Cyber Weekly Roundup – March 9, 2017

1.) Here’s a new way to prevent cyberattacks on home devices (February 28, 2017)

http://www.computerworld.com/article/3175507/security/here-s-a-new-way-to-prevent-cyberattacks-on-home-devices.html

Summary: Dojo Labs will soon be releasing a centralized security management system intended to protect consumer IoT devices from attacks and from botnets looking to grow their numbers. The device works by connecting to the home’s WiFi network and intercepting IP packets for analysis. Packets judged malicious and destined for IoT devices are recorded and reported to the home user’s smartphone, which allows the user to block the attack remotely.

Why it Matters: Assuming this device is effective in blocking exploitation of IoT devices, it will be interesting to see if the consumer market takes an interest in this product, or interest in the upcoming products that will be offered by Norton and McAfee. While on paper these devices sound like a great way to reduce the attack surface of home IoT in botnets, the challenge will be convincing home users that it’s worth their money. While the desire to protect recording devices like video cameras and voice recorders is understandable, those users with items like the $20 light bulb with an IP address may not see the point in using such an expensive device to protect a low value target. Unfortunately, these low-value targets can still spew requests to web services across the internet, making them a huge risk for someone else.

2.) Amazon mega-outage caused by single command line error (March 3, 2017)
https://nakedsecurity.sophos.com/2017/03/03/amazon-mega-outage-caused-by-single-command-line-error/

Summary: An Amazon Web Services (AWS) S3 outage, which caused service interruptions for up to 150,000 customers including companies like Netflix, Spotify, Pinterest and Buzzfeed, was caused by a typo in a single command entered by an engineer. Because of this typo, two critical servers were brought down and had to be restarted, which kept S3 from servicing requests made by users. While the subsystems were designed to tolerate the removal or failure of certain services with little customer impact, the two critical servers had not been completely restarted in a long time, and S3’s massive growth meant the restart took far longer than expected.

Why it matters: Oftentimes, in designing a solution for incident response, data backup, or disaster recovery, a key step is omitted – testing to ensure that the service actually works. While extra time and effort are required, and the tests may inconvenience those performing them, Amazon’s recent outage is a perfect illustration of just how important it is to not just design and implement solutions, but to also monitor and test them to ensure they work as expected.

For a service as large as Amazon, a significant service outage can mean real monetary loss, but the decision not to test can also have a huge impact on larger organizations. What if, for example, a smaller organization were hit by ransomware? Are they sure their data backups are sufficient and valid? Have they been tested? Such a minor detail can be the difference between a fast and orderly recovery, and paying a ransom, or even going out of business.

Backups aside, it’s really a sign of the times when we feel some degree of relief over an outage being caused by human error, instead of DDoS, hacking, or other malicious acts.

3.) Google Increases Bug Bounty Payouts by 50% and Microsoft Just Doubles It! (March 3, 2017)

http://thehackernews.com/2017/03/google-bug-bounty.html

Summary: Tech giants Google and Microsoft have increased the amount paid to bug hunters who successfully find high severity exploits in their products, with Microsoft doubling its top reward ($15,000 to $30,000) and Google raising the payout from $20,000 to $31,337. Both companies have increased their rewards for high severity exploits, such as remote code execution, which have potentially severe consequences for both the tech companies and users if successfully exploited.

Why it matters: Bug bounties are hardly news now, given their proliferation and adoption by many organizations (even DoD), but these types of stories continue to remind us why these programs are such a great win for everyone. Companies benefit from a larger pool of experienced hackers who are more than willing to help perform penetration testing against large, complex software in exchange for the promise of cash, and from a more cost-effective pentest. Companies also spend their money on patching risks, instead of paying fines and losing goodwill over security breaches. Meanwhile, the bug hunters who engage in these research activities find a legitimate way to earn cash from these bug bounties, reducing the pressure to sell these exploits to nefarious parties for a bit of coin. Lastly, end users benefit from these exercises through better security on their devices and software.

