Welcome to Cyber Security Today. It’s the Week in Review edition for the week ending Friday November 26th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes Dinah Davis, the Canadian-based vice-president of research and development at managed service provider Arctic Wolf will be with me for a discussion. But first a look back at some of the news from the past seven days:
GoDaddy, one of the biggest internet hosting providers, has admitted that a compromised password led to the hack of its managed WordPress service. The email addresses of up to 1.2 million active and inactive WordPress customers were copied. Worse is that usernames and passwords for a number of subscribers to the hosted service were exposed, forcing GoDaddy to make those users reset their passwords. Dinah and I will discuss this incident.
Windows administrators were warned to watch for suspicious changes in users’ access privileges. This comes after a researcher released proof of concept code for a new Windows zero-day vulnerability. If a person has access to a computer they may be able to easily upgrade their privileges to administrator using the exploit. Cisco Systems says hackers are already trying to take advantage of the vulnerability.
How fast can a hacker find an improperly protected server or database open to the internet? Sometimes, within hours. This is according to a report released this week on a test by Palo Alto Networks. It set up a number of honeypots on the internet to discover what happens. Dinah and I will discuss what the company calls shocking results that are a lesson for IT managers.
The Conti ransomware gang has suffered a temporary blow. Researchers at the Swiss cybersecurity firm called Prodaft published a report this week saying they managed to get into the group’s payment portal. They came away with valuable information for law enforcement agencies and IT security teams. According to one news service Conti briefly had to take down the portal, which is where ransomware victims make payments. It’s back online.
Organizations running network protection devices from FatPipe have been warned to install the latest software updates. They patch a serious zero-day vulnerability.
Some Farsi-speaking people living in the U.S., Canada, the Netherlands, Germany and other countries were hacked by a threat actor based in Iran this fall. According to researchers at SafeBreach they first fell for a fake copy of a real travel website that had them log in with their Gmail or Instagram passwords. As a result they gave up their credentials. Then they fell for a follow-up phishing scam by clicking on an attachment that was supposedly an article blaming Iran’s leader for the coronavirus. Instead their computers were infected with malware that took advantage of a Windows vulnerability. The thing is, they wouldn’t have been hacked if they had kept Windows patched.
A threat group that specializes in stealing business data is back. Dubbed RedCurl by researchers at Group-IB, the attackers had been quiet for seven months. However, evidence of their attacks has recently been discovered. The gang is patient, going after select victims with sophisticated weapons. But first they have to get in. They often do it by getting employees to fall for emails with attachments supposedly about internal company news, like bonuses.
If you use the Firefox Lockwise password manager app on your mobile device, get ready for a change. The app will be discontinued starting December 13th. Android users will be able to use the password manager in the Firefox browser. Apple users should pay attention to a coming notice.
Finally, because today officially starts a holiday season of online shopping deals, Dinah will discuss the safest way you can find bargains on the internet.
(The following is an edited transcript. To hear the full discussion play the podcast)
Howard: Let’s start with the GoDaddy hack. GoDaddy is a well-known domain registrar and it hosts a lot of company websites. It also hosts WordPress content management suites for companies and bloggers who don’t want to manage their own WordPress installations. But last week it made an embarrassing admission. Tell us about that.
Dinah: A hacker was able to get into a GoDaddy employee account of some kind with a compromised password. The hacker was able to find a store or a set of sFTP usernames and passwords that were not securely stored. sFTP is a protocol used to upload and transfer files to websites. You don’t really even need the login to the path to the website itself. You can just FTP stuff right into there.
This is the analogy of how bad this hack is: Let’s say I need to rent an apartment. The person showing me the apartment doesn’t own it but they’ve bought the ability to lease space in the building and I sign a contract. I pay them a monthly fee. But I don’t know that they’re not actually the owners. They’re also paying a monthly fee to the owners for leasing this space so they get a cut. The apartment is like a website that’s being hosted. The person showing is also Airbnb-ing that apartment to a whole bunch of other people. I, the renter, don’t own the lease with the owner of the building. The owner has a key to every room. You would think that they need to put that away in a safe location. But the analogy here is that they put the keys in a box and they put the box in a storage room — but the door to the storage room is not locked and nor is the door to the building. But once you’re in you can easily find them. So if anyone finds that box, they have access to your apartment. That is what happened: The hackers found the box full of sFTP passwords and usernames. That allowed them to put anything into our apartment — or anything onto the website they want. And they had that access for two months. Two months is a very big deal. Now, GoDaddy has changed all the locks [passwords] but who knows what’s still in that website? This is a bad breach. It’s not just a regular supply chain attack. It’s like a cascading supply chain attack.
