Welcome to Cyber Security Today. From Toronto this is the Week in Review for the week ending Friday, January 19th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley, head of Beauceron Security, will be here to discuss recent news. But first a recap of some of the news from the past seven days:
Cryptocurrency scammers this month have been hacking the X accounts of companies or of well-known people. One of the latest was the city of Peterborough, Ont. David and I will discuss this trend.
We’ll also talk about the arrest in Ukraine of a resident for using hacked cloud accounts to create 1 million virtual servers for mining cryptocurrency.
We’ll discuss how an accounting firm employee falling for a phishing scam led to disclosure of the names of some customers of an American laptop maker.
And while it happened earlier this month, David will have thoughts about the genetic testing service 23andMe blaming some poor users’ password practices for a huge data breach.
Also in the news this week, Atlassian, Ivanti, Citrix, SonicWall and Juniper Networks were among companies that issued security updates to fix major vulnerabilities in their applications.
The ‘Have I Been Pwned’ website, where you can check if your credentials have been stolen, has added millions of unique email addresses to its data store. This is from a huge credentials-stuffing database called Naz.API that someone has been pedaling on the dark web. Not all of the stolen credentials on this list are new. But researcher Troy Hunt, who maintains the site, said about one-third of the email addresses are new to the millions of stolen credentials he has collected so far from other sources.
American home loan provider Academy Mortgage Corp. said it is notifying over 248,000 people that some of their personal data was stolen last March. An attacker accessed and disabled some IT systems, the company says. Information stolen included names, dates of birth and Social Security numbers stored for payroll and organizational purposes.
Google has updated its explanation of what the Chrome browser’s Incognito mode does and doesn’t protect users from. This comes as Google reportedly has reached a settlement on a class action lawsuit over alleged tracking of users’ activity in Incognito mode. According to the website MSPowerUser, the disclaimer now clearly states Incognito doesn’t change how data is collected by websites users visit, including Google.
The Governor of New Jersey this week signed data privacy and breach notification legislation. Starting next January companies doing business in the state can only collect personal data that is necessary for the business. And they’ll have to tell consumers what collected data is being used for.
Consumer Reports says nine of 10 American health-related websites it recently studied raised at least one data privacy concern, including sharing consumer data with a long list of third parties. Two websites that claimed they don’t sell or share covered data appeared to allow third party marketing cookies, which might legally constitute a data sale. Despite new health privacy protections in state laws, the report says, many health-related sites shared data with third parties.
Finally, a cybercrime syndicate has been creating a huge botnet by compromising smart TVs and set-top boxes running the Android and eCos operating systems for the last eight years. That’s according to researchers at a Chinese cybersecurity company called XLab. They call the bot Bigpanzi. Not only can it launch distributed denial of service attacks, it can also substitute content on victim’s TVs. One way homeowners can avoid being victims is by refusing to download apps that promise access to pirated movies and TV shows. Those apps are likely infected.
(The following is an edited transcript of part of the discussion. To hear the full conversation play the podcast)
Howard: There have been several high-profile hacks of prominent accounts on the X social media platforms, with many of the attackers renaming accounts and promoting links to cryptocurrency scams before the real owners regain control. One victim this week was the city of Peterborough, Ont. Recent victims have included security firm Mandiant and the U.S. Securities and Exchange Commission. The group that hacked the SEC account claimed the regulator had announced a change in policy for bitcoin exchange-traded funds. We’re not sure if this is one group or several copycats. David, what’s going on?
David Shipley: Thankfully, for the most part it looks like it’s just the usual crypto scammers. I’ll speak up about the SEC separately because I think there’s some unique twists about it. But for the other ones, for Mandiant the the city of Peterborough this could have been so much worse. If it was someone doing it for the lulls, as the hacker kids like to say, imagine one of those accounts pumping out deep fake intimate images and you can get a sense of how off the rails this could have gone. Or, on the other side, hacking the Mandiant account to hit key folks who follow it like security professionals, researchers, CISOs and hitting them with malicious links or malware. That could have been far more damaging than promoting crypto scams. So I think we dodged a bullet on this one.
