Category Archives: Breach

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum that says that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claims that were made that the reason they have no evidence is, well, because there were no log files being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers and at least one of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says that they own the copyright to it. A bit of a mess, but OnlyFans says they were not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage within the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – that you get to pay to repair – and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. The most recent case of that was the terrorist in Nashville who blew up a telephone company office and caused tens of millions of dollars of damage. A fence and a padlock: that is the most that is in their way. Credit: The New York Times via the Intercept. https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommends Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ staffers (GCHQ is the UK equivalent of our NSA) suggest a law banning insurance companies from paying ransoms in order to kill off the ransomware market. That would probably have some positive effect on it, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and rebuilding the computers, restoring what data you have and replacing the lost business for the data that you don’t have will cost you $2 million, the government needs to fork over the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (the “this is the insurance company’s problem, not mine” attitude). Credit: The Register

Why The Microsoft Exchange Email Hack is So Bad

The media continues to report on the Microsoft Exchange hack, likely perpetrated by China. Reports are that at least 30,000 Exchange servers in the United States are impacted and some people say that number is likely way underestimated. On top of that, the number of servers worldwide is maybe ten times that number.

Given all the media attention, you would think that everyone would, at least, install the patches. It appears that AT LEAST 46,000 servers are not patched, according to The Record.

So why is this a big deal? First, the attackers could read any email on those servers. Whatever that might contain. One organization affected was the European Banking Authority. They say that no data was accessed. Sure, we believe them.

Second, the attackers, in many cases, left behind a present called a web shell. It is a way for the attackers to get back into the server later. Many of our IT partners decided the only way to make sure that the hackers are really out is by rebuilding the servers from bare metal, not a simple task, especially if you have to do that to tens of thousands of servers.

So let’s look at the timeline involved. We are getting more details every day and this timeline is interesting. This timeline comes from Brian Krebs, whom Chris Krebs, former head of DHS CISA, called his brother from another mother (i.e. they are not related).

Security testing firm Devcore says they alerted Microsoft on January 5 – two months ago.

On January 6th, Volexity spots attacks that use unknown Exchange bugs.

On January 8th, Devcore told Microsoft that they had been able to reproduce the bug.

On January 27th, Dubex tells Microsoft about new attacks on Exchange servers.

On January 29th, Trend Micro reports in their blog about these web shells infecting Exchange servers, but incorrectly says this was allowed by a bug patched last year.

In February, Microsoft tells the folks who reported the bug that they had escalated the problem and that they had a target release date of March’s Patch Tuesday, March 9th.

By the end of February, the cat is out of the bag (it is hard to keep good news secret) and security folks are seeing global mass scans of Exchange servers looking for vulnerable systems.

This forces Microsoft’s hand and they release the patches a week before they planned to, on March 2.

By March 3rd, tens of thousands of Exchange servers have been compromised. Once the patch is out, especially knowing that it is an emergency patch, hackers worldwide reverse engineer the patch, likely within hours of it being released.

By this time it is a national security emergency and everyone from CISA (who told government agencies that they had 48 hours to patch their servers or shut them down) to the White House to the National Security Advisors are sounding the alarm bell.

On March 5th, Chris Krebs, former head of DHS CISA says that the real number of compromised servers dwarfs the numbers being reported.

Needless to say, this is a big problem.

A couple of interesting footnotes.

Microsoft says that Office 365 was not compromised. Why? Don’t know. Possibly their server configuration is different. Possibly, since they knew about the bugs in early January, they were able to tweak their security before the word got out. I vote for number 2. Apparently at this point, now that we know how the attacks work, it is easy to block new attacks.

Second, Microsoft released patches for every supported version of Exchange. That means that the bug goes back, at least, to 2013.

But wait. Microsoft even patched an unsupported version of Exchange – Exchange 2010. That means that the bugs go back at least a decade. Possibly more.

Now here is the question that we don’t have an answer to.

Were these bugs being quietly exploited for years? Remember if you do it quietly, you probably won’t get noticed.

If so, by whom?

China?

Russia?

Private hackers?

The NSA, CIA, Others?

Foreign intelligence agencies – friendly or not?

And if so, what have they stolen?

Likely we will never know the full extent of the attack, but between the SolarWinds hack and the Microsoft Exchange attack, one thing should be clear. We came to a gun fight with a spoon. And if we do not improve on our security efforts, we are going to continue to lose.

