Ruminations

Bitpourri - Four Ways To Fail

Welcome to Bitpourri, where we post tidbits that aren’t lengthy enough to warrant a full blog post of their own but still merit sharing. These (usually) unrelated vignettes are quick and easy reads for when you're interested in some food for thought but are feeling more “snackish” than ready for a full meal. You can find more of our Bitpourri series here.

In this edition of Bitpourri we're touching on several different security related topics ranging from preventative measures, bad security practices, bad product security and corporate greed.

• Nevada Scraps the App
• Insecurity Bowl
• Network and Highway Traffic
• Secrets of a Jumpshot

In response to the recent Iowa caucus debacle, the Nevada State Democratic Party (NSDP) has scrapped its plans to use an app to tabulate and report the results of the Nevada caucuses. This comes as no surprise considering it's the same app by Shadow, Inc that the Iowa Democratic Party (IDP) used with chaotic results.

To NSDP's credit, they had backup plans in place for both recording and reporting the caucus results. Nevada will now be using those backup plans as their primary method of counting the votes.

The IDP had paper backups too (the best kind of backups for voting). But they were not prepared to execute their backup plans from an operational standpoint. The IDP also had a call-in number for manually reporting vote counts. Unfortunately, it was jammed by internet trolls who deliberately interfered with the caucus results. IDP should have used a service for the call-in number that required a PIN.

On a related historical note, in 2002 an established Republican operative named Allen Raymond was hired to tie up the phone lines of the Democratic Get Out the Vote effort. This happened during the hotly contested 2002 Senate race between John Sununu (R) and then-Governor Jeanne Shaheen (D). Sununu won by a narrow margin. Raymond, along with several others, was later indicted for taking part in the RNC-funded effort. Raymond and two others were convicted in 2005 (one of the convictions was overturned on appeal).

There's nothing bigger than the Super Bowl, except for the social media frenzy that surrounds it. In the week leading up to the Super Bowl, social media accounts of the NFL and almost half of NFL teams were hacked (including the Chiefs and 49ers).

• Twitter
• Facebook
• Instagram

Not only did ESPN and UFC suffer a similar fate, but a week later Facebook's own Twitter and Instagram accounts were compromised. The same group was responsible for taking over all of these accounts.

You probably have two questions:

• How is it that multi-billion-dollar corporations can all get hacked at the same time?
• If those companies aren't safe, how am I ever supposed to protect my accounts?

How did so many NFL properties each have multiple social media accounts hacked at the same time? Without insider knowledge I can only speculate.

For the NFL, I would guess that each of the compromised entities used a predictable format or pattern for their passwords. Something like "KC-Twitter", "SF-Twitter" and "NFL-Twitter" comes to mind. Not only would this allow the attackers to guess the passwords of additional teams, but also additional social media platforms.

As for ESPN, the UFC and Facebook, each probably used a pattern of their own (but a pattern nonetheless). Using these types of predictable patterns is a very poor security practice.

So, what can you do to protect your one-of-a-kind collection of memes, cat photos and posts about what you had for lunch? The same thing the corporate giants mentioned above should have used: Multi-factor Authentication (aka Two Factor Authentication or 2FA).

The simplest way to describe 2FA is "something you have and something you know". Typically, "something you have" refers to your cell phone for a hardware security key. If you've ever received a text with a one-time code, then you've used 2FA. The "something you know" is usually a password or PIN. When combined together it is much more difficult to compromise an account (when compared to just using a password).

You can enable 2FA on all the major (and most minor) social medial platforms, as well as your email service providers. So, what are you waiting for? You should set up 2FA on all your accounts (once you've finished reading this post).

An amusing anecdote resulting from the critical Citrix ADC & Gateway products vulnerability. NU.nl reported that many Dutch ministries (government offices to those of us in America) shut off their Citrix VPN infrastructure to protect against this security hole. The unintended consequences? Very few government employees were able to work from home, resulting in traffic jams.

Most of you reading this aren't going to muster up much sympathy for these workers who now have to drive to work. But would you really want them making your commute even worse?

For those of you unfamiliar with CVE-2019-19781, it affects important parts of corporate networks. The flaw is so severe that Homeland Security has issued multiple alerts about it. With 80k corporate LANs at risk, and proof of concept code in the wild, it's no surprise that ransomware attackers are taking advantage of it. On a scale of 1–10, this vulnerability rates an 11.

Considering the potential risk of this vulnerability, a few traffic jams is really the best-case scenario.

Jumpshot is, or rather was, a subsidiary of the antivirus company Avast. Jumpshot shutdown their operations suddenly last month.

Jumpshot claimed to be a data analytics company. But leaked documents reveal it was really selling any and all data it could collect from anyone — and every device — using Avast software. Antivirus provider AVG was also funneling user data (your data) into Jumpshot.

So, what was Jumpshot selling? 'Every search. Every click. Every buy. On every site.' from hundreds of millions of users. Of course Avast framed it differently. But if Jumpshot were legitimate Avast would not have shutdown the company within days of the truth getting out.

Companies like Jumpshot need customers. These include companies like Google, Microsoft, IBM, Expedia, Intuit, Pepsi, Loreal and Home Depot (to name a few). And these "customers" are just as guilty of peering into your private data as Jumpshot is for selling it.

It's always jarring to find out this kind of abhorrent behavior exists in the corporate world. Many internet pundits claim that "If the service is free then you are the product." But with the case of Avast and AVG, your private data was the product whether you were using the free or paid version of their products. And that includes their corporate customers.

---