The Host Unknown Podcast

Episode 45 - The Antibody Episode

Episode Summary

Javvad is incorrigible and continues to insult Sole Founder Thom's family. Is there no stopping this man? Andy didn't feel inclined to comment or intervene. Your weekly stick of podcast bubblegum for your brain.

Episode Notes

This week in Infosec

Liberated from the “today in infosec” twitter account:

2nd March 2002: Zone-H was launched in Estonia and began saving and publishing copies of defaced websites 7 days later. 

http://www.zone-h.org/news/id/4742?hz=2

https://twitter.com/todayininfosec/status/1234492350833008640

2nd March 2010: Gregory D. Evans' book "How To Become The World's No. 1 Hacker" was published. The book was heavily plagiarized and not held in high regard. Evans was quite controversial...to say the least. And got a lot of attention for a couple of years. Google him if you wish.

https://twitter.com/todayininfosec/status/1234320212117221376

https://attrition.org/errata/charlatan/gregory_evans/ 

https://blog.c22.cc/2010/06/17/threats/comment-page-2/


Rant of the Week (not covered)

A warning went up on the perl.org infrastructure weblog late in January notifying users that perl.com now pointed to a parking site and advising against visiting it "as there are some signals that it may be related to sites that have distributed malware in the past."

The site later returned an ERR_CONNECTION_CLOSED error message.

The hijack appears to have followed the age-old path of an attacker pouncing on a compromised account and swiping the domain rather than a simple expiration.

A good read-out of what happened from Perl's point of view, as well as their incident response process (link at the bottom).

We had learned very quickly that when you use the registered domain for your email contact, no one can contact you when that domain no longer handles your mail. 

What we think happened

This part veers into some speculation, and Perl.com wasn’t the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.

John Berryhill provided some forensic work on Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple of registrars makes the recovery much harder.

RANT: Domain was hijacked, old methods, there are no new hacks!

https://www.perl.com/article/the-hijacking-of-perl-com/
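The write-up above describes two things a registrant can actually check for: a registrar transfer that leaves the nameservers untouched (so the site keeps working and nobody notices), and a registrant contact email that is delivered through the very domain being monitored (so the registrar cannot reach you once the hijacker controls it). The following is an added example, not code from perl.com, the podcast, or any registrar; it diffs a series of registration snapshots and raises those two alerts. The snapshot layout, the field names, the registrar labels, the nameservers and the dates are all constructed for illustration, loosely mirroring the September-to-January timeline in the text, and are not real WHOIS or RDAP records.

```python
"""Added example: flag a quiet registrar hop and a self-hosted contact email.

Assumes snapshots are taken periodically (e.g. from RDAP or WHOIS) and
normalised into the Snapshot record below; that normalisation is not shown.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    taken: date
    registrar: str
    nameservers: tuple      # hostnames as reported, any case, trailing dot optional
    contact_email: str      # registrant / admin contact as reported


def normalize_ns(names):
    """Lowercase, strip trailing dots and sort, so ordering or case differences do not alert."""
    return tuple(sorted(n.lower().rstrip(".") for n in names))


def contact_on_monitored_domain(domain, email):
    """True when the contact mailbox is delivered via the monitored domain or a subdomain of it."""
    host = email.rpartition("@")[2].lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def diff_snapshots(older, newer):
    """Alert codes for registrar / nameserver changes between two consecutive snapshots."""
    registrar_changed = older.registrar.lower() != newer.registrar.lower()
    ns_changed = normalize_ns(older.nameservers) != normalize_ns(newer.nameservers)
    if registrar_changed and not ns_changed:
        # The pattern in the perl.com case: the domain moves, the site keeps resolving.
        return ["REGISTRAR_CHANGED_NAMESERVERS_UNCHANGED"]
    if registrar_changed:
        return ["REGISTRAR_CHANGED"]
    if ns_changed:
        return ["NAMESERVERS_CHANGED"]
    return []


def scan(domain, snapshots):
    """Return (date, alert_code) findings over the snapshots in chronological order."""
    ordered = sorted(snapshots, key=lambda s: s.taken)
    findings = []
    previous_email = None
    for i, snap in enumerate(ordered):
        # Flag each distinct contact address that routes through the monitored domain.
        email = snap.contact_email.lower()
        if email != previous_email and contact_on_monitored_domain(domain, email):
            findings.append((snap.taken, "CONTACT_EMAIL_ON_MONITORED_DOMAIN"))
        previous_email = email
        if i:
            for code in diff_snapshots(ordered[i - 1], snap):
                findings.append((snap.taken, code))
    return findings


# Constructed snapshots (illustrative only): two registrar hops with the
# nameservers left alone, then the nameservers repointed to a parking host.
_NS = ("ns1.hosting.example", "ns2.hosting.example")
CONSTRUCTED = [
    Snapshot(date(2020, 9, 1), "Registrar A", _NS, "hostmaster@victim.example"),
    Snapshot(date(2020, 12, 1), "Registrar B", ("NS2.hosting.example.", "ns1.hosting.example"),
             "hostmaster@victim.example"),
    Snapshot(date(2021, 1, 15), "Registrar C", _NS, "hostmaster@victim.example"),
    Snapshot(date(2021, 1, 27), "Registrar C", ("ns1.parking.example", "ns2.parking.example"),
             "hostmaster@victim.example"),
]

if __name__ == "__main__":
    for when, code in scan("victim.example", CONSTRUCTED):
        print(when.isoformat(), code)
```

Run against the constructed timeline this reports the contact-email problem on the first snapshot, a registrar change with unchanged nameservers in December and again in January, and only then a nameserver change; the first two registrar alerts are the ones that would have fired months before the parking page appeared. The nameserver comparison is normalised so a registrar that reports the same hosts in a different case or order does not produce a false alert.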


Billy Big Balls

AOL phishing email states your account will be closed

https://www.bleepingcomputer.com/news/security/beware-aol-phishing-email-states-your-account-will-be-closed/

https://mashable.com/2014/08/21/aol-disc-marketing-jan-brandt/?europe=true


Industry News

Our source on probation over at the Infosec PA newswire has been very busy bringing us the latest and greatest security news from around the globe! 


TikTok Set for Massive $92m Payout Over Privacy Suit

Facebook Photo-tagging Lawsuit Settled for $650m

Go Malware Detections Increase 2000%

Quarter of Healthcare Apps Contain High Severity Bugs

Microsoft Patches Four Zero-Day Exchange Server Bugs

Password Reuse at 60% as 1.5 Billion Combos Discovered Online

Ransomware Attacks Soared 150% in 2020

Canadian Cyber-Agency Workers Threaten Strike

Missing Teens Used School Laptops to Chat with Alleged Abductors


Javvad’s Weekly Stories

Jav has the COVID Jab


Tweet of the Week

MalwareAndPickles @malwrandpickles

It's probably nothing.

Marc J @DrGeekthumb

The server room had no lock.

Andy Cooke แอนดี้ คุกส์ @cooke_andy

OK, 3389 open to the internet.

MrR3b00t | it's safe just don't go outside @UK_Daniel_Card

i wiped the right drive right?

Christopher J. Marcinko @christoperj

I’m compliant so I’m definitely secure

David Downs @drdowns

We have a strong password policy

Simon @cigh033

"sorry, your password is too long"

Josh Centers @jcenters

Rudy Giuliani, professional cyber security expert

wim letzer @wimletzer

That does not happen to me.

David Robert Newman @davidnewman

“I wrote my own crypto libraries”

Jeroen Jetten @TheTallestJJ

We’re too small to be attacked

James Kelley @kelleyllc

Client required SolarWinds for security reasons.

dao ming si @dms1899

Our security policy protects against abuse.

Moreno Daltin @morenji

We have always done it this way

Paul Stephenson @tupelofortitude

Wife found my credit card statement

https://twitter.com/Sophos/status/1367082335997427720


The Little People

There will no longer be a Little People segment for the foreseeable future.


Sticky Pickle of the Week

Imagine you are the CEO of an American-based, billion-dollar global company. You hit a SNAFU and are called to testify before Congress about what happened. Obviously the members of Congress will want to know, in layman's terms, how your IT infrastructure was left so unprotected that it was used to deliver malware to several branches of the federal government as well as a series of high-profile private sector targets.

What might be your go-to responses?

Correct answer: Blame the intern

According to Thompson and current SolarWinds CEO Sudhakar Ramakrishna, an intern who worked at the company posted the “solarwinds123” password on GitHub back in 2017. Security researcher Vinoth Kumar later discovered that the password had been posted publicly since at least June 2018 and informed the company of the leak in 2019, at which point, according to Ramakrishna, it was removed from GitHub.

Needless to say, that explanation still leaves a lot of questions unanswered. For instance, was the intern actually responsible for setting the “solarwinds123” password? And, if so, why on earth had the company delegated responsibility for setting such an important password to an intern? Was the password actually changed when the leak was discovered in 2019 or was it just removed from GitHub? And why was there no multifactor authentication protecting that server if it could be used to transfer files onto company servers?

It’s a tempting narrative—as the stories about how a massive, complicated breach is the fault of a single actor often are—in which some clueless college student shows up for a summer and sets a dumb password and then carelessly leaves it up in some publicly accessible code on GitHub. Above all, it’s a story that’s easy to understand, especially for members of Congress. For instance, California Rep. Katie Porter pointed out at the hearing, “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”

https://slate.com/technology/2021/03/solarwinds-hack-cyber-espionage-intern-password.html