BTH News 08August2020
This Week In Cybersecurity
This week on Between the Hacks, Black Hat keynote addresses election security, more fallout from the Blackbaud breach, the NSA warns of location tracking abuse, 20 GB of Intel data is leaked and watch the DEF CON YouTube channel.
U.S. Voting Equipment Still Riddled With Flaws
To kick off this year’s virtual Black Hat security conference, Matt Blaze, the McDevitt Professor of Computer Science & Law at Georgetown University, gave a keynote address where he shared his research into election and voting machine vulnerabilities.
Bank Info Security reported that, ,”in his keynote address, Blaze called upon the tech community to help secure the elections. ‘So our expertise in this community is central to many of the problems that we have here. And I think the optimistic note is that we can do this, but we need to engage now.’
Prior to COVID-19, much of the election security research focused on voting machines, but according to The Register, “The outbreak of coronavirus, has shifted Blaze's gaze to absentee voting systems, which pre-COVID-19 weren't such a high priority.”
The same day as the Blaze keynote, the U.S. Department of State announced that it, “is offering a reward of up to $10 million for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities.”
To learn more about the vulnerabilities and challenges with many of today’s voting machines, read this Between The Hacks coverage of the HBO documentary, Kill Chain.
Blackbaud Round 2
As reported last week by Between the Hacks, “Blackbaud, a US-based cloud provider that primarily serves educational institutions and nonprofits, disclosed that it sustained an attempted ransomware attack in May during which the attackers were able to exfiltrate some customer data.” This week we saw additional organizations impacted and it seems likely that this list will grow in the weeks to come.
While this is not an exhaustive list, we are seeing many more U.S. organizations and institutions of higher learning being added to the list this week.
Texas State University, the Texas Health Resources Foundation, the ACLU, the Cancer Research Institute, the Louisiana Tech University Foundation and others, reports The Dallas Morning News.
EdScoop reports that 23 campuses of the California State University system may have been impacted, as well as Lenoir-Rhyne University, a private school in Hickory, North Carolina.
Blackbaud’s website also lists the University of Notre Dame, University of South Dakota, University of Central Arkansas and Wake Tech Community College in Raleigh, North Carolina as impacted by the breach.
The Vermont Food Bank, Planned Parenthood, the George W. Bush Presidential Center, Vermont Public Radio, the Rhode Island School of Design and Human Rights Watch have acknowledged notices from Blackbaud, according to The Non-Profit Times.
Britain's National Trust has warned volunteers of a data breach linked to the Blackbaud data breach in May, according to Infosecurity Magazine.
NSA Warns Mobile Users of Location Data Abuse
The National Security Agency (NSA) is warning mobile devices users of the privacy implications and data exposure of using mobile devices. In their advisory entitled, Limiting Location Data Exposure, the NSA writes, “Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”
The advisory shares that GPS, Wi-Fi, Bluetooth and cellular communication can, and is, often used to track a specific device and advises that these be turned off when not needed and limited in their permissions when they are used.
What Can You Do?
The NSA recommends the following mitigation steps for users with location sensitivities.
Disable location services settings on the device.
Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.4
Apps should be given as few permissions as possible:
Set privacy settings to ensure apps are not using or sharing location data.
Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either notallow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to location are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.
Disable advertising permissions to the greatest extent possible:
Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.
Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.
Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to notallow location data usage.
Use an anonymizing Virtual Private Network (VPN) to help obscure location.
Minimize the amount of data with location information that is stored in the cloud, if possible.
If it is critical that location is not revealed for a particular mission, consider the following recommendations:
Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure thatthe mission site cannot be predicted from this location.
Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.
DUMPSTER FIRE OF THE WEEK
The Dumpster Fire of the Week: 20 GB Intel Data Breach
Intel has suffered a data breach that includes more than twenty gigabytes of internal documents. A Swiss software engineer named Till Kottmann published the documents, most of which are marked “confidential.” Kottmann claims that his source hacked the company sometime around May this year, according to Engadget.
CyberScoop reports, “the files did not contain any personally identifiable information on Intel employees or customers.” In a statement to Tom’s Hardware, Intel wrote, "We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data." The Intel Resource and Design Center is a web portal where Intel provides non-public technical documents to business partners integrating Intel chipsets into their respective products, according to ZDNet.
Tip of the Week
DEF CON on YouTube
This week, DEF CON and Black Hat were delivered virtually. While DEF CON posts many of the talks on YouTube, the fact that the whole conference was virtual has prompted daily uploads of great content. If you have any interest in security (and if you’re reading this blog, I suspect that you do), you’re bound to find a lot of interesting content on the DEF CON YouTube channel.
