This week's big news was the extraordinary leak of 500 million Yahoo! accounts, and the largest DDoS to date which took down the website of journalist Brian Krebs. In addition to the rest of the news coverage below, I really recommend reading a think-piece by @thegrugq and considering how it applies to our own incident response plans. Enjoy!
This is a really great read by @thegrugq. 5 weeks ago an NSA exploit toolkit, containing methods to hack routers and other hardware by the likes of Cisco and Fortinet, was leaked publicly (see CSW#30). This toolkit was estimated to have been created in 2013, and a lot of commentary then focussed on "why didn't the NSA give vendors a heads up on their vulnerabilities?" @thegrugq sheds some light on the decision making that intelligence agencies make when stuff like this happens. If the NSA notified the vendors, then 1) they're burning an expensive and useful toolkit, and 2) telling the thief that they strongly suspect or know that their toolkit was stolen. If the thief used the toolkit then the NSA will have solid confirmation that their toolkit was stolen, and probably also be able to figure out who did it.
These games play out in the commercial world too. If you're being actively attacked, do you shut everything down as quickly as possible, or watch and learn how the attacker behaves? Sophos has 8 tips for incident response which touch on this.
Renowned infosec journalist Brian Krebs has just faced the largest ever DDoS attack publicly disclosed to date - 620Gbps - likely in retaliation for his role in the news coverage and arrest of two men behind a DDoS-as-a-service provider. He had been protected by Akamai's service for much of that attack, and many attacks beforehand, but as he was a pro-bono customer they couldn't continue to host him, and his site went down for the better part of the week. It's back online now, this time behind Google's Project Shield, which is a free DDoS protection service for "websites serving news, human rights, or elections monitoring content". Krebs' post explores what it means for such large scale attacks to be increasingly achievable, what he calls "the democratisation of censorship".
Yahoo confirmed that it had been the subject of a massive hacking attack that exposed the data of at least 500 million users. It apparently occurred in 2014, and was done by "state-sponsored actors". According to reports, upper management didn't take their security problem seriously either. Former Yahoo information security head Alex Stamos, now CSO at Facebook, had tried aggressively to get management to act more strongly at the time, but he had not been successful. Verizon, who are in advanced talks to acquire Yahoo, also were unaware until very recently. Hopefully this can serve as a very convincing example for companies and boards who drag their heels when it comes to security and incident response. Also remember that we can do more to protect our users from password reuse attacks!
The Victoria Police in Australia are warning citizens to beware of USB thumb drives being left in their letterboxes. Their statement said "Victims have experienced fraudulent media streaming service offers ... and members of the public are urged to avoid plugging them into their computers or other devices." As we mentioned in CSW #28, a recent study showed that 45% of 300 USBs dropped at a University of Illinois Urbana-Champaign campus were plugged in and had files clicked on. Not a super scalable attack, but the Risky Business podcast made an interesting point: USB drives must now be so cheap that the profit derived from this attack makes the endeavour worthwhile.
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security might seem like a smart business decision. The study notes some important limitations: "it does not account for lost revenue, sales, market valuation, or intangible or nonfinancial costs such as lost time due to a fired CEO, or loss of reputation." I also bet the recent advent of shorting stock before vulnerability disclosure, as seen in the MedSec / Muddy Waters / St. Jude Medical case, has introduced a new type of financial risk.
According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. It also found that 55 percent of respondents said they have "evolved processes for managing privileged accounts".
Please don't let this be your organization.
- Mac OSX Sierra is out, including nearly 20 code-exec bugfixes
- Tesla patches exploit that left Model S vulnerable to remote access
- RCE exploit found in Metasploit itself, delighting irony lovers everywhere
That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!