Right Wing Social Media Platform Gab.Com Hacked, Data Leaked

Last month, as Parler was being deplatformed by Amazon, it was hacked and many gigabytes of data were taken and later made public.

In what seems like a sequel, right wing free speech social media platform Gab.com was hacked and, again, data was stolen and later published.

It is reported that Gab is described as a haven for extremists including white supremacists, neo-Nazis, white nationalists, the alt-right and QAnon conspiracy theorists. If this is true, the data is probably of interest to a lot of people and may be “damaging” to the people who created it.

The site went down for a short period last week after saying there was an issue that only affected a few accounts.

When contacted by the media, Gab’s CEO said that there was no independent confirmation of the breach, which likely is true. That of course does not mean that they were not breached. He also said that they don’t collect much personal information. If what he means is that they don’t collect driver’s license numbers, he is probably right, but if what he means is potentially embarrassing or criminal-charge-causing posts, well, then, he might be wrong.

The CEO did admit that the site was vulnerable to a SQL injection attack that they fixed last week (like maybe at the same time that they went offline????).

The 70 gigabytes of data that has been leaked (so far) includes public posts, private posts, user profiles, hashed passwords, direct messages and plaintext passwords for groups.

Could the data be used by law enforcement to see if there is a connection with the January 6th riots at the Capitol? Probably.

Compared to the Parler leak, this could be, potentially, much worse, since it claims to contain both private posts and direct messages.

We also don’t know if the 70 gig of data leaked is all that was stolen or just the first installment.

Bottom line, assuming that something that you post on a public social media platform will remain private is probably not a great bet. Credit: Hackread

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-FedRAMP ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and of the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the Vulnerabilities Equities Process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point Research published a report talking about one failure where the Chinese figured out the bug we were using, one way or another, and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised through Accellion’s decades-old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades-old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. Their notice says that they don’t moderate and then proceeds to talk about all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, apparently, according to court documents, the FBI can get into iPhones that are in the “after first unlock” state (i.e. the phone has been unlocked at least once since power up, which is the case 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite, they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor or will it also allow iPhone users to also repair their phones? Credit: Vice

Security News for the Week Ending February 12, 2021

Law Firm Goodwin Procter Hacked

Goodwin Procter managing partner Mark Bettencourt confirmed that some of their clients’ data was compromised. But not to worry; it only affected a small percentage of their clients. One more time, we have a “supply chain attack”. While the vendor was unnamed, I suspect it was Accellion. They suffered a breach that is all over the news due to the high profile targets that suffered a loss. So now a very high profile law firm has to explain to its clients why its security was not good enough to protect their most sensitive data. If you are a client of a law firm, how confident are you that they can protect your data? Credit: ABA Journal

What Does This Mean for Cities?

Salesforce is joining other big tech companies in changing the work-life equation. This week they announced that most staff, after Covid, will only be in the office 1-3 days a week, many workers will never return to the office and a few workers will be in the office 4-5 days a week. This means that work from home security is now permanent, but it also raises questions about the implications for downtown big cities. Salesforce has 9,000 workers in San Francisco. If half of them never come to the office and another 30% come to the office 1-2 days a week, what does this mean for downtown retail and office space? Credit: MSN

State Department Declassifies Report on Cuba’s Sonic Weapon

You may remember reports of Cuba having a secret sonic weapon back in 2017-2018. A newly declassified report by the State Department’s own Accountability Review Board lambasted the department’s response to the attack as lacking leadership, having ineffective communication and being systemically disorganized. There are 104 pages of detail, but none of them paint the previous administration favorably. As a result of the botched investigation we will probably never understand what the weapon was that Cuba attacked us with. Credit: Vice

Ex-Students Plead Guilty to Stealing and Trading Nude Pics and Vids

Two former SUNY Plattsburgh (NY) students pleaded guilty to hacking coeds’ MyPlattsburgh portal accounts and stealing nude pictures and videos. The portal contains full access to the students’ email, cloud storage, college billing, financial aid, coursework, grades and other personal information. They either guessed passwords or guessed security question answers. When they found nude photos and videos, they traded them with others, in some cases identifying the students by name. They even posted some photos online. Credit: The Register

IRS Warns Tax Pros of Identity Thieves Targeting Them

The IRS is warning tax professionals that hackers are trying to steal their electronic tax filing credentials so that they can file fake returns, and those returns will be tied to those same tax pros. If you are a tax pro and need help, please contact us. Credit: Bleeping Computer