November 28, 2016

Cloud Security Weekly #42

Hope you're all having a great Cyber Monday! In this week's cyber happenings, Wordpress gets called out for having a vulnerable single-point-of-failure for 26% of the world's websites, San Francisco's MUNI gets hacked, Google is notifying users when they're attacked by state sponsored actors, and some neat tidbits from Dropbox, Auth0, and GCHQ. Enjoy!

Wordpress' update server a single point of failure for 26% of the top 10M websites

Up to a quarter of all websites on the internet could have been attacked through a since-patched vulnerability that allowed WordPress' core update server to be compromised. Matt Barry, lead developer of WordPress security outfit WordFence, found an attacker could impersonate core developer code deploys. By brute forcing a shared secret between WordPress and Github - crucially telling Wordpress to use a very weak hashing algorithm - he could get remote access to the update server. From there an attacker could push malicious updates to Wordpress servers worldwide. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates.

Google is warning journalists and professors about account takeover attacks

Google is warning prominent journalists and professors that nation-sponsored hackers have recently targeted their accounts, according to reports delivered in the past 24 hours over social media. One of the red banners included large white text that stated: "Warning: Google may have detected government-backed attackers trying to steal your password." It included a link that led to advice for securing accounts. Google has been sending warnings of nation-sponsored hacking attempts since 2012.

Dropbox how-to on password storage

In this semi-technical post, Dropbox explains how they store user passwords, and it's a neat read. They first SHA512 the plaintext password, to normalize it and give it a consistent length - because bcrypt can break if you don't. Then they bcrypt it. Then they encrypt it again using AES256, so that even if the database itself is leaked, you still need another key they keep elsewhere before you can start attempting to make malicious use of the bcrypt password hashes. Very interesting. If that tickles your fancy, also check out Auth0's blog post on their bcrypt-as-a-service clusters which lets them handle thousands of logins per second.

San Francisco transit hacked and held to ransom

Just days after a digital attack brought down payment systems at San Francisco’s MUNI rail system, the hacker responsible for the attack has threatened to release data on MUNI’s employees and customers if his ransom is not paid. The hacker is demanding 100 bitcoin, or roughly $73,000. MUNI riders were greeted with printed "Out of Service" and "Metro Free" signs on ticket machines on late on Friday and Saturday after the system’s computerized fare systems were hacked. The ticketing machines read “You Hacked, ALL Data Encrypted", with instructions for getting the decryption key. Thus far it seems MUNI hasn't paid.

GCHQ open-source a new tool: CyberChef

The UK's spooks, GCHQ, have open sourced a "swiss army knife" of tools for "carrying out all manner of "cyber" operations within a web browser". They've named it CyberChef, and it gives users a fairly simple UI for "creating hexdumps, simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, data compression and decompression, calculating hashes and checksums, IPv6 and X.509 parsing, and much more". It was created by an employee during their "10% innovation time" over the course of several years.

Cybersecurity: a soccer analogy

In this article Marc Laliberte compares the different positions of a soccer team to the different roles within Small / Medium businesses, as they relate to cybersecurity. End-users are strikers, IT support are the midfielders, your security team & network admins are the defenders, and your technical protections are the last line of defense: the goalie. If you need help explaining cybersecurity to people in your organization, maybe this analogy will help. :)

In Brief

That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!


If you want to get this news delivered weekly to you inbox sign up here:
Sign Up For Cloud Security Weekly

The future of authentication

Today I’m excited to announce a deal that we have been working on for the past few months and how that will impact the future of contextual ...

Introducing custom security rules

For the past few years we’ve been working hard to create a plug and play adaptive risk engine. We designed our core service using a mix of b ...