Week in Review 7th July 2017

July 7, 2017  |  Javvad Malik

How to not handle a data breach

Car breakdown service provider the AA apparently suffered an issue whereby it was publicly disclosing customer data. Except it wasn’t. But it was.

Short version is that AA published 13GB worth of customer data to the internet, including partial credit card details.

However, in a masterclass on how not to handle a data breach, the AA proceeded to deny any such leak had occurred, despite there being clear evidence to the contrary. Then, when Graham Cluley pointed out that the AA may be fibbing, he was warned (threatened?) that he was in breach of the Computer Misuse Act. Note that this was for posting a redacted screenshot of leaked data from a leak that apparently never occurred in the first place.

A self-destructing PC

I remember watching the Mission Impossible TV series where, at the end of the mission briefing, the director would say, “This message will self destruct in 30 seconds”, and I always found it to be so cool.

When my first MP3 player was stolen, I sorely wished that it had a similar functionality whereby I could remotely ‘detonate’ it so that the internals would go up in a puff of smoke.

It appears as if such a device is no longer in the realm of fantasy, as ORWL takes physical security to the next level. Not only do you need a password and a wireless fob to turn it on; if the fob moves out of range, the system goes to sleep and the USB and HDMI ports shut off.

If an attacker keeps at it, the device will wipe the data on the encrypted drive.

It will be interesting to see how law enforcement views this and, if such devices become favoured by those looking to do no good, whether a master fob will be requested.

Certificate revocation is broken

A nice piece by Scott Helme (why does autocorrect insist on referring to him as Helmet?) in which he illustrates the challenge that, as more and more sites use certificates, there still isn’t a good way to revoke one if someone obtains the private key.

Kaspersky agrees to turn over source code to US government

In a story that will likely continue to take twists and turns along the way, Kaspersky has worryingly agreed to share its source code with the US government in order to continue conducting business with them.

CEO Eugene Kaspersky has stated that he is willing to do whatever is needed to prove to the US government that there is nothing untoward in its software.

However, this sets a dangerous precedent, not only allowing the US to demand source code from any company, but legitimising other governments doing the same to US-based companies. In the end, this digital cold war will impact software companies and their customers the most.

Microsoft battling Ransomware

The next Windows 10 release includes a new controlled folder access feature that only allows specific apps to read from or write to a protected folder. It is designed to stop malware such as ransomware from locking machines out of certain folders.

It’s an interesting approach, which enterprises may be able to use to good effect. But the real question is whether home users will be able to wrap their heads around a feature that will inevitably throw up many warnings, which could lead to the warnings being ignored or the feature being turned off altogether. Either way, good steps.
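A staged rollout is one way to limit the warning fatigue described above. The following is an added example, not from the original post, showing the feature configured through the Windows Defender PowerShell cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) with audit mode used first so that blocked-access events can be reviewed before enforcement; the folder and application paths are constructed placeholders.

```powershell
# Added example: staged rollout of Controlled Folder Access (CFA) using the
# Windows Defender PowerShell module. Run from an elevated prompt on a
# Windows 10 build that ships the feature. Folder and application paths
# below are constructed placeholders; substitute your own.

# 1. Start in audit mode: nothing is blocked, but every access that *would*
#    have been blocked is logged. This surfaces false positives before users
#    see (and start ignoring) warnings.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add the folders to protect beyond the default user profile folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Shared\Contracts'

# 3. Allow the business apps that legitimately write to those folders
#    (placeholder path for an accounting package on this machine).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\exampleapp.exe'

# 4. Review what audit mode logged in the Defender operational log.
#    Event ID 1124 = audited (would have been blocked); 1123 = blocked
#    (once enforcement is on).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Message = ($_.Message -split "`n")[0]   # first line is enough for triage
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 5. Only once the audit events show no legitimate apps being flagged,
#    switch to enforcement. Anything still blocked after that is worth a look.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting state.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Leaving audit mode on for a week or two of normal use gives a realistic picture of which applications need allow-listing before anyone sees a block.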

Ex-employee wrecks smart meter radio masts with Pink Floyd lyrics

Adam Flanagan worked as an engineer for a company that built radio masts used by utility companies to collect power and water usage data from home energy meters.

After being let go, in an apparent alcohol-fuelled frenzy, he decided to exact revenge. He was able to log into the network using root passwords, which he proceeded to change, uploaded Pink Floyd song lyrics in place of key code, changed the radio frequencies used by the towers, and added ASCII art to the masts’ firmware.

Despite the ingenious use of Pink Floyd, Flanagan ended up being sentenced to a year and a day and fined $40,000.

A reminder that companies should revoke access promptly so that departed employees can’t simply waltz back into the network.

Backdoors in Ukrainian Software

Ukrainian accounting software provider M.E.Doc was used to push DiskCoder.C malware in the attack which shut down most Ukrainian businesses and government departments.

Apparently, the attackers achieved this by modifying the source code and inserting a backdoor into one of the legitimate modules.

Additionally, the attack made use of the EDRPOU code, which every company that does business in Ukraine uses to identify itself. The malicious code recorded the EDRPOU numbers from installed copies of the application, allowing the attackers to identify the exact organisation using the backdoored M.E.Doc.

The investigation will likely continue and more bits of information will come to light. But it is clear this wasn’t the job of a script kiddie.
