Every Friday The Weekly SecuriTEA Report brings you the latest week’s trending information security news. Here's what is new for this week:
DEFCON, BlackHat, The Diana Initiative and other Las Vegas conferences. Last weekend was a huge weekend for security enthusiasts in Las Vegas. The 27th annual DEFCON conference took place, alongside Black-hat and other security related conferences. I did a quick write-up here of my experience at the conference but wanted to highlight some really cool things that others had done at the conference:
The Wall of Sheep wound up on The Wall of Sheep: So 'The Wall of Sheep' is an interactive demonstration of what can happen when users let their guard down and connect to networks. This group was in Las Vegas passively observing the traffic on a network, or when a user connects to Wifi, looking for evidence of users logging into email, web sites, or other network services without the protection of encryption. They of course did not do this maliciously but as a way to educate users to protect themselves when accessing sensitive information on public networks. What's funny about this article is that the people doing the educating themselves got educated when another user found a vulnerable device and placed them on the wall.
IBM X-Force Team reveals new attack method: Announced at Blackhat the IBM team explained how the many packages going through a corporate mailroom, or even to an executive's home directly, can serve as an attack method to remotely penetrate into the wireless network.
Voting Machine Hacking: This was a huge topic this year, especially since we are in the throes of the upcoming 2020 Election season. With the Russian interference scandal not too long behind us it is necessary to re-evaluate our election methods and ensure security is embedded properly in all devices. DARPA, the Defense Advanced Research Projects Agency, had set up a voting machine hacking contest in the Voting Village for contestants to try out.
Targeted phishing campaign hits Energy Sector. Phishing is the fraudulent practice of when an attacker sends you an email pretending to be someone else, for example your bank. Though seen as simple, this attack is still very prevalent and successful to this day as seen in a recent targeted campaign that hit an organization in the energy sector. Typically phishing emails are sent to your spam inbox or are never sent to your inbox at all thanks to your email provider's security protections. In this case, the targeting phishing campaign took advantage of the trust between Microsofts email security stack and a legitimate Google Drive document. The campaign impersonated the CEO of the targeted company, a typical tactic to see a better chance of someone opening the email, and purported to be sharing an important message that was to be viewed by a link. The biggest red flag in this incident was that the email address sent to the employees didn't match the naming convention of the targeted company. This is one of the easiest ways to detect fraudulent activity but is more often than not missed by users. It is important as a consumer that you take the time to check for common red flags when reading emails. A researcher from Cofense, Aaron Riley, did a write-up of the incident noting that this particular campaign was tricky since it used secondary links to bypass security appliance checks.
Ransomware gone wrong but still possibly got the job done. Choice Hotels, a hospitality franchiser based in the United States, is the latest victim to hackers thanks to an open database containing 700,000 customer records. This is yet another instance that highlights the security risks brought to enterprises by third-party vendors as their data was being held externally in the MongoDB database that was left open to the internet. What is interesting about this case is that even though the attackers left a note in the database saying they have downloaded the database to their own servers and demanded 0.4 Bitcoin, ~$3,800USD, as a ransom, the data was not locked or made inaccessible by the company. The whole concept of ransomware is to deny the availability of data in return for money but in this case the ransom became moot. The database was discovered by Bob Diachenko, a researcher at Comparitech, who notified the company. The data leaked contained guest info, such as names, emails, and phone numbers and was exposed for a total of 4 days. Other fields such as passwords, reservation details, and payment information was not accessed.
Fingerprints and facial recognition exposed. The personal and biometrics data of approximately one million people were left publicly exposed by biometric security company Suprema. This data included facial recognition and fingerprint information of users being utilized by almost 6,000 organizations - including the UK Metropolitan Police. The data was discovered in August and if you combine these biometrics with other personal details, such as usernames and passwords, its easy to see how an exposure such as this can be massively concerning. It is common these days for biometrics to be frequently used by everyday users - you don't have to look any further than your iPhone when you unlock it uses your facial features or fingerprint. This biometric data was not stored in hashed form, meaning there was no level of encryption or security to protect the data if an incident like this were to occur. This highlights the concerns around biometric security and privacy and I encourage users to be careful regarding who you readily sign up for biometric features.
And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News.