Chicken and Cyber Security: Lessons from 2017

January 31st, 2018 by admin

Reading about hacks is a great blend of macabre intrigue and education by bad example. As terrible as cyber-attacks are, there is always wisdom to be gained from them (and as long as we’re learning, it might as well be fun!). With that in mind, we’ve got a lot of learning to catch up on from 2017. Some writers are even getting bold enough to call it the “Year of the Hacker”; I think that’s a bit of an overstatement. Having dabbled in Chinese zodiac, I can tell you it was, in fact, the “Year of the Rooster”. However, there was still quite a lot of hacking in 2017, and most of it had very subpar security choices (made by the compromised organizations) at the root. We dissected three of the most prominent hacks of 2017, and what we should learn from each, before laying this past year to roost.

Equifax

A hacker in a credit reporting agency is like a fox in a henhouse (hens are just roosters that lay eggs). With just one vulnerable web application, hackers were able to take control of the entire website and access most of the records available. Compromised in the breach was personal information for more than 145 million people. Along with their Social Security numbers, driver’s license numbers, home addresses, and about 209,000 credit card numbers, they were also robbed of their peace of mind.

What they did:

  • Got informed about the vulnerability by the Department of Homeland Security and “allegedly” made some efforts to address it.
  • After realizing they had been compromised at some point, they continued operating as normal until they noticed somebody was actively accessing things they shouldn’t be.
  • Encouraged people to enter the last 6 digits of their social security numbers to find out if they had been compromised, on a system that was just as vulnerable to hacking, potentially giving the hackers access to even more records than they had before.

What they should have done:

  • Stopped using the application that had the vulnerability, or completely plugged the hole immediately.
  • Shut down once they realized they had been hacked at some point, recognizing that the hackers now had an all-you-can-download buffet at their fingertips.
  • Come up with a way of verifying whether a user had their personal information hacked that didn’t involve them entering that sensitive information into the system to check if that sensitive information was in the system…
 

NSA, EternalBlue

Remember reading about WannaCry ransomware last year? Or the lesser-known (in the US) NotPetya and Bad Rabbit ransomware viruses that hit Europe hard last year? Each of these ransomware attacks took advantage of a Windows exploit tool that was stolen from the NSA and released to the public by a hacker group called Shadow Brokers in April of last year. The NSA is fairly controversial at times, but when they lose their super spy tools to hackers and don’t sound the alarm (much like a rooster that fails to warn his pack), they have definitely missed the mark.

What they did:

  • Started getting hacked by the Shadow Brokers in 2016
  • Were still getting hacked by them in April 2017
  • Said nothing about their super spy tools and the exploits they knew about
  • Lost their super spy tools
  • Finally got the exploit patched in March

What they should have done:

  • Realized they had been getting hacked and potentially lost control of certain exploits
  • Roostered, roostered big time
 

Cellebrite

In January of 2017, a hacker sent 900 GB of Cellebrite customer data to a news source called Motherboard. Cellebrite is an Israeli company that sells UFEDs (Universal Forensic Extraction Devices), which are essentially cell phone hacking devices. They are used by governments and law enforcement agencies throughout the world. The data that was taken included information about the customers, and some data/evidence that had been extracted with the devices.

What they did:

  • Notified their customers to change their passwords as soon as they found out.
  • Investigated to assess the risk level to their customers and kept them informed.
  • Notified and cooperated with law enforcement to find who was responsible.

What they should have done:

  • They pretty much nailed it.

It’s possible that security could have been tighter at Cellebrite or that mistakes were overlooked that made the breach possible. But even when doing everything right with your security, very determined hackers still might be able to find unknown exploits in your system. Security is about responding properly to breaches as much as it is about avoiding them. If you only learn one thing from this article, I hope it’s that we love chicken. But if you learn two things, the second should be that sounding the call about a risk, and making the needed changes quickly upon learning the risk, are the two most important aspects of cyber security.

-Kender Ostlund

Posted in: Protection, Security, Tech Tips, Case Studies