There was -so much- interesting security news this week, probably related to the fact that Blackhat and DEFCON are all happening at the same time.
I've done my very best to be selective, but still ended up going over my usual limit of articles, I'm sorry :-) I hope you enjoy the result though!
Breaches and leaks
- Monzo, the UK-based digital bank, had a big "whoops" moment when it discovered that it had been writing customer PIN codes to its logs, exposing them to around 100 internal engineers. About 20% of customers are affected: link.
- The Bank of Cardiff, based in California, exposed an S3 bucket containing one million recorded phone calls to customers: link.
- StockX, a "fashion and sneaker trading platform" (that's a thing?) was breached. They've fumbled the disclosure process, but it seems that 6.8 million records containing personal information were stolen: link.
- CafePress, a t-shirt and merchandising site, had a breach that impacted 23 million users. Half of the passwords were hashed with SHA-1, which is inadequate for password storage: link.
- State Farm Insurance suffered a credential stuffing attack. It's unclear how many customers were affected: link.
The audit was scoped to the eight most-used components, and found 34 significant vulnerabilities and much room for improvement. The worst have already been fixed in the latest versions, so it's worth checking out. Kudos to CNCF for doing this and being so transparent about it.
In this blogpost a security researcher explains how he found exposed information on a ton of companies, including NASA and Google, through Jira, the issue tracker. It's a bit hard to read, but if you use Jira at your place it's probably a good idea to go through it and double check your own settings.
It was reported by Bitdefender in August 2018, and is now being publicly disclosed. All major OS vendors have already released updates to mitigate the issue. While the disclosure says that it affects all modern CPUs, AMD says that its processors are not vulnerable to this variant.
Mathy Vanhoef (who discovered the KRACK attack) and Eyal Ronen have discovered flaws in the current WPA3 version. They were able to get the WiFi password twice, once through a flaw in the recommended key exchange algorithm, Brainpool, and once in the EAP-pwd authentication of FreeRADIUS devices. The discoveries might lead to a WPA 3.1.
Fascinating story. The attackers first bribed employees to unlock phones, but then got employees to deploy malware on the AT&T infrastructure, meant to automate much of the unlocking process. One employee got over $400.000 in bribes.
Microsoft announced at Black Hat that they are launching a separate cloud testing environment, dubbed Azure Security Lab, where researchers can wreak havoc without being afraid of impacting customers. There's a bounty of up to $300.000 for those who do. They are also upping their regular bug bounties, to a $40.000 maximum.
More bug bounty news: Apple has increased their maximum bounty to a whopping $1 million. Their program now also includes pretty much their entire OS range, is open to all researchers, and interestingly gives you a 50% bonus on your bounty if you discovered the issue in a pre-release build.
Brian Krebs tries to piece together what we know about the hack. It sounds like they had a WAF that was misconfigured in two ways: it could be made to forward requests to hosts inside the perimeter, and its role had read-all S3 permissions. I can't fully make it out yet though. The comments are an interesting read too.
Another one on Capital One, but I liked this article because it takes a step back from all the finger pointing, and instead describes what they did right, and how impossible it is, realistically, to prevent these issues in any company of that size.
Symantec is essentially being split in two, with its enterprise portfolio and brand name going to Broadcom. They will retain their consumer-facing products, like Norton Antivirus.
The Avaya 9600 series, used by 90% of Fortune 100 companies, runs an old DHCP client which is vulnerable to remote code execution. The bug itself was reported in 2009, but until now it wasn't known that it affected these phones. Avaya released a fix which you'll want to implement if you use these.
Interesting read on how the US Army is trying to tackle training around the ever-changing field of cybersecurity. It must be a big challenge, no doubt.
The attacks themselves aren't anything new, but it certainly is a delivery method I never thought about before, and nicely scalable: package deliveries. The researchers include a small 3G-equipped device in a package that they send to their target, track and control it remotely, and use it to attack the local WiFi network.