Chicken and Cyber Security: Lessons from 2017
January 31st, 2018 by admin
Reading about hacks is a great blend of macabre intrigue and education by bad example. As terrible as cyber-attacks are, there is always wisdom to be gained from them (and as long as we’re learning, it might as well be fun!). With that in mind, we’ve got a lot of learning to catch up on from 2017. Some writers are even getting bold enough to call it the “Year of the Hacker”; I think that’s a bit of an overstatement. Having dabbled in the Chinese zodiac, I can tell you it was, in fact, the “Year of the Rooster”. Still, there was quite a lot of hacking in 2017, and at the root of most of it were very subpar security choices made by the compromised organizations. We dissected three of the most prominent hacks of 2017 and what we should learn from each, before laying this past year to roost.

Equifax
A hacker in a credit reporting agency is like a fox in a henhouse (hens are just roosters that lay eggs). Through a single vulnerable web application (an unpatched Apache Struts framework, CVE-2017-5638), attackers got onto the systems behind the website and pulled a large share of the records they could reach. Compromised in the breach was personal information for more than 145 million people. Along with Social Security numbers, driver’s license numbers, home addresses and about 209,000 credit card numbers, those people were also robbed of their peace of mind.

What they did:
- Were informed of the vulnerability by the Department of Homeland Security (US-CERT put out an alert in March 2017) and “allegedly” made some effort to address it.
- After realizing at some point that they had been compromised, they kept operating as normal until they noticed somebody actively accessing data they shouldn’t have been.
- Encouraged people to enter their last name and the last six digits of their Social Security number to find out whether they had been affected, on a lookup site that was just as exposed as the one that was breached, potentially handing the attackers even more records than they already had.
What they should have done:
- Taken the vulnerable application offline, or fully patched it, immediately; the Struts fix was available in March 2017, before the intrusion began in May.
- Shut down once they realized they had been hacked, since at that point the attackers had an all-you-can-download buffet at their fingertips.
- Come up with a way of verifying that a user’s personal information had been exposed that didn’t involve the user entering that same sensitive information into the system to check whether that sensitive information was in the system…
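That last point deserves a worked illustration. Below is an added example (my own code, not Equifax’s, and not how Equifax’s checker worked) of a lookup design that lets a person ask “is my number in the breached set?” without the number ever leaving their device: the client hashes the identifier locally, sends only a short prefix of the hash, gets back every breached hash suffix that shares the prefix, and finishes the comparison itself. This is the k-anonymity “range query” that haveibeenpwned.com uses for passwords, applied here to SSNs. The sample SSNs are constructed (the 000 area is never issued) and the `BreachIndex`, `check_exposure` and `what_the_server_learns` names are mine.

```python
import hashlib
import re

# Hex digits of the SHA-256 digest that the client sends to the server.
# 5 hex chars = 20 bits, so a query lands in one of ~1M buckets and is
# indistinguishable from every other identifier sharing that prefix.
PREFIX_LEN = 5
_HEX_PREFIX = re.compile(r"^[0-9A-F]{%d}$" % PREFIX_LEN)


def normalize_ssn(raw: str) -> str:
    """Keep digits only so '000-12-3456' and '000123456' hash identically."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def digest(identifier: str) -> str:
    """Uppercase hex SHA-256 of an already-normalized identifier."""
    return hashlib.sha256(identifier.encode("ascii")).hexdigest().upper()


class BreachIndex:
    """Server side (hypothetical). Holds only digests of the breached records,
    grouped by prefix; the raw identifiers are never stored here."""

    def __init__(self, breached_ssns):
        self.buckets = {}
        for ssn in breached_ssns:
            d = digest(normalize_ssn(ssn))
            self.buckets.setdefault(d[:PREFIX_LEN], set()).add(d[PREFIX_LEN:])

    def range_query(self, prefix: str):
        """The only endpoint a client talks to. It receives a prefix and returns
        the matching suffixes; it never sees a full digest, let alone an SSN."""
        if not _HEX_PREFIX.match(prefix):
            raise ValueError("prefix must be %d uppercase hex chars" % PREFIX_LEN)
        return sorted(self.buckets.get(prefix, set()))


def check_exposure(raw_ssn: str, server: BreachIndex) -> bool:
    """Client side. Hash locally, send the prefix, match the suffix locally."""
    d = digest(normalize_ssn(raw_ssn))
    prefix, suffix = d[:PREFIX_LEN], d[PREFIX_LEN:]
    candidates = server.range_query(prefix)  # this is all that crosses the wire
    return suffix in candidates


def what_the_server_learns(raw_ssn: str) -> str:
    """What someone sitting on the lookup endpoint captures for one query."""
    return digest(normalize_ssn(raw_ssn))[:PREFIX_LEN]


# Constructed sample data: SSNs in the 000 area are never issued, so these are fake.
BREACHED_SAMPLE = ["000-12-3456", "000-98-7654", "000-55-5555"]
NOT_BREACHED_SAMPLE = "000-11-2222"

if __name__ == "__main__":
    index = BreachIndex(BREACHED_SAMPLE)
    for ssn in BREACHED_SAMPLE + [NOT_BREACHED_SAMPLE]:
        verdict = "exposed" if check_exposure(ssn, index) else "not found"
        print(ssn, verdict, "| server saw only prefix", what_the_server_learns(ssn))
```

Run it as a script and you will see that the server only ever receives a five-character prefix, so even a compromised lookup endpoint cannot harvest the numbers people type in. The honest caveat: an SSN has only a billion possible values, so an unsalted SHA-256 of one can be brute-forced offline by anyone who collects enough buckets. For password-sized secrets the haveibeenpwned approach holds up; for a 9-digit identifier you would add rate limiting and a deliberately slow or keyed hash (an OPRF, for instance) on top. Even as written, though, it beats asking 145 million people to type their SSN into a site you cannot vouch for.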
NSA, EternalBlue
Remember reading about WannaCry ransomware last year? Or the lesser-known (in the US) NotPetya and Bad Rabbit outbreaks that hit Europe hard? Each of them spread using Windows SMB exploits (EternalBlue in WannaCry and NotPetya, its sibling EternalRomance in Bad Rabbit) that were stolen from the NSA and released to the public by a group calling itself the Shadow Brokers in April of last year. The NSA is fairly controversial at times, but when they lose their super spy tools to hackers and don’t sound the alarm (much like a rooster that fails to warn its flock) they definitely missed the mark.

What they did:
- Started getting hacked by the Shadow Brokers in 2016 (the group’s first dump appeared that August)
- Were still getting hacked by them in April 2017
- Said nothing publicly about their super spy tools or the exploits they knew about
- Lost their super spy tools
- Only got the underlying SMB flaw patched in March 2017 (Microsoft’s MS17-010), a month before the exploit went public and two months before WannaCry
What they should have done:
- Realized they had been hacked and had potentially lost control of certain exploits
- Roostered, roostered big time: crowed early and loudly so everyone could patch before the exploits went public
Cellebrite
In January of 2017 a hacker sent 900 GB of Cellebrite data to the news site Motherboard. Cellebrite is an Israeli company that sells the UFED (Universal Forensic Extraction Device), essentially a phone-hacking kit, to governments and law-enforcement agencies throughout the world. The stolen data included customer information and some data/evidence that had been extracted with the devices.

What they did:
- Notified their customers to change their passwords as soon as they found out.
- Investigated to assess the risk level to their customers and kept them informed.
- Notified and cooperated with law enforcement to find who was responsible.
What they should have done:
- They pretty much nailed it.