Inside Security

Inside Security (Jul 19th, 2019)

Understanding encryption seems to be a rare skill these days. Two stories this week stand out:

First, the Kazakhstan government is trying once again to force its citizens to install its own browser root certificate. (No cert, no web access.) The idea, originally attempted several years ago, is to be able to intercept and snoop on all HTTPS traffic. It isn’t clear whether they will be successful, nor what the browser vendors will do if the government succeeds in getting this cert deployed across the country. Part of the problem is that if the vendors block the cert, users will have to find a browser that still allows communications if they want to get any useful work done online. I will be following this story carefully and will report on what happens.

Contrast this deliberate invasion of privacy with inept bungling by the state of Maryland. The state stored personal data of more than 1.4M students and more than 200,000 teachers in clear text, rather than using any encryption.

Today’s newsletter is chock full of the more notable security reports that I received this week, along with new details about the Slack 2015 hack and a Follow Friday link to forensics expert Heather Mahalik.

-- David Strom

1. Slack was hacked back in 2015, but new information has come to light indicating that more users’ passwords were compromised than first thought. Slack has automatically reset the passwords of affected users, and also urges everyone to employ MFA (which it launched back in 2015 in response to the hack) or at least use a unique password for their accounts. The company also links in its notification message to instructions for accessing login logs, which if your usage is like mine you will find less than useful. -- ZDNET

2. Researchers have discovered a massive leak that appears to originate from a third party who has access to the data from the Chinese marketing company Aliyun Computing. The leak contains credit reports for loan applicants, including ID numbers and contact information along with details about mobile device identities (such as IMEI numbers and GPS locations). The leak has been closed. -- SAFETY DETECTIVES BLOG

3. Follow Friday: Heather Mahalik 

Heather Mahalik is best known for developing and co-teaching the SANS week-long in-depth smartphone forensics course, as well as developing the content of a Windows forensics course. She has been involved in infosec for 17 years and is the co-author of the book Practical Mobile Forensics, which is now in its third edition. She just took the job of Sr. Dir. of Digital Intelligence at Cellebrite, which makes various forensics analysis tools that are primarily sold to law enforcement and governments. On her personal blog you can find links to all of her speeches, such as one she gave last year about phone forensics, where she warns investigators to make sure their examinations don’t end up destroying the very evidence they need to collect from the phone. Her tweets are a mixture of fun and links to her professional activities and the occasional exploit.

This week in reports. The remainder of this newsletter covers various reports that are worthy of your attention. I have indicated where your email ID is needed for the download; some of the links also go to blog posts that summarize the results. I try to steer clear of surveys of a few hundred respondents and look at those that analyze real data, such as customer and network telemetry. While that can bias the results toward those users who are more security-savvy, they are still worth reading.

4. This report from Duo examines its customer telemetry. It finds that biometrics use is growing, Android devices are still running outdated OS and software, fewer folks are fooled by phishing, and Flash has become almost extinct. A zero-day Chrome browser vulnerability sparked an increase in policies to block outdated browser versions. And not too surprisingly, its customers are moving towards risk-based authentications to secure their access. -- DUO TRUSTED ACCESS REPORT (reg. req.)

5. This report reviews more than 25,000 domain records for a progress report on DMARC adoption. Overall use has increased about five percent from last year, with the notable exception of a big increase in U.S. government-owned domains. This is because they were required to get on board last year. Online retailers saw a 15 percent increase from last year, and more than 90 percent of Chinese domains have yet to adopt these protocols. -- 250OK GLOBAL DMARC ADOPTION REPORT
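
Adoption reports like this one classify each domain by the policy published in its `_dmarc` TXT record. The checker below is an added example, not code from the report or its authors: it parses a record, rejects malformed ones (the `v=DMARC1` tag must come first and a `p=` tag is required), and separates monitor-only (`p=none`) from enforcing policies, flagging partial enforcement via `pct=` or a weaker `sp=`. All sample records are constructed.

```python
# Constructed sample records (not from the report), keyed by domain, as a
# TXT lookup of _dmarc.<domain> would return them. None = no record published.
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitor.example":   "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example":   "v=DMARC1; p=quarantine; pct=25; sp=none",
    "malformed.example": "p=reject; v=DMARC1",  # v= must be the first tag
    "absent.example":    None,
}

def parse_dmarc(record):
    """Return a dict of DMARC tags, or None if the record is not valid DMARC."""
    if not record:
        return None
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, _, value = part.partition("=")
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: first tag must be v=DMARC1, and p= is mandatory with a known value.
    if not tags or tags[0][0] != "v" or tags[0][1].upper() != "DMARC1":
        return None
    parsed = dict(tags)
    if parsed.get("p") not in ("none", "quarantine", "reject"):
        return None
    return parsed

def classify(record):
    """Bucket a record the way adoption surveys do: absent, invalid,
    monitor-only (p=none), enforcing, or enforcing (partial)."""
    if record is None:
        return "absent"
    parsed = parse_dmarc(record)
    if parsed is None:
        return "invalid"
    policy = parsed["p"]
    if policy == "none":
        return "monitor-only"
    pct_raw = parsed.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    subdomain_policy = parsed.get("sp", policy)  # sp= defaults to p=
    if pct < 100 or subdomain_policy == "none":
        return "enforcing (partial)"
    return "enforcing"

def adoption_summary(records):
    """Count how many domains fall into each classification."""
    summary = {}
    for record in records.values():
        bucket = classify(record)
        summary[bucket] = summary.get(bucket, 0) + 1
    return summary
```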

6. This report pulls data from Dell's telemetry on its customers’ incident responses. Ransomware has become more targeted and used as an entry point for additional attacks. A third of all incidents were phishing-related, and most incidents were financially motivated. It is deja vu all over again, as customers still have similar issues and security gaps from previous years. -- DELL SECUREWORKS 2019 INCIDENT RESPONSE INSIGHTS REPORT (reg. req.)

7. Speaking of ransomware, this report shows the average ransom payout nearly tripled to more than $36,000, and average downtime increased from 7 to 9.6 days. This could be because Ryuk and Sodinokibi, which are more damaging strains, are now more prevalent. Also, almost everyone who paid a ransom received a working decryption tool, and more than 90 percent of the data was recovered with that tool. -- COVEWARE RANSOM REPORT

8. One more take on ransomware is found in this blog post on GoGalocker. The malware employs a number of evasion tactics, such as signing its binaries with digital certs and disabling security software. It is then able to move laterally across the network, infecting other PCs. There are also similarities with MegaCortex executables. -- SYMANTEC BLOG

9. Attackers are starting to adopt lateral phishing techniques, according to this analysis. This is when a phisher uses the hijacked account to try to compromise others in the victim’s contact list, such as fellow employees or personal addresses. In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients. -- BARRACUDA BLOG

10. A major data leak was discovered by the researcher Sam Jadali that involves data collected by numerous browser extensions. He dubbed it Dataspii. This report by Dan Goodin shows the depth of their perfidy, and how various vendors had unintentional access to this information. -- ARS

This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).