Security News for the Week Ending January 29, 2021

Adult Web Site Hacked; 2 Million Records Leaked

Most visitors to adult web sites do not want to be “outed”, but that is exactly what happened to 2 million customers of MyFreeCams. While the data stolen (username, email, UNENCRYPTED passwords and account balance) is not that sensitive, the fact that someone has an account there at all could be used to blackmail their customers. As is too often the case, the site discovered the breach when the media asked them if the data they had was legit. Ouch. Credit: Cybernews

FBI’s Goal of Weakened Encryption Might Backfire on All of Us

A group associated with Hezbollah known as Lebanese Cedar has hacked telephone companies and Internet providers in the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority and the UAE. At least. Reports have identified at least 250 servers that were compromised by the group. If the FBI gets their way and we add more holes in the security scheme, that will only make the job of hacking us and ransomware easier for terrorists. That doesn’t seem like a great plan. Contrary to their wishes, there is no way to create a hole that only the good guys can use. Credit: ZDNet

Open Source Library Flaws Used by DoD & IC for Satellite Imagery Could Lead to Takeovers

Nitro is a software library used by the Defense Department and Intelligence Community to store, transmit and exchange satellite images. Researchers at GRIMM discovered bugs in Nitro which they think could have led to system takeovers. The good news is that the researchers, who were working with DHS CISA, alerted the vendor, and the vendor released a fixed version the following day. Credit: SC Magazine

Air Force Intelligence Officer Planned to Sell Secrets to Russia

Elizabeth Jo Shirley, an Air Force Intelligence Officer, kidnapped her daughter to Mexico and planned to defect to Russia with top-secret information. She worked at the NSA, Department of Energy and other government agencies for nearly 20 years before she went rogue. She was sentenced to 97 months. Credit: The Register

Law Enforcement Hacks Emotet and Netwalker

Netwalker

The cops are fighting a game of whack-a-mole with the hackers and likely always will, but this week they whacked hard and had a couple of wins.

In a multi-nation effort including the US, UK, Europol and many others, the good guys (and ladies) took control of the command and control servers for the Emotet malware. Emotet is a huge player in the spam/malware game and this coordinated takedown will set them back a bunch. They had been working on this takedown for three years.

This doesn’t mean that they won’t be back, but it does mean that they will need to basically start over, conning people to click on the wrong links and compromising those computers again. Credit: Homeland Security Today

At the same time, law enforcement from the US and Bulgaria disrupted the Netwalker ransomware gangs by taking down their servers and indicting a Canadian who reportedly made over $25 million using the Netwalker tools. Credit: Metacurity

While these hits are great and high profile, and will definitely have at least a short term effect, there is too much money being made to have the hackers just quit. I don’t think it will deter many hackers, unfortunately.

As long as users and companies don’t treat the threat seriously enough, the hackers will just come back. After all, to paraphrase an old politician – hack a billion dollars here and a billion dollars there and after a while, it adds up to real money.

Microsoft Teams – Hacker’s Choice

At the beginning of the pandemic (can you remember that far back?), Teams had about 32 million daily users and was trying to compete with Slack. As of December, Teams had an estimated 115 million daily users. Teams is the de facto communications and collaboration app for anyone using Office or Microsoft 365.

As of December, analysis says that only 1 in 4 users in a Microsoft 365 shop actually uses Teams on a daily basis. That means that 115 million users could turn into, say, 450 million users.

Is that a juicy enough target for the average hacker? I think so.

What are some of the Teams weaknesses?

  • With one click, sensitive information can be forwarded outside the organization, either by user error, insider threat or hackers that compromised an account.
  • External members might be added to a channel, and team members may not realize that there are external members on a certain channel and share proprietary or confidential information.
  • Compromised partner accounts could be used by hackers to attack the organization’s end users, while the organization has no control over the security of its partner.
  • Channels created by partners do not give the organization visibility, via admin or API. Accordingly, the company cannot know what has been shared on these channels and the data goes unaudited.
  • End users generally share anything in Teams, including sensitive information, because they assume that, unlike email, it is not monitored or archived.
  • Links in the chat are not scanned at all.
  • Files are scanned, but not instantly and only for basic issues. That means that malware can sit in the chat for hours at a time.

Hackers are taking advantage of this in two main ways:

  • Starting with a compromised Microsoft email account, they use those credentials to log in to Teams.
  • Using the trust that users inherently have in other Teams users, they get the users to respond to messages, click on links and download shared files.

This means that businesses need to up their security when it comes to Teams. One place to start is with employee training. Credit: Dark Reading

Are Your Internal Systems Exposed?

Of course your first answer is no. Internal systems are only visible internally. But you made changes in a hurry to deal with Covid.

Here is the story of one researcher. He is the head of hackers at an ethical hacking firm, Intigriti.

Companies use software like JIRA and Asana to create tickets for all sorts of reasons. As these service desks have become publicly visible, it is likely that changes to the configurations were not made to protect that software appropriately.

Here is what the researcher did.

He started with 10,000 popular domain names.

1,972 had Atlassian instances associated with them.

288 were open to the public (this is an increase of 12% since the Covid crisis started).

He then signed up for accounts on these domains.

Sometimes he could access HR tickets, Office helpdesks, marketing, data science and other departments.

Sometimes it included requests to reset MFA or unlock an account.

About a third of the accounts he created allowed him to assign tickets to other people.

Okay, so this sounds like a problem. What did he/could he do?

MORE THAN 85% OF THE COMPANIES FOR WHICH HE WAS ABLE TO CREATE AN ACCOUNT DID NOT HAVE A WAY TO RESPONSIBLY REPORT THE VULNERABILITY.

Does your company have a way, one that is easy to find?

The companies that did respond rated the issue anywhere from accepted to critical. He was offered rewards ranging from 50 Euros to $10,000.

Is this a bug in JIRA? No. No more so than you leaving your front door open when you go to work is a bug in the door.

Is this being exploited in the wild? Likely it is.

Is this limited to JIRA? Absolutely not. It could be an issue for any software that is exposed to the public Internet.

Could you be exposed? Do you have systems that are publicly visible? If so, then yes.

Does this affect cloud based systems? It is certainly possible. In this case, it was a cloud based system.

The only way to be sure is to inventory your systems and look at them one at a time. Start with the ones that house data that you would not want to be posted publicly. Credit: Medium

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on?” With that message Parler’s website is back online. Well, at least a one page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS web sites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purpose is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too can download the data that was scraped from the site during the last few hours of its existence. It is chunked down into 4GB pieces and more of it is being uploaded in real time. This will be examined and reexamined for a long time. Details can be found here.

Malwarebytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malwarebytes joins the long and getting longer list of those folks sucked in by the SolarWinds attackers. In their case, they did not use SolarWinds but were compromised by other techniques used by the SolarWinds attackers. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google engineer who went to work for Uber’s self driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million fine, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Google settled its lawsuit against Waymo in 2018 and paid a multi-hundred-million dollar fine. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group Shiny Hunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

How The Law Decrypts Your Phone’s Encryption

Law enforcement agencies around the world have been whining about the “going dark” problem at least since the early 1990s, when they tried really hard to put Phil Zimmermann in jail for creating encryption that mere mortals could use. There is no question that bad folks use encryption to hide stuff, but good folks also do, and it is going to be impossible to create a master key that will only be used by the good guys for good. Not going to happen.

So that leaves the police with the option of hacking your phone, which is less impossible than they often claim.

Johns Hopkins cryptographer Matthew Green managed a team of experts to tear apart the secrets and see what they found.

They looked at available documentation and also did some hacking. They also reviewed all of the existing news that they could find about what the cops have done in the past to break in.

Green thought, going in, that security on Apple and Google phones was pretty good, but coming out he realized that almost nothing is protected as well as it could be.

The researchers figured that it would be really difficult to steal any of the many levels of encryption keys that iPhones use, but that turns out not to be the case.

If your iPhone was powered off and someone turned it on, the security would be pretty good – what Apple calls “Complete Protection”. But as soon as you log in, you move from “Complete Protection” to “Protected Until First User Authentication”. That is likely the state your phone is in 99.99% of the time.

The major difference between these two states is that after the first login, many of the keys are available in memory. At this point, if someone can exploit your phone, getting those keys and decrypting the data those keys protect is easy.

This is likely how all forensic tools like Cellebrite and Grayshift work.

Android works very similarly except while Apple has a way for apps to protect small bits of data more securely after first login – like a banking password – Android does not have a feature like that. That means that tools like Grayshift can grab more data once you have logged in.
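The Apple feature referred to above is the Data Protection API: an app can place a file or keychain item in the "Complete Protection" class so its key is evicted from memory whenever the device locks, rather than the "Protected Until First User Authentication" class that most data defaults to. The following Swift snippet is an added example written for this article, not code from the researchers or from Apple; the function names, file URL and keychain service/account strings are assumed for illustration.

```swift
import Foundation
import Security

// Added example (not from the article): opting a secret into Apple's
// "Complete Protection" class so it is unreadable, and its class key is
// purged from memory, whenever the device is locked. Data left in the
// default "Protected Until First User Authentication" class stays
// readable once the phone has been unlocked once since boot.

// 1. A file written with .completeFileProtection can only be read while
//    the device is unlocked.
func writeSensitiveFile(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// 2. The "banking password" case: a keychain item marked
//    kSecAttrAccessibleWhenUnlockedThisDeviceOnly is unavailable after lock
//    and is never migrated to another device through a backup.
//    Service and account names are assumed values for the example.
func storeSecret(_ secret: Data,
                 account: String = "example-user",
                 service: String = "com.example.banking") -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    SecItemDelete(query as CFDictionary) // replace any older copy of the item
    return SecItemAdd(query as CFDictionary, nil)
}

// 3. Audit helper: report which protection class an existing file carries,
//    so sensitive files left in the weaker default class can be found.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}
```

Files already on disk can be moved to the stronger class with FileManager.setAttributes using the same .protectionKey, which is the quickest fix when the audit helper turns up sensitive data in the default class.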

Android also suffers from dozens of manufacturers and hundreds of models and many people who have not seen an upgrade or patch in years.

When the researchers explained what they had done to the folks at Apple, they basically said that they were concerned about protecting your stuff against street thieves and not well funded attackers and they chose user convenience over security (my words). From a marketing standpoint that makes sense, but they don’t really tell people that up front.

Google, like Apple, said these attacks require physical access (like what might happen when you cross the border and the customs person says “papers please” and “phone please”). They said it also requires these folks to know about bugs that have not been patched. Google said that you can expect to see additional hardening in the next release of Android.

If you think it is only the FBI or NSA that buys these Cellebrite and similar tools, you are very wrong. Researchers found nearly 50,000 examples of police in all 50 states using these tools between 2015 and 2019, and that was just what they were able to uncover. Law enforcement has not exactly volunteered that they can hack your phone at the push of a button.

Given this, you might wonder why the police are complaining about going dark. I think it is because they can’t just snoop on anything, any time, any where, including over the air and unless they can do that, they will complain. Credit: Wired