7MS #184: Infosec News and Links Roundup
- I still haven't seen the slides/video come across for last week's BHIS "Gorilla Webcast!! VPN 0-day and stunt hacking" training. I'll keep an eye out for it.
- Verizon's Data Breach Investigations Report is out, and Tenable sums up the high points if you want a Cliff's Notes version:
"Time to compromise is minutes (81.9%), while time to exfiltrate data is between days (67.8%) and minutes (21.2%)."
"...the mean time from the start of a phishing campaign to first click is 3 minutes and 45 seconds. In less than 4 minutes, an attacker can gain a foothold on your network."
"63% of breaches used weak and/or default credentials."
"99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published..."
In short: We're still not getting the basics right like active patching, 2FA, effective network segmentation and monitoring.
- Spotify hacked - maybe. Several outlets reported a list of Spotify usernames/passwords in the wild, but Spotify denies a widespread breach - even to me directly via Twitter DM. Good to change your password just in case, though.
- 7 million accounts from the popular Minecraft community called Lifeboat were hacked, and unfortunately the passwords were only protected with MD5. Troy Hunt says:
“I was able to easily verify people's passwords with them simply by Googling them, such is the joy of unsalted MD5..."
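To show why Troy could do that, here is an added example (not from the post or from Lifeboat): a constructed user table stored with unsalted MD5 is audited against a tiny stand-in for the public lookup tables, and then the same passwords are stored with a per-user salt and PBKDF2 so that the lookup no longer works. The password list and user rows are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# A handful of common passwords standing in for the public lookup tables that
# make "Googling" an unsalted MD5 work. Constructed list for this example.
COMMON_PASSWORDS = ["password", "123456", "password123", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    """Legacy scheme: same password -> same hex digest for every user on every site."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed stand-in for a leaked user table stored with unsalted MD5.
LEAKED_ROWS = {
    "alice": unsalted_md5("password123"),
    "bob": unsalted_md5("password"),
    "carol": unsalted_md5("correct horse battery staple"),
}


def flag_weak_hashes(rows: dict) -> dict:
    """Defender audit: which accounts have a digest that a public table already knows?
    One table serves every account because nothing user-specific went into the hash.
    Accounts returned here should be forced through a password reset."""
    lookup = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


# The fix: a random per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<key hex>'; a fresh salt each call."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key.hex(), key_hex)
```

With the salted scheme, two users who chose "password123" get different stored strings, so a single precomputed table cannot be matched against the whole user base.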
- A site designed only for "beautiful people" was breached by allowing open MongoDB databases to be exposed to the Internet with little to no security protections. Security researcher Chris Vickery says it a bit more bluntly:
“A trained monkey could have protected [this database],” says Vickery, with a more blunt assessment. “That’s how easy it is to protect. It’s an incredible oversight, it’s massive negligence, but it happens more often than you think.”
Apparently this breach prompted a social media strike where 30k "ugly"/fake people applied for access to the site, but that issue has been fixed:
"We would like to reassure our community that the rating module has been restored to perfect working order. Every vote continues to count as we remain true to our founding principles; keeping the trolls out and the beautiful people in."
If you're curious about the troll breakdown by country:
USA: 11,924; UK: 3,156; Brazil: 2,911; France: 2,340; Canada: 1,220; Germany: 1,205; Australia: 1,093; Japan: 998; Russia: 840; Denmark: 470
- The company TruckersMP did something shocking - they responsibly disclosed a breach to HaveIBeenPwned. Why? The sysadmin explains:
"We're decently security minded and feel a responsibility and duty to inform our users when such a breach happens. All of the members of the team agreed it'd be ok to be added to the list with the notion that we'd like to see other sites do the same as well; given the unfortunate chance."
- Krebs reports that the American Dental Association has mailed some USB sticks full of malware to customers. A DSL Reports Security Forum user summed up what was likely the collective reaction this way:
“Oh wow the usually inept ADA just sent me new codes,” Mike wrote. “I bet some marketing genius had this wonderful idea instead of making it downloadable. I can’t wait to plug an unknown USB into my computer that has PHI/HIPAA on it…”
But the response from the ADA is the most humorous:
“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away."
"Many of the flash drives do not contain the Malware. If you have already used your flash drive and it worked as expected (it displayed a menu linking to chapters of the 2016 CDT manual), you may continue using it."
- British intelligence agencies are dumping Lenovo machines because:
Scientists are claimed to have identified highly-classified “back doors” in chips used in Lenovo machines which are extremely difficult to identify and could be activated remotely to either stop targeted computers working or access their contents.
- Jigsaw ransomware uses scare tactics to spook victims into paying. It also uses some shame/blame tactics to rub it in a bit:
"...JIGSAW uses a different threat for those victims with the message: 'YOU ARE A PORN ADDICT. STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY.'"
- When I've been working on [VulnHub] boot2roots, kernel-exploits.com has come in very handy.
- Want to simulate ransomware to assess the damage something like Cryptolocker would do, without harming your network or data? Check this script out. Here's a demo:
- The PenQ security browser bundle looks like an interesting all-in-one OWASP pentesting browser. Check out the video:
- Here's a nice netcat cheatsheet.
- And also a nice scapy cheatsheet.
- Microsoft knows how ticked you are, meaning that our emotions are probably not any more safe than our data.
"Microsoft says Azure Media Face Detection can be used for “people counting, movement tracking, and even gauging audience participation and reaction via facial expressions.” If you’re using their neatly JSON-formatted data, you can instantly tell if a crowd likes what it’s seeing in your store window… or what it’s hearing from your political candidate."