicate himself in that crime, other crimes and trying to hire an undercover officer to do the job. Read more at WHTM, an ABC affiliate in Harrisburg, PA, or at Sophos.

11/06/2015  ISP leaks PII, gets smacked more than a year later

Back in September 2014 a customer service employee for Cox Communications had been tricked into revealing personal information to hackers for more than 50 customers. This week the Federal Communications Commission (FCC) reached a settlement with Cox. “As a condition of settlement, Cox will pay a $595,000 civil penalty. The settlement also requires Cox to identify all affected customers, notify them of the breach, and provide them one year of free credit monitoring. Under the settlement, Cox will adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information and CPNI. The Enforcement Bureau will monitor Cox’s compliance with the consent decree for seven years.”

[ Too bad it takes this level of action for some large internet service providers to take the security of OUR information seriously. Highlighting in above quote is ours -ed ]

11/11/2015  Win3.1 halts air traffic

On Saturday bad weather and the abrupt cessation of weather support caused Orly airport near Paris to temporarily suspend all air operations.

Until the construction of the Charles de Gaulle airport, Orly was the main airport of France. Located about 8 miles south of Paris, it now serves as a secondary hub for Air France and the home base for other airlines. According to an article published Wednesday in Le Canard Enchaîné the DECOR system, used to send weather information to pilots, failed. This information includes Runway Visual Range, which gets more critical as weather and visibility deteriorate. The computer that runs DECOR runs on Windows 3.1, whose support ended 12/31/2001, more than a decade ago. Le Canard publishes both serious and satirical articles. This one is deadly serious. Win3.1 and Windows XP are both in active service. The software isn’t the only element on the breaking edge: the hardware parts are no longer manufactured and engineers search eBay for parts.

11/12/2015  More on the IoT

“The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks. … Mass-deployed, insecure-by-default devices are difficult and expensive to clean up and/or harden for security, and the costs of that vulnerability are felt across the Internet and around the globe.” [ KrebsOnSecurity, highlighting ours -ed ]

Think this isn’t a problem? A vulnerability in a common router from Ubiquiti has resulted in 600,000 to 1,100,000 devices ready to be compromised and used in Distributed Denial of Service (DDoS) attacks. (Why are they so vulnerable?) It isn’t that the devices are “bad”; it is that they are shipped in a plain vanilla state and the “professionals” who install them ignore routine procedures like changing the default administrator password. DDoS was once a way of knocking a competitor off line or making a social statement. It has evolved into a blackmail / extortion device. Pay us or else. The proliferation of capability, as well as the improved effectiveness of devices today vs yesterday, makes the future somewhat dimmer than all the beneficial aspects the internet provides.

11/13/2015  Hospital IoT

Hospital technology is just as open to hacking as other devices on the internet of things. The difference is that those devices can kill you more easily.

2013 – Billy Rios Part 1   Billy Rios is a white hat hacker whose clients include the Pentagon, Microsoft, Google, and others he can’t talk about. In 2013 he was engaged by the Mayo Clinic with about a dozen other investigators from cybersecurity firms and other notable white hat hackers. The hospital provided them with dozens of medical devices and a simple direction: do your worst. The results were worse than expected. Mayo developed new security requirements for its medical device suppliers. Non-compliance meant no sale, at least not to Mayo.

Later, Rios bought an infusion pump. Not that he needed one. He just found one for sale and wanted to test it. Pumps like these are in widespread use to control the delivery of fluids to a patient. “Smart pumps” are supposed to help reduce IV delivery errors, reportedly over half of all medication errors. It didn’t take long to discover that he could access the machine via a network and remotely cause changes just as though he was physically present. In the Spring of 2014 Rios sent his notes to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) where he listed vulnerabilities and suggested that the manufacturer conduct further analysis to determine if similar vulnerabilities exist in other devices and determine the impact on patients. DHS contacted the Food and Drug Administration (FDA) who forwarded the report to the manufacturer. After months there was no reply from the manufacturer or the FDA.

2014 Summer – Billy Rios Part 2   Summer of 2014 Rios followed up with DHS who reported the company was “not interested in verifying that other pumps are vulnerable.” This was bad news for Billy Rios as he was hospitalized and … connected to an infusion pump. More, his bed was network connected as were leg pressure bands to move blood around while he was bedridden. He counted more than a dozen networked devices. After he was mobile, still in the hospital, he found a drug dispensary that he knew had a hard-coded password. Rios had notified DHS who in turn notified manufacturers. This machine wasn’t patched and all the drugs were his for the taking.

When he got out, alive, he had an epiphany. His earlier reports hadn’t communicated the sense of urgency needed to effect change. So he made a video showing how he could remotely break through passwords, unlock, and manipulate the infuser. He sent sample computer code to the DHS and the FDA. That got their attention.

2014 Fall – Honey pots   In the fall of 2014, TrapX Security created honeypotted virtual medical devices (2 page PDF) and installed them in more than 60 hospitals. These were computers that, over a network, looked and behaved like medical devices. They were lures, designed to attract crooks and monitor their activities. After six months all hospitals contained malware infected medical devices implanted by multiple means. Devices included radiological devices and analyzers. The devices gave no indication they’d been hacked. (TrapX case study of hijacked blood gas analyzer 2 page PDF and more case studies).

Why hack a medical device?   First, it gives crooks a landing pad inside the hospital’s network. From there they can reach around to compromise other devices and obtain personally identifiable information (PII) for identity theft and financial gain. Second, it provides for a more nefarious purpose: damaging patients. An x-ray machine could be instructed to deliver a toxic dose while showing a normal dose. The infusion pumps could deliver a drug at a higher rate than the body can absorb. Third, crooks can lock up the machines with ransomware so they won’t work until a ransom gets paid. That these events have taken place is not generally questioned. That any particular event occurred is often undisclosed.

2015 July – FDA acts and finger pointing begins   On July 31, 2015 the FDA issued an alert and notice regarding safety of medical devices. “We [ the FDA ] strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.” This was unprecedented, the first time a named product was considered a cybersecurity risk.

Hospitals pointed at the manufacturers. Device makers pointed out that access to their devices meant the hospital networks were not secure in the first place. Someone else said that the work of security researchers, such as Rios, are moving toward security measures that might get in the way of patient care. [ We’ve been sparing in our use of in-line editorial commentary, but this is quintessential bull feces. When a crook can alter a machine to harm a patient, it matters little that the patient is receiving otherwise excellent care. Every physician, nurse, technician and administrator should be unhappy that their patient died and the machines were wiped so they appear “innocent”. -ed ]

2015 Healthcare Cybersecurity Survey   The 2015 KPMG Healthcare Cybersecurity Survey polled over 200 CIOs, CTOs, CSOs, CCOs, etc. from hospitals, medical practices, etc. and found that 81% of health care executives say that their organizations have been compromised at least once in the past two years. Half believe they are adequately prepared. 13% reported they get hacking attempts about once a day. 16% say they cannot detect real-time compromises.

The problem continues with new barriers to discovery   Hard coded passwords, just to single out one vulnerability, were found in several hundred devices made by more than three dozen companies. No public FDA notice for them.

U. S. Code Title 17 is “Copyrights”. Chapter 12, “Copyright Protection And Management Systems”, includes §1201 “Circumvention of copyright protection systems”, which states “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” In other words, there is a legal prohibition against researching how to bypass technological controls created under copyright protection. The Electronic Frontier Foundation (EFF) found this provision, while designed to protect copyright holders, effectively puts the public at risk by precluding review. A “Short Comment Regarding a Proposed Exemption Under 17 U.S.C. 1201” was published (1 page PDF) documenting how the DMCA prevents researchers from disclosing potentially lethal vulnerabilities in commonly used medical implants. The article author is personally affected because of an insulin pump his doctor prescribed. Are there deficiencies in that device? Will we ever know?

Good news   In late October 2015, the Copyright Office ruled that otherwise protected software for automobiles can be modified without legal concern. This may be a short lived victory as the Cybersecurity Information Sharing Act (CISA) may override the ruling.

Some have asked: Is discussion of security weaknesses harmful or helpful? A rational response was published back in 1853. Worth the read. Gratefully, Mayo didn’t muzzle the investigators back in 2013 and exposure of the scope of the problem may move more people toward cybersecurity research and safer hospital stays.

(See original Bloomberg article and an article from BoingBoing).

11/15/2015  Anonymous on Paris

This should settle the question: Hackers are people too. On Sunday the ANONYMOUS hacker group left a video on YouTube. It was in French. Here is a translation.

On Friday 13 November our country France was attacked in Paris for two hours, by multiple terrorist attacks claimed by you, the Islamic State.

These attacks cannot go unpunished. That’s why Anonymous activists from all over the world will hunt you down. Yes you, the vermin who kill innocent victims, we will hunt you down like we did to those who carried out the attacks on Charlie Hebdo.

So get ready for a massive reaction from Anonymous. Know that we will find you and we will never let up. We are going to launch the biggest ever operation against you. Expect very many cyberattacks. War is declared. Prepare yourselves.

Know this: the French people are stronger than you and we will come out of this atrocity even stronger.

Anonymous sends its condolences to the families of the victims.

We are Anonymous. We are legion. We don’t forgive, we don’t forget. Expect us.

This version has been viewed 5.4 million times as of 11/17/2015 1200 Central. This [ https://www.youtube.com/watch?v=NmF3os5se6g ] version appears to be the same video, but without advertising overlays. Hopefully the cyberwarfare will be effective.

About Guy Fawkes and the Gunpowder Plot (9 page PDF) Thanks to WebArchive.Org because the original appears to have been removed from Parliament.UK

Update 11/17/2015  re Anonymous vs ISIS

Anonymous is a group of hackers that started by imposing some mischief because they could. In the last year they’ve taken on some significant social issues, including outing a number of KKK members and sympathizers. They are currently engaged in an operation against ISIS, reportedly taking down over 5,000 of ISIS’ Twitter accounts. The BBC interviewed a reported member of Anonymous on their aims. A telephone interview was declined, but written questions were answered.

Update 11/18/2015  re Anonymous vs ISIS

DailyKOS has a little more on the BBC interview.

Update 11/25/2015  re Anonymous vs ISIS

That there has been an effect appears to be without question. The nature of that effect is questioned. Are these tactics creating a crude online dragnet that catches those who use some particular languages? Are journalists, law enforcement and intelligence personnel also being caught? More …

11/16/2015  TV-cell phone communications

Teenagers know that some ring tones are beyond the hearing range of older people. This is because tiny hair cells inside your inner ear pick up sound waves and convert them to nerve impulses that your brain interprets as sound. These tiny cells don’t regrow, so as they die you lose a little hearing.

The Federal Trade Commission is holding a workshop today on Cross-Device Tracking. If you miss seeing it live an archive version should go on line when the workshop is over.

Why? Because someone realized that while you might not hear it, your cell phone probably can. A television, or a computer, could produce sounds another device could receive and you wouldn’t know. So, if you have a cooperating app, maybe Facebook, Twitter, something you leave running, it could hear a commercial and know that you saw it. Or, that you changed channels, or that you fast forwarded it. Couple this with a smart house app and the monitors might notice a surge in water consumption when you went to the bathroom (so you didn’t see the commercial). The situation gets complicated with multiple people, but the central theme is … someone is watching.

Back in late 2013 BadBios jumped air gapped devices to form a communications link where none was intended. It worked on PCs and Apple computers and put a dent in an easy security wall. In the same way, this system allows communication between systems we may, or may not, want to allow. See more at Sophos.

[ Anyone remember the television system in Ray Bradbury’s Fahrenheit 451? It watched you watching it. There was even interaction. In a dystopian future here is the situation: “Over the course of several decades, people embraced new media, sports, and a quickening pace of life. Books were ruthlessly abridged or degraded to accommodate a short attention span while minority groups protested over the controversial, outdated content perceived to be found in books. The government took advantage of this and the firemen were soon hired to burn books in the name of public happiness.” Are we headed there? Highlighting ours. -ed ]

11/19/2015  McAfee looking back and ahead

In the August 2015 Quarterly Threats Report (40 page PDF) McAfee looked back over the past five years. In the 2016 Threats Prediction (40 page PDF) they look forward to predict how the types of threat actors will change, how attackers’ behaviors and targets will change, and how the industry will respond between now and 2020. This report also makes specific predictions about expected threat activity in 2016 from ransomware to attacks on systems embedded in automobiles, critical infrastructure attacks to warehousing and sale of stolen data. There is much more.

11/19/2015  Email does more than deliver messages to you

Email “remote content” is when that big picture wasn’t actually in the email. A small snippet of code goes out to a particular web site and brings that picture to your computer for your viewing pleasure. Getting that picture can trigger alarms at the other end or do worse. The “picture” might be a single pixel. You might not see much, but you’ve been tracked and now the sender knows you’ve opened the email. “By some estimates, trackers are now used in as much as 60 percent of all sent emails.”

Are you defenseless? Nope. Disable email from automatically loading images. That also takes care of the single pixels. Trackers are also hidden in fonts and web links. Those take a little more effort to defeat. One big step is to disable HTML when reading email. No fonts, no picture, no colors, but also fewer trackers. More …

11/20/2015  A crook, a big brass pair, and a slightly smaller brain

Before playing with the tail, recall the teeth of the tiger

Insurance fraud has been around a long time, but this crook put in a new twist. He sent boxes, insured for delivery to one address, but actually addressed to another. The boxes were actually empty. Multiple boxes were sent as part of activity on 19 eBay accounts using 18 PayPal accounts. PayPal (actually a third party parcel insurance company) pays for loss or damage to insured parcels. That third-party insurance is offered through eBay’s ShipCover program, and they began investigating accounts, linked by overlapping eBay and PayPal accounts and identity information, that were filing claims on nearly all of their insured parcels.

Old fashioned detective work eliminated other suspects. One possible criminal was emailed. In response the crook asked for and received scanned copies of the agent’s credentials. As for what was done with those credentials read the rest of the story at Sophos.

Many court documents are available on line. See USA v. Jawa Virginia Eastern District Court Case No. 1:15-mj-00332

11/30/2015  McAfee Threat Report

for November 2015. From the preface

Every hour more than 7.4 million attempts were made (via emails, browser searches, etc.) to entice our customers into connecting to risky URLs.

Every hour more than 3.5 million infected files were exposed to our customers’ networks.

Every hour an additional 7.4 million potentially unwanted programs attempted installation or launch.

Every hour 2.2 million attempts were made by our customers to connect to risky IP addresses, or those addresses attempted to connect to customers’ networks.

Topics included trends in fileless malware, mobile banking Trojans and the return of macro malware. Those, plus threat statistics including a high rise in Mac OS malware. (60 page PDF no charge, no registration required)

12/01/2015  Probin’ Time!

The Department of Homeland Security is offering to test private company cyber security.

The National Cybersecurity Assessment and Technical Services (NCATS) isn’t classified, but neither does it seek the limelight. According to its 2014 report, cyber-security issues are growing considerably. Or they are being reported more than they were in earlier years. There are some questions, considering that DHS is a government agency. Private firms are responsible to the customer, but will DHS inform an intelligence agency about a found weakness before (or if) they tell you? Was this the same team who evaluated OPM? For more, read the KrebsOnSecurity article.

12/02/2015  Credit Monitoring vs Credit Freeze

Your credit information has been exposed and you get no-charge credit monitoring. Does it really protect you? See update.

12/02/2015  US Smartphone Comscore

At the end of October 2015, 193.9 million people in the U.S. owned smartphones. That is 77.9% mobile market penetration. More …

12/02/2015  Good News in Cops v Crooks

Around the world 37,479 web sites selling fake goods were shut down by the Homeland Security Investigations (HSI) led National Intellectual Property Rights Coordination Center (IPR Center). More …

12/03/2015 Update:  One that got away

An autonomous buying robot, part of an art project, is given a budget of about $100 in Bitcoins and released to make purchases on the DarkWeb. The purchases are shipped back, where they are put on display. Earlier this year the Random Darknet Shopper was busted for buying ecstasy. Not being able to put the ’cuffs on some software, the Swiss police took the entire exhibit into custody. Calmer heads prevailed, the drugs were destroyed and the exhibit returned. There are some strange things available out there. See the story from Sophos.

12/02/2015  Google spying on students? Again?

On Tuesday, December 1, 2015, the Electronic Frontier Foundation (EFF) filed a Federal Trade Commission (FTC) complaint (16 page PDF) that Google is using elements such as a student’s entire browsing history to build profiles for its own purposes. This action is contrary to the Student Privacy Pledge whose 200+/- signers include Google.

The EFF said in a release it discovered the data mining of schoolchildren’s personal information while researching the EFF’s Spying on Students campaign whose goal is educating parents and school administrators about risks to student privacy created by the widespread adoption of digital devices. For more see the Sophos article.

In March 2014 Google was sued (43 page PDF) for similar surreptitious data mining in Apps for Education software used by students in K-12 and higher education, such as email, calendar, word processing, spreadsheet and document sharing. Google admitted it automatically “scans and indexes” the email of Apps for Education users. The plaintiffs alleged a violation of the Wiretap Act (see EFF explanation of the Act), which prohibits the interception of wire, oral, or electronic communications. It was a collection of other individual and class action cases, including one where Google scanned messages sent from non-Gmail users who could not have given the consent for scanning that Gmail users give.

12/03/2015  The VPN is secure, but you’re exposed anyway

VPN away from the office isn’t perfect protection.

When traveling you might connect from your hotel to a computer at the office via a virtual private network (VPN) to give you the same security as if you were sitting in the office protected by the best the IT department can muster (we hope). Sad news: you may be exposed anyway.

Risks from hotspots or hotel connections include not knowing who is actually running that service. Some places contract it out. Anyone nearby (wired or wireless) might be able to monitor and record your network traffic. (Read what SlotBoom did in 20 minutes at a public WiFi.) In your browser you enter www.someplace.com, but the internet runs on numbers. The Domain Name System (DNS) converts those names to numbers. Those requests are easily viewed, so even if you are using secure hypertext transfer protocol (HTTPS) the watcher knows where you were. This leads to the ability to fake the DNS replies, and instead of sending your request to (your bank) it sends it to (a fake bank) where you “log in” and the crooks now have your userid and password. There are more potential problems, many of which can be avoided by using a VPN, but it isn’t perfect protection. Using a VPN, transmissions are encrypted on your computer. Even if they are monitored they are not easily useful to crooks. The computer at your office decrypts the transmissions and sends them back out on the (hopefully) more secure office computer systems.

The exposure comes during that brief time when you need to log in to the internet service to connect the VPN in the first place. Public WiFi is generally for customers and you have to log in or otherwise pass authentication. Some restaurants print the access name and password on coffee cups. The purpose is to make sure you are a customer, get you to agree to terms of service, or maybe push a few advertisements in front of your eyeballs. Whatever gets done, you are connecting without VPN protection and the exposure starts. Some hotels ask you for a name and room number. If they match you are a guest. You have to use your real name and room number to get a match, and anyone sniffing the network gets to see. Unfortunately the same information is all someone needs to charge an expensive meal to your room. Ooops. Were some of those ads pushing malware on to your computer? Ooops. Who dunnit? Was it the restaurant? Their contracted service? The third party advertising provider? WiFi access is nice, but not at such a high risk. Read on how one journalist did a clever workaround and, in the words of Sergeant Esterhaus, Let’s be careful out there!

12/04/2015  WinXP – If it were not for the last minute…

Anybody not know that Microsoft stopped supporting Windows XP back in July 2014 or thereabouts? Microsoft extended WinXP support for embedded systems, such as ATMs, until January 2016, that is, next month. Want to guess how many ATMs are still running WinXP? No one knows for sure, but one estimate is over 60,000.

ATMs are not alone in receiving extended WinXP support. As of April 2015 the UK Metropolitan Police Service has over 35,600 computers running Windows XP. That support is costing them over $8 million USD per year. More at SCM.

12/07/2015  Merchants have fraud alerts, crooks have …

Crooks are not dummies and absent moral inhibitions, legal restraints, and especially without committee meetings they are generally more efficient. Sadly they can also be very clever. In this case, merchants of illegal things on the DarkWeb have a number of tools they can use to identify potential purchasers as law enforcement and stop the sale. As for the name of the alert and the … interesting graphic that goes with it see the KrebsOnSecurity article.

12/08/2015  Car calls cops on driver

After an accident where the car’s front hit another car in the rear, the car called emergency services in Port St. Lucie, Florida. A dispatcher called the driver, who reported there was no accident. The dispatcher was skeptical, and the police who followed up were even more convinced when they found the very damaged front end of the car with paint matching the color of the rear-ended car. After several denials and fabrications the driver confessed. Sophos has more on the story …

[ We’re pretty sure the Fifth Amendment that allows for people not to be compelled to testify against themselves does not apply to their automobile. Probably doesn’t apply to any thing connected to the rest of the world. Just think what can happen when your refrigerator tattles on you! On the other hand, is it true because the computer says so? Not always, but a flapping driver’s air bag makes for reasonable concern -ed ]

12/08/2015  Find you in the IOT search engine?

A special search engine reveals weaknesses for devices on the internet-of-things.

Censys was opened to the public in October 2015 by researchers from the University of Michigan with help from computer scientists from the University of Illinois at Urbana-Champaign. Google provided the infrastructure powering the search engine. Censys collects data on hosts and websites through daily scans which update its database of how devices are configured. Users can use a simple search interface, a report builder, or an SQL engine. Tutorials and research papers are on the site’s ABOUT page. Simple searches are limited to one page. To get more, at no charge, Censys requires researchers to register and agree to some terms of service. A wise precaution, as this tool is designed to reveal weaknesses in systems around the world. More from the Sophos article.

[ As a test: I used What Is My IP . com and entered that in the simple search interface. It knew all the public information about my office IP. I entered the URL of this web site. In the IPv4 web site search many other domains were returned. -ed ]

12/09/2015  Cybercrooks are how old?

In the past year the average age of cyber-suspects has dropped from 24 to 17.

According to the UK National Crime Agency (NCA), some parents appear nearly clueless. See this clever public service spot and more in the Sophos article. (The PSA is also available on YouTube.)

12/14/2015  Cyber security researchers targeted

Those who protect us are under threat.

An attack may come because some miscreant wants a challenge or amusement, in their vernacular “for the lulz”. Others may be warnings, because a criminal enterprise is in danger of losing a revenue stream. In some cases the researcher may be tracking state-sponsored actors whose activities affect the national security of multiple nations with conflicting agendas. This moves the researcher to another level of personal danger.

At the Virus Bulletin conference in Prague, in late September and early October 2015, Juan Andrés Guerrero-Saade of Kaspersky Lab, USA presented The Ethics and Perils of APT Research: An Unexpected Transition into Intelligence Brokerage. The first paragraph of the paper (9 page PDF):

The top tier of the information security industry has undergone a tectonic shift. Information security researchers are increasingly involved in investigating state-sponsored or geopolitically significant threats. As a result, the affable and community-friendly information security researcher has become the misunderstood and often imperiled intelligence broker. In many ways, researchers have not come to accept this reality, nor have they prepared to act out their new role. Similarly, our industry has yet to gain insights into the complicated playing field of geopolitical intrigue it has set foot into, and as such has fallen into an identity crisis.

There is an asymmetry between state-supported counterintelligence or counter-cyberwarfare and private security researchers. Three aspects are described in detail, along with the different dangers for individuals versus their companies. This isn’t some vague feeling of paranoia. A Russian security firm exposed an organized criminal effort and the crooks didn’t like being exposed. Their responses ranged from multiple warnings, through swatting (false reports of criminal activity to harass the researcher) and shipping drugs to researchers and then reporting them as dealers, to more direct action including Molotov cocktail attacks. That these dangers exist is unquestioned; the details are not often reported. For more see this Motherboard article.

12/26/2015  Gmail Creates Replies for You

You can’t turn it off! A potential security problem for the future and a creepiness for today.

Automatic replies have been around for a long time. A common one is “I’m on vacation and expect to return (sometime). If you need immediate help contact (somebody at someplace).”

Google’s Gmail takes it a step further. In November 2015 Google added Smart Reply to its Inbox by Gmail smartphone app, and it starts writing a reply for you. “Smart Reply suggests up to three responses based on the emails you get. For those emails that only need a quick response, it can take care of the thinking and save precious time spent typing. And for those emails that require a bit more thought, it gives you a jump start so you can respond right away.” Yep, you don’t need to think about it; the computer will do it just fine. Using a neural network, the application learns from your initial efforts and sounds more like you.

Herein lies the potential rub: are you actually reading the email, or are you giving it a once-over (or less) and letting the computer write the reply? Will the information in it register and be retained? Crafting a reply yourself increases the probability of both. That typing on a smartphone is cumbersome and inefficient is unarguable, but the exchange becomes even less efficient if the information goes in one eyeball and out the other. The nuance in communication will deteriorate, and at some point the recipient of your reply will realize it was a computer and that they were not important enough to warrant your attention. Bye-bye sales lead! Bye-bye potentially significant other!

Here is the problem for today: you can’t turn it off. You can edit, or skip, the suggested replies, but that is grating on the order of “Press 1 for the language we’re speaking now”. Why the potential security problem? What happens if the application is compromised and starts writing subtly inappropriate material? Would you notice? In early trials the most common suggested response to office communication was “I love you”, and that will send the HR and legal people through the roof.

Other sources: NY Times. The graphic that appears in some posts about this story is official Android Central wallpaper.

[ In a nation where people talk, text, email and post with increasing frequency, we are actually communicating less and less. This is a nice feature, but not being able to turn it off makes us even less efficient. -ed ]

12/28/2015  Payment Processing Protocols Have Many Flaws

Stealing PINs and pillaging bank accounts are both trivial.

Researchers examined the communications protocols around card readers. ZVT is commonly used between point-of-sale systems and the card readers; Poseidon is used between the reader and the merchant’s bank. Karsten Nohl and Fabian Bräunlein demonstrated a series of attacks at the Chaos Computer Club’s 32C3 congress. The banking authorities said the attacks were “theoretical”, but Nohl demonstrated them repeatedly. More at Ars Technica.

[ Update: If you get a certificate error or “Site can’t be loaded” for the demonstration you can access the 288MB MP4 at http://cdn.media.ccc.de/congress/2015/h264-sd/32c3-7368-en-de-Shopshifting_sd.mp4 -ed ]

12/28/2015  Sometimes it isn’t cyber

It is just old-fashioned theft.

It appears two bankers noticed 15 accounts with high balances. Not unusual in New York City. All belonged to elderly people receiving direct deposits from Social Security. Again, not unusual. These accounts had little other activity. Now that was unusual, because more than half of the account holders should have had no activity at all: they were dead. Well, at least they couldn’t complain when the bankers withdrew over $400,000 over several years. More at NY Times.
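The pattern in this story is exactly what a basic anti-fraud control should catch: an account whose only inbound activity is a recurring government credit, which has had no customer-initiated debits for months, suddenly pays out. Below is an added example of such a check in Python, run over a constructed ledger; it is not from the NY Times story or from any bank’s actual controls. The account IDs, amounts, the hypothetical DECEASED register (standing in for a death-register match) and the six-month dormancy threshold are all assumptions.

```python
"""Dormant-account payout check: an added example over constructed data,
not a bank's real control. Flags the first debit from an account that has
seen only recurring government credits for months, or whose holder is on a
(hypothetical) deceased register."""
from collections import defaultdict
from datetime import date

# Constructed ledger rows: (account_id, posting_date, amount, kind).
# kind is "gov_deposit" for a recurring Social Security credit and
# "withdrawal" for any debit. Account IDs and amounts are made up.
LEDGER = [
    # Account A: eight months of credits only, then a large debit.
    *[("A", date(2015, m, 3), 1100.0, "gov_deposit") for m in range(1, 9)],
    ("A", date(2015, 8, 20), 9500.0, "withdrawal"),
    # Account B: a living customer who spends every month.
    *[("B", date(2015, m, 3), 1100.0, "gov_deposit") for m in range(1, 9)],
    *[("B", date(2015, m, 15), 300.0, "withdrawal") for m in range(1, 9)],
    # Account C: credits only and no debits at all; nothing to flag yet.
    *[("C", date(2015, m, 3), 900.0, "gov_deposit") for m in range(1, 9)],
]

# Hypothetical match against a death register: the holder of A died in February.
DECEASED = {"A": date(2015, 2, 10)}


def months_between(earlier, later):
    """Whole calendar months from earlier to later (ignores day-of-month)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def flag_dormant_withdrawals(ledger, deceased, min_dormant_months=6):
    """Return (account, date, amount, reasons) for each debit that either
    follows at least min_dormant_months of credits-only activity or
    post-dates the holder's recorded death."""
    by_account = defaultdict(list)
    for account, day, amount, kind in ledger:
        by_account[account].append((day, amount, kind))

    findings = []
    for account, rows in sorted(by_account.items()):
        rows.sort()  # chronological order
        first_credit = None  # start of the credits-only run
        last_debit = None    # most recent customer-initiated activity
        for day, amount, kind in rows:
            if kind == "gov_deposit":
                if first_credit is None:
                    first_credit = day
                continue
            # A debit: measure dormancy from the last debit, or from the
            # first credit if the customer has never taken anything out.
            since = last_debit if last_debit is not None else first_credit
            reasons = []
            if since is not None:
                quiet = months_between(since, day)
                if quiet >= min_dormant_months:
                    reasons.append(f"debit after {quiet} months of credits only")
            if account in deceased and day > deceased[account]:
                reasons.append(f"holder reported deceased on {deceased[account]}")
            if reasons:
                findings.append((account, day, amount, reasons))
            last_debit = day
    return findings


if __name__ == "__main__":
    for account, day, amount, reasons in flag_dormant_withdrawals(LEDGER, DECEASED):
        print(f"{account} {day} {amount:.2f}: {'; '.join(reasons)}")
```

Only account A is reported, for both reasons; account B is active every month and account C has never paid out. The threshold is deliberately a parameter: a bank that reviews dormant accounts quarterly would lower it, and the deceased check is the stronger signal because it does not depend on timing at all.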


Average Compromised per Breach (ACB) does not include incidents where the number compromised is unknown or undisclosed. A higher ACB means that, on average, more accounts were compromised per incident: either the same number of accounts was spread over fewer incidents, or the number of accounts compromised grew faster than the number of incidents.


Compromises in 2015 affecting 10,000 or more
Compromises in 2015 affecting under 10,000
Compromises in 2015 affecting an unknown, or undisclosed, number
Return to References page
Return to Year Link page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.