The other big hack of 2016?

hacker
Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision.  They could choose victims to concentrate their effects on for maximum profit.  Real world attackers could also use this information to plan crimes such as burglaries or kidnappings.  Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but of it is genuine, it most probably came from a private company aggregating it for marketing use.  If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection.  If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.

Stay tuned.

The other big hack of 2016?

In DPRK, Linux Watches You

He might actually be looking at something here…

A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression.  Case in point – the DPRK’s Red Star Linux distribution.  In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines.  One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data.  The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.

The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.

Watch here…

 

In DPRK, Linux Watches You

your passcode can take the fifth, but not your finger

VA court gives tech savvy criminals the finger

Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge while a fingerprint is a form of physical evidence.  While this seemingly nonsensical decision is not binding on other courts, it can be used as precedent in future cases.  I guess the moral of the story is that you should disable TouchID on your iPhone before embarking on your life of mobile phone assisted crime.  Alternatively, you could reboot your iPhone as John Q Law closes in, since TouchID will not work until you have entered your passcode after a reboot.

your passcode can take the fifth, but not your finger

hacking wifi via lightbulbs?

While the “Internet of Things” has great potential, it also opens up new attack surfaces for those with nefarious intent to exploit.  A good example of this was found by a security researcher last week.  LIFX offers wifi controlled LED light bulbs that can be turned on an off as well as color adjusted via an iOS or Android app.  In order to operate, the light bulbs must authenticate to the wireless network in the user’s home or office.  The researcher found that it was possible to retrieve the wireless network password from the bulbs themselves, giving them access to the rest of the devices on the same network.  LIFX has issued a patch to correct this issue, but this serves as a reminder that all of those new, whiz bang network connected devices are part of your network’s security perimeter.   Many of these devices are coming from startup companies which may not have a security culture embedded in their development process.   To be fair, the researcher had to do some fairly sophisticated to pull off this hack, but as IoT devices begin to proliferate, the payback for attackers will be worth the extra effort.

hacking wifi via lightbulbs?

so… about that hedge fund hacking story…

 

BAE Systems Spokeman

An update on the “hedge fund hacking” story from a couple of weeks ago… it appears that this attack (in which it was alleged that hackers penetrated hedge fund trading , delayed HFT orders and sent order information to servers in eastern Europe) did not actually happen. Apparently, this scenario was used internally at BAE Systems as a “what if” during table top exercises. For some reason, a BAE employee described this scenario to a reporter as if it was an actual incident. This is a real black eye for BAE (which probably explains why they waited for the holiday weekend to announce this).

More information:
http://www.cnbc.com/id/101807792

I still think that the kind of attack described in this scenario is bound to happen in the future as organized crime figures out that the capital markets provide much more profit potential than stealing credit card info – but there is no confirmed case of such an attack happening so far.

so… about that hedge fund hacking story…

apple security fail leaves email attachments unprotected

One of the nice things about Apple’s iOS platform is the “hardware level encryption” that protects “all of the information on the device.”  At least, that used to be the case.

Starting in iOS 7,  email attachments stored on iPhones, iPads, and iPod Touches (remember those?) are not stored in encrypted form.  A security researcher recently announced that he was able to retrieve plaintext attachments from encrypted iPhones using standard forensic tools.  Apple never corrected its previous statements indicating that all data in iOS was “protected by hardware encryption,” so millions of personal and business users have been working under a false assumption of security for a couple of months now.

When the researcher reported the issue to Apple, he was told that they were aware of it but had no date for a fix.

This is why I continue to recommend that corporate users stick with containerized solutions for their iOS and Android mobile users.  Consumer level mobile devices are not designed with the level of security appropriate for business (especially in highly regulated industries like Finance and Health Care).  Yes, it would be nice to use the native apps on personal devices to deliver corporate data from an ease of use point of view, but if your users are carrying around sensitive information in their email attachments, you have to consider the risk of an adversary extracting that information from the device relatively easily.

Apple really dropped the ball on this one.  They were not up front with their users regarding the loss of a key security feature and didn’t give them the chance to make an informed decision based on that information.   Not cool.  This incident underline’s Apple’s lack of commitment to and understanding of  the corporate market.  If they want to be a corporate player, they need to step up and accept the responsibilities that the role entails – otherwise, stop trying to do things half way, guys.

apple security fail leaves email attachments unprotected

how not to do a risk assessment

So, the risk management mavens for the City of Portland, Oregon have provided us all with an object lesson in how not to make risk based decisions.  It seems that one of the local young rowdies had the audacity to urinate into one of the reservoirs supplying the city with drinking water.  This particular reservoir contains 38 million gallons of water.   Horrified at this sullying of the public water supply, the city fathers made the obvious decision – empty and refill the reservoir.   I mean, it had pee in it!   Never mind that the uncovered reservoir contains all sorts of other contaminants (animal urine and feces, dead birds, pollutants carried by rain, etc.) as a matter of course.   Never mind that the concentration of urea caused by the wayward urinator would be around 3 parts per BILLLION – the EPA allows up to 10 parts per billion of arsenic in tap water, people.  No, because this particular infintessimal contamination made the news, 38 million gallons of water is going to be dumped.  As someone who has witnessed small children lugging jerry cans of water to their homes located miles away from the communal tap in Rwanda, this makes perfect sense to me.

It is this kind ridiculous approach to risk management that ensures that society will spend billions of dollars protecting itself from the wrong risks, and leave us vulnerable to the ones that really threaten us.

We need to get better at this, folks – science knows that people are bad at judging risk.  That’s why we need to train professionals in all fields to use evidence based methods and processes which compensate for our built in handicap in this area.  The basis of for good risk analysis is to train kids in critical thinking skills early and often throughout their education.  Maybe, they’ll be better at this stuff than we are.

 

how not to do a risk assessment