Howard: A company called Wordfence, which sells protective services for WordPress, says that GoDaddy stored those sFTP passwords in such a way that the plain text versions of the passwords could be retrieved, instead of storing salted hashes of the passwords or providing public key authentication, which it says are both industry practices. That sounds like a really big failure.
Dinah: Yes. They basically left a box of keys in the storage room and none of the doors were locked … And one of the biggest things hackers could do is put a whole bunch of phishing links in a bunch of websites hosted by GoDaddy that victims could click on and potentially download ransomware.
Howard: And this all comes back again to using safe passwords and having passwords protected. GoDaddy hasn’t said if the compromised password was protected with multifactor authentication, which is good but it isn’t perfect. In fact, there was an online conference I covered last month where a security company did a penetration test for a client and it said it was able to trick the CEO into giving up his two-factor authentication code by tricking him into logging into a fake authentication server. But good multifactor authentication is certainly better than none, and if you’re a senior administrator who has access to lots of things you should be using a key-based multifactor authentication where you’ve got a key that has to be plugged into your laptop for access. The system recognizes only one person per key and it doesn’t matter if the hacker has the password. If their laptop isn’t the user’s laptop and doesn’t have the key the system won’t accept the authentication.
So if you’re using a hosted service for an application, how do you protect yourself from third-party attacks?
Dinah: It’s difficult, because at some level you’re going to have to trust the service that you’re using. The best you can do is vet the service as much as you can. Make sure you’re using strong passwords and enable two-factor authentication if the site provides it. If they don’t provide it that’s an indication that maybe you shouldn’t use that site.
Howard: I want to turn now to the Palo Alto Networks honeypot test. For those who don’t know, a honeypot is a device or a service set up to lure an attacker to a fake target. Honeypots are used by companies to divert attackers from real corporate digital assets. They can also be used by security researchers to find out how attackers work. In this case Palo Alto Networks wanted to find out how fast an attacker could find unprotected servers and databases open on the internet. So it set up 320 nodes as if they were misconfigured or just thoughtlessly unprotected. These included servers with remote desktop protocol — which is often used by companies so employees can connect from outside the office — secure shell protocol, server message block and a database. Some of the honeypots also had weak passwords. What the study found was 80 per cent of the honeypots were compromised within 24 hours of being planted on the internet and the rest were compromised within a week. One threat actor compromised 96 per cent of the databases within 30 seconds. What did you think about this test?
Dinah: That’s crazy. I wasn’t surprised for one second because attackers have bots crawling the web trying to find open ports, trying to find things that are open, because it’s super easy to walk in a front door when it’s wide open. And it’s pretty easy for them to have a constantly running bot or script that’s constantly looking for open ports. Or the hackers would already have in their arsenal a list of like dictionary [password] attacks. I love that they did this test because people think, ‘No one’s going to see my open port.’ Well, these are just random ones put on there and the fastest mean time to compromise on one site was 184 minutes. It’s pretty important that you lock down access to anything from outside your network.
Howard: I was reminded that many employees accidentally leave digital files and databases exposed to the internet. They may have asked the IT department to create a special database of customer information for them to analyze. And someone forgets to either password protect the database or to make sure that the database isn’t open to the internet, just as they did in this case in this test. I’ve written many stories about security researchers finding huge databases open to the internet. If a security researcher could have found the database so could a crook or a nation-state. Security researchers and crooks do it with freely available search engines like Shodan, Censys, Nexpose, Vega and others. So can you tell us how an IT department can use Shodan or other tools to scan their own companies’ internet ports and environments so that they can see what’s exposed?
