Tag Archive for Hack

More IRS Tech Troubles

The U.S. gooberment agency in charge of extorting collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems, which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs. Its internal processes are so weak that the IRS could not find 1,300 PCs to complete the upgrade from Windows XP.

The latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, and taxpayer information, which could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. In the report, there was a random sampling in 2014 that said the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 I wrote about this issue. Lieberman Software released the results of a survey of IT security professionals. 13% of IT pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming is that of those able to access previous employers’ systems, nearly 23% can get into their previous two employers’ systems using old credentials.
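The watchdog finding above is, at bottom, a reconciliation problem: HR knows who has separated, and the directory and badge systems know who still has access, but nobody joins the two. The script below is an added example (not code from the report, Nextgov, or Lieberman Software) that performs that join over two constructed CSV exports and reports every separated employee whose account is still enabled, whose badge is still active, or who logged in after their separation date; the field names and sample rows are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not data from the watchdog report): an HR list of
# separated employees and a directory/badge export of accounts.
HR_SEPARATIONS_CSV = """employee_id,name,separation_date,reason
1001,Ada Example,2014-03-15,retirement
1002,Bo Sample,2014-05-02,resignation
1003,Cy Placeholder,2014-06-20,termination
"""

DIRECTORY_CSV = """employee_id,username,enabled,badge_active,last_login
1001,aexample,true,true,2014-07-01
1002,bsample,false,false,2014-04-30
1003,cplaceholder,true,false,2014-06-19
1004,dcurrent,true,true,2014-07-02
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_lingering_access(hr_csv, directory_csv, as_of):
    """Return (username, reason, issues) for every separated employee whose
    access was not fully revoked by the as_of date (ISO string)."""
    cutoff = date.fromisoformat(as_of)
    separated = {r["employee_id"]: r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(directory_csv):
        hr = separated.get(acct["employee_id"])
        if hr is None:
            continue  # still employed: nothing to reconcile
        sep = date.fromisoformat(hr["separation_date"])
        if sep > cutoff:
            continue  # separation lies after the audit date
        issues = []
        if acct["enabled"] == "true":
            issues.append("account still enabled")
        if acct["badge_active"] == "true":
            issues.append("badge still active")
        last_login = date.fromisoformat(acct["last_login"])
        if last_login > sep:
            issues.append("login after separation (%s)" % last_login.isoformat())
        if issues:
            findings.append((acct["username"], hr["reason"], issues))
    return findings


def unverified_fraction(hr_csv, directory_csv, as_of):
    """Share of separated employees with at least one unrecovered item, the
    figure the watchdog report could not pin down for the IRS."""
    cutoff = date.fromisoformat(as_of)
    separated = [r for r in _rows(hr_csv)
                 if date.fromisoformat(r["separation_date"]) <= cutoff]
    if not separated:
        return 0.0
    return len(find_lingering_access(hr_csv, directory_csv, as_of)) / len(separated)


if __name__ == "__main__":
    for user, reason, issues in find_lingering_access(HR_SEPARATIONS_CSV, DIRECTORY_CSV, "2014-07-03"):
        print("%s (%s): %s" % (user, reason, "; ".join(issues)))
    print("unverified: %.0f%%" % (100 * unverified_fraction(HR_SEPARATIONS_CSV, DIRECTORY_CSV, "2014-07-03")))
```

Run against the sample data, two of the three separated employees still hold something they should not, which is the kind of number the IRS could not produce for its 4,100 separations. The login-after-separation check is the one worth automating on a schedule: an enabled account is a policy gap, but a post-separation login is an incident.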

rb-

This is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, chances are much greater that ex-employees would not be able to access taxpayers’ records. Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials.

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inheritance factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inheritance factor of identity verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seat: voice, brain waves, retina scan, behavioral biometrics, etc.), combined with a strong password, can form 2FA.

There are drawbacks to using biometrics for authentication too.
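To make the knowledge-plus-possession combination concrete, here is an added example (not code from the article or from any product it mentions) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app generates. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the demo salt, password hash and base32 seed are constructed for the example, and `login()` is a hypothetical function name.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo credentials (not from the article). In a real system the
# salt, password hash and TOTP seed come from the user store, never from source.
DEMO_SALT = b"demo-salt-0001"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", DEMO_SALT, 200_000)
DEMO_TOTP_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # constructed base32 seed


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def current_code(secret_b32, at_time):
    """What the user's authenticator app would display at at_time."""
    return totp(base64.b32decode(secret_b32), at_time)


def verify_password(candidate, stored_hash, salt=DEMO_SALT):
    """Knowledge factor: slow hash plus constant-time comparison."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    return hmac.compare_digest(h, stored_hash)


def verify_totp(code, secret_b32, at_time, window=1):
    """Possession factor: accept the current step plus/minus `window` steps of clock skew."""
    secret = base64.b32decode(secret_b32)
    step = int(at_time) // 30
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def login(password, code, at_time=None):
    """Both factors must pass; both are always evaluated so that response
    timing does not reveal which one failed."""
    at_time = time.time() if at_time is None else at_time
    ok_pw = verify_password(password, DEMO_PASSWORD_HASH)
    ok_otp = verify_totp(code, DEMO_TOTP_SECRET_B32, at_time)
    return ok_pw and ok_otp


if __name__ == "__main__":
    now = time.time()
    print("code now:", current_code(DEMO_TOTP_SECRET_B32, now))
    print("login:", login("correct horse battery", current_code(DEMO_TOTP_SECRET_B32, now), now))
```

The point for the IRS case is the second factor: an ex-employee who still remembers a password gets nowhere without the enrolled device, and disabling that one device enrollment is a far smaller off-boarding task than chasing every password the person ever knew. The skew window is deliberately small; widening it makes replay of an observed code easier.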

Related articles
  • Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

How Safe Is Your Connected Car?

There will be 250 million wirelessly connected cars on the road by 2020 according to Gartner (IT). The technical prognosticators believe that 60% – 75% of them will be capable of consuming, creating, and sharing Web-based data. In light of predictions like these and highly publicized car network attack demonstrations, cars need more security. Intel (INTC) has established the Automotive Security Review Board (ASRB) to help mitigate cyber-security risks associated with connected automobiles.

An Intel presser says ASRB researchers will do ongoing security tests and audits. They will codify best practices and design recommendations for advanced cyber-security solutions and products. Intel will publish automotive cyber-security best practices white papers, which the company will update based on ASRB findings. Chris Young, senior vice president and general manager of Intel Security, said in the presser:

We can, and must, raise the bar against cyberattacks in automobiles … Few things are more personal than our safety while on the road, making the ASRB the right idea at the right time.

Secure car networks

It is the right time to secure the networks in cars. A study released by Atlanta-based PT&C|LWG Forensic Consulting Services looked at what made cars vulnerable to attacks.
Robert Gragg, a forensic analyst with PT&C|LWG, told CSO that cars with the highest risk of cyber threat tended to have the most features networked together, especially where radio or Wi-Fi networks are connected to physical components of vehicles.

Today’s modern automobile uses between 20 and 70 computers, each with its own specialized use. The article explains that engine control units oversee a wide array of electronic sensors and actuators that regulate the engine and maintain optimal performance. Vehicle manufacturers use the generic term “electronic control units” (ECUs) to describe the myriad of computers that manage various vehicle functions.

For example, the author says ECUs control vehicle safety functions, such as antilock brakes and proximity alerts. The ECU which governs climate control systems receives temperature data from sensors inside the cabin and uses that to adjust airflow, heating, and cooling.


What is a controller area network

Typically, all of a vehicle’s computer systems can be accessed over a vehicle’s controller area network (CAN) via the radio head unit, a computerized system that runs a car’s or truck’s communications and entertainment system.

Many of today’s modern vehicles can be accessed via cellular, Bluetooth, or even Wi-Fi connectivity. While no easy task, the CSO article says, once a hacker gains access to the vehicle’s head unit, its firmware can be used to compromise the vehicle’s CAN, which speaks to all the ECUs. Then it’s just a matter of discovering which CAN messages can control various vehicle functions.

Car attacks

These attacks can happen at a distance. The PT&C|LWG study estimated the minimum distances from which a vehicle could be hacked according to the wireless communication protocol it uses. For example, a passive anti-theft system could be accessed from 10 meters, a radio data system (or radio head unit) could be hacked from 100 meters, a Bluetooth system could be accessed from 10 meters, a smart key from five to 20 meters, and a vehicle equipped with Wi-Fi… well, it could be hacked from anywhere there’s Internet access (rb- I wrote about this vulnerability in 2011).

That may be a problem. Increasingly, carmakers are coming out with vehicles that include Wi-Fi routers for Internet connectivity. PT&C|LWG’s Gragg said:

In more advanced vehicles — the ones that have infotainment systems — wireless security and wireless access points are all connected into the navigation system. So those are more susceptible to hacking because there are just more wireless access points … Anything open to wireless capabilities is susceptible to the hacking.

rb-

In May, both General Motors (of ignition switch cover-up infamy) and the Auto Alliance, the car maker’s lobbyist, testified against a proposed exemption in copyright law that would allow third-party researchers to get access to vehicle software. A decision in that matter could come any day from the U.S. Copyright Office.

The Auto Alliance has also threatened to run to Congress should the Copyright Office rule in favor of the researchers, to cover up threats to the consumer, like Volkswagen and GM. The lobbying group calls legitimate researchers attackers in a letter to a Congressional subcommittee investigating the auto industry’s ability to thwart cyber attackers: “Automakers are facing pressure from the organized efforts of technology pirates and anti-copyright groups to allow the circumvention of protected onboard networks, and to give hackers with the right to attack vehicles carte blanche under the auspices of research”.

This would set a dangerous precedent for devices connected to the Internet of Things (IoT) to be unregulated. If the automakers are successful in their DMCA claims, it would be deadly for everyone on the road too. 

Who remembers “Unsafe At Any Speed”?




The Enemy Within at School

Naked Security reports on a hack that combines two of our favorite things on the Bach Seat, Florida and lax data security at school. The way the Sophos blog tells the story, a 14-year-old Florida boy is charged with being a hacker by trespassing on his school’s computer system.

Florida school hacker

The charges came after he shoulder-surfed a teacher typing in his password and used it without permission to trespass in the network. The student then tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.

A Tampa Bay Times article says that an eighth-grader was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Fla. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school using an administrative-level password without permission.

A spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, but at this point it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension. Sheriff’s detective Anthony Bossone says there is likely to be “pretrial intervention” by a judge with regard to the felony charge, the Tampa Bay Times reports. Naked Security says this is the student’s second offense.

When the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said. It’s a well-known trick, the student said. He claimed the password was a snap to remember: it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed a computer with sensitive data – the state’s standardized tests (now we know why he is in trouble – NCLB! – Common Core!!) – while logged in as an administrator. Those are files he well could have viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun. Even though some might say this is just a teenage prank, who knows what this teenager might have done.

I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.

In typical HS-er logic, he told the newspaper:

If they’d have notified me it was illegal, I wouldn’t have done it in the first place. But all they said was ‘You shouldn’t be doing that.’

Idaho school hacker

Another report from the other side of the continent comes from Engadget. They report that a teenager from Idaho took advantage of the latest trend in online criminal activity. He likely rented a cloud-based botnet to launch a distributed denial of service (DDoS) attack against the largest school district in Idaho. The alleged DDoS took down the school district’s internet access, according to media reports.

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack. The attack forced the entire West Ada school district offline. The act disrupted more than 50 schools, bringing everything from payroll to standardized tests (More high stakes testing – NCLB! Common Core!!) grinding to a halt. Unfortunate students undertaking the Idaho Standard Achievement test had to go through the process multiple times because the system kept losing their work and results.

The report goes on to say that authorities identified the Eagle High student from their IP address. The student could now face State and Federal felony charges. If found guilty, the unnamed individual is likely to serve up to 180 days in jail, as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses suffered as a consequence of the attack.

rb-

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil

Rightly or wrongly, schools rely on the Intertubes for their core business – instruction, and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDoS strategy, let alone buying a tool to fight off a denial of service attack.
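The three tactics named above are cheap to enforce at password-change time. The function below is an added example (not code from any school district or from the articles cited) that applies a length and character-class rule, a blocklist of common weak passwords, and a check that the password is not built from the user’s own username or name, which is exactly how “the teacher’s last name” would have been rejected. The blocklist entries and the sample user are constructed; `password_problems` is a hypothetical name.

```python
import re

# Constructed blocklist (not from the article). A real deployment checks against
# a large breached-password list instead of a handful of entries.
COMMON_WEAK = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "football"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def password_problems(password, username="", full_name="", min_length=12, min_classes=3):
    """Return the list of policy violations for a proposed password (empty means OK).

    Besides length and complexity, it rejects blocklisted passwords and any
    password built from the user's own username or name, the 'teacher's last
    name' pattern from the Pasco County story."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    lowered = password.lower()
    if lowered in COMMON_WEAK:
        problems.append("on the common-password blocklist")
    for part in [username] + full_name.split():
        # Ignore initials and very short tokens; they match almost anything.
        if len(part) >= 3 and part.lower() in lowered:
            problems.append("contains identity-derived string %r" % part)
            break
    return problems


def is_acceptable(password, username="", full_name=""):
    return not password_problems(password, username, full_name)


if __name__ == "__main__":
    for candidate in ("smith", "Smith-Admin-2015!", "Tr0ub4dor&3-correct!!"):
        print(candidate, "->", password_problems(candidate, "jsmith", "John Smith") or "ok")
```

Note what the check cannot do: it says nothing about a password being shared among students or typed in front of a classroom. That part is an operational control (screen privacy, per-user accounts, and removing the administrative account from classroom machines), not a policy string.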




What the FREAK !

Earlier this month news broke that Google, Apple, and Microsoft are vulnerable to a new bug poetically called Factoring RSA Export Keys – FREAK. The cause of the FREAK bug is not new. In fact, the origin of the FREAK bug goes back to the 1990s and government meddling.

Paul Ducklin at Sophos’ Naked Security blog explains that FREAK is a risk to all users because an attacker can trick you and the server into settling on a much weaker HTTPS encryption scheme, one from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption. Export grade encryption is a ghost from an earlier U.S. Gooberment attempt to break encryption. In the ’90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for everyday, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.

No one should be using export-grade keys anymore – indeed, no one usually does. But many clients and servers still support them, according to Sophos. Somehow, in 2015 it never seemed to matter that the 1990s code was still lying around.

If attackers can watch the traffic flowing between vulnerable devices and websites, they could inject code that forces both sides to use 512-bit encryption, which can be easily cracked. In 1999 it took researchers seven months to crack such a key; the article claims that the same crack takes about 12 hours and $100 using Amazon’s (AMZN) cloud in 2015. It would then be technically pretty straightforward to launch a MITM by pretending to be the official website.

Now that your security is compromised, an attacker can use a “man in the middle” attack (someone who can listen into and change the network traffic between you and your destination server).

Additionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions using the same key. Another risk Sophos claims is that export-grade keys allow evil-doers to steal both the public and private keys by using a technique known as “factoring the modulus.” With the critical private key, criminals can now sign traffic from an imposter website as though it came from a trusted third party.
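Since the server-side half of the problem is simply that export suites are still enabled, the fix is a configuration change, and the configuration can be audited. The script below is an added example (not from Sophos, the FREAK researchers, or any web server project) that pulls every `ssl_ciphers` directive out of an nginx configuration and evaluates the OpenSSL cipher string for export exposure: individual `EXP-` suites, the `EXPORT` aliases, and the broad `ALL` alias that includes export suites on old OpenSSL builds unless `!EXPORT` is also present. The two config fragments are constructed, and the evaluation deliberately simplifies OpenSSL’s full cipher-string semantics, erring toward reporting.

```python
import re

# Constructed nginx fragments (not from the article): a permissive legacy
# configuration and a hardened one.
LEGACY_CONFIG = '''
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ALL:EXP-RC4-MD5:EXP-DES-CBC-SHA:RC4-SHA";
}
'''

HARDENED_CONFIG = '''
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!EXPORT:!aNULL:!eNULL:!RC4:!MD5";
    ssl_prefer_server_ciphers on;
}
'''

# OpenSSL cipher-list aliases that select export-grade suites, and broad aliases
# that include them on OpenSSL builds old enough to still ship export ciphers.
EXPORT_ALIASES = {"EXPORT", "EXP", "EXPORT40", "EXPORT56"}
BROAD_ALIASES = {"ALL", "COMPLEMENTOFDEFAULT"}


def export_suite_findings(cipher_string):
    """Simplified evaluation of an OpenSSL cipher string for export exposure.

    Modelled rules: '!X' removes X permanently wherever it appears; names
    starting 'EXP-' are individual export suites; '-X' tokens are ignored
    (they only remove suites added before them), so the check errs toward
    reporting rather than reproducing OpenSSL's full ordering semantics."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}
    if killed & EXPORT_ALIASES:
        return []  # "!EXPORT" (or "!EXP") removes every export suite for good
    findings = []
    for t in tokens:
        if t.startswith("!") or t.startswith("-"):
            continue
        name = t.lstrip("+")
        if name in killed:
            continue
        if name.startswith("EXP-") or name in EXPORT_ALIASES:
            findings.append((name, "export-grade suite enabled"))
        elif name in BROAD_ALIASES:
            findings.append((name, "broad alias; includes export suites on old OpenSSL unless !EXPORT is present"))
    return findings


def audit_ssl_ciphers(nginx_config):
    """Map each ssl_ciphers value found in the config to its export findings."""
    report = {}
    for m in re.finditer(r'ssl_ciphers\s+"?([^";]+)"?\s*;', nginx_config):
        report[m.group(1)] = export_suite_findings(m.group(1))
    return report


def allows_export(nginx_config):
    return any(findings for findings in audit_ssl_ciphers(nginx_config).values())


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_ssl_ciphers(cfg) or "no export exposure")
```

The hardened string also drops RC4 and MD5 and pins the protocol to TLS 1.2, which is beside the FREAK point but is what a practitioner would ship in the same change; the key-reuse risk the author mentions is not visible in a cipher string and has to be checked at the key-management level instead.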

The author says the team that identified the original FREAK vulnerability claims to have used this bug to create a fake nsa dot gov. University of Michigan computer scientists J. Alex Halderman and Zakir Durumeric told InfoSecurity that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.

The good news, according to Sophos: Users of Chromium/Chrome and Firefox are OK.

The bad news – the bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug is known to exist in:

  • OpenSSL’s TLS implementation (before version 1.0.1k), which includes Google (GOOG) Android’s “Browser” browser, and therefore probably Samsung’s (005930) derived browser known as “Internet.”
  • Apple (AAPL) SecureTransport puts OS X software at risk, including Safari.
  • Microsoft (MSFT) Windows Schannel TLS library puts Windows software including Internet Explorer at risk.

You can check to see if your browser is vulnerable to the FREAK attack on a UMich page here.

You can also check on your favorite website on this UMich page.

rb-

“Export grade” encryption was largely abandoned by 2000 because it was a bad idea, a silly idea. It hurt the US software industry and Americans who bought an inferior product. It is still a dumb idea in 2015, yet the Gooberment wants to cripple the latest generation of encryption by putting backdoors into encrypted messaging. They seem to have won with Google. Google has dumped plans to encrypt communications by default in Android.

In the short term, if you are worried, use another browser, Firefox or Chrome.




Anthem Data Breach Hits BCBSM Users

The recent cyber-attack on the second-largest health insurance company in the U.S., Anthem Insurance, was allegedly pulled off by Chinese hackers. Now the attack, which I covered here, has spread to Michigan. Emily Lawler at MLive is reporting that Michigan residents are caught up in the national healthcare insurance data breach.

The Anthem health insurance company’s compromised data includes an estimated 80 million people, of which 636,075 are Blue Cross Blue Shield of Michigan users. According to the article, some of the compromised information could have come from BCBSM customers. A BCBSM spokesperson told MLive there was a “strong possibility” some BCBSM customer data had been caught up in the data breach.

BCBSM is an affiliate of the compromised company, so the Michigan firm shared critical customer information with Anthem. The affiliation allowed the attackers to gain access to Michigan BCBSM users. Ms. Lawler cites information from Anthem’s initial investigation, which found that the Michigan personally identifiable information (PII) that could have been compromised includes names, dates of birth, social security numbers, addresses, phone numbers, email addresses and employment information.

Reassuringly (snark), BCBSM and Michigan’s Department of Insurance and Financial Services have been monitoring the data breach and its potential effect on Michiganders. BCBSM External Affairs Manager Stephanie Beres told MLive numbers from Anthem say 636,075 Michigan residents are impacted. That includes 410,990 Anthem members and 225,745 customers of Blue Cross Blue Shield, Ms. Beres said.

rb-

Anthem is sending letters to those impacted by its oopsie and will offer two years of free credit monitoring and identity theft repair. According to Anthem’s website, AllClear ID will provide the credit monitoring services. Those who think they may be affected are encouraged to visit a website Anthem has set up to distribute information about the hack, www.anthemfacts.com.

Related articles
  • Connecticut bill requires insurers to encrypt personal data (newsday.com)

