This week, Drupal vulnerabilities, APT detection, DoD bug bounties, new DNS services and breaches galore from Under Armour, Saks, Lord and Taylor, and Panera! Jason Wood from Paladin Security joins us for expert commentary so stay tuned to this episode of Hack Naked News!
- Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable – Drupal released a patch for a “highly critical” flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms. Its so bad, we need a WaF: “The only effective mitigation we are advising is to upgrade or second best is to put a rule into a WAF,” said Greg Knaddison, a Drupal security team member and product engineer and Card.com.
- MITRE Evaluates Tools for APT Detection – With the new offering, MITRE will evaluate endpoint detection and response products for their ability to detect advanced threats. “There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE. Those results will be available to the public, Duff says, because it’s important both to be transparent and to contribute to the general community’s base of knowledge.
- Four Reasons Why Data Breaches Continue – Some good reasons why data breaches still happen, according to the article, include: 1) Hackers Target Large Corporations and Individuals Alike 2) Password stink 3) Digital Property Is Increasingly Becoming Popular and 4) Hacking Evolves Faster than Security.
- Under Armour Data Breach Compromises 150 Million User Accounts – eWeek reports Under Armour reported a massive data breach on March 29 that impacted 150 million user accounts of the fitness vendor’s popular MyFitnessPal application, which provides exercise, diet and calorie counting capabilities. Under Armour stated, “On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.” Under Armour has not publicly identified the root cause of the breach.
- U.S. DoD Hopes To Stamp Out Threats With Bug Bounty Program – The “Hack the DTS” program launched in partnership with bug bounty firm HackerOne. It targets potential threats found in a Department of Defense enterprise system called Defense Travel System (DTS). The DTS serves the DoD’s massive travel services’ bureaucracy and is responsible for everything from generating itineraries to reimbursements for millions of global DoD travelers.
- 5 million credit cards exposed in Saks and Lord & Taylor data breach – Sophos Naked Security Blog reported on this statement from Gemini security, the firm who has disclosed the breach: On March 28, 2018, a JokerStash hacking syndicate announced the release for sale of over five million stolen credit and debit cards. In co-operation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores. We estimate the window of compromise to be May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations. As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months. This appears to be a physical card theft, as the attackers are offering Track 1 and 2 data from the physical cards. Chip and pin anyone?
- Cloudflare Launches 188.8.131.52 DNS Service to Improve Internet Privacy – DNS over HTTPs seems to be a thing now: With the 184.108.40.206 service, Cloudflare is integrating support for a pair of security enhancement to standard DNS resolution. The two protocols are DNS-over-TLS (Transport Layer Security) and DNS over HTTPS, which both transmit DNS queries over an encrypted data link. “The DNS resolver, 220.127.116.11, is also supporting privacy-enabled TLS queries on port 853 (DNS over TLS), so we can keep queries hidden from snooping networks,” Olafur Gudmundsson wrote in a blog post. “Furthermore, by offering the experimental DoH (DNS over HTTPS) protocol, we improve both privacy and a number of future speedups for end users, as browsers and other applications can now mix DNS and HTTPS traffic into one single connection.”
- Panera Bread Slammed After Sitting On Massive Data Leak For Eight Months – Security journalist Brian Krebs highlighted the data leaks in a post on Monday evening, saying that the data – including names, email and physical addresses, birthdays and the last four digits of credit card numbers – was available in plain text on Panera’s site. The security researcher who discuvered the bug, and reported it 8 months ago, has published the full details and Panara has been publically shamed on social media, perhaps rightfully so.
Panera Bread Fails to Rise to the Occasion The infosec world is making bad bread puns left and right today as we castigate Panera Bread for their response to the vulnerability report in their web sites. Dylan Hoilihan noticed a flaw in Panera’s delivery web site back in August 2017 and notified them of it privately. Panera responded to Dylan by saying that they didn’t like his sales pitch and lectured him on his inappropriate email. Things go back and forth a bit and you can read the exchange of emails in Dylan’s blog post that I’ve linked in the show notes. In the end, Panera was not responding to the issue and Dylan decided to contact Brian Krebs about it and put the issue into a Pastebin. Panera finally appears to address the issue, but issues a statement denying the seriousness of the issue and lowballing the number of customers that could be affected by it.
Ok, so that’s fun. What does that have to do with us? The issue that stands out to me is how unprepared Panera appeared to be for a vulnerability report from the public. Whether or not someone *should* be poking around your web sites, people are. If someone comes to us to report a problem (and it’s no longer unlikely for this to happen), then we should be ready to take the report and respond to it. What could this look like? I’m glad you asked!
First, you’ll need to convince your organization’s leadership that things like this can happen. And that they need to be prepared for it. This can be a challenge because it is oh so much more comfortable to wrap yourself in a warm blanket of denial rather than acknowledge that bad things happen some times. Get this buy-in because you’ll need top cover to make the rest happen. It won’t be just you involved in the process, so get the backing you need.
Next, provide a page with contact information and public encryption keys to communicate issues. If we give people a this information, then it at least provides the channel for people to be polite and pass information along securely. If someone is looking around for contact information and can’t find it, they may just throw in the towel and post it to the public.
Your company will also need to make some preparations for communications. What will be said to the person reporting the issue? How will they be kept informed on the investigation and remediation? What information can be shared and what cannot be shared? What will be said publicly when someone publishes the issue in a blog post, news article and on social media? Obviously, the answers to these questions will vary depending on the situation, but you need to be prepared with some guidelines on what to do. Making it up as you go while under fire is a great way to make things worse.
Your implementation of this stuff may vary a bit, but that’s ok. The goal is to make some preparations to avoid things spiraling out of control. Acting in good faith, showing that you are listening by taking steps to resolve things in a timely manner, and being ready to communicate can really help. That goes a long way with someone who has decided to work with you rather than just dump things publicly.