Dinah: It’s very common. You can buy tools, you can have a managed service provider do it for you. We do it for our clients all the time. You basically want to do an external vulnerability assessment. It’s going to see what ports are open. It’s going to go see if there’s any software running that has holes that’s accessible from the outside. Once they do that they’ll recommend you close this or upgrade this piece of software. You definitely want to be doing some kind of external vulnerability scanning on a regular basis on your network. You also want to audit your [security] rules often. Some databases should never be created. It should not be possible in your system to have those kinds of things created and not be protected. If you’re using a single sign-on application that helps because as soon as anything is opened or you know there’s a compromise you can shut down that person’s account and then attackers can’t get into anything. You want to make sure you have good firewalls. Try and protect your system from as much malicious content and traffic as you can.
Howard: There are two things that I thought [the honeypot test] also speaks to: One is security awareness training, so that employees know that when they create databases there are security controls so they’re not exposed to the internet. The other thing is I thought the test is also a lesson in the need for fast application patching, because that’s how attackers exploit vulnerabilities to get into networks.
The last item we’ll hit on this episode is online shopping. Since this weekend starts the Black Friday/Cyber Monday and Christmas sales season we need to remind listeners how to shop safely. What should people do, and not do?
Dinah: The number one rule is if the deal is too good to be true, it probably is. If it’s really hard to find something like this year — a really hot item is still the PlayStation 5 — and all of a sudden a store pops up and they have a huge supply of them and you can buy them for super cheap, that’s not going to be real. If you see ads for major retailers that you trust, go to their website separately and never click on a link in a text or email. Look in the domain names of the stores in ads and in emails: Are there any mistakes in the domain name? Are they using a “1” (one) instead of an “l” (el)?
If you’ve found a new site and you’re not sure about it use a website called ‘islegitsite.com’. When I put bestbuy.ca into it the site calls it “potentially legit” — they’re never going to say 100 per cent legitimate, but potentially legitimate is good. It had a web of trust score of 93 out of 100, which is a really good web of trust. It’s a good indicator. Another great thing to check is the domain creation date of a site. BestBuy’s was created 21 years ago, so it’s probably a good indication that it’s a legit site. If a site has been created in the last two or three months do not buy from it.
One new risk is what happens after you buy a product online and the product has to be delivered. This happened in my neighborhood yesterday: Some thieves were caught stealing boxes off of the front porch. So make sure you’re sending packages to a safe place. If it’s your home, are you going to be home? Check your front step multiple times a day. Set up SMS messaging or email delivery confirmations.
Howard: In connection with that I want to also add that this time of year people are expecting text and email messages about package deliveries. But if you haven’t ordered anything online don’t reply to these messages. You may be worried that someone is sending you a package, and you may want to respond to a message. But don’t give away any personal information or a password if you’re asked. The message may say if you want details about this package delivery then enter your username and password from your Gmail account or your Office 365 account. But that’s fraud. If you’re really concerned, instead of clicking on the message go to the website of DHL or UPS or FedEx.
The other thing I want to remind people is about telephone calls. Visa and Mastercard don’t know who you are. Visa and Mastercard are not going to call you with a supposed problem with your card. Your credit card is with your provider, who’s usually a bank, and banks won’t call you about an alleged problem with your card and ask for your password or ask for your date of birth. If you get a phone call from someone who says they’re calling about your credit card and they’re supposed to be from the bank, go to the bank for confirmation. If you can’t get to the bank because it’s after hours then ignore this. If a bank does call you and they’re really serious they’re going to ask you, did you make this purchase? You say no, and what they will say is fine, we’re going to cancel that and we’re also going to cancel your card and you have to get a new one. And then you go to the bank and look after that there. You don’t do it on the phone.
The final point I’d like to make is if you’re out shopping don’t use free public Wi-Fi to connect to the internet — even if it’s provided by the city, even if it’s provided by the shopping mall or a restaurant. Because it’s too easy for hackers to spoof a store, so when you think you’re logging into McDonald’s you’re not really logging into there. You may be fooled by a spelling mistake. It may cost you in charges, either in the time that you’re using or in a direct charge, but use your cellphone carrier’s cellular connection.