Category Archives: Hacks

Coming Clean After A Hack

A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.

The agency that holds the data, RENAPER (Registro Nacional de las Personas), translates as the National Registry of Persons.

The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.

But here is where things get messy.

The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.

The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.

Three days later the government concocted a story that says they discovered a VPN account was used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.

Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19 names – where did the rest of the data come from? And at the exact moment? Shouldn’t there be some delay between stealing the data and using it? At least a little delay. They went out of their way to say at the EXACT moment.

When the media contacted the hacker after the government published their likely made up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.

The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.

The hacker didn’t deny that the VPN leak was real. It is a possible point of data extraction.

I can’t guarantee that the government is lying and the hacker is telling the truth, but sure seems that way.

If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.

It is also a problem for citizens if their card is used to commit a crime.

BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.

The government may be trying to figure out what to do. Reissuing – SECURELY – 45 million ID cards quickly is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?

This is a challenge for everyone who gets hacked – government or otherwise.

I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.

For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy. Credit: The Record

What if You Get Locked Out of Your Cloud Account?

Konstantin Gizdov has an interesting story to tell. He got locked out of his Microsoft Azure account. He doesn’t think it was hacked, it was a Microsoft software bug.

More importantly, his attempts to recover the account were incredibly frustrating. The frustration was, in part, caused by the fact that Microsoft didn’t think it was their problem.

The problem started when he got an email that his account had been renamed. All of his attempts to get Microsoft support to unlock the account were totally unsuccessful and the data in the account was important to him.

Part of his problem was that, as an IT person, he had secured his account very effectively and removed most of the back doors that would have let him back in.

He followed all of Microsoft’s procedures for recovering his account, but, for whatever reason, none of them worked. Microsoft said there are no bugs (really? What alternate reality do they live in?).

He did have an emergency account recovery code which should have worked, except that, he said, there was a 30-day waiting period before he could use it.

But he lucked out. His story got a fair amount of coverage and Microsoft’s Identity VP saw it. He apologized on Twitter, both for the bug and for how Microsoft’s customer support handled it.

But this is a good lesson for everyone.

Even Microsoft says that you should keep an out-of-network backup. We have at least 4 generations of backups, including at least one that is locked up in a bank vault. You really can’t have too many backups.

As companies and individuals move more stuff to the cloud, this is becoming a potentially large issue.

While the world won’t stop turning if you lose all of your music or photos stored in the cloud, I suspect a lot of people will not be happy. Support on the consumer side is even worse than what this guy experienced.

On the business side, getting locked out of your business records or customer records could, potentially, put you out of business. And get you sued on top of it.

And cyber insurance companies are starting to get into the act telling businesses that they won’t get coverage if they don’t have the right air-gapped backups.

This would be a good time to review what you have, both for your business and personally, and make sure that you are okay with whatever losses you might have if something bad were to happen.

Credit: The Register and Security Week

What Happens When Hackers Steal ALL of the Code to your System

Just ask Twitch. The livestreaming service for video gamers, esports, music and other content fell to hackers.

It was acquired by Amazon in 2014 for almost a billion dollars.

Hackers broke in and stole 135 gigabytes of data. This includes all of the source code to the platform, transaction data, userids, passwords and other information.

It appears that the passwords were NOT encrypted.

The data has already been posted in multiple places in the hacker underground.

It is not impressive that a company like Amazon would allow a subsidiary to store personal information this way, but apparently, they did.

Among the data stolen was the source code to a gaming platform designed to compete with Steam and information about how much (and who) the highest paid content creators were being paid.

Worse yet, the hacker, who may have had a vendetta against Twitch, said this 125 gigabytes of data was part 1.

How many parts are there? What is going to happen next?

One obvious problem for Twitch is that now that all of their source code is public, hackers will be combing through it to find vulnerabilities and given what we know so far, there are vulnerabilities.

If you are a Twitch user, you should immediately change your password and enable MFA.

Credit: Threatpost

Twitch said: “We can confirm a breach has taken place,” and “Our teams are working with urgency to understand the extent of this.”

I bet they are :).

Google searches for how to delete Twitch were up 800%. Kind of like locking the barn after the animals got out.

Users of Twitch, the world’s biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform.

The phenomenon of “hate raids” – torrents of abuse – has seen the platform become increasingly unpleasant for many Twitch streamers who are not white or straight.

Twitch says that they are working on fixing that. Oh, and they are suing some of their customers for organizing the hate raids.

Credit: Security Week

One source is reporting that the following items were among what was stolen:

  • Entirety of Twitch, with its Git commit history going all the way back to early beginnings
  • Payouts for the top Twitch creators
  • Every property that Twitch owns, including IGDB and CurseForge
  • Mobile, desktop, and video game console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • Every other property owned by Amazon Game Studios
  • Twitch internal security tools

We are seeing conflicting reports from different sources about userids and passwords. It is possible that they were or were not stolen and the conflicts may be due to what piece of the data each source saw.

One poster on 4Chan says the leak was done to foster more competition in the online video streaming space because Twitch is a “toxic cesspool”. While competitors won’t use Twitch’s code directly, they certainly might check it out for ideas.

Credit: Cybernews

Some sources said the hackers got in via a misconfigured server, but I would suggest, the problem goes deeper than that. Much deeper. How comfortable are you that hackers could not steal all of your crown jewels?

Security News for the Week Ending September 24, 2021

Detecting Hidden Cameras in Your Airbnb and Similar Rentals

No one wants to think about this, but it is an issue. Especially in private home/condo rentals, owners are worried about you stealing or damaging their stuff. And some of them are just stalkers. Here is a TikTok video from well-known security researcher Marcus Hutchins on some things that you can do to look for hidden cameras. Credit: Hack Read

Japan Sets New Internet Speed Record – 319,000,000,000,000 bits per second

While not a security issue, it is pretty impressive. This beats the old record of 178 terabits/second. The test was carried out in a lab, but simulated a 3,000 km fiber. This is definitely still experimental, so don’t expect to get this speed at your house any time soon. Credit: Computing (free account required)

The Internet is Going to Break

Well, I don’t think so, but some people are concerned. Let’s Encrypt is that free service that lets web site owners encrypt traffic to and from their website. Let’s Encrypt’s original ROOT CERTIFICATE is going to expire in about a week. They updated the certificate in clients like Chrome and Edge and in server software like Apache on Linux a long time ago, but what about users who are running old, unsupported software? In a word, they are going to be SOL. The certificate will show as expired and, depending on the situation, the user likely will not be able to establish the connection. If it is a server that presents the expired certificate, things won’t work even if the user’s software has been updated. Bottom line, this is only going to be a problem for old, unsupported systems – but there are a lot of these. Stay tuned. Old IoT devices are most likely to break. If you are responsible for systems, now would be a good time to test. Credit: Portswigger
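To see why the root expiry breaks some clients and not others, here is an added example (not from the original post or from Let’s Encrypt) that models chain validation on simplified records: the expiring root was DST Root CA X3, and Let’s Encrypt’s newer ISRG Root X1 is cross-signed by it. The leaf certificate is constructed; the root and intermediate names and expiry dates are the real ones, and the code checks only expiry and issuer links, not signatures.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # simplified record: expiry and issuer only, no signatures

# Constructed records for the Let's Encrypt chain shape in autumn 2021:
# leaf <- R3 <- ISRG Root X1, with ISRG Root X1 cross-signed by DST Root CA X3.
# The leaf and its date are made up; the other names and dates are real.
SERVER_CHAIN = [
    Cert("www.example.org", "R3", date(2021, 12, 15)),
    Cert("R3", "ISRG Root X1", date(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),  # cross-sign
]
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_ROOT_CA_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
DAY_BEFORE_EXPIRY = date(2021, 9, 29)
DAY_AFTER_EXPIRY = date(2021, 10, 1)

def trusted_path(chain, trust_store, today, alternate_chains=True):
    """Return the subjects on an accepted path, or None if validation fails.
    alternate_chains=True: accept as soon as an issuer is an unexpired anchor in
    the store (modern validators). False: follow the presented chain to its end
    first, which is what broke old validators when DST Root CA X3 expired."""
    by_subject = {c.subject: c for c in chain}
    anchors = {c.subject: c for c in trust_store}
    cert, path = chain[0], []
    while True:
        if cert.not_after < today:
            return None                        # expired link anywhere: fail
        path.append(cert.subject)
        anchor = anchors.get(cert.issuer)
        nxt = by_subject.get(cert.issuer)
        if anchor is not None and (alternate_chains or nxt is None):
            return path + [anchor.subject] if anchor.not_after >= today else None
        if nxt is None or nxt is cert:
            return None                        # chain exhausted, no anchor
        cert = nxt
```

A client that only trusts DST Root CA X3 validates fine the day before expiry and fails the day after; a client that trusts ISRG Root X1 keeps working unless its validator insists on following the presented cross-sign to the end.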

VoIP Phone Provider Hit by Denial of Service Attack; Has Been Down for a Week

This is the downside of the cloud. VoIP.ms has been battling a massive (they say) distributed denial of service attack since September 16th. They say they have over 80,000 (likely unhappy) customers in 125 countries. All of whom have limited voice service as a result of the attackers wanting VoIP.ms to pay them a ransom to stop the attack. How would your business operate if it did not have phone service for a week? Credit: ZDNet

100 Million IoT Devices Affected by New Bug

NanoMQ is an OPEN SOURCE message processing platform that is used in many critical IoT devices like patient monitors, fire detection, car system monitors and smart city applications, among many others. Researchers from Guardara detected multiple vulnerabilities affecting as many as 100 million devices. It could cause the device to crash – that is very simple to do – or worse. Attacks on these kinds of devices are spiking and, until IoT vendors get serious about security, plan on a backup system for anything that is critical. While some people continue to spread the myth that Open Source software is secure, there is not much evidence for that as we see bug after bug revealed in super popular apps, never mind the really niche ones. Credit: Threat Post

Domain Registrar Epik Hacked

Domain registrar Epik is known for hosting certain types of domains. They call themselves the Swiss Bank of Domains – neutral in the political fights. They host the domains for right wing sites like Parler and Gab and political sites like Texas Right to Life and the Texas GOP, among many others.

The company confirmed that hackers breached their security AND downloaded customer account information.

The hackers may be affiliated with the non-group Anonymous, the loose collective of hackers that go after folks that they don’t like. They said, in a press release, that the hack was in retaliation for Epik’s habit of hosting questionable alt-right websites (their words).

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet,” the group said. “Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole.”

It also appears that non-customers were swept up in the hack as well and some of their data was stolen too.

Size-wise, the hackers stole 180 gigabytes of data, they say, including names, phone numbers, physical addresses, purchases and passwords.

Also apparently much of the data was not encrypted and some of it was only lightly salted (meaning that reversing it was trivial for the hackers).

It seems that the hackers are GIVING the data away for FREE. Here is what you get for free:

  • domain purchases and transfers in and out, all whois history unredacted, all DNS changes, all email forwards, payment history (without credit cards), account credentials for customers, hosting, VPN, etc., Epik’s internal servers and systems, Epik’s GoDaddy logins and more.

The hackers said, “yep, these Russian developers they hired are actually just that bad,” referring to the lack of encryption and weak hashing.

They also hacked the Texas GOP web site for fun.

What does this mean to you?

First of all – vendor cyber risk management. Are your vendors secure?

Second, if you used Epik, change all affected passwords and encryption keys.

Third, assume an attack like this could happen; plan for it. Then do what you can to mitigate the damage from it.

Credit: Ars Technica