Security News Bites For The Week Ending January 18, 2019

January 18, 2019 CyberCecurity Leave a comment

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update: The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper. All computers and servers were turned off and the city disconnected from the Internet. While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next. It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000, We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks. Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion. Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent. China is a very important growth market for China since most of the western world is i-saturated. If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales. Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead. Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10. While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue). Not to worry though, Apple still has over $100 billion in cash in the bank. (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm. In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China). This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above. (Source: Bleeping Computer).

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover. The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage. It is reasonable to assume if we found these holes, there are more to be discovered. In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management. Just because a vendor is big does not mean that it is secure. Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now. Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned. Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors. Of them, 5 did not always use multi-factor authentication when accessing missile information. They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes. That fundamentally is the problem. If there are no consequences to ignoring the rules, then many people just won’t bother. Source: Motherboard.