4.) Children’s Voice Messages Leaked in CloudPets Database Breach (February 28, 2017)
https://threatpost.com/childrens-voice-messages-leaked-in-cloudpets-database-breach/123956/

CloudPets Notifies California AG of Data Breach (March 1, 2017)
https://threatpost.com/cloudpets-notifies-california-ag-of-data-breach/124002/

Hacking Unicorns with Web Bluetooth (February 26, 2017)
https://www.contextis.com/resources/blog/hacking-unicorns-web-bluetooth/

Summary: Public disclosure by Troy Hunt revealed a data leak and attempted ransom of the “CloudPets” line of toys produced by Spiral Toys. “CloudPets” are a line of stuffed toys with embedded devices (IoT) that allow children and friends/relatives to pass messages to one another using Bluetooth technology and a web app on smartphones. Included in this breach were file paths to over 2 million voice recordings between children and friends/relatives, and 800,000 entries containing e-mail addresses and password data linked to CloudPets accounts. The database holding this information was neither password-protected nor placed behind a firewall. While passwords were hashed with bcrypt, the lack of password strength rules on this database offered little protection against attackers with basic knowledge of cracking hashes.

Even though two security researchers had been warning Spiral Toys of their poor security posture since December 30, 2016, and indeed notified them of not one, but multiple ransom attempts against the exposed MongoDB, Spiral Toys only announced this breach to the California AG after this information was disclosed publicly by Mr. Hunt.

In addition to these reports of a data breach, security researchers with Context recently disclosed additional security vulnerabilities in the CloudPets products themselves which, if exploited, would allow attackers to connect to any given CloudPet within range using a web app to pick up the CloudPet’s Bluetooth broadcast. Successful exploitation of this vulnerability would allow the attacker to use the toy as a remote listening device, listen to any recorded messages, and trigger numerous other functions.

Why it matters: This is a sterling example of how not to do incident response and notification. While the nature of this breach is unsettling, it is likely that the amount of PII disclosed is fairly minimal. That said, this case should be a lesson and a warning to any company that, whether knowingly or not, ignores basic cyber hygiene and remains silent in the face of inquiries from cybersecurity researchers. As recent actions by Google Project Zero illustrate, security researchers are adopting the stance of publicly disclosing vulnerabilities and breaches if companies do not take action on them. The bottom line: if you’re going to make internet-connected devices, talk to the right legal experts and have an incident response plan in place in the event of a data breach – it may save some public humiliation (and dollars) down the line.

Regardless, for the average consumer, it may be worth holding off a few more years on those IoT toys – they don’t have the best track record at the moment. At the absolute least, parents should be asking themselves what the real benefit of these toys is for their children, given that the security on these devices is (like so many IoT devices) still often poorly implemented. Do you really need a stuffed animal to pass recordings to friends and loved ones, or could you stick with a phone call and avoid the potential exposure of your child’s information and possible endangerment?

5.) Ransomware for Dummies: Anyone can do it (March 1, 2017)
https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/

Summary: This is a short post by Brian Krebs showing that the ransomware-as-a-service model is alive and well: readers are “treated” to a “slick and professionally produced video advertisement promoting the features and usability” of the Philadelphia Ransomware.

Why it Matters: Spreading malware is no longer solely the domain of hackers who do it for fun or for nation-state espionage – ransomware is big money. With the development of ransomware-as-a-service packages, the black market for ransomware has enabled non-tech-savvy criminals not only to get the code they need, but also to gain access to a full platform that helps them prepare and customize their ransom notes, set up their command and control servers, and even generate PDF reports to track the metrics of their ransomware campaign.

6.) Yahoo CEO Marissa Mayer Loses Bonus And Stock Award Over Security Breach (March 2, 2017)
http://www.npr.org/sections/thetwo-way/2017/03/02/518089196/yahoo-ceo-marissa-mayer-loses-bonus-and-stock-award-over-security-breach

Summary: A Yahoo Inc. investigation has determined that two security breaches were mishandled by senior leadership, and as a result Yahoo CEO Marissa Mayer will not be awarded her annual bonus or stock awards. In addition, the company’s general counsel resigned without severance pay over his department’s response to the incidents. The breaches in question occurred in 2013, when over 1 billion accounts were affected, and in 2014, when over 500 million account details were breached. These account details included usernames, hashed passwords, and unencrypted security challenge questions and answers (e.g., In what city were you born? What was the name of your first pet?).

Why it matters: How do you get your board room’s attention on issues related to cybersecurity? Mentioning this article is a good place to start. With the bad news continuing for Yahoo! after initially losing $350 million from its sales price in its upcoming merger with Verizon, this blow to management and C-level executives at Yahoo! is sure to help illustrate the cost of a data breach to an organization, and to its leadership. As noted in a recent piece in GCN by NetCentrics’ cyber expert Marvin Marin (https://gcn.com/articles/2017/01/26/explaining-cyber-in-context.aspx), explaining the technical side of cybersecurity issues to decision makers can be challenging. Concrete monetary losses such as these, however, are a sure warning of the risk involved when systems are not designed, operated, and monitored properly.