2019 Week 3 Security Summary
Seems it was a slow cybersecurity week…
It seems that we may have just had the biggest breach disclosure ever, named Collection #1. It is not known at this time where it came from or what the basis behind it was, but a database showed up on the Dark Web (the MEGA cloud service, to be exact) and in its raw form contained 2.7 billion rows of email addresses with their associated user names and passwords. After duplicates are removed there are still around 1 billion unique records, and, more alarming, a high number of them appear on no previous breach notice. The running theory is that it aggregates about 2000 other breaches, many of which were encrypted, and that someone was able to break the encryption. Of interesting note, I ran my city account and it did not show up on the list (though it does show up on 9 other older lists), while my personal one did.
- Wired was one of the first to break the news: https://www.wired.com/story/collection-one-breach-email-accounts-passwords/
- Threatpost gives a bit more information, as they dug into Hunt's (the owner of Have I Been Pwned) blog post and notes on the breach: https://threatpost.com/773m-credentials-dark-web/140972/
- Troy Hunt's blog post on the topic: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
- https://www.infosecurity-magazine.com/news/researchers-find-87gb-trove-of/
- https://www.scmagazine.com/home/security-news/collection-1-breach-exposes-773m-unique-emails-21m-passwords/
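The practical question a dump like this raises is whether any of your own passwords are in it. Have I Been Pwned's Pwned Passwords service answers that without ever receiving the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally. The block below is an added example written for this summary, not code from Troy Hunt's site or the post; the endpoint URL is the real one, the sample range response and its counts are constructed so the check runs offline, and `Add-Padding` is an optional request header the service supports (padded filler entries come back with a count of 0).

```python
"""Added example: k-anonymity password check against the Pwned Passwords range API."""
import hashlib
import urllib.request

# Real Have I Been Pwned endpoint; the caller appends a 5-character hash prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (counts are made up for the demo).
# Real responses have the same shape: 35-char SHA-1 suffix, colon, occurrence count.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFF983A3D4B5A7D0A9E3C1E1A3FF7B2D1E1:0
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """How many times the password appears in the given range response (0 if absent)."""
    _prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix (needs network). Padding hides the response size."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """Full flow: hash locally, send the prefix only, match the suffix locally."""
    prefix, _suffix = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, SAMPLE_RANGE_5BAA6)
        print(f"{candidate!r}: seen {n} time(s) in sample range data")
```

The account-level check the post describes (looking an email address up against breach lists) is a different HIBP lookup and is not covered here; this block covers only the password side, which is the part that can be done without disclosing the secret being checked.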
Del Rio, Texas has basically closed down due to a ransomware attack. They got ahead of it by unplugging all their servers.
- Security Today has a quick write-up on it: https://securitytoday.com/articles/2019/01/15/ransomware-attack-closes-down-texas-town.aspx
Added some interesting podcasts and blogs to my arsenal:
This came up in a recent assessment of my switches: the Cisco Small Business switches have a privileged default user, and it has now made the news. Just a reminder to never leave defaults in place.
The Fallout exploit kit has added new tricks, including exploitation of a Flash vulnerability. This Flash vulnerability has been patched, but as we know, not everyone keeps up on updates. Really, the biggest takeaway from the news was that EK developers are continuing to innovate.
- https://threatpost.com/fallout-ek-retools/141027/
- https://www.infosecurity-magazine.com/news/new-year-new-features-for-fallout/
- https://www.scmagazine.com/home/security-news/gaming/fixed-fortnite-flaws-could-have-enabled-account-takeovers/
The state of Oklahoma made national news. I guess the Securities Department put their entire database (3 TB worth) on an open server accessible to the world. To quote from the linked article: “Researchers at UpGuard who discovered the data leak said that the publicly accessible data totaled a whopping three terabytes. The more severe types of files exposed included documents detailing FBI investigations, Social Security numbers for ten thousand brokers, credentials for remote access to Oklahoma Department of Securities workstations – and even a list of data relating to AIDS patients, including patient names.”
- https://threatpost.com/oklahoma-gov-data-leak/140936/
- https://www.upguard.com/breaches/rsync-oklahoma-securities-commission
- https://www.infosecurity-magazine.com/news/oklahoma-government-leaks-3tb-of/
- https://www.scmagazine.com/home/security-news/oklahoma-dept-of-securities-server-exposes-millions-of-files/
Including this just because it is currently the most popular game out there. Fortnite accounts were evidently able to be accessed due to a poor single sign-on implementation. In a nutshell, they had used a procedure that evidently would have allowed users to log on to multiple games. The code was somewhat incomplete and researchers were able to use this to gain access. It appears it is now patched, but the takeaway is probably to make sure you are finished with the sign-on procedure before releasing a product that tens of millions of people will use.
- https://threatpost.com/fortnite-hacked-via-insecure-single-sign-on/140913/
- https://www.infosecurity-magazine.com/news/fortnite-vulnerable-to-account/
- https://www.wired.com/story/fortnite-vulnerability-account-takeover/
Originally I was not going to put this in, but after seeing it grow more and more I decided to (and it was a slow cybersecurity week). The topic that I spoke about at the Cybersecurity road show was all about how companies are collecting information about you that you have no idea about. When compiled, it allows companies to know just about everything about you. For the first time, one of the people whose company started this trend, Tom Cook, has started to talk about it. Hopefully having such a big name attached to the issue will cause it to be something on the public’s radar.
Another VoIP provider left calls, text messages and accounts open to the world. This should be somewhat alarming, as more and more of the communications we have always assumed were ephemeral are really kept for years, and someone has to keep them protected.
- https://www.infosecurity-magazine.com/news/voipo-left-7-million-logs/
- https://www.scmagazine.com/home/security-news/voipo-database-exposed-millions-of-call-logs-and-personal-data/
Found this kind of interesting. Basically, they used Telegram’s Windows client to send Windows command and control commands through the messaging platform’s data stream.