During the week, research an article that describes a recent breach (hack) of an organization. Of special interest this week, does the article discuss whether the organization had conducted some sort of vulnerability scans, penetration tests, and/or red or blue team exercises?
When citing the article, include the URL, so that others can read the rest of the article.
Anthony Wong says
On July 15th, Twitter was the target of a Bitcoin scam by a hacker group called OGUsers. Twitter confirmed OGUsers had obtained access to its internal systems by targeting Twitter employees with access to support tools, using the social engineering technique of spear phishing. After gaining initial access, they targeted more employees with privileges to use the account management tools. The attackers used the account management tools to reset the passwords of high-profile and verified accounts, including Elon Musk, Jeff Bezos, Bill Gates, Barack Obama, and more. On these compromised accounts, the hackers appeared to offer COVID-19 aid to followers by doubling any amount of money sent to a specific Bitcoin wallet. In the end, the hackers netted more than $180,000 in Bitcoin. Twitter support noted they were conducting a forensic investigation to review all the affected accounts, but did not provide information on conducting scans or penetration testing. Three individuals aged 17, 19 and 22 were charged for this crime. I think it’s pretty impressive these young men were able to pull off such a complex hack on a huge organization like Twitter.
URLs:
https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
https://www.nytimes.com/2020/07/31/technology/twitter-hack-arrest.html
Humbert Amiani says
In a botched deployment of a SharePoint site, the Southern Water utility company in Worthing, UK, forgot to enforce authentication on client requests. They were exposed by a curious customer who happened to stumble upon this vulnerability, which stemmed from his knowledge of the cURL library and command-line tool. The customer was able to access other customers’ full data, including PII and billing data. The customer was able to accomplish this simple hack by manipulating SharePoint URLs that he found did not have authentication enforced.
The company claims to carry out vigorous pentesting of its systems and to be keen on safeguarding customer data. However, this simple hack contradicts that statement and highlights the kind of risk companies can put their clients in with lousy pentesting of their systems.
Link to article below:
https://www.theregister.com/2020/08/28/southern_water_sharepoint_shenanigans/?&web_view=true
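The check a tester would run against a deployment like the one Humbert describes is a differential authorization test: request each data-bearing URL as its owner, then again with no credentials and with a different customer's credentials, and flag any URL that still returns the owner's data. The following is an added example, not code from the article, Southern Water or SharePoint; the tiny local server, its two routes (`/open/<id>` with no check, `/secured/<id>` with one), the account records and the session cookie values are all constructed for the demo.

```python
"""Differential authorization check: does a URL that serves one customer's data
when authenticated still serve it anonymously or to another customer?
The demo server, accounts and sessions below are constructed for this example."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data (hypothetical account ids, names and sessions).
ACCOUNTS = {
    "1001": {"name": "Customer A", "balance_due": "42.10"},
    "1002": {"name": "Customer B", "balance_due": "9.99"},
}
SESSIONS = {"sess-a": "1001", "sess-b": "1002"}  # cookie value -> owning account


class DemoHandler(BaseHTTPRequestHandler):
    """/open/<id> checks nothing (the deployment mistake);
    /secured/<id> requires a session cookie that owns the requested account."""

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        route, _, acct = self.path.strip("/").partition("/")
        if acct not in ACCOUNTS:
            return self._send(404, {"error": "not found"})
        if route == "open":                       # vulnerable: no authz check at all
            return self._send(200, ACCOUNTS[acct])
        if route == "secured":
            sess = self.headers.get("Cookie", "").replace("session=", "", 1)
            if SESSIONS.get(sess) != acct:        # missing cookie or wrong owner
                return self._send(403, {"error": "forbidden"})
            return self._send(200, ACCOUNTS[acct])
        return self._send(404, {"error": "not found"})

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    """Bind to port 0 so the OS picks a free port; serve on a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url, session=None):
    """Return (status, body); the session cookie is sent only when given."""
    req = urllib.request.Request(url)
    if session:
        req.add_header("Cookie", "session=" + session)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def check_authorization(base, paths, owner_session, other_session):
    """For each path, compare the owner's authenticated response with an
    anonymous request and with another user's session.  Any path whose
    anonymous or cross-user response equals the owner's is a finding."""
    findings = []
    for path in paths:
        status, body = fetch(base + path, owner_session)
        if status != 200:
            continue  # the owner gets nothing here, so there is nothing to leak
        for label, sess in (("anonymous", None), ("other-user", other_session)):
            s2, b2 = fetch(base + path, sess)
            if s2 == 200 and b2 == body:
                findings.append((path, label))
    return findings


if __name__ == "__main__":
    srv, base = start_server()
    for path, who in check_authorization(base, ["/open/1001", "/secured/1001"],
                                         "sess-a", "sess-b"):
        print("FINDING: %s served the owner's data to an %s request" % (path, who))
    srv.shutdown()
```

Comparing bodies rather than only status codes matters: a site that answers every request with 200 and an error page would otherwise look fine. Against a real deployment the list of paths would come from a crawl of the authenticated session, and the "other-user" session from a second test account.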
Anthony Wong says
I agree with you, Humbert. Southern Water’s claim of “vigorous testing” is questionable and makes me wonder what kind of testing was in scope for the SharePoint implementation. In addition to the SharePoint URL bug, it appears there’s another bug within their authentication servers for their API. This is a huge breach of confidentiality, and the organization will be faced with reputational and financial damages. I’m curious whether Southern Water will offer their customers any sort of credit monitoring service to identify any fraud that may occur as a result of the bug. Southern Water definitely dodged a bullet on this mishap and is fortunate a customer reported the issue.
Humbert Amiani says
Anthony, this actually makes me believe there might have been more than meets the eye. The company will definitely need to invest heavily in rebuilding their clients’ confidence in the system, on top of the possibility of fighting legal battles brought by irate customers whose PII was at risk of exposure.
Anthony Wong says
I agree… it would be imperative for Southern Water to review all their external-facing applications and APIs to ensure no other vulnerabilities are present. Reputation is always hard to build, but is very easy to ruin.
Unfortunately if there are no other water suppliers within the area, the customers are stuck with them.
Kelly Sharadin says
Thanks for this interesting article, Humbert. I think it can be true that the company does carry out vigorous pentests of their systems, but whether they implement the findings/recommendations of those reports is another thing. I would be curious to know if these tests are performed by an internal red team or an external one.
Amelia Safirstein says
You make a great point, Kelly. I hadn’t thought about the possibility that the organization may have had vigorous testing in place but decided against implementing recommended mitigations. If this is the case, this company’s situation would show the importance of management’s grasp on the severity of risk for each finding.
Anthony Wong says
If the organization decided against implementing the recommended mitigations, I would be curious to see what the business justification for this was. This breach could cost them thousands of dollars. Also, I wonder if they fully understood the risks and whether the benefit of the SharePoint deployment would outweigh the risks.
Humbert Amiani says
Kelly, it is definitely possible that someone in the company might have known about the vulnerability but left it as another day’s worry. I personally have seen that happen, especially if it took so much to deploy the system to production only to find a bug on the second day it has been up. Even though it is only right to deal with it right then, it is possible that it was neglected in the hope that nothing would come of it until it got fixed.
Amelia Safirstein says
I agree that they need to significantly improve their pen testing. It’s hard to comment on what improvements could be made without knowing what their current processes are. The article mentions that many companies have begun to favor bug bounty schemes over pressing charges against those who come forward with security vulnerabilities. I think that bug bounty schemes are overall a positive implementation but they could increase the number of casual/hobby hackers who may ultimately decide to take advantage of a vulnerability rather than report it. Do you think that the benefits outweigh the potential negatives of implementing these types of programs?
Bryan Garrahan says
Thanks for sharing, Humbert. As we talked about in class, it’s difficult to identify vulnerabilities when they’re simply not known or if the testers aren’t familiar with the system under review. It appears that the requirements for rolling out the SharePoint implementation were severely flawed. Southern Water should consider themselves lucky, as Chris was an individual who did the right thing and opted to “not go too far” in exploiting the vulnerability.
Nicholas Fabrizio says
Title: FBI Investigates COVID-19 Patient Data Breach
URL: https://www.infosecurity-magazine.com/news/fbi-investigates-covid19-patient/
The FBI is investigating a database breach that occurred this past June in South Dakota, where personal information of residents who contracted COVID-19 was exposed. The database was being hosted by a company called Netsential.com, Inc., which is used by many law enforcement agencies in the US. The purpose of hosting this information on the web was to help reduce the chances of first responders contracting the virus: they could contact dispatchers to check the database and see if anyone at the residence they were responding to had COVID-19. Some of the information stored in this database consisted of names, addresses, dates of birth, and infection status. The hosting company added some labels to a file which could allow a third party to identify people on the list.
Bryan Garrahan says
I feel like we continue to see situations like this occur over and over, where systems and services hosted by third parties are compromised. Of course it’s easy to report that it is the third party’s fault for not being able to deter the intrusion, since they are responsible for maintaining the system. But from my experience I’ve noticed that companies simply outsource functions without performing any type of due diligence (i.e. SOC report reviews) around the third party’s control environment. I believe companies need to be more proactive by holding third parties and the services they provide more accountable, so that vulnerabilities like this one can be identified and remediated before they are exploited.
Amelia Safirstein says
User login information was stolen through two of San Francisco International Airport’s websites. Malicious actors used web skimming techniques, which sent user credentials to the hacker’s specified server as users logged into the legitimate website. This method injects malicious code that runs on the client side, which delays detection.
Article: https://www.securityweek.com/san-francisco-international-airport-discloses-data-breach
Learn more about how it works and how to fight against it here: https://www.youtube.com/watch?v=14vBejCmjW4
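A skimmer of the kind Amelia describes has to get the captured credentials off the page somehow: a fetch/XHR POST, a hijacked form action, or an image beacon. A Content-Security-Policy that pins `connect-src`, `form-action` and `img-src` to the site's own origins blocks all three, while a loose policy (for example `default-src https:`) lets the exfiltration through. The following added example, not code from the article or from SFO, evaluates a CSP header against an attempted exfiltration destination; the page origin, API host, attacker host and both policies are constructed for the demo, and source matching is simplified (paths in host-sources are ignored, and the http-to-https upgrade rule for `'self'` is not modelled).

```python
"""Would this Content-Security-Policy stop a web skimmer's exfiltration?
Checks fetch/XHR (connect-src), hijacked form posts (form-action) and image
beacons (img-src) against a policy string.  Hosts and policies are constructed."""
from urllib.parse import urlparse

# CSP3 fallback: these fetch directives fall back to default-src when absent;
# form-action is a navigation directive and deliberately does NOT fall back.
FALLS_BACK_TO_DEFAULT = {"connect-src", "script-src", "img-src"}


def parse_csp(header):
    """'default-src 'self'; connect-src a b' -> {'default-src': ["'self'"], ...}.
    If a directive appears twice the first occurrence wins, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern, host):
    if pattern.startswith("*."):                 # *.example.test matches subdomains only
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source, url, page_origin):
    """Does one source expression permit a request to url from page_origin?"""
    target, page = urlparse(url), urlparse(page_origin)
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (target.scheme, target.hostname, target.port) == \
               (page.scheme, page.hostname, page.port)
    if s == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if s.endswith(":") and "/" not in s:          # scheme-source such as https:
        return target.scheme == s[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    scheme, _, rest = s.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and target.scheme != scheme:
        return False
    default_port = 443 if target.scheme == "https" else 80
    if port and port != "*" and str(target.port or default_port) != port:
        return False
    return _host_matches(host, target.hostname or "")


def csp_allows(header, directive, url, page_origin):
    """True if the policy lets `directive` load/send to url (absent directive
    and no applicable fallback means the browser imposes no restriction)."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def skimmer_exfil_blocked(header, page_origin, exfil_url):
    """A skimmer tries whatever channel is open; the policy must close
    fetch/XHR, form submission and image beacons to block exfiltration."""
    channels = ("connect-src", "form-action", "img-src")
    return not any(csp_allows(header, d, exfil_url, page_origin) for d in channels)


# Constructed origins and policies for the demonstration.
PAGE = "https://www.example-airport.test"
EXFIL = "https://attacker.example/collect"
WEAK = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:"
HARDENED = ("default-src 'self'; script-src 'self'; "
            "connect-src 'self' https://api.example-airport.test; "
            "form-action 'self'; img-src 'self'")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "blocks exfil:", skimmer_exfil_blocked(policy, PAGE, EXFIL))
```

The weak policy fails because `https:` in `default-src` covers the attacker's host through the `connect-src` fallback and because `form-action` is missing entirely, so a hijacked form posts anywhere. The hardened policy also confines `script-src` to the site itself, which would have stopped the skimmer from loading from a third-party host in the first place, though not an injection into the site's own files.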
Kelly Sharadin says
A former Cisco employee has pleaded guilty to hacking the company’s AWS infrastructure and deploying malicious code that destroyed over 450 virtual machines, costing Cisco millions of dollars in damage. The article does not discuss whether Cisco conducted any security assessments. This scenario is interesting because there are two prongs of hacking demonstrated. One is a potential vulnerability in the way Cisco deployed its AWS infrastructure, and the second is a former insider exploiting the company by using his knowledge of the business to cause harm.
https://www.securityweek.com/former-employee-admits-hacking-damaging-cisco-systems
Anthony Wong says
Hi Kelly,
Thanks for sharing this article. This must have been an extremely tough first half of the year for Cisco due to major issues with WebEx. Due to COVID-19, in mid-March Cisco experienced connectivity issues with WebEx because of the influx of users working from home. The organization must have allocated a large number of their employees to work on improving their infrastructure to handle all the requests. Then, after resolving one major issue, being faced with another major issue must be disheartening. I am curious why Stitch Fix is willing to take the risk and keep Sudhish as an employee knowing he sabotaged his previous employer.
Kelly Sharadin says
Anthony, I was also pretty stunned Stitch Fix was so apt to defend him! I’ve had some bad work environments but I never dreamed of doing anything like this to a previous employer. Maybe Stitch Fix wants to prevent a similar scenario if he is fired 😉
Anthony Wong says
Agreed! This type of retaliation will be with him for the rest of his career. If I were Stitch Fix, I would keep eyes on him at all times and monitor his actions within the systems he has access to.
Bryan Garrahan says
https://www.identityforce.com/blog/2020-data-breaches
The link above discusses the disclosure of a breach where US Marshals inmate PII data, including names, addresses, social security numbers, etc., was accessed by hackers. While the report initially came out in December 2019, it was discovered in May 2020 that over 387,000 inmates, both current and former, had their information accessed by the hacker. The article does not mention anything around penetration testing but does mention that the hacker was able to exploit a vulnerability and extract the data. Unfortunately, we do not know the nature of the vulnerability that was exploited, but the article outlines that the US Marshals plan “numerous corrective actions to prevent future attacks, including comprehensive code review/correction and testing before returning DSNet to service.”
While it’s great they’re looking to deploy corrective actions in order to resolve the vulnerability, it appears that either insufficient or zero security or risk assessments were performed prior to the finding.