The X/ Twitter hack — I just can’t get over calling it Twitter — is fascinating because it did move the market for a short time, particularly for bitcoin, and that could have made somebody millions of dollars. On top of that a few days later the actual announcement did come out that the SEC authorized bitcoin ETFs. I’ve often thought about how hacks and social media takeovers could be used to move entire industries or markets in a way that would be hard for authorities to trace manipulation of stocks or commodities …
Howard: One thing these X takeovers have in common is weak security — easily guessed passwords or a security weakness or an account user is falling for a trick and giving up their password. This last is the allegation by X itself in the hack of the SEC’s account. X tweeted that the cause was a hacker getting control over a phone number associated with the SEC account through what they said was a third party. It sounds like either a wireless carrier or an outside support company was tricked into giving an attacker control over an employee’s phone and that employee uses that phone tor the SEC tweets.
David: It screams SIM swap attack. One of the questions I had is was the SIM swap tied to bypassing MFA? Because, ironically, phone-based SMS-based multifactor authentication is a premium feature if you pay for X/Twitter. Was that how they bypassed MFA? Which makes me wonder if they [the attackers] used an old feature where you could send an SMS text and it would create a tweet for you. If you are planning a market-moving event and if you were going to poke the SEC, using burner phones would probably not be a bad idea: Get a burner phone, SIM swap it, do the tweet and ditch the phone. That could make investigating it even harder.
…
Howard: In the case of the Mandiant hack, the company said employees are supposed to have two-factor authentication enabled on any account that they use for logins. However, it said in this case due to some team transmission transitions one person’s account was open and it fell to a brute-force password attack.
David: For all the technological tools we have to secure accounts things like MFA and conditional access et cetra, it always always comes down to people and processes. So the interesting question for enterprises is how do you monitor compliance for third-party SaaS platforms like X and others when it comes to making sure accounts have turned on MFA? At my firm every single quarter we have to do a full review of all the applications that we use as part of our ISO 27001 process. We have to provide evidence of not only who has access and what access they have, but are appropriate controls in place as dictated by the risk impact [assessment] — even for a 40-person company. That’s a lot of work. We estimate that that we probably spend about $5,000 to $6,000 a year in staff time [on that]. That’s just a direct cost. That’s not the productivity cost to review around a hundred applications quarterly. Imagine a large enterprise that has tens of thousands of applications: How do they stay on top of these things? The only thing I would say is that we’re learning from this experience. I think it’s good to have a learning attitude from this [the X account takeovers]: How could we avoid something like this?
…
Howard: What are the lessons learned from these recent hacks of X?
David: There are a couple of different pieces: First, we need a standard way for SaaS [software-as-a-service] customers to automatically be able to query [accounts] for compliance with basic hacking mitigations and controls like multifactor authentication. You should be able to just plug into your SaaS provider with some kind of a trusted feed setup so that it can send alerts to other security tools when there’s a rogue account created or an account that doesn’t have basic control like MFA. This standard needs to be mandated by regulators for platforms once they reach a certain size, whether that’s revenue or user base. And you should prohibit vendors from selling this specific set of functionality as a premium — ie. an extra cost service. This API access should allow for systems to query for access compliance and should send alerts in a standard format when accounts don’t have the proper control set up now. That’s the technology side. Ironically, that’s not that hard to do, but making it happen is going to require policy and regulation –and a mindshift miracle.
Part two, regulators should mandate mandatory multifactor authentication for platforms of certain size and scale — like big tech social media firms, major cloud providers. At the same time industry best practices standards and certifications — I’m looking at you SOC 2, ISO 27001 — should require companies provide this to their customers as well. Maybe we can see that before 2030.
Part 3 is the importance of measuring security culture, not just compliance. I mentioned earlier how my firm measures compliance and how we’d see a higher cost for unclear gains. Maybe if we did it more often. But if folks believe in the importance of doing what’s right and being secure as part of their job and as part of the right thing to do, that could potentially make all the difference in the world. Getting people to that point takes more than Cyber Security Awareness Month and a platform. But it can have huge ROI, and that’s what building a security culture can do.The post Cyber Security Today, Week in Review for the week ending Friday, Jan. 19, 2024 first appeared on IT World Canada.