Cyber Weekly Roundup – March 2, 2017

Weekly Roundup

Cyber Weekly Roundup – March 2, 2017

1.) Google Just Discovered a Massive Web Leak…and you Might want to Change all your Passwords (February 24, 2017)

Serious Cloudflare bug exposed a potpourri of secret customer data (February, 23 2017)

Summary: A recently fixed software bug which may have exposed sensitive information such as user passwords and private messages was disclosed on February 23, 2017, by Cloudflare, a security and performance service provider for more than 5.5 million websites. This vulnerability had been active in Cloudflare services since September 22, 2016, and allowed for highly sensitive data to be cached by Google and other search engines. As a result, hackers could have accessed this data in real time by making web requests to affected websites to access some of the leaked data later by crafting queries on search engines. As a result of this vulnerability, a large number of businesses that leverage Cloudflare’s services could have been affected, including Uber, Fitbit, and OKCupid. It is important to note, however, that there is no definitive proof that this bug was actively exploited. Due to the nature and severity of this bug, it has been dubbed “CloudBleed” by some, a derivative of the name “HeartBleed,” a similar critical vulnerability in 2014 that affected a large portion of the internet. This vulnerability was discovered and reported by Tavis Ormandy of Google Project Zero.

Why it Matters: With every user gaining a larger “footprint” on the internet each day, incidents like this one go to show how important it is for the everyday user to utilize good password practices. In addition to the usual 8+ character password using letters (upper and lowercase), numbers, and symbols, passwords should be unique for each service that any user visits – this is to prevent a situation where an attacker can gain access to an individual’s email or banking accounts by successfully hacking a site such as Fitbit. That said, keeping a unique password for each site is impractical for many users. As more two-factor authentication techniques (using both a password and “something you have,” like a specific cellphone that receives a code, a USB token that must be present to access a site, a fingerprint, etc.) begin to see adoption, companies should encourage their user base to utilize these technologies to ensure their accounts are better protected. Alternatively, companies should leverage technologies such as single-sign-on and federated sign-on, where logging into one service grants access to many, with the expectation that the one service the user logs into is secured through two-factor authentication. With data breaches becoming an everyday occurrence, the standard username/password will no longer cut it for protecting users.

2.) Pentagon Launches Open-Source Experiment (February 24, 2017)

Summary: the Defense Department launched last week, a public site meant to showcase code written by federal employees and contractors that can be used for personal and private projects. This project is the result of an initiative launched by the Obama White House which aimed to improve code sharing between federal agencies in order to reduce redundant software development contracts, as well as make this code available to the public, similar to the open-source code made available in the private sector.

Why it Matters: Sharing code with colleagues and the public allows for improvement and refinements to the overall code. This is especially important in cybersecurity, as making the code run efficiently and expanding it to do more can greatly benefit professionals who are already contending with a labor force gap. In conjunction with machine learning, effective code will go a long way in assisting cybersecurity efforts.

3.) Yahoo reveals more breachiness to users victimized by forged cookies (February 15, 2017)

Hacks all the time. Engineers recently found Yahoo systems remained compromised (February 21, 2017)

Summary: Yahoo recently reported a security breech to its user accounts through use of a vulnerability that allowed attackers (most likely a “state actor,” according to Yahoo) to use forged cookies “created by a software stolen from within Yahoo’s internal systems to gain access to user accounts without a password.” The forged cookies were suspected to be in use between 2015 and 2016, according to the company. This is the second breach that Yahoo has reported in recent months – the company also reported a breach in September 2016 where threat actors stole information associated with at least 500 million user accounts in late 2014 – the largest data breach reported to date. Verizon, who has reported that it is in talks to purchase Yahoo, met to amend the terms of a definitive agreement, reducing the cost of the deal by $350 Million (now $4.48 billion), and adding amendments to their terms that Yahoo would be responsible for 50% of any cash liabilities incurred due to breaches.

Why it matters: How expensive is a data breach? While it’s easy to calculate the cost of the technology and man-hours necessary to respond to and recover from an incident such as a data breach as well as the cost of regulatory fines due to the breach, the cost of how it affects future business can be harder to calculate, especially early on in the timeline of a breach. In this case, Verizon has calculated a fairly solid cost to the beach by reducing their offer by $350 million. Verizon has reported that this security breach and the cost of the incident response and recovery did not directly affect the closing price on this deal, but rather the cost was reduced due to the difficulties integrating Yahoo with Verizon’s AOL unit and due to how the breach may “hamper user engagement and in the process make the assets less valuable.”

4.) Hackers who took control of PC microphones siphon >600 GB from 70 targets (February 20, 2017)

Summary: Researchers from CyberX discovered a malware-based operation, dubbed operation BugDrop, which collected more than 600 gigabytes of audio recordings, screenshots, documents, and passwords from a broad range of industries, including critical infrastructure, news media, and scientific research. The majority of the 70 organizations targeted are located in Ukraine, and CyberX researchers noted that similarities could be drawn between this malware-campaign and earlier tactics that led to an attack on Ukraine’s power grid in 2015 that caused 225,000 Ukrainian residents to lose electricity.

Why it matters: It appears nation-state hacking is alive and well. While CyberX has no forensic evidence linking this campaign to a nation-state, its motives and techniques certainly point in that direction. Malware-campaigns conducted independently of government funding are usually done so with the purpose of making a profit at the end, or disrupting competition – Ransomware, DDOS-as-a-service, and data breaches are all examples of a criminal individual or organization attempting to earn profits from their efforts. This campaign, however, seemed more focused on gathering data on an adversary – its purpose was gathering large amounts of information. Its targets of critical infrastructure, media, and scientific research are what cyber security researchers traditionally see in nation-state sponsored snooping, and the operational complexity and the amount of analysis needed to comb through 600 GB of voice recordings and data would most certainly have a high cost associated. The logical conclusion to draw from this data is fairly obvious, but on the other hand, hackers do often fake clues or evidence to help throw people off their trail.

5.) Google Discloses Unpatched Microsoft Vulnerability (February 21, 2017)

Summary: Project Zero, Google’s bug hunting team, publicly disclosed a vulnerability in Windows DGI library that allows attackers to steal sensitive data from program memory. While Microsoft had attempted to address the vulnerability last June after private disclosure, failure to completely remediate the vulnerability, and further failure to meet Google’s 90-day disclosure deadline for patching vulnerabilities, led to the public disclosure of the bug in February. Due to Microsoft’s monthly patching cycle, and the delay of monthly patching until March of 2017 due to last minute complications in the February patch cycle, this vulnerability will be exploitable at least until mid-March unless Microsoft releases an emergency patch.

Why it matters: Disclosing unpatched vulnerabilities is a bit of a mixed bag. The threat of public disclosure of vulnerabilities is a strong incentive to fix bugs in a timely manner, rather than allow exploits to remain and offer the possibility that it will be quietly exploited for months to years. Security researchers have adopted this 90 day vulnerability timeline as a way to push vendors to patch their products in a timely manner, and in many cases, it works out to the benefit of the end-user.

For those times when a vendor cannot or does not fix a vulnerability fast enough, however, disclosure provides information that attackers can use to exploit affected machines. Once a vulnerability is made public, it does not take long for cyber criminals, nation states, and hackers to weaponize the vulnerability. As Microsoft stated after a similar disclosure last October, “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”

The discussion of the merits of public disclosure before patches have been issued is a long discussion in and of itself, but for the most part, the 90-day window before public disclosure seems to work in most cases, and leads to a safer computing environment. If Google did not play hardball in cases like this and offered exceptions, it would tarnish the urgency to correct flaws and exploits in software, as vendors would feel they could drag their feet on patching. The benefits of a safer computing environment usually outweigh the risks.