Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday August 20th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes Dinah Davis, vice-president of research and development at managed service provider Arctic Wolf will be here to discuss some of the news from the past seven days. But first the highlights:
American cellular provider T-Mobile has admitted that someone recently copied data on almost 48 million current, former or prospective customers. Most were people who had applied for credit with the carrier, but the stolen data included their names, dates of birth, Social Security numbers and driver’s license numbers. This is one incident Dinah and I will talk about.
UPDATE: After this podcast was recorded T-Mobile added more information about the hack. The total number of victims has increased, as has the amount of data stolen.
Initially the carrier said information from about 40 million former or prospective T-Mobile customers, including first and last names, dates of birth, Social Security numbers and driver’s license/ID information, was compromised. It has since identified an additional 667,000 accounts of former T-Mobile customers that were accessed, with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
The carrier also initially said that information from approximately 7.8 million current T-Mobile postpaid customer accounts, including first and last names, dates of birth, SSNs, and driver’s license/ID information, was compromised. T-Mobile now says phone numbers, as well as IMEI and IMSI information — the identifier numbers associated with a mobile handset and its SIM, respectively — were also compromised. Additionally, it has identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
BlackBerry warned software developers and manufacturers using its QNX operating system that some older versions of its development platform as well as special versions of the OS have a vulnerability that has to be patched immediately. QNX is a real-time embedded operating system used in a wide range of industrial systems including medical ventilators, medical robots, train controls, cars, and factory automation systems. How many devices are affected isn’t known.
The SynAck ransomware group has rebranded itself as El_Cometa. According to one news site the low-profile group apparently wants to be bigger, because it plans to launch a ransomware-as-a-service platform to draw partners and spread its malware. Chuck Everette, director of cybersecurity advocacy at Deep Instinct, told me this week that ransomware groups often re-brand themselves if they start getting bad publicity after attacking sensitive targets like hospitals and oil pipelines.
Speaking of oil pipelines, Colonial Pipeline in the U.S. has started alerting some 5,800 current and former employees that their personal information was stolen during the ransomware attack in May.
A vulnerability has been found in a software development kit, or SDK, from a company called ThroughTek. Manufacturers use the platform because it has a protocol for wirelessly connecting products to a mobile app. Possible devices that could be hacked include certain models of baby monitors, wireless video cameras and digital video recorders.
Another vulnerability was found in a software development kit that goes with some chipsets made by Realtek. These chipsets and SDKs might be in certain models of internet gateways, Wi-Fi equipment and even toys that have been sold for years. Dinah and I will have a few words to say about SDKs.
Finally, in another one of those ‘oopsy’ moments, someone left open on the internet a terrorist watch list created by U.S. authorities. A security researcher found it. We don’t know if anyone else did.
(The following is an edited transcript. To hear the full talk play the podcast.)
Howard: Hi Dinah. I thought today we’d talk about the T-Mobile data breach, two incidents involving software development kits and the BlackBerry QNX alert.
Let’s start with BlackBerry. For those who don’t know, QNX is a secure operating system that is embedded in devices. It can be found in everything from car entertainment systems to aircraft cockpit displays to running nuclear reactors. In this case, BlackBerry found a vulnerability in its software development platform and two specialized versions of QNX, one called QNX Safety, for applications that demand extra safety certification, and QNX for medical devices. You used to work for BlackBerry. Do you have a little bit of familiarity with the QNX operating system?
Dinah: A little bit. I worked on the handheld side, but I was at the company when we purchased them. It’s a strong system … And you know, BlackBerry’s a company that is quite focused on security. I know when I was there, we had three pillars and one of those pillars was always security. So this BlackBerry story is a little surprising, because they usually come out on top in the security conversations.
Howard: One of the things that’s controversial are allegations on the news site Politico that U.S. cyber authorities believe that QNX was vulnerable to the same memory overflow bug that was found a number of months ago by Microsoft. And the claim is BlackBerry didn’t want to publicly acknowledge this. I tried to get hold of BlackBerry to talk about this and the alert that they had issued, but they would only refer me to their press release.
Dinah: These decisions can be hard for companies. Did BlackBerry make the right decision in holding on to this information? I don’t know. I’m always a little bit more towards disclosure, but there might’ve been good reasons not to. Maybe they were worried about hackers taking advantage [of news of the vulnerability]. I can only speculate. There’s something going on here and it would seem that maybe they should have disclosed sooner, when everyone else was disclosing about the same kind of bug that Microsoft had found.
Howard: The other thing that I found interesting about this news was that it raises the issue of the ability of companies to patch embedded operating systems. Some manufacturers have internet-connected toys, surveillance cameras, drones, baby monitors, and they’ll use free operating systems in these devices to cut costs. And a number of them don’t care if the software can’t be patched. I would assume that companies that have to pay for BlackBerry QNX would have capabilities built into their systems so that they can be updated. Can you talk a bit about the difficulty of updating systems that run on the operational technology [OT] side, which is where QNX would be used?
Dinah: Anytime you’re using an underlying system in your product, you’re going to be beholden to it. We all use some type of operating system, whether it’s iOS, MacOS or Windows. And anytime there’s a vulnerability in one of those things, we’re all beholden to that. The key is a lot of these operating systems will ensure that they have an update mechanism. So, similarly, when Microsoft licenses their [Windows] operating system to Dell or Lenovo or other companies they still have mechanisms to update, because it’s software running on hardware. The tricky part becomes when it’s software running in the background. It’s not like a user can go and choose to do an upgrade.
So manufacturers have to make sure that they’re also allowing for updates to occur. In some cases you need to make sure that you’ve implemented the APIs and the calls that will allow for those updates. And one would hope that anyone using QNX has done that, because it’s usually bought by people who are building substantial things like medical devices. If they haven’t and they overlooked that, then there are going to be devices out there that are going to have issues.
Howard: And it’s up to the IT department to make sure that devices that are bought by various departments [can be updated]. If a hospital’s medical staff are buying scanners and other technical devices that have…