Lufthansa’s AirTag Ban Justification Is Seriously Flawed

Posted in Commentary with tags on October 10, 2022 by itnerd

Earlier today I wrote about German airline Lufthansa banning AirTags in luggage. I suspect this has nothing to do with safety and everything to do with the fact that they lose people’s luggage, and AirTags not only allow passengers to hold them accountable for this, but also embarrass them at the same time. Here’s another data point on this front. Lufthansa tweeted this as its justification:

So I found this response to be a bit suspect. Thus I found the regulation online. Now I am no expert on this sort of thing, and I would welcome an expert to comment on this. But the way I read this is as follows:

  • The regulation that Lufthansa appears to be citing specifically talks about lithium ion battery regulations. AirTags use a CR2032 battery, which is not a lithium ion battery.
  • AirTags are basically very low-powered transmitters. This means that there is not nearly enough power to interfere with a commercial plane’s systems.

So my guess is Lufthansa is using this as cover and hoping that nobody will call them on it.

Too bad for them the Twitterverse called them on it:

Really, at this point Lufthansa needs to find some way to walk this back because they are not winning here. In fact they’re losing. They’re losing on the public relations front, and there is zero chance that passengers will comply with this edict from them. Thus they might as well give up now and save some face.

American Airports Hit By Russian Based DDoS Attack

Posted in Commentary with tags on October 10, 2022 by itnerd

Hackers acting on behalf of Russia have taken aim at US Airports by launching a massive Distributed Denial Of Service attack on them. Bleeping Computer has the details:

The pro-Russian hacktivist group ‘KillNet’ is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible.

The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services.

Notable examples of airport websites that are currently unavailable include the Hartsfield-Jackson Atlanta International Airport (ATL), one of the country’s larger air traffic hubs, and the Los Angeles International Airport (LAX), which is intermittently offline or very slow to respond.

Clearly these hackers are likely unhappy about the actions that the US, among other countries, has taken in response to Russia’s invasion of Ukraine, and this is their reaction. While this wasn’t a long-lasting attack, it does send a message.

I have commentary from several industry experts on this:

Gary Kinghorn, Senior Director at Nozomi Networks: Fortunately, the DDoS attacks were not particularly damaging or long lasting. Most of the major airports appeared to be responding normally to new connection requests without delay by early to mid-morning. DDoS attacks are not targeted attacks that exploit a specific vulnerability, but generally just overwhelm a site’s ability to respond with an enormous amount of traffic from a large number of distributed clients. There are many types of DDoS attacks that can seek to exploit different aspects of the client-server connection request protocol. This attack appears to be a SYN flood, where there are a large number of connection requests that never complete and leave the target web site resources used on incomplete connections that delay response to legitimate users. It does not appear that a deeper exploit was executed that took advantage of known vulnerabilities in higher levels of the OSI protocol stack, hopefully because most of these sites are well-patched and defend against most sophisticated DDoS attacks. It’s hard to defend against DDoS attacks because every web site that is open to all users can be overwhelmed with a traffic spike of valid connection requests until you can identify and filter out a range of IP sources or expand capacity or bandwidth for the target site. CISA has an excellent Quick Guide that explains best practices for managing DDoS attacks and good site hygiene to make sure sites are not vulnerable to more sophisticated attacks using various IP protocols: https://www.cisa.gov/uscert/security-publications/DDoS-Quick-Guide

Michael Hamilton, Founder, President, and CISO of Critical Insight, formerly Critical Informatics and CI Security: All websites are vulnerable to distributed denial of service. This type of attack can be conducted by nearly anyone, and especially if there are many “volunteers” that operate DOS tools from their computers or phones. The attack itself is essentially an annoyance, perpetrated by reasonably unsophisticated actors. Services such as Cloudflare proxy inbound traffic and have detection analytics for denial of service attacks, which they null-route to protect customer sites and that does a good job of mitigating these attacks. However, the Russian volunteers are not without skilled cyber actors and it may only be a question of time before more sophisticated attacks are leveled at infrastructure. Security teams should track this group in terms of the techniques and procedures used to estimate what sectors are being targeted with what techniques, and then apply controls commensurate with the threat.

Yotam Perkal, Director, Vulnerability Research at Rezilion: So far from what I’ve been able to gather, the important thing to note here is that the affected targets are the airport websites which had no operational impact on the airports themselves. I haven’t been able to find any technical information about the attack method, but it doesn’t seem a specific vulnerability was exploited. In these types of DDoS attacks the attackers simply issue a significantly large amount of traffic from multiple locations directed at the website under attack until it (or the hosting service it uses) cannot handle the load and it becomes unavailable.

Chris Grove, Director, Cyber Security Strategy at Nozomi Networks: Before we get into the specifics of the cyber-attack, I need to recognize and give kudos to CISA for issuing Alert AA22-110A just 6 months ago, which called this hacker group out by name, described their tactics typically used, then warned of similar upcoming attacks after they DDOS’d Bradley airport in March. Today’s attack is evidence of the importance of collaborative approaches to cybersecurity, and heeding warnings that come from those in the know. It’s fortunate that the operations of these airports weren’t impacted, but assuredly that will change in the future as the assailants attempt more brazen attacks with larger impact. As we’ve learned from mitigating years of attacks from other cyber activists, like Anonymous, these campaigns don’t last long (this airport attack was part of a 1 week campaign), are mostly confined to DDOS attacks, with an occasional data leakage if the hackers were able to breach the defenses. Like a storm, this too will pass. For the air industry there will be other attacks as the Ukraine situation escalates, so although this campaign is only 1 week long, defenders should remain at a high state of alert, and continue developing 360-degree situational awareness of their operations.

Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti: If airlines are being targeted by DDoS, it is more than likely their web presence is also being targeted by the same attackers. There are many avenues to a denial of service, so continuously testing for web vulnerabilities and remediating any issues is crucial to minimize the overall attack surface. While DDoS attacks are mainly intended to render systems unresponsive and deny service to users, they are also used to slow systems down in preparation for further attacks, including SQL injection.

I think it’s a safe bet that there will be more of this given that this invasion of Ukraine continues along with the sanctions that countries have imposed on Russia. Thus everyone needs to prepare for this to happen again, and again.

UPDATE: I have additional commentary from Craig Burland, CISO of Inversion6:

“This malicious call to action is a great example of why organizations need to be ever-vigilant in their cybersecurity operations. A focus on cybersecurity isn’t only for when the auditor is coming or after a breach. It’s a 24x7x365 responsibility that we must all own and embrace. We don’t take days off from things like workplace safety or legal due diligence. Cybersecurity is no different especially as we collectively face organizations like Killnet.”
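Kinghorn describes the SYN-flood pattern as many connection requests that never complete and tie up server resources. The following is an added example, not code from the post or from any of the quoted experts, that triages a Linux `ss -tan` socket snapshot for that pattern; the snapshot itself is constructed with documentation-range addresses.

```python
"""Triage a TCP socket-state snapshot for a SYN-flood signature: many
half-open (SYN-RECV) sockets that dwarf the established ones.

Added example; assumes `ss -tan` output format. SAMPLE_SS is constructed."""
from collections import Counter

SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443         198.51.100.10:51234
SYN-RECV  0      0      10.0.0.5:443         198.51.100.11:51235
SYN-RECV  0      0      10.0.0.5:443         198.51.100.12:51236
SYN-RECV  0      0      10.0.0.5:443         198.51.100.13:51237
SYN-RECV  0      0      10.0.0.5:443         198.51.100.14:51238
SYN-RECV  0      0      10.0.0.5:443         198.51.100.15:51239
SYN-RECV  0      0      10.0.0.5:443         203.0.113.44:40111
ESTAB     0      0      10.0.0.5:443         203.0.113.7:40000
ESTAB     0      0      10.0.0.5:443         192.0.2.9:40001
LISTEN    0      128    0.0.0.0:443          0.0.0.0:*
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) per socket line; the header is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        conns.append((state, local_port, peer_ip))
    return conns


def _slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def syn_flood_report(conns, port="443", min_half_open=5, min_ratio=2.0):
    """Flag a flood when half-open sockets on `port` are numerous AND greatly
    outnumber established ones. Flood source IPs are usually spoofed, so
    sources are aggregated per /24 rather than trusted individually."""
    half_open = [c for c in conns if c[0] == "SYN-RECV" and c[1] == port]
    established = [c for c in conns if c[0] == "ESTAB" and c[1] == port]
    ratio = len(half_open) / max(len(established), 1)
    by_net = Counter(_slash24(peer) for _, _, peer in half_open)
    return {
        "half_open": len(half_open),
        "established": len(established),
        "ratio": round(ratio, 2),
        "top_sources": by_net.most_common(3),
        "suspected_flood": len(half_open) >= min_half_open and ratio >= min_ratio,
        # SYN cookies (net.ipv4.tcp_syncookies=1) let the kernel answer SYNs
        # without keeping per-connection state until the handshake completes.
        "mitigation_hint": "enable SYN cookies; filter or rate-limit offending ranges upstream",
    }


if __name__ == "__main__":
    for key, value in syn_flood_report(parse_ss(SAMPLE_SS)).items():
        print(f"{key}: {value}")
```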

Laid Off Sysadmin Pwns Ex-Employer’s Network And Goes Straight To Jail As A Result

Posted in Commentary with tags on October 10, 2022 by itnerd

When companies ask me to do a security assessment, one of the things I ask them is how many disgruntled employees they have and what they do to mitigate the threat that those employees pose. A lot of them don’t do nearly enough, and this is an example of what happens if you’re one of those companies.

Casey K. Umetsu, aged 40, worked as a sysadmin for a high-profile financial company in Hawaii until he got laid off. Hoping to get his job back, he launched a scheme to disrupt the operations of his former employer, then ride in, save the day and cash in at the same time. But instead of getting his job back, he got caught, and here’s what happened next:

As part of his guilty plea, Umetsu admitted that, shortly after severing all ties with the company, he accessed a website the company used to manage its internet domain. After using his former employer’s credentials to access the company’s configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company’s web presence and email. Umetsu then prolonged the outage for several days by taking a variety of steps to keep the company locked out of the website. Umetsu admitted he caused the damage as part of a scheme to convince the company it should hire him back at a higher salary.

“Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said U.S. Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.”

“This is a great example of a company partnering, and working with the FBI, to catch a former employee who sabotaged their network for their own personal gain,” said FBI Special Agent in Charge Steven Merrill. “We encourage companies to include the FBI as part of their cybersecurity incident plan so we can assist when they have a cyber incident.”

This is a textbook example of why you need to terminate all access to any company resource the second you fire someone. And I do mean the second you fire someone. This financial services company didn’t do that, and it cost them. While they reported it and the feds were able to hunt this guy down, this didn’t have to happen. Thus I would take this as a cautionary tale and make sure that you have processes and procedures in place to make sure that this doesn’t happen to you.
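The plea describes web and email traffic being misdirected through the company’s domain-management account. Besides revoking access the second someone leaves, a defender can catch this class of change early by polling the zone’s control records against a signed-off baseline. This is an added example, not code from the post or the DOJ release; the domain, baseline and observed answers are constructed, and `live_lookup` assumes dnspython is installed.

```python
"""Diff a domain's live control records (NS, A, MX) against a baseline so a
registrar-level redirection is noticed within one polling interval.

Added example; domain, baseline and resolver stub are constructed."""

BASELINE = {
    "example.com": {
        "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example.com."},
    }
}

# An NS change hands over the whole zone; A and MX redirect web and mail.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high"}


def live_lookup(name, rtype):
    """Resolve with dnspython (third-party, assumed installed in production)."""
    import dns.resolver
    return {r.to_text() for r in dns.resolver.resolve(name, rtype)}


def observed_lookup_tampered(name, rtype):
    """Constructed stand-in for the live resolver: web and mail redirected to
    unaffiliated hosts, nameservers untouched."""
    answers = {
        ("example.com", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
        ("example.com", "A"): {"198.51.100.77"},
        ("example.com", "MX"): {"10 mx.unaffiliated-host.example."},
    }
    return answers[(name, rtype)]


def check_domain(domain, baseline, lookup):
    """Return one finding per record type whose live answer set drifted."""
    findings = []
    for rtype, expected in baseline[domain].items():
        observed = set(lookup(domain, rtype))
        added, missing = observed - expected, expected - observed
        if added or missing:
            findings.append({
                "domain": domain,
                "type": rtype,
                "severity": SEVERITY.get(rtype, "medium"),
                "unexpected": sorted(added),
                "missing": sorted(missing),
            })
    # Most serious first so an NS takeover is never buried under an A change.
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def summarize(findings):
    if not findings:
        return "OK: all control records match baseline"
    return "\n".join(
        f"{f['severity'].upper()} {f['domain']} {f['type']}: "
        f"now {f['unexpected']}, baseline entries missing {f['missing']}"
        for f in findings
    )


if __name__ == "__main__":
    print(summarize(check_domain("example.com", BASELINE, observed_lookup_tampered)))
```

Run it from cron against `live_lookup` and page on any non-empty result; an NS finding should be treated as loss of control of the zone.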

Lufthansa Has Banned AirTags In Luggage

Posted in Commentary with tags on October 9, 2022 by itnerd

According to Boing Boing, the German airline Lufthansa has banned AirTags in luggage:

Lufthansa argues that baggage trackers fall in the category of portable electronic devices, and are therefore subject to dangerous goods regulations issued by the International Civil Aviation Organization (ICAO). This is specifically because of the transmission function. Lufthansa claims that the transmission function needs to be turned off during flight when in checked luggage, just as is required for cell phones, laptops, etc.

And the airline’s twitter feed has seemingly confirmed this:

The Boing Boing article has an alternate view:

My first thought is that I’m not surprised to see Lufthansa be the first airline to add a ban like this. Lufthansa isn’t exactly a customer-friendly airline, and the airline has had an awful summer when it comes to lost bags (I even had a delayed Lufthansa bag experience). AirTags empower travelers in terms of knowing exactly where their bags are, and I imagine that’s something some airlines don’t actually like. If you look at Twitter, you’ll see a ton of people expressing frustration with Lufthansa because they know exactly where their checked bag is, while the airline refuses to help.

I’ve wondered why it took this long for an airline to do this. After all they don’t want to be called out on losing luggage seeing as lost luggage has become insanely common these days. So if they can find any excuse to ban AirTags, they will.

Here’s the other part of this: how will they enforce this? Are they going to come up with some sort of scanner to find them? And if they do find them, will they remove them or remove the passenger? Does this also apply to Tile or Chipolo products? They do the same thing as AirTags, but don’t have the network that AirTags have. I guess that they’re not afraid of those products catching them out when it comes to losing passengers’ bags.

I’m pretty sure that AirTags will continue to be used by passengers, which will lead to more stories of passengers tracking their lost luggage and calling out airlines because of it. I’m also pretty sure that as this story gets out, Lufthansa will get a whole lot of bad press, which may make them rethink this ban. And that will make other airlines think twice about doing something similar.

Meta Sues Chinese Developers Over Stealing Facebook Login Info

Posted in Commentary with tags on October 9, 2022 by itnerd

Earlier this week, I told you about Meta sending notifications to roughly a million people that their Facebook accounts were compromised by account-login-stealing malware hosted in the Google Play Store and Apple App Store. Well, Meta has filed a lawsuit against several Chinese developers doing business as HeyMods, Highlight Mobi, and HeyWhatsApp for developing and deploying this malware starting May 2022. You can read the full details of the lawsuit here. But here are the highlights. According to Meta:

  • The threat actors created this malware and posted them on their own website, as well as the Google Play Store and other Android app download sites.
  • Once the apps were downloaded and installed, the users were prompted to enter their WhatsApp user credentials and authenticate their WhatsApp access on these applications.
  • The credentials were then sent to the threat actors.
  • Meta worked with Google to take out these apps.
  • Meta is suing the developers for breaching WhatsApp’s terms of use and Meta’s developer agreement.

Now I seriously doubt that Meta will get a cent from these developers as it is highly unlikely the Chinese government will assist a US court in holding its citizens responsible for something like this. But that’s not the point of this lawsuit. It’s meant to send a message that Meta will come after anyone who does anything to harm the company or its users. And I for one hope that this is the first of many lawsuits filed to go after threat actors like these as it will place pressure on the Chinese government to deal with these threat actors or risk losing respect in the international community.

UPS Is Being Used In An Email #Scam

Posted in Commentary with tags on October 9, 2022 by itnerd

UPS appears to be the latest company that I’ve found that a threat actor has decided to use as part of an email scam. The email in question looks like this:

It appears to be from UPS, but the UPS logo is wrong. The quality of the English is also a #Fail, as evidenced by phrases like “Your package was stopped at the distribution hub due to incomplete delivery informations.” The tracking number is also not consistent with the format that UPS uses. And finally, there’s the email address.

Clearly this isn’t a UPS email address.

Other than that, the colours that are used are pretty much on point. It won’t fool most people. But I can imagine that a few might fall for it.

So, what’s the endgame here for the threat actors? I can’t say as when I tried to access the site that was linked in the email, it didn’t appear. Perhaps someone already took it out or the threat actors have moved on? It’s hard to say. But I can safely say that if this email hits your inbox, delete it.
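Three of the tells above can be checked mechanically: the sender’s domain, the tracking-number format and where the link actually points. The following is an added example, not code from the post, that scores a message on those indicators; the email is constructed, the link host is a placeholder, and the pattern covers only UPS’s common “1Z” tracking format (1Z plus 16 alphanumerics), which is an assumption of this check.

```python
"""Score a delivery-notification email on the indicators the post calls out.

Added example; SAMPLE_EMAIL is constructed and the 1Z pattern is an assumption
(UPS also has other tracking formats, which this check does not cover)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"ups.com"}
UPS_1Z = re.compile(r"1Z[0-9A-Z]{16}")

SAMPLE_EMAIL = """\
From: UPS Delivery <notice@ups-parcel-update.example>
To: victim@example.net
Subject: Your package could not be delivered

Your package was stopped at the distribution hub due to incomplete delivery
informations. Tracking number: UP-5581-99127.
Confirm your address here: http://track-ups-status.example/confirm?id=5581
"""


def _domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _is_legit(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(raw):
    """Return a verdict plus the concrete indicators that drove it."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = _domain_of(msg.get("From", ""))
    if not _is_legit(sender):
        findings.append(f"sender domain {sender!r} is not a UPS domain")
    # Anything labelled as a tracking number that does not fit the 1Z format.
    for t in re.findall(r"[Tt]racking number:?\s*([A-Za-z0-9-]+)", body):
        if not UPS_1Z.fullmatch(t):
            findings.append(f"tracking number {t!r} does not match UPS 1Z format")
    # The displayed brand says UPS; the link host is what the click goes to.
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = urlparse(url).hostname or ""
        if not _is_legit(host):
            findings.append(f"link points to {host!r}, not a UPS domain")
    if len(findings) >= 2:
        verdict = "likely phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```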

Are You Having Issues With A Brother Printer Being Able To Print After Being Asleep For A While? Here’s A Possible Fix That Their Tech Support Won’t Tell You About

Posted in Commentary with tags on October 8, 2022 by itnerd

I along with a few of my clients have had consistent issues for about a year or more with Brother printers that won’t print after being asleep for a period of time. Sometimes as short as an hour. In my case it’s an issue with the Brother HL-L2390DW that I got to replace a printer that died. It was working fine in my case, but I am guessing that a firmware update that I applied to it made it behave this way.

After doing some research and some testing, I’ve found a partial solution that either Brother’s tech support doesn’t know about or won’t tell you about. I say that because I contacted Brother’s tech support department and they danced me all around doing a variety of things to the printer including accusing me of not using genuine Brother toner before they blamed my network. Then blamed my PCs, Macs, and iPhones for the problem. Which frankly is just poor customer service on their part as this is clearly their issue.

Part of the issue seems to be that Brother has a “deep sleep” mode that isn’t part of the printer’s configuration settings that the user of the printer has access to. Instead, it’s buried in a hidden menu that requires a “Konami code” to get access to. Why Brother has done this I have no idea. But when this is enabled, I have consistent issues. Here’s what I did to try and deal with this on the HL-L2390DW:

  • Press menu
  • Go into General Setup
  • Go into Ecology
  • Go into Sleep Time
  • Press the minus key (-) and the Stop/Exit key at the same time
  • Turn off Deep Sleep

When I disabled “deep sleep” it improved things, but my problems didn’t go away completely. This goes back to the fact that I think Brother screwed something up in one of their firmware updates and they haven’t bothered to fix it. But others have reported that their issues have gone away. Thus your mileage may vary on this front. But I did do one other thing to further improve things. More on that in a bit.

From my research, other Brother printers have this “feature”. Though it sometimes requires different keys to press to get into the hidden menu. To help you with that, I have this link to a number of YouTube videos that detail how to do this on a number of Brother printers as YouTube is what started me down the path of finding out what the issue was and how to fix it. Thus if you do a search of YouTube for your Brother printer, you should be able to find the directions that you need.

Now I get why Brother might want to have a deep sleep mode like this, as it helps with the energy consumption of the printer and that’s something that some countries and some people really care about. But why Brother hides this is beyond me, as it likely took them a healthy amount of effort to create a hidden menu option for this that appears to be different on a variety of printers that they make. Would it not make sense to have this as part of the regular menu structure so that users can choose to disable it if they want? It certainly would be easier.

Back to how I appear to have fixed this. I did one additional thing that required me to log into the printer using a web browser. Using the IP address that my printer was using on my network, I got a page that looks like this:

You will have to log in via the login prompt at the top. If you’re looking for the password because you don’t know it and maybe you didn’t know that there was a password, there is typically a sticker on the back of Brother printers that has the password. Once you log in, click on “Network” at the top, then click on “Interface.” You will see this:

You want to enable WiFi Direct. It will force you to restart the printer when you click submit. Since I did that I’ve been able to print without issues for the last day or so. But I will continue to monitor the situation. My guess is WiFi Direct does something to keep the printer either awake, or it keeps it alive on the network. Which in turn makes this issue go away. At least for me so far.

If Brother reads this, they may want to explain why they really haven’t addressed this, as based on the sample size of people who have complained about this issue, they are not doing themselves any favours by having this issue out in the wild and not addressing it in any meaningful way. I’d also like to know why it makes sense to Brother to force customers to Google for potential solutions and rely on people like me to try stuff and be kind enough to share their knowledge. I ask these questions because as it stands, their odds of making repeat or additional sales have just nosedived because of all of this. And my odds of recommending their printers to my clients are zero the longer that Brother doesn’t address these issues.

Brother may want to have a think about that and take action accordingly.

RatMilad Android Malware Targets Middle East Users In New Campaign

Posted in Commentary with tags on October 7, 2022 by itnerd

Zimperium released a blog post on Wednesday that details a novel Android malware called RatMilad which is targeting Middle Eastern enterprise mobile devices by concealing itself as a VPN and phone number spoofing app:

The original variant of RatMilad hid behind a VPN, and phone number spoofing app called Text Me with the premise of enabling a user to verify a social media account through a phone, a common technique used by social media users in countries where access might be restricted, or that might want a second, verified account. Armed with the information about the spyware, the zLabs team has recently discovered a live sample of the RatMilad malware family hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me.

The phone spoofing app is distributed through links on social media and communication tools, encouraging them to sideload the fake toolset and enable significant permissions on the device. But in reality, after the user enables the app to access multiple services, the novel RatMilad spyware is installed by sideloading, enabling the malicious actor behind this instance to collect and control aspects of the mobile endpoint. As seen in the demo installation video below, the user is asked to allow almost complete access to the device, with requests to view contacts, phone call logs, device location, media and files, as well as send and view SMS messages and phone calls.

Clearly the threat actor or actors behind this are sophisticated. Which makes them very dangerous.

Dale Waterman, who is based in Dubai and is the Managing Director at Breakwater Solutions for the Middle East, noted:

“The fact that this version of the RatMilad malware is targeting mobile phone users in the Middle East with Android operating systems by hiding behind a fake VPN comes as no surprise. Cybercriminals are using trusted platforms like Telegram and WhatsApp to distribute download links to the spyware because they recognize that many governments in the region do not permit the call functionality of apps like WhatsApp. Residents are able to use messaging, but not the (free) call services. If you consider the number of expats living and working across the Middle East, with many away from immediate family and loved ones, then it becomes obvious why bad actors would use a VPN scam to socially engineer access to devices. This is compounded by the fact that GDPR-like privacy laws are only now being implemented across the Middle East, but not actively enforced yet by most data protection authorities. Consumers in the region are therefore completely de-sensitized to being constantly bombarded with unsolicited marketing and offers. This reduces the likelihood of consumers questioning the origin of the messages.”

This just highlights that you have to have your head on the metaphorical swivel when it comes to threats as this one is distributed via platforms that are trusted by many.

Facebook Issues Security Warning…. Scam Apps Stole Login Credentials For 1 Million Users

Posted in Commentary with tags on October 7, 2022 by itnerd

Meta/Facebook has put out a security warning to around one million users that their login credentials may have been stolen by scam apps. That’s a bad look for Facebook. But it’s a worse look for Google and Apple, whose stores hosted these apps. Here are the details:

Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Google’s stores. In a new report, the company’s security researchers say that in the last year they’ve identified more than 400 scammy apps designed to hijack users’ Facebook account credentials.

According to the company, the apps are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to “Log In with Facebook” before they can access the promised features. But these login features are merely a means of stealing Facebook users’ account info. And Meta’s Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.

“Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login,” Agranovich said during a briefing with reporters.

And if you’re wondering how Facebook is addressing this, here’s how:

Agranovich said that Meta shared its findings with both Apple and Google, but that it was ultimately up to the stores to ensure the apps are removed. In the meantime, Facebook is pushing warnings to 1 million people who may have used the apps. The notifications inform users their account info may have been compromised by an app — it doesn’t name which one — and recommends resetting their passwords.

Thus if you get a warning like this, don’t ignore it. But Apple and Google who let these apps on their respective app stores need to get their act together to stop this sort of thing from happening. Specifically Apple as the company has always argued that the App Store is a safe place. But this incident proves otherwise. And I am sure some people on Capitol Hill will want to get answers about that sooner rather than later.

Uber Exec Found Guilty Of Covering Up 2016 Hack

Posted in Commentary with tags on October 7, 2022 by itnerd

You might remember that Uber was hacked in 2016 and the company covered the whole thing up. The problem is that in the USA, that’s illegal and a day or so ago I had a reader ping me to say that someone walked the plank for that cover up:

On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

That should send a message to Uber, and anyone else who thinks that covering up the fact that they were hacked is a good idea. At least the company disclosed the fact that they were recently pwned again by Lapsus$, and it seems that this hack was eerily similar to the 2016 one. That’s progress I suppose. Though it illustrates that Uber really hasn’t learned anything from the 2016 hack. Which reflects poorly on Uber.