Personal Cybersecurity #42: Daily news

What you need to know for your personal cyber security life…

Number forty-two in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.

And, just so you know, I’ve got 31 years of IT experience, and my day job is with the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.


# # #

HEADLINES…for this issue…15 articles

  • Despite patching efforts, 300K servers are still vulnerable to Heartbleed
  • Card Wash: Card Breaches at Car Washes
  • Culture clash: How physical security is impacted by cultural norms
  • People invested $1.2 million in an app that had no security
  • Lockheed Clinches $82.5 Million Sole-Source Cyber Range Deal
  • Cybersecurity Skills Shortage Poses Threat in Singapore
  • Hacker busted in Sharjah
  • Monterey County grand jury finds computer data risks
  • CircleCityCon: The missing update
  • IRS, Hartford police conducting criminal investigation on Access Health data breach
  • At least 32,000 servers broadcast admin passwords in the clear, advisory warns
  • Garmin tackles ‘misinformation’ on hacking aircraft avionics
  • Microsoft: NSA security fallout ‘getting worse,’ ‘not blowing over’
  • USENIX: Unstable code can lead to security vulnerabilities
  • Cybercriminals Zero In on a Lucrative New Target: Hedge Funds

# # #

Despite patching efforts, 300K servers are still vulnerable to Heartbleed

  • By Lucian Constantin
  • IDG News Service
  • June 23, 2014

Despite a great start, the rate of patching OpenSSL servers against the critical Heartbleed vulnerability has slowed down to almost a halt. Around 300,000 servers remain vulnerable and many of them are unlikely to get patched anytime soon.

Over the past month only around 9,000 servers were secured, a far cry from the almost 300,000 servers patched during the first month after the vulnerability was revealed.

The Heartbleed flaw was publicly disclosed in early April and allows attackers to extract information from the memory of servers that run OpenSSL 1.0.1 through 1.0.1f, if they support an SSL feature called “heartbeat.” The extracted information can include user passwords and long-term server private keys that can be used to decrypt SSL traffic captured from servers.

Shortly after the vulnerability was announced, Robert Graham, the CEO of Errata Security, ran an Internet scan and found 615,268 publicly accessible SSL servers that were vulnerable to Heartbleed. He repeated the scan one month later and found that the number of vulnerable systems had decreased by almost half, to 318,239.
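The record-level mistake behind Heartbleed, as an added C illustration (not part of the article and not OpenSSL’s own code): both handlers receive a heartbeat request whose header claims a 64-byte payload but which actually carries 4 bytes. The vulnerable shape trusts the claimed length and echoes back whatever lies next to the record, here a constructed buffer standing in for the server’s heap; the fixed shape compares the claimed length with the bytes that really arrived and drops the request, which is what the 1.0.1g patch does. Function names, the buffer layout and the secret string are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Write a heartbeat response echoing payload[0..plen) into out.
 * Returns bytes written, or -1 if out is too small. */
static int hb_build_response(const uint8_t *payload, size_t plen,
                             uint8_t *out, size_t outcap)
{
    size_t need = 1 + 2 + plen + HB_PADDING;
    if (need > outcap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + 3, payload, plen);         /* reads plen bytes from wherever payload points */
    memset(out + 3 + plen, 0, HB_PADDING);  /* real code fills padding with random bytes */
    return (int)need;
}

/* Vulnerable shape: the payload length comes from the record and is never
 * compared with reclen, the number of bytes that actually arrived. */
int hb_process_vulnerable(const uint8_t *rec, size_t reclen,
                          uint8_t *out, size_t outcap)
{
    (void)reclen;                              /* the bug: this is ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    return hb_build_response(rec + 3, plen, out, outcap);
}

/* Fixed shape: a request whose claimed payload does not fit inside the record
 * is silently discarded. */
int hb_process_fixed(const uint8_t *rec, size_t reclen,
                     uint8_t *out, size_t outcap)
{
    if (reclen < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + plen + HB_PADDING > reclen)   /* the check that was missing */
        return -1;
    return hb_build_response(rec + 3, plen, out, outcap);
}

/* Constructed memory: a request claiming 64 payload bytes but carrying 4,
 * followed in the same buffer by data standing in for a neighbouring heap
 * object (a private key, a session cookie, another user's password). */
#define DEMO_SECRET  "CONSTRUCTED-PRIVATE-KEY-MATERIAL"
#define DEMO_HEAPLEN 256
#define DEMO_RECLEN  (1 + 2 + 4 + HB_PADDING)

static void demo_layout(uint8_t *heap)
{
    memset(heap, 0, DEMO_HEAPLEN);
    heap[0] = HB_REQUEST;
    heap[1] = 0x00;
    heap[2] = 0x40;                           /* claims 64 bytes */
    memcpy(heap + 3, "ping", 4);              /* only 4 bytes were sent */
    memcpy(heap + DEMO_RECLEN, DEMO_SECRET, sizeof DEMO_SECRET - 1);
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply carries the neighbouring secret. */
int demo_vulnerable_leaks(void)
{
    uint8_t heap[DEMO_HEAPLEN], out[DEMO_HEAPLEN];
    demo_layout(heap);
    int n = hb_process_vulnerable(heap, DEMO_RECLEN, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, DEMO_SECRET);
}

/* 1 if the fixed handler drops the oversized request but still answers an
 * honest 4-byte one with a 23-byte response. */
int demo_fixed_rejects(void)
{
    uint8_t heap[DEMO_HEAPLEN], out[DEMO_HEAPLEN];
    demo_layout(heap);
    if (hb_process_fixed(heap, DEMO_RECLEN, out, sizeof out) != -1)
        return 0;
    heap[2] = 0x04;                           /* honest length */
    int n = hb_process_fixed(heap, DEMO_RECLEN, out, sizeof out);
    return n == DEMO_RECLEN && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects request:   %d\n", demo_fixed_rejects());
    return 0;
}
```

The point to take from the example is why rotating keys after patching mattered: the vulnerable handler returns up to 64 KB of whatever sits next to the record per request, and nothing in the exchange tells the server it has been read.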


# # #

Card Wash: Card Breaches at Car Washes

  • By Brian Krebs
  • Krebs on Security
  • June 23, 2014

An investigation into a string of credit card breaches at dozens of car wash locations across the United States illustrates the challenges facing local law enforcement as they seek to connect the dots between cybercrime and local gang activity that increasingly cross multiple domestic and international borders.

Earlier this month, police in Everett, Massachusetts arrested a local man named Jean Pierre for possessing nine stolen credit cards. The cards themselves weren’t stolen: They were gift cards that had been re-encoded with data from cards that were stolen from a variety of data breaches at merchants, including a Splash Car Wash in Connecticut.

How authorities in Massachusetts connected Pierre to a cybercrime at a Connecticut car wash is a mix of odd luck and old-fashioned police work. In May, the Everett police department received a complaint from a sheriff’s department in South Carolina about a resident who’d had his credit card account used repeatedly for fraudulent transactions at a Family Dollar store in Everett.

Everett PD Detective Michael Lavey obtained security camera footage from the local Dollar Store in question. When Lavey asked the store clerk if he knew the individuals pictured at the date and time of the fraudulent transactions, the clerk said the suspects had been coming in for months — several times each week — always purchasing gift cards.


# # #

Culture clash: How physical security is impacted by cultural norms

  • By Grant Hatchimonji
  • CSO Online
  • June 23, 2014

Physical perimeter security can differ from facility to facility, with myriad factors playing into what exactly is implemented, including budget and the assets that are being protected.

But what about geographical location and, subsequently, culture?

It’s not one of the more obvious aspects that people consider when examining security, but it factors in more than one may think. Perimeter security varies from country to country, and their cultures have often proven to be both beneficial and detrimental.

Generally speaking, there is a stronger culture of security overseas and most businesses are equipped with more stringent measures than what we see stateside, according to Eric Milam, managing principal at Accuvant.

“Most organizations in the US, they appear to be somewhat behind the rest of the world,” he says. “Tailgating protection, knee knockers, man traps…we encountered that a lot more in Europe.”


# # #

People invested $1.2 million in an app that had no security

  • By Violet Blue
  • Zero Day
  • June 23, 2014

Proving that no one learned from Snapchat’s security and privacy spectacle, people invested $1.2 million in an app that had essentially no security.

Despite the news it was hacked only days after its media fanfare, Yo still isn’t coming clean.

Last week free Android and iOS app “Yo” was top in Google Play and iTunes downloads and hot in tech press, with much fanfare focusing on its pointlessness, popularity and sizable cash backing.

By Friday night the app had been hacked five ways until Sunday (literally).

After Friday night’s report Yo had been hacked and people were sending “Yos” as Elon Musk (among other things), Yo founder Or Arbel told TechCrunch that Yo was “having security issues.”


# # #

Lockheed Clinches $82.5 Million Sole-Source Cyber Range Deal

  • By Aliya Sternstein
  • June 23, 2014

A defensewide system that simulates hacks is reliant on Lockheed Martin’s trade secrets and expertise, Pentagon officials said in a redacted justification for awarding an $82.5 million contract to develop and manage the so-called cyber range.

In May, officials said they were awarding Lockheed a $14 million, 5-year contract to operate and sustain the National Cyber Range.

ManTech in 2012 lost a bid for the contract, according to Pentagon officials, because only Lockheed had the necessary institutional knowledge and computer programs.

“ManTech does not have the expertise” to support the system’s capabilities, “nor do they, or the government, own the source code,” said Army officials, who awarded the contract to Lockheed on May 23.


# # #

Cybersecurity Skills Shortage Poses Threat in Singapore

  • By Brian Leonal
  • June 22, 2014

Singapore’s ability to fight a rising threat from hackers is hindered by a skills shortage and lack of awareness among companies, according to the computer security firm that runs a state-supported training center.

“We do see a lack of capability and capacity in skilled professionals, and that’s partly due to massive demand across the world that stretches an already small, existing pool of people,” Bryce Boland, Asia Pacific chief technology officer at Milpitas, California-based FireEye Inc. (FEYE), a cybersecurity firm, said in an interview in Singapore last week.

Singapore, a global financial center which relies on its image as a safe and stable location to lure business, has suffered high-profile online attacks on government websites and security breaches involving companies’ client data in recent months. Cybersecurity risks pose a challenge as the government steps up efforts to link public facilities and infrastructure for real-time data in Southeast Asia’s only developed nation.

“Organizations increasingly recognize that the approach toward cyber security must be organization-wide,” said Lyon Poh, head of IT Assurance and Security at KPMG LLP in Singapore. “However, they lack people with the experience to set up a comprehensive cyber security defense system to promptly detect and respond to cyber threats.”


# # #

Hacker busted in Sharjah

An Arab accountant has been arrested for hacking the email account of the company manager in Sharjah.

The incident came to light when the victim, a Canadian, noticed his account was hacked and informed police. He claimed that the confidential and private information in his emails had been hacked.

The Organised Crimes Section, Criminal Investigation Department, Sharjah Police, began investigations to trace the unknown hacker.

They soon succeeded in arresting the hacker, who confessed to hacking the manager’s account as well as of some other people. He had used many illicit computer programs to do so, he told investigating officials.

The suspect works in another emirate.


# # #

Monterey County grand jury finds computer data risks

  • By Julia Reynolds
  • Monterey County Herald
  • 06/21/2014

SALINAS — A civil grand jury issued a stern critique of Monterey County’s ability to protect sensitive computer information, warning that delays in updating policies and procedures could expose the county to multimillion-dollar lawsuits.

The interim grand jury report was released Thursday.

“During the past eight or more years the Monterey County government has not devoted adequate attention to compliance with the California and federal privacy laws,” the report states.

It said the county “must now immediately change this attitude to strict attention and compliance if it is to avoid serious financial consequences for potential violations.”

The investigation came about, the grand jurors wrote, after they learned of a March 2013 data breach at the county’s Department of Social Services “on an old 200S computer health database connected to a California State network.”

In that breach, “data was illegally accessed through state computers.”


# # #

CircleCityCon: The missing update

  • By Steve Ragan
  • Salted Hash
  • CSO
  • June 19, 2014

Last weekend, 240 people attended CircleCityCon, Indianapolis’ first major security conference. It was an amazing time, offering a chance to learn from a wide range of professionals.

There were more than thirty talks recorded at the event, thanks to Adrian Crenshaw (@irongeek_adc) and his team of volunteers. Salted Hash has included some of the videos below, but all of them are worth a look. In fact, Irongeek has recorded hundreds of talks over the years, and his archive of security footage is impressive.

Today’s post serves as an update to my coverage of CircleCityCon, but it’s also the tale of how I learned an important lesson.

This post, and the future articles based on the talks from this year’s CircleCityCon, almost didn’t happen. On Monday morning, my mobile office (a ThinkPad T430s) fizzled out. At first, it was determined that the video card had died, but once that was fixed, the system was still hosed. Ultimately, it was a RAM issue.


# # #

At least 32,000 servers broadcast admin passwords in the clear, advisory warns

  • By Dan Goodin
  • Ars Technica
  • June 19, 2014

An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

The threat resides in the baseboard management controller (BMC), a motherboard component that allows administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. Unpatched BMCs in Supermicro motherboards contain a binary file that stores remote login passwords in clear text. Vulnerable systems can be detected by performing an Internet scan on port 49152. A recent query on the Shodan search engine indicated there are 31,964 machines still vulnerable, a number that may not include many virtual machines used in shared hosting environments.

“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,” wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team. “It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password.’”

A separate blog post from security training institute SANS confirmed the contents of the advisory.


# # #

Garmin tackles ‘misinformation’ on hacking aircraft avionics

  • By AOPA ePublishing staff
  • June 18, 2014

With much publicity the past several months focusing on hacking and security breaches—in the media, TV shows, and movies—Garmin is setting the record straight on the myths around one such possible breach: hacking aircraft avionics.

Garmin, an industry leader in aviation avionics, said in a blog posted June 17 that avionics manufacturers take numerous measures to ensure that avionics are safe and secure for pilots to use.

Garmin said that its software runs on proprietary operating systems “that would make it much more difficult to successfully accomplish an attack,” and that “proprietary protocols, data input validations, and other mitigations are in place to prevent viruses or malware from infecting, or affecting, our equipment.”

In addition, avionics manufacturers perform safety assessments on what could happen in an aircraft if the avionics data were corrupted, deliberately or not, and then develop mitigations for those possibilities before they go through equipment certification. And, all avionics are able to be overridden by the pilot, if he or she determines the aircraft is not doing what was intended. In many cases, pilots also must validate that their flight plan information is uploaded correctly and accept it before using it for active navigation. These actions help prevent input mistakes by the pilot as well as enhance security.


# # #

Microsoft: NSA security fallout ‘getting worse,’ ‘not blowing over’

  • By Jack Clark
  • The Register
  • 19 Jun 2014

Microsoft’s top lawyer says the fallout of the NSA spying scandal is “getting worse,” and carries grim implications for US tech companies.

In a speech at the GigaOm Structure conference in San Francisco on Thursday, Microsoft general counsel Brad Smith warned attendees that unless the US political establishment figures out how to rein in its spy agencies, there could be heavy repercussions for tech companies.

“What we’ve seen since last June is a double-digit decline in people’s trust in American tech companies in key places like Brussels and Berlin and Brasilia. This has put trust at risk,” Smith said.

“The longer we wait or the less we do the worse the problem becomes,” he explained. “We are seeing other governments consider new procurement rules – procurement rules that could effectively freeze out US-based companies.”


# # #

USENIX: Unstable code can lead to security vulnerabilities

  • By Joab Jackson
  • IDG News Service
  • June 19, 2014

As if tracking down bugs in a complex application isn’t difficult enough, programmers now must worry about a newly emerging and potentially dangerous trap, one in which a program compiler simply eliminates chunks of code it doesn’t understand, often without alerting the programmer of the missing functionality.

The code that can lead to this behavior is called optimization-unstable code, or “unstable code,” though it is more of a problem with how compilers optimize code, rather than the code itself, said Xi Wang, a researcher at the Massachusetts Institute of Technology. Wang discussed his team’s work at the USENIX annual technical conference, being held this week in Philadelphia.

With unstable code, programs can lose functionality or even critical safety checks without the programmer’s knowledge.

That this problem is only now coming to the attention of researchers may mean that many programs considered as secure, especially those written in C or other low-level system languages, may have undiscovered vulnerabilities.
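A concrete instance of the pattern Wang describes, added here as an illustration (it is not code from the paper or from the article): two C functions that both look like a buffer-bounds check, and a second pair with a NULL check. In the unstable versions the check depends on behaviour the C standard leaves undefined (a pointer that overflows, a dereference before the NULL test), so an optimizing compiler is permitted to assume that case cannot occur and delete the test. The stable versions make the same decision with operations whose result is always defined. Function and struct names are made up for the example; whether a given compiler actually removes the unstable checks depends on its version and optimization level, which is exactly why the stable form is preferred.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unstable: guards a write of len bytes at offset off inside buf[0..buflen).
 * buf + off + len is formed before it is tested. If that sum runs past the
 * end of the object it is undefined behaviour in C, so the compiler may assume
 * the overflow never happens and remove the first test, leaving a check that
 * no longer protects against a wrapped pointer. */
int bounds_ok_unstable(const char *buf, size_t buflen, size_t off, size_t len)
{
    const char *p = buf + off + len;
    if (p < buf)                 /* intended overflow guard; may be optimized away */
        return 0;
    return p <= buf + buflen;
}

/* Stable: the same decision using only unsigned arithmetic with defined
 * results, so there is nothing for the optimizer to treat as impossible. */
int bounds_ok_stable(size_t buflen, size_t off, size_t len)
{
    if (off > buflen)
        return 0;
    return len <= buflen - off;  /* no subtraction can wrap here */
}

/* Second pattern from the same work: a NULL check placed after a dereference.
 * Because dereferencing NULL is undefined, the compiler may conclude p is
 * non-NULL and drop the test entirely. */
struct hdr { int len; };

int hdr_len_unstable(const struct hdr *p)
{
    int n = p->len;              /* dereference first ... */
    if (p == NULL)               /* ... so this test may be eliminated */
        return -1;
    return n;
}

int hdr_len_stable(const struct hdr *p)
{
    if (p == NULL)               /* test before any use of p */
        return -1;
    return p->len;
}

int main(void)
{
    char buf[16];
    struct hdr h = { 42 };
    printf("stable   bounds 8+8 in 16: %d, 8+9 in 16: %d, len=SIZE_MAX: %d\n",
           bounds_ok_stable(16, 8, 8), bounds_ok_stable(16, 8, 9),
           bounds_ok_stable(16, 8, SIZE_MAX));
    printf("unstable bounds 8+8 in 16: %d (the overflow case is not exercised: its result is compiler dependent)\n",
           bounds_ok_unstable(buf, sizeof buf, 8, 8));
    printf("hdr_len_stable(NULL) = %d, hdr_len_stable(&h) = %d\n",
           hdr_len_stable(NULL), hdr_len_stable(&h));
    return 0;
}
```

The practical check is the one the stable versions embody: never form the out-of-range pointer, and never touch the pointer before the test that decides whether it may be touched. Compiling with warnings and sanitizers helps, but neither is guaranteed to flag a check the optimizer has already removed.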


# # #

Cybercriminals Zero In on a Lucrative New Target: Hedge Funds

  • By Nicole Perlroth
  • Bits
  • The New York Times
  • June 19, 2014

They say crime follows opportunity.

Computer security experts say hedge funds, with their vast pools of money and opaque nature, have become perfect targets for sophisticated cybercriminals. Over the past two years, experts say, hedge funds have fallen victim to targeted attacks. What makes them such ripe targets is that even as hedge funds expend millions in moving their trading operations online, they have not made the same investment in security.

The latest evidence comes in the form of a new report Wednesday from BAE Systems, a computer security firm, that an unnamed hedge fund lost millions of dollars after criminals installed malware on its trading systems late last year. The malware was designed to insert a lag time in the hedge fund’s trading system and record the details of orders, so the attackers could trade on the information themselves.

According to BAE Systems, the attack began with a so-called spearphishing email, which contained links purporting to be about capital markets. Once they were clicked, an employee inadvertently downloaded malware onto a computer that gave criminals deeper access to the fund’s trading systems. The attack was noticed only after the fund’s analysts and tech staff discovered the lag times in its algorithmic trading strategy and abnormal file movement on its network. The breach, which was first reported by CNBC, cost the fund millions of dollars in recovery, according to BAE Systems, which did not name the fund.

But security experts say the crime is hardly new. “Hedge funds have been victims of targeted cyberattack over the past two years,” said Tom Kellermann, the chief cybersecurity officer at TrendMicro. “Hedge funds are woefully undersecured. The lack of investment in their cybersecurity has placed them in the line of fire.”


# # #


Updated: June 24, 2014 — 11:40 pm

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 24th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural southern Wyoming, just below the continental divide (long story, that...). Always ready to help others, he shares what he learns on multiple blogs, many social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on air experience in live radio and television, Rich is always thinking about the "big picture", when it comes to helping individuals and families prepare for life's little surprises.
