Cyber Security Leader
The Ohio Cyber Range Institute and the Ohio Cyber Reserve took part in a cyber security exercise at the University of Cincinnati July 15, 2022. Maj. Gen. John Harris said, āThis is just a next level of training for our Ohio Cyber Reserve. Our responsibility first and foremost is to respond if there is a crisis here in Ohio.ā https://t.co/F8HQ2oQKbq
ā Ohio Cyber Reserve (@OhioCyber) July 19, 2022
85 percent of computer and network breaches involved a human element, according to Verizon’s “2021 Data Breach Investigations Report,” while over 80 percent of breaches were discovered by external parties. That is good news. Does that mean if each one of us could modify our behavior, then perhaps this ransomware and breach problem might go away?
Well… Everyone works under some kind deadline pressure. And if you are like me, you tend to procrastinate. To meet that impending deadline, we have to work quickly. So, when that application or operating system security update pops up, we have to push it away. Or the I.T. department applies the update. Of course that is the day our assignment, proposal, paper, or whatever is due for presentation or submission. If you work remotely, that’s when you notice that your organization’s system is crawling along slowly or the company network is unavailable. You have already forgotten about or quashed that warning you received updating your home or office workstation to the latest security patch. Or your antivirus program that has been interrupting you for days does it again. And that’s when a “Digital Pearl Harbor” is most likely to occur.
There is no silver bullet or firewall that the computer/network security industry can set up to protect you or your organization from yourselves. Again, 85% of the problem it is a behavior issue.
When was the last time your immediate supervisor asked about whether you saw that operating system security update or antivirus update? When did your boss take an interest in that phishing training offered over lunch or online? Never? Well, there you go. Unless your entire organization takes the appropriate amount of interest based on their risk management processes, what can you hope to do to fix this? Or if you work for yourself at home or remotely for your company; when was the last time you made sure your computer operating system was updated, your cable modem or home router internal operating systems were updated?
Here is where the reader will expect me to come up with a frightening scenario. I will not waste my time. Suffice it to say that unless we use fundamental risk management processes, then we will simply lose – and lose big – even lose life itself. Lose to nation-states, terrorists, criminals (sometimes sponsored by nation-states or terror organizations).
Start with the The National Institute of Standards and Technology (NIST) “Generally Accepted Principles and Practices for Securing Information Technology Systems”. NIST has been a government agency since 1901. This means that when one sees in lawsuits and insurance documents containing wording similar to: “Generally Accepted Principles and Practices” or “Industry Standards”, they mean NIST or other industry or business convention.
From there, it will be easy to understand what and how you and/or your organization need to begin your process to prevent a Digital Pearl Harbor that would impact, you and even society as a whole
UPDATE 2 Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities; Using one flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections. https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/
UPDATE: National Security Agency Confirms Windows 10 Security Flaw āMakes Trust Vulnerableā “If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we canāt say anything about the actual risk for the average user.” https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/ You should put together a test computer with any proprietary software or non-off-the-shelf, mission essential software and test the patch first.
UPDATE: National Security Agency Confirms Windows 10 Security Flaw āMakes Trust Vulnerableā
“If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we canāt say anything about the actual risk for the average user.”
https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/
January 14, 2020 – Microsoft MAY release a patch TODAY that is supposed to fix a huge security vulnerability. I am providing this notification because I recommend that only a test computer be patched, IF you are running non-off-the-shelf software. That is anything that you can’t buy at a store, like Office programs, etc. If you are using any proprietary software or software designed for your business systems, then you should ALWAYS test Microsoft patches before implementing them. This is a story by Brian Krebs, a leading #cybersecurity journalist. “Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog.” https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
What does physical security and cybersecurity have in common? Among other things; it’s the simple stuff that will get you.
I decided to stop by the Sylvania Township, Ohio Starbucks on Central Avenue for “Coffee with a cop.” October is National Cybersecurity Awareness Month and I thought it would be a good idea to check in with our local police first responders. These officers were from the Sylvania, Ohio Police Department.
I had a pleasant surprise because Chief Paul Long and Deputy Chief Ray Carroll were there. Both of these officers have already had long successful and distinguished law enforcement careers.
Upon entering and shaking hands, I asked whether there were any assets or other material that these local heroes needed. I am sure that there must be something local citizens could do to better support the police. However, Chief Carroll said that their message is simple: “Lock your house, garage and car(s).”
And that’s where the convergence of cyber and physical security intersect – it’s the simple stuff. Lock up your possessions to keep them secure. Cyber – “Keep you operating system up-to-date.” Why are they so similar?
Whether we like it or not, the basic design of our computers and networking equipment and operating systems follow the open academic beginnings of computing and internet/networking. Up to the early 1990s personal computers were not networked. A few of us could maybe wrangle internet access from a local college or university and that was it. The World Wide Web did not exist. Fast forward to the cobbled together systems that we now use. If you don’t keep your operating system up-to-date with a firewall and antivirus, then you are doing the same as leaving your house unlocked.
Enough preaching. What I loved about meeting with the several police officers and command officers was how much we all have in common. We all agreed. It does not matter how fancy your security system is – either physical or cyber. It is the mindset and care of the people who are operating or failing to operate them. If you have a lock on your door and you don’t use it, then you have a much better chance of losing your stuff. And it is the same with your personal information that you keep in your computer.
I am looking forward to more conversations with our first responders. Even a geek like me will learn and be motivated by the exchange of ideas.
UPDATE 2: New Evidence found by Bloomberg reporting. “A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.” https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom
UPDATE: WHY SHOULD YOU CARE? If true, then your electronic devices will spike up in price because more than 90% of them are made in China. That would end. The potential damage to national security would cost the government 100s of billions of dollars and you as a tax payer will see the bill. Apple and Amazon have unequivocally denied that this hack ever took place. Folks, Bloomberg is a top notch publication with almost incomparable reporters and editors. They spent a year researching this story. On the other hand, Apple and Amazon could be just as screwed as Elon Musk, if the SEC or other regulatory agency finds that their statement(s) of denial are false. So far this is first relatively comprehensive discussion that I have found. https://itunes.apple.com/us/podcast/325-chinese-spy-chips-microsoft-announcements-pixel/id430333725?i=1000421160995&mt=2
How many Americans have purchased drones, phones, and computers that are assembled in China? Millions and millions, for sure…
According to a well reported story from Bloomberg, a chip the size of a grain of rice that appears to be a common part of a circuit board was stealthily placed by secret members of China’s Peoples Liberation Army in devices used in some U.S. servers. This chip is not detectable by operating systems nor by any antivirus. Further, it is found on circuit boards made in China and sold to U.S. enterprise-class computer server manufacturers. Companies like Amazon, Apple and even (reportedly) some government agencies.
This is may be the greatest intelligence coup of the decade, as well. See the story HERE.
The Bluetooth that you use to connect your smart watch, speakers or other peripheral is seriously compromised. Please check that you have updated your device to the latest operating system version. This applies to iPhones and Android devices. The devices include Apple, Android smart phones, smart watches like Apple Watch and other devices (perhaps even Chrome laptops).
Failure to update your operating system may expose your confidential information to a nearby hacker who could ruin your finances and/or snoop on your messages and possibly put you in danger.
Forbes published a good explanation headlined, Update Your iPhones And Androids Now If You Don’t Want Your Bluetooth Hacked . Enough said, please just update now.
See below for how to update Android and Apple phones:
This wikiHow teaches you how to manually update an Android phone or tablet operating system. While your Android will typically update automatically, you can speed up the update process by manually updating as soon as you know an update is available.
1. Connect to Wi-Fi.
2. Open Settings.
3. Tap System.
4. Tap System Update.
5. Tap Download and Install.
Two Methods:Performing an On-Device Update (Over-the-Air)Using iTunesCommunity Q&A
This wikiHow teaches you how to install the latest version of Apple’s operating system for your iPhone, iPad, or iPod Touch.
Need help? Call or text Pilum Technology at 419-862-5252 email paulhem at paulhem dot com
First please heed this: If you are a large or small business leader or associate do not patch before you test that patch with any specialized software – that is any software other than generic office apps, like Microsoft (R) Office apps. Even commercial scheduling software should be tested. At least make sure that you create a Restore Point. before updating. Of course, Windows is supposed to create one for you. Do not bet your operation on that!
Many highly publicized data breaches occurred because firms did not patch or update software. For example Equifax had at least two months to patch/update specific software before 143 million people had their personal information stolen.Ā And some Equifax personnel were even aware of the need to patch the software in question. The U.S. Office of Personnel Management lost several million security clearance background investigation details because a contractor failed to update his computer.
As mentioned in My take on security, even if an individual believes that their information is not important enough to be stolen or abused, it can and will be collected and used.
Update your software.
First, the news.
(RNN) ā Russiaās hackers are busy folks.
The FBI and Cisco warned us this week that theyāve infiltrated 500,000 routers in more than 50 countries across the globe by using a malware system known as VPNFilter.
The compromised routers could be used for lots of things, but the experts believe the malicious software used to hack them are part of a plan for a huge cyber attack on Ukraine.
To torpedo the Russian plot, the FBI got court approval to seize a domain the hacking group was using to coordinate the operation.
The computer code used in the malware program shares code with previous Russian cyber attacks.
āDefending against this threat is extremely difficult due to the nature of the affected devices,ā according to Ciscoās cyber intelligence unit, Talos.
āThe majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.ā
And most of these routers are older devices that donāt have up-to-date software.
And now from FBI Internet Crime Complaint Center:
Alert Number
Questions regarding this PSA should be directed to your localĀ FBI Field Office.
Local Field Office Locations:Ā www.fbi.gov/contact-us/field
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malwareās network activity is complicated by its use of encryption and misattributable networks.
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
———————————————–
There will be a lot more on this.Ā There are some lists of routers out there. Some of them may have been installed by your Internet Service Provider. The Boston Globe reports, The FBI is urging Internet service providers Comcast Corp. and Verizon Communications Inc. and others to check whether their hardware is vulnerable, and work with customers on updating their routers.
This will be continually updated, until this becomes less of an issue.
Of course, your personal information is valuable so the cybercrooks will still come after you. Not the end-all-beat-all…. This will help make your Facebook privacy more robust, however.
UPDATE (3/30/18): We have updated this post and its screenshots to reflect how Facebook reorganized and removed some settings this week.
You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.
Over the weekend, it became clear that Cambridge Analytica, a data analytics company, got access to more than 50 million Facebook users’ data in 2014. The data was overwhelmingly collected, shared, and stored without user consent. The scale of this violation of user privacy reflects how Facebook’s terms of service and API were structured at the time. Make no mistake: this was not a data breach. This was exactly how Facebook’s infrastructure was designed to work.
In addition to raising questions about Facebook’s role in the 2016 presidential election, this news is a reminder of the inevitable privacy risks that users face when their personal information is captured, analyzed, indefinitely stored, and shared by a constellation of data brokers, marketers, and social media companies.
Tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used. That starts with meaningful transparency and allowing truly independent researchersāwith no bottom line or corporate interestāaccess to work with, black-box test, and audit their systems. Finally, users need to be able to leave when a platform isnāt serving them ā and take their data with them when they do.
Of course, you could choose to leave Facebook entirely, but for many that is not a viable solution. For now, if you’d like keep your data from going through Facebook’s API, you can take control of your privacy settings. Keep in mind that this disables ALL platform apps (like Farmville, Twitter, or Instagram) and you will not be able to log into other sites using your Facebook login.
Log into Facebook and visit theĀ App SettingsĀ page (or go there manually via the SettingsĀ Menu > AppsĀ ).
From there, click the “Edit” button under “Apps, Websites and Games.” Click “Turn